diff --git a/env/avroid_prod/k8s-avroid-office.prod.local/README.md b/env/avroid_prod/k8s-avroid-office.prod.local/README.md
index 93d4862..7774cc0 100644
--- a/env/avroid_prod/k8s-avroid-office.prod.local/README.md
+++ b/env/avroid_prod/k8s-avroid-office.prod.local/README.md
@@ -98,7 +98,7 @@ export VENVDIR=kubespray-venv
 export KUBESPRAYDIR=kubespray
 source $VENVDIR/bin/activate
 cd $KUBESPRAYDIR
-ansible-playbook cluster.yml -i ../inventory/inventory.ini -bkK -v
+ansible-playbook cluster.yml -i ../inventory/inventory.ini -e "@../inventory/hardening.yaml" -bK -v
 ```
 ### 5. Копируем конфиг для подключения к кластеру через kubectl
diff --git a/env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml b/env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml
new file mode 100644
index 0000000..ec53cb5
--- /dev/null
+++ b/env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml
@@ -0,0 +1,10 @@
+---
+# https://github.com/kubernetes-sigs/kubespray/blob/master/docs/operations/hardening.md
+# list of admission plugins that needs to be configured
+# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
+kube_apiserver_enable_admission_plugins:
+ - ServiceAccount
+ - NodeRestriction
+ - ResourceQuota
+ - PodNodeSelector
+kube_apiserver_admission_control_config_file: true
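Review bot: `kube_apiserver_admission_control_config_file: true` on the last line of hardening.yaml has no plugin in this file to serve: as far as I can tell kubespray only renders settings into that file for plugins such as EventRateLimit and PodSecurity, and none of the four listed plugins reads it, so the flag most likely produces an empty AdmissionConfiguration or is a no-op — confirm against the rendered admission config on a control-plane node after the play, and either drop the line or add the plugins it is meant for. The comment `# list of admission plugins that needs to be configured` is also misleading, since these are plugins being enabled rather than configured; `# admission plugins passed to --enable-admission-plugins (added on top of the kube-apiserver defaults; NodeRestriction and PodNodeSelector are the ones not on by default)` would say what the list does. It is worth stating in the header comment that this file applies only the admission-controller part of the linked hardening guide, so the remaining settings in that guide are not mistaken for already applied.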