diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index af5a0855d9b23b1505ec03b46a35f09958931467..d749e7956afa4216fc9dd9c20a385b8035ff5c9c 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -104,10 +104,12 @@
     - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
   notify: restart kubelet
 
+# FIXME(mattymo): Need to point to localhost, otherwise masters will all point
+#                 incorrectly to first master, creating SPoF.
 - name: Update server field in kube-proxy kubeconfig
   shell: >-
     {{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf get configmap kube-proxy -n kube-system -o yaml
-    | sed 's#server:.*#server:\ {{ kube_apiserver_endpoint }}#g'
+    | sed 's#server:.*#server: https://127.0.0.1:{{ kube_apiserver_port }}#g'
     | {{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf replace -f -
   run_once: true
   when:
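Review bot: The rewritten sed expression puts `https://127.0.0.1:{{ kube_apiserver_port }}` into the kube-proxy configmap, which kube-proxy normally reads on every node, not only on masters. A node with no apiserver or local proxy listening on that port would lose its API connection, and TLS verification only succeeds if the apiserver serving certificate lists 127.0.0.1 as a SAN. The task's `when:` list continues outside the hunk, so a guard may already exist; if not, a condition tied to the localhost load-balancer setting would make the assumption explicit. Separately, `server:.*` is unanchored and rewrites any line containing that text in the dumped YAML; `s#^\( *\)server:.*#\1server: https://127.0.0.1:{{ kube_apiserver_port }}#` limits it to the key itself. The FIXME wording reads as open work although the change implements it; `# Point kube-proxy at localhost so masters do not all depend on the first master` would be clearer.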
diff --git a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
new file mode 100644
index 0000000000000000000000000000000000000000..32a4e0ffbe6e6e3d4ae235003468d66bde258173
--- /dev/null
+++ b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
@@ -0,0 +1,13 @@
+---
+- name: Update server field in component kubeconfigs
+  lineinfile:
+    dest: "{{ kube_config_dir }}/{{ item }}.conf"
+    regexp: 'server:'
+    line: '    server: {{ kube_apiserver_endpoint }}'
+    backup: yes
+  with_items:
+    - controller-manager
+    - scheduler
+  when:
+    - not loadbalancer_apiserver is defined
+  notify: "Master | Restart kube-{{ item }}"
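Review bot: `backup: yes` leaves a timestamped copy of `controller-manager.conf` and `scheduler.conf` in `{{ kube_config_dir }}` every time the line changes, and these kubeconfigs usually embed client certificate and key data, so stale credential copies accumulate on the masters. I would drop `backup` or add a cleanup task, and check that whatever rotates or audits those credentials also covers the copies. The `regexp: 'server:'` pattern is unanchored, and lineinfile appends `line` at end of file when nothing matches, which would silently produce a mis-nested kubeconfig; `regexp: '^\s*server:'` is tighter. Templating `{{ item }}` into `notify` depends on how the running Ansible version resolves loop variables in handler names, so it is worth confirming both handlers actually fire. `when: loadbalancer_apiserver is not defined` is the more idiomatic form of the condition.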
diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml
index 6d881caf917c7afcd606c76eb2cf8a61c30bce5f..4d646d22f46840ed3a253fb53df517cd8f2ddc82 100644
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@@ -73,3 +73,6 @@
 - name: Include kubeadm etcd extra tasks
   include_tasks: kubeadm-etcd.yml
   when: etcd_kubeadm_enabled
+
+- name: Include kubeadm secondary server apiserver fixes
+  include_tasks: kubeadm-fix-apiserver.yml
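Review bot: The new include has no `when:`, unlike the `etcd_kubeadm_enabled` guard on the include just above it, and nothing visible restricts it to secondary masters although the task name says "secondary server". If this file is also reached where the component kubeconfigs do not exist, the included lineinfile task would fail on the missing `dest`. Consider a guard that matches the intent, or a comment such as `# Runs on all masters; rewrites server: only when no external load balancer is defined` if the unconditional include is deliberate.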