diff --git a/roles/etcd/tasks/gen_certs.yml b/roles/etcd/tasks/gen_certs.yml
index 49ca33186bf7025333cd4a310d1b7bf4c24d51b2..835e234b0d01493b33b459c3acc4aca6e22b8766 100644
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -1,19 +1,29 @@
 ---
+- name: Gen_certs | create etcd cert dir
+  file:
+    path={{ etcd_cert_dir }}
+    group={{ etcd_cert_group }}
+    state=directory
+    owner=root
+    recurse=yes
 
 - name: Gen_certs | create etcd script dir
   file:
     path: "{{ etcd_script_dir }}"
     state: directory
     owner: root
-  when: inventory_hostname == groups['etcd'][0]
+  run_once: yes
+  delegate_to: "{{groups['etcd'][0]}}"
 
-- name: Gen_certs | create etcd cert dir
+- name: Gen_certs | create etcd cert dir (on first etcd)
   file:
     path={{ etcd_cert_dir }}
     group={{ etcd_cert_group }}
     state=directory
     owner=root
     recurse=yes
+  run_once: yes
+  delegate_to: "{{groups['etcd'][0]}}"
 
 - name: Gen_certs | write openssl config
   template:
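Review bot: Both `create etcd cert dir` tasks (the new one at the top of the hunk and the delegated copy below it) set owner and group but no `mode`, so the permissions of the directory that presumably holds the etcd certificates and keys depend on the umask or on the mode an existing directory already has. Because `recurse=yes` is set, a symbolic mode is safer than a numeric one, which would also put execute bits on the files inside: `mode: "u=rwX,g=rX,o-rwx"`. Writing the arguments as a YAML mapping with quoted Jinja (`path: "{{ etcd_cert_dir }}"`), as the script-dir task in this hunk already does, also stops the key=value parser from splitting a value that contains whitespace.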
diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml
index 545cba31f9face66ba6def76fb075c02e236953c..a343a93373737e0d73f4a09d7022cdb8ef644d18 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -1,4 +1,24 @@
 ---
+- name: Gen_certs | Create kubernetes config directory (on master[0])
+  file:
+    path: "{{ kube_config_dir }}"
+    state: directory
+    owner: kube
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
+  when: gen_certs|default(false)
+
+- name: Gen_certs | Create kubernetes script directory (on master[0])
+  file:
+    path: "{{ kube_script_dir }}"
+    state: directory
+    owner: kube
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  tags: [k8s-secrets, bootstrap-os]
+  when: gen_certs|default(false)
+
 - name: Gen_certs | write openssl config
   template:
     src: "openssl.conf.j2"
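Review bot: The two added tasks combine `run_once: yes` with `when: gen_certs|default(false)`, and Ansible evaluates the condition of a `run_once` task with the variables of the first host in the batch only. If `gen_certs` is set per host (its definition is outside this diff), the directories are skipped on master[0] whenever that first host does not need certificates, even if another host does. Creating a directory is idempotent, so the `when` could be dropped from these tasks, or the flag could be computed once for the whole play. The same applies to the three delegated tasks added in roles/kubernetes/secrets/tasks/main.yml, which also repeat these two tasks before `gen_certs.yml` is included there.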
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index 4dc6f8c30802f4da93215c2a5601f37719bebc6f..9969d529285e7a5ad218b22ea9a9049a19efa061 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -35,6 +35,41 @@
   when: inventory_hostname in "{{ groups['kube-master'] }}"
   notify: set secret_changed
 
+#
+# The following directory creates make sure that the directories
+# exist on the first master for cases where the first master isn't
+# being run.
+#
+- name: Gen_certs | Create kubernetes config directory (on master[0])
+  file:
+    path: "{{ kube_config_dir }}"
+    state: directory
+    owner: kube
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
+  when: gen_certs|default(false) or gen_tokens|default(false)
+
+- name: Gen_certs | Create kubernetes script directory (on master[0])
+  file:
+    path: "{{ kube_script_dir }}"
+    state: directory
+    owner: kube
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  tags: [k8s-secrets, bootstrap-os]
+  when: gen_certs|default(false) or gen_tokens|default(false)
+
+- name: Get_tokens | Make sure the tokens directory exits (on master[0])
+  file:
+    path={{ kube_token_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_tokens|default(false)
+
 - include: gen_certs.yml
   tags: k8s-secrets
 - include: gen_tokens.yml
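Review bot: The tokens directory task uses `mode=o-rwx` and sets no `owner`, so only the "other" bits are cleared; the owner and the user and group bits stay whatever the umask or an already existing directory gives, which means a directory that is group-writable stays group-writable. For a directory that, judging by its name, stores tokens, an absolute setting is more predictable, for example `owner: kube` (as the two tasks above it use) and `mode: "0750"`; the intended owner is not visible in this diff and should be confirmed. The task name also reads "exits" where "exists" is meant.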