diff --git a/bindata/v3.11.0/kube-controller-manager/defaultconfig.yaml b/bindata/v3.11.0/kube-controller-manager/defaultconfig.yaml
index d36a274c4..79f5393b6 100644
--- a/bindata/v3.11.0/kube-controller-manager/defaultconfig.yaml
+++ b/bindata/v3.11.0/kube-controller-manager/defaultconfig.yaml
@@ -33,3 +33,11 @@ extendedArguments:
   - "720h"
   port:
   - "10252"
+  root-ca-file:
+  - "/etc/kubernetes/static-pod-resources/configmaps/client-ca/ca-bundle.crt"
+  service-account-private-key-file:
+  - "/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"
+  cluster-signing-cert-file:
+  - "/etc/kubernetes/static-pod-resources/secrets/cluster-signing-ca/kube-ca.crt"
+  cluster-signing-key-file:
+  - "/etc/kubernetes/static-pod-resources/secrets/cluster-signing-ca/kube-ca.key"
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
index 83aad1078..d92339bbb 100644
--- a/pkg/operator/starter.go
+++ b/pkg/operator/starter.go
@@ -122,6 +122,8 @@ var deploymentConfigMaps = []string{
 
 // deploymentSecrets is a list of secrets that are directly copied for the current values.  A different actor/controller modifies these.
 var deploymentSecrets = []string{
-	"serving-cert",
+	"cluster-signing-ca",
 	"controller-manager-kubeconfig",
+	"service-account-private-key",
+	"serving-cert",
 }
diff --git a/pkg/operator/v311_00_assets/bindata.go b/pkg/operator/v311_00_assets/bindata.go
index 5698ecde7..ddb616b90 100644
--- a/pkg/operator/v311_00_assets/bindata.go
+++ b/pkg/operator/v311_00_assets/bindata.go
@@ -116,6 +116,14 @@ extendedArguments:
   - "720h"
   port:
   - "10252"
+  root-ca-file:
+  - "/etc/kubernetes/static-pod-resources/configmaps/client-ca/ca-bundle.crt"
+  service-account-private-key-file:
+  - "/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"
+  cluster-signing-cert-file:
+  - "/etc/kubernetes/static-pod-resources/secrets/cluster-signing-ca/kube-ca.crt"
+  cluster-signing-key-file:
+  - "/etc/kubernetes/static-pod-resources/secrets/cluster-signing-ca/kube-ca.key"
 `)
 
 func v3110KubeControllerManagerDefaultconfigYamlBytes() ([]byte, error) {