diff --git a/bindata/v4.1.0/kube-apiserver/pod.yaml b/bindata/v4.1.0/kube-apiserver/pod.yaml index f8884e22da..91b44b426e 100644 --- a/bindata/v4.1.0/kube-apiserver/pod.yaml +++ b/bindata/v4.1.0/kube-apiserver/pod.yaml @@ -31,9 +31,14 @@ spec: image: ${IMAGE} imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError - command: ["hyperkube", "kube-apiserver"] + command: ["/bin/bash", "-ec"] args: - - --openshift-config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml + - | + if [ -f /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then + echo "Copying system trust bundle" + cp -f /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + fi + exec hyperkube kube-apiserver --openshift-config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml resources: requests: memory: 1Gi diff --git a/bindata/v4.1.0/kube-apiserver/trusted-ca-cm.yaml b/bindata/v4.1.0/kube-apiserver/trusted-ca-cm.yaml new file mode 100644 index 0000000000..78b1a60262 --- /dev/null +++ b/bindata/v4.1.0/kube-apiserver/trusted-ca-cm.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: openshift-kube-apiserver + name: trusted-ca-bundle + labels: + config.openshift.io/inject-trusted-cabundle: "true" diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go index fc954a2548..9f513a305a 100644 --- a/pkg/operator/starter.go +++ b/pkg/operator/starter.go @@ -204,6 +204,9 @@ var RevisionSecrets = []revision.RevisionResource{ var CertConfigMaps = []revision.RevisionResource{ {Name: "aggregator-client-ca"}, {Name: "client-ca"}, + + // this is a copy of trusted-ca-bundle CM but with key modified to "tls-ca-bundle.pem" so that we can mount it the way we need + {Name: "trusted-ca-bundle", Optional: true}, } var CertSecrets = []revision.RevisionResource{ 
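Review bot: The `cp -f` replaces the image's consolidated system trust store at `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` wholesale, so whatever is in the `trusted-ca-bundle` ConfigMap becomes the complete set of roots kube-apiserver uses for outbound TLS (webhooks, OIDC, aggregated API backends), and nothing in the script checks that the file is non-empty or is PEM — an empty key would leave the apiserver with no roots at all. If the injector guarantees a complete bundle (system roots plus user CAs), state that in a comment above the `if`, e.g. `# the injected bundle is a full trust store: it replaces, not extends, the image's CA bundle`, and prefer `if [ -s ... ]` over `-f` so an empty file is never installed. It is also worth recording that write access to this ConfigMap in openshift-kube-apiserver is now equivalent to control over the apiserver's trust store. With `bash -ec` a failing `cp` aborts before the `exec`, which fails closed but takes the apiserver down; that trade-off deserves a line in the same comment.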
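Review bot: The comment on the new `CertConfigMaps` entry says the ConfigMap is a copy whose key has been renamed to `tls-ca-bundle.pem`, but nothing in this diff performs that rename, and the asset added alongside it creates the ConfigMap with no data; if the injected key is named differently, the pod script's `-f` test silently skips the copy and the apiserver keeps the image's trust store with no error surfaced. Because the entry is `Optional: true`, a missing or mis-keyed ConfigMap also produces no revision failure, so the failure mode is entirely silent. Name the component that does the rename in the comment, e.g. `// the injected key is rewritten to "tls-ca-bundle.pem" by <component>; the pod script looks for exactly that file name`, or add a log line in the pod script for the file-absent case. The `CertConfigMaps` declaration begins in the hunk's context and `CertSecrets` continues outside it.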
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
index f398090a87..496c2da141 100644
--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -12,6 +12,8 @@ import (
 "k8s.io/klog"
 
 corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/apimachinery/pkg/util/wait"
@@ -194,6 +196,11 @@ func createTargetConfig(c TargetConfigController, recorder events.Recorder, oper
 errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-server-ca", err))
 }
 
+ err = ensureKubeAPIServerTrustedCA(c.kubeClient.CoreV1(), recorder)
+ if err != nil {
+ errors = append(errors, fmt.Errorf("%q: %v", "configmap/trusted-ca-bundle", err))
+ }
+
 if len(errors) > 0 {
 condition := operatorv1.OperatorCondition{
 Type: "TargetConfigControllerDegraded",
@@ -343,6 +350,28 @@ func manageKubeAPIServerCABundle(lister corev1listers.ConfigMapLister, client co
 return resourceapply.ApplyConfigMap(client, recorder, requiredConfigMap)
 }
 
+func ensureKubeAPIServerTrustedCA(client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
+ required := resourceread.ReadConfigMapV1OrDie(v410_00_assets.MustAsset("v4.1.0/kube-apiserver/trusted-ca-cm.yaml"))
+ cmCLient := client.ConfigMaps(operatorclient.TargetNamespace)
+
+ cm, err := cmCLient.Get("trusted-ca-bundle", metav1.GetOptions{})
+ if err != nil {
+ if apierrors.IsNotFound(err) {
+ _, err = cmCLient.Create(required)
+ }
+ return err
+ }
+
+ // update if modified by the user
+ if val, ok := cm.Labels["config.openshift.io/inject-trusted-cabundle"]; !ok || val != "true" {
+ cm.Labels["config.openshift.io/inject-trusted-cabundle"] = "true"
+ _, err = cmCLient.Update(cm)
+ return err
+ }
+
+ return err
+}
+
 // Run starts the kube-apiserver and blocks until stopCh is closed.
 func (c *TargetConfigController) Run(workers int, stopCh <-chan struct{}) {
 defer utilruntime.HandleCrash()
diff --git a/pkg/operator/v410_00_assets/bindata.go b/pkg/operator/v410_00_assets/bindata.go
index 2c0b375f70..ac60c2059e 100644
--- a/pkg/operator/v410_00_assets/bindata.go
+++ b/pkg/operator/v410_00_assets/bindata.go
@@ -9,6 +9,7 @@
 // bindata/v4.1.0/kube-apiserver/recovery-config.yaml
 // bindata/v4.1.0/kube-apiserver/recovery-pod.yaml
 // bindata/v4.1.0/kube-apiserver/svc.yaml
+// bindata/v4.1.0/kube-apiserver/trusted-ca-cm.yaml
 // DO NOT EDIT!
 
 package v410_00_assets
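Review bot: `cm.Labels["config.openshift.io/inject-trusted-cabundle"] = "true"` panics with an assignment to a nil map when the pre-existing ConfigMap carries no labels at all, which is precisely the `!ok` case that branch is meant to repair; add `if cm.Labels == nil { cm.Labels = map[string]string{} }` before the assignment. The `recorder` parameter is never used, so unlike the neighbouring `manageKubeAPIServerCABundle`, which passes it through `resourceapply.ApplyConfigMap` (presumably to record an event), the create and update here leave no trace; either drop the parameter or route the write through `resourceapply`. The function also performs a live `Get` on every sync rather than reading from the lister the sibling function takes, which is an uncached API call per resync. `cmCLient` looks like a typo for `cmClient`.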
@@ -331,9 +332,14 @@ spec: image: ${IMAGE} imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError - command: ["hyperkube", "kube-apiserver"] + command: ["/bin/bash", "-ec"] args: - - --openshift-config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml + - | + if [ -f /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then + echo "Copying system trust bundle" + cp -f /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + fi + exec hyperkube kube-apiserver --openshift-config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml resources: requests: memory: 1Gi @@ -583,6 +589,30 @@ func v410KubeApiserverSvcYaml() (*asset, error) { return a, nil } +var _v410KubeApiserverTrustedCaCmYaml = []byte(`apiVersion: v1 +kind: ConfigMap +metadata: + namespace: openshift-kube-apiserver + name: trusted-ca-bundle + labels: + config.openshift.io/inject-trusted-cabundle: "true" +`) + +func v410KubeApiserverTrustedCaCmYamlBytes() ([]byte, error) { + return _v410KubeApiserverTrustedCaCmYaml, nil +} + +func v410KubeApiserverTrustedCaCmYaml() (*asset, error) { + bytes, err := v410KubeApiserverTrustedCaCmYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "v4.1.0/kube-apiserver/trusted-ca-cm.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + // Asset loads and returns the asset for the given name. // It returns an error if the asset could not be found or // could not be loaded. 
@@ -644,6 +674,7 @@ var _bindata = map[string]func() (*asset, error){
 "v4.1.0/kube-apiserver/recovery-config.yaml": v410KubeApiserverRecoveryConfigYaml,
 "v4.1.0/kube-apiserver/recovery-pod.yaml": v410KubeApiserverRecoveryPodYaml,
 "v4.1.0/kube-apiserver/svc.yaml": v410KubeApiserverSvcYaml,
+ "v4.1.0/kube-apiserver/trusted-ca-cm.yaml": v410KubeApiserverTrustedCaCmYaml,
 }
 
 // AssetDir returns the file names below a certain
@@ -698,6 +729,7 @@ var _bintree = &bintree{nil, map[string]*bintree{
 "recovery-config.yaml": {v410KubeApiserverRecoveryConfigYaml, map[string]*bintree{}},
 "recovery-pod.yaml": {v410KubeApiserverRecoveryPodYaml, map[string]*bintree{}},
 "svc.yaml": {v410KubeApiserverSvcYaml, map[string]*bintree{}},
+ "trusted-ca-cm.yaml": {v410KubeApiserverTrustedCaCmYaml, map[string]*bintree{}},
 }},
 }},
 }}