diff --git a/roles/kubernetes/control-plane/defaults/main/etcd.yml b/roles/kubernetes/control-plane/defaults/main/etcd.yml index e1755c5fe..e5590601d 100644 --- a/roles/kubernetes/control-plane/defaults/main/etcd.yml +++ b/roles/kubernetes/control-plane/defaults/main/etcd.yml @@ -27,3 +27,11 @@ etcd_extra_vars: {} # etcd_max_request_bytes: "1572864" etcd_compaction_retention: "8" + + +# softlink to etcd certs +etcd_cert_paths: + client: + ca: "{{ etcd_cert_dir }}/ca.pem" + cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem" + key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem" diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml index 71ecfc4a9..c89fbd931 100644 --- a/roles/kubernetes/control-plane/defaults/main/main.yml +++ b/roles/kubernetes/control-plane/defaults/main/main.yml @@ -23,10 +23,6 @@ kube_apiserver_etcd_compaction_interval: "5m0s" # in the request is actually present in etcd. kube_apiserver_service_account_lookup: true -kube_etcd_cacert_file: ca.pem -kube_etcd_cert_file: node-{{ inventory_hostname }}.pem -kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem - # Associated interfaces must be reachable by the rest of the cluster, and by # CLI/web clients. kube_controller_manager_bind_address: "::" diff --git a/roles/kubernetes/control-plane/tasks/0010-etcd-link.yml b/roles/kubernetes/control-plane/tasks/0010-etcd-link.yml new file mode 100644 index 000000000..7c0fdeae3 --- /dev/null +++ b/roles/kubernetes/control-plane/tasks/0010-etcd-link.yml 
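Review bot: The comment `# softlink to etcd certs` above `etcd_cert_paths` is misleading, because these entries are the real certificate paths that the new symlinks point at, not the links themselves; I would write `# Real etcd credentials (CA, client cert, key) that the kube-apiserver's kube_etcd_*_file symlinks in etcd_cert_dir resolve to`. It is also worth saying in that comment that `cert`/`key` reuse the etcd member's own `node-<hostname>` keypair as the apiserver's client identity — the removed `kube_etcd_cert_file`/`kube_etcd_key_file` defaults pointed at the same files, so this is not a regression, but this mapping is now the one place to swap in a dedicated client certificate if one is issued later.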
@@ -0,0 +1,24 @@ +--- +- name: Create etcd cert directory + ansible.builtin.file: + path: "{{ etcd_cert_dir }}" + state: directory + mode: '0750' + when: + - inventory_hostname in groups['kube_control_plane'] + +- name: Generate symlink to etcd certs + ansible.builtin.file: + src: "{{ etcd_cert_paths.client[item.src] }}" + dest: "{{ etcd_cert_dir }}/{{ item.dest }}" + state: link + force: true + loop: + - src: ca + dest: "{{ kube_etcd_cacert_file }}" + - src: cert + dest: "{{ kube_etcd_cert_file }}" + - src: key + dest: "{{ kube_etcd_key_file }}" + when: + - inventory_hostname in groups['kube_control_plane'] diff --git a/roles/kubernetes/control-plane/tasks/main.yml b/roles/kubernetes/control-plane/tasks/main.yml index fa0432702..9410fd615 100644 --- a/roles/kubernetes/control-plane/tasks/main.yml +++ b/roles/kubernetes/control-plane/tasks/main.yml @@ -4,6 +4,11 @@ tags: - k8s-pre-upgrade +- name: Create etcd cert symbolic links + import_tasks: 0010-etcd-link.yml + when: + - etcd_deployment_type != "kubeadm" + - name: Create webhook token auth config template: src: webhook-token-auth-config.yaml.j2 diff --git a/roles/kubespray-defaults/vars/main.yml b/roles/kubespray-defaults/vars/main.yml index 6737b8efa..67fc164db 100644 --- a/roles/kubespray-defaults/vars/main.yml +++ b/roles/kubespray-defaults/vars/main.yml @@ -27,3 +27,8 @@ kube_pods_subnets: >- {%- else -%} {{ kube_pods_subnet_ipv6 }} {%- endif -%} + +# Symlinks to etcd certs +kube_etcd_cacert_file: "kube-client-ca.pem" +kube_etcd_cert_file: "kube-client-cert.pem" +kube_etcd_key_file: "kube-client-key.pem"
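Review bot: `force: true` in `Generate symlink to etcd certs` does two things the apiserver's etcd credentials should not tolerate silently: it creates a dangling link when `etcd_cert_paths.client[item.src]` does not exist yet, and it unlinks any regular file already present at `{{ etcd_cert_dir }}/{{ item.dest }}` to make room for the link. `ansible.builtin.file` with `state: link` already repoints an existing symlink without `force`, so the flag only buys those two failure modes; I would remove the `force: true` line so a missing source fails the play instead of leaving a broken `kube-client-key.pem` for kube-apiserver to trip over, or guard the loop with a `stat`/`assert` on the three sources. The `Create etcd cert directory` task also applies `mode: '0750'` with no `owner`/`group`, which will rewrite the permissions of a directory the etcd role presumably created with its own settings — worth confirming against that role's defaults rather than redefining them here.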
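Review bot: Placing `kube_etcd_cacert_file`, `kube_etcd_cert_file` and `kube_etcd_key_file` in `roles/kubespray-defaults/vars/` rather than `defaults/` raises them to role-vars precedence, so an inventory `group_vars`/`host_vars` override that worked against the removed `control-plane/defaults/main/main.yml` values is now silently ignored unless passed with `-e`. If pinning the link names is intentional (they are only the symlink names; the targets live in `etcd_cert_paths`), the comment should say so: `# Fixed names of the kube-apiserver's etcd client cert symlinks in etcd_cert_dir; deliberately role vars, not user-overridable`. If operators are still expected to customise them, they belong back in a `defaults/` file instead.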