diff --git a/ansible/inventory/inventory.yaml b/ansible/inventory/inventory.yaml
index 7a0a785..0db15e9 100644
--- a/ansible/inventory/inventory.yaml
+++ b/ansible/inventory/inventory.yaml
@@ -4,32 +4,81 @@ all:
 children:
 hypervisors:
 hosts:
- server:
- ansible_host: server.balsillie.net
- lab:
- ansible_host: lab.balsillie.net
+ - server
+ - lab
+ - hv00
 vms:
 children:
 nodes:
 hosts:
- node1:
- ansible_host: node1.balsillie.net
- node2:
- ansible_host: node2.balsillie.net
- node3:
- ansible_host: node3.balsillie.net
+ - node1
+ - node2
+ - node3
 hosts:
- router:
- ansible_host: router.balsillie.net
+ - router
+ hetzner:
+ hosts:
+ - hv00
+ - firewall00
+ k8s:
+ children:
+ k8s_control:
+ hosts:
+ - kube00
+ - kube01
+ - kube02
+ k8s_taint:
+ hosts:
+ - kube00
+ - kube01
+ - kube02
+ k8s_worker:
+ hosts:
+ - kube00
+ - kube01
+ - kube02
+ firewalls:
+ children:
+ fortigate:
+ hosts:
+ - fortigate00
+ opnsense:
+ hosts:
+ - firewall00
+ switches:
+ hosts:
+ - switch00
 workstations:
 children:
 arch:
 hosts:
- lat5420:
- ansible_host: lat5420.balsillie.net
- sff:
- ansible_host: sff.balsillie.net
+ - lat5420
+ - sff
 windows:
 hosts:
- bridie:
- ansible_host: bridie.balsillie.net
\ No newline at end of file
+ - bridie
+ hosts:
+ server:
+ ansible_host: server.balsillie.net
+ lab:
+ ansible_host: lab.balsillie.net
+ hv00:
+ ansible_host: server.balsillie.net
+ bridie:
+ ansible_host: bridie.balsillie.net
+ lat5420:
+ ansible_host: lat5420.balsillie.net
+ sff:
+ ansible_host: sff.balsillie.net
+ node1:
+ ansible_host: node1.balsillie.net
+ node2:
+ ansible_host: node2.balsillie.net
+ node3:
+ ansible_host: node3.balsillie.net
+ router:
+ ansible_host: router.balsillie.net
+ firewall00:
+ ansible_host: firewall.balsillie.net
+ fortigate00:
+ ansible_host: fortigate.balsillie.net
diff --git a/ansible/playbooks/k8s.yaml b/ansible/playbooks/k8s.yaml
new file mode 100644
index 0000000..a9bb78c
--- /dev/null
+++ b/ansible/playbooks/k8s.yaml
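Review bot: The group `hosts:` entries in this hunk are rewritten as YAML sequences (`- server`, `- lab`, `- hv00`, and likewise under nodes, hetzner, the k8s_* groups, firewalls, switches and workstations), but Ansible's YAML inventory plugin expects `hosts:` to be a mapping and, as far as I know, rejects a list with a parse error; the members should stay as keys with empty values, e.g. `server:`, `lab:`, `hv00:`. Separately, `hv00` is given `ansible_host: server.balsillie.net`, the same address as `server`, so any play scoped to `hetzner` or `hv00` would run on the existing server unless that alias is intended. `kube00`–`kube02` and `switch00` are referenced by groups but get no `ansible_host` in the new `hosts:` block, so they resolve by bare inventory name; adding explicit entries keeps privileged plays from depending on the controller's DNS search path. Indentation is lost on this page, so the nesting is inferred from key order.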
@@ -0,0 +1,19 @@
+---
+- name: python bootstrap
+ hosts: k8s
+ gather_facts: false
+ become: true
+ roles:
+ - python-install
+- name: ssh hardening
+ hosts: k8s
+ gather_facts: true
+ become: true
+ roles:
+ - sshd
+- name: configure control plane
+ hosts: k8s_control
+ gather_facts: true
+ become: false
+ roles:
+ - k8s_control
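Review bot: The `ssh hardening` play applies the `sshd` role to every host in `k8s` in one batch, so a bad sshd configuration (the role's contents are not visible here) would cut off SSH access to all nodes at once; adding `serial: 1` to that play limits a mistake to one node. The `configure control plane` play sets `become: false` while the two plays before it use `become: true`; if `k8s_control` needs root for any task, a comment such as `# runs unprivileged; tasks escalate individually` would make the intent clear. The role name `python-install` uses a hyphen where `k8s_control` uses an underscore; one convention across roles reads better.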