diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 22498bf..b96c668 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,48 +1,53 @@ $ANSIBLE_VAULT;1.1;AES256 -36663361623738653132316466623231656662366262646435666439386336343134356437303136 -3039663831636266663934633231323133356264653162330a303834396265623562313331396137 -38323461343761653363643230393539663237663935656131376261613731323731643338666336 -3137383131343136340a316462316564303832313136646631396162663036343637656166666439 -32363134376639333364396561313936393739653762333334346531326332616362313132623831 -35386130386265383237326134356366353033323437633466383038303264643061353731633063 -37643636333466336561666465313235363265643233373738653864363335613233393332343966 -30353866353161343762383161353965386538666430346430353763646265643534326661353162 -31343233356464393433396135313064323433666132653966373961666433346666316336363535 -36653565393462613237636439333566643765363762346362613932336135306130376366663235 -64346335316561663363316232613036653837393439666537333961616232303535616361626263 -39656631643161643862363162666531636561353932303532366235306664323731363732363635 -62343561373935383936616463316239666139643835323439656162386636383439633034323164 -36313630356664663530626137396638333462303462316432613639316238306564303439653838 -32656339326531666263333430303334303635333261653933353339383935313032383662633332 -30316132613339383761373830356537623531616632643762613935356230636439316431396466 -34343465613730346639643462383633396664666362646231366436626332636365663766613764 -61313334313131343663636331633330623030653235313363623531336630306435396131366433 -37643733333962373031663561663636343932613663323731356136623462613930356635616432 -63333237366335353461326336643533376139366461343161326135303364323035373030326432 -39376263306266643536316532643661306430396261343732366662363933343161353933626134 -39663739363436653461333631333539343739363738613133373966653362636138333462356437 -38316533663139643334633635303435636332346561303838373061376536653263396234313932 
-62393836336633353337326233393334366138376161356536616433326665613365363131373164 -62386361306365306264643466663762393330303963636339316333306638636566393339303033 -39366136326637306235316666303137316634306535333032373132353630663833306138396663 -63653232333363306138363131356435303230303362373239303365373161666164313639663433 -64653436343865356663386132366638346465333738366462353333643336666534633930303836 -63623265363832643832626561376666346561653062656264366131303866356365653439326338 -63623235373636306432363563326564633764346439303165336338633963363437383264613339 -34666432356636613364353035653964636138376235383333326233366463633038373736646137 -36333465303961336632633539666338346464343534373439643764346433326637373732366236 -34656338346536366133303732333537306132333438303166393330373632393137383763323961 -39653833623262383966363162643737343932646563613839383963623330353531376130616134 -62313561326135326666346330316331386531396465376438303263333335623864623462643862 -37313230663163396535666538396131343437373638393063363065386363333664623130323336 -30626637323764643639326536386532323238653935666462663732343831303064366636616338 -33383934383735633561303333393163616262626536613734656239303538363730396530643136 -65353537353534643933306262313664393963646163356363373261643832663365613964663763 -36626366303330633536613234383839336361636661666664633132346663306634663430663361 -32393436626332326339343836613639623135613431333762663236343333343964613135656263 -64343331313563616464363261303434323562343863393566383234633833623631383464376535 -66393437343866313865376263353238363734323332626663383332323939326133313761316663 -33633762393461613636613736633737303030373266383232323663336639396462373730386233 -61363264336465326530343939393465613264353061646662323135626365363362623134626163 -33636365663364663565623030643664346434646338373830333665373837623238393761623834 -306532353835663232373339333934393236 
+39366565366664306333663934306533353861616161323165356433646331663239396164383138 +6436636361336164646564363036366439346335333533390a383061306436393933306239336239 +37383430323965323533643866323761626134376632313035356565373864373161386163363963 +3164613131346633350a636535316562316266323139323266643531313366656463653636306435 +36353465646163623665386566316362363264663334626634626236666330316662323966626334 +65653934383632663061663939656236653531663937663338653962633531316264656233326438 +34346362666534316636636134633731333764336461376162643231386563656231643938393936 +37366466313939656461376439623533346636623631363033633336336462306265663661613734 +39653532656666323065643466376432633837663032306363616632306237326137323864393964 +61346339343138383663633234643264353961323335393137653037343065366232376236356234 +66346137346439343463393834336134376362316566333461383062613335326533636137383763 +35333465393032666638616231623630313865353661623230313033333163303337623837363562 +36396335326365636566393636323533633866366163333261333731343137336666366362366265 +35333433616130373339343938356631316432626163313663366533323738353732636232323739 +37316138643233613765663666666366396138623765346433646366623831333462663465353661 +66383061336636613835313131363066343563383136373531626236653231633332663766303936 +61653262326134343166303132643961393861376532613764666462386164303061303737643739 +33376134366136323031366636643662653037646636323033313234363263346233633534386264 +31373338653330323231373838373732383833333431383963383633326661333230316133316232 +39313363663536653433366464323136333165396163326161393238636563353531383864613239 +30323236633239666330363535626530666436373863383531383538323066363964353039313062 +39356564336261383436636139393638313539636235356539323339353137663834623935656131 +32363465626231653736366636316339303163616639666362636332623063356438326337326464 +30386232623362666266616364396563323138616164323363616334313531616261613339323465 
+37613431653433653863346334656465303731373266376630336530363036386464303666313131 +66383165356434323865636631656131313735313134386162646634666135396431326437653761 +36633833353562653963316466333965316332366165653130363237366262346638376531313965 +38386363656332396634623535633365396332363462356232366461393463626336383165663132 +34393636616133356334653231366338386364396136643937613961653934333466303135346539 +37393865373133363464626132323037336638383138343866626638616535333937303764383263 +61386362313961626163383365376234666238633030306463666335373734616336303165653564 +37393136363439393735383964386134333731643565613865393266383966333531316238353433 +34303262633934386561363363643236646137653866356536613037613661663264333432306266 +64343732643365396235636366366164313039333332366561646339343162613861346635393833 +34346664303836386165336561333630616535383061333537323364623962666238396164333937 +39633938303131383463313964383364333062306166623039626131663133373831343963633463 +38386637393038396431666633366139393332393761316637653063633033363537333438306633 +30623436363037363232303562383165636135333933346562326533623831363363653165376163 +62363265343465303036306433366132666339396266333461383732343464343535626666646637 +32646632623636663330383632303835336138366336393638346437656530313762363739323965 +63336639383266386463653637306431316230353561373332353739383635663637343036623564 +66373831353864633865626538633431636333363433656136366639643765396435656433313965 +66643632623835343662616134383835323265646636343165373666383138306635373362303133 +63633536663439343065386630386637363431303238633661643335343262383533643764643939 +33396632333139336635356165643036323234613032643233346635326662383830313834343966 +35656163313463343561383664656632363436613032643335363539636466393338623663356161 +64363731393530633239303039636162633533396131663433323436376233313237336538623631 +33616638333232383931646534363230663064346137366264316432306134393163646634336336 
+61323132336637323037356466366539323265303138623864316438613766613837383737383765
+33323166373633303138633566313034663636303066616136383433616433616562663231383736
+36316263386462353766373461636565323662356264376431313633353363646634623033616432
+30303435643564303236
diff --git a/kubespray b/kubespray
new file mode 160000
index 0000000..eeeca4a
--- /dev/null
+++ b/kubespray
@@ -0,0 +1 @@
+Subproject commit eeeca4a1d0334efebcf732d08bffc7e10240fc9c
diff --git a/roles/kubernetes/container-storage-interface/defaults/main.yml b/roles/kubernetes/container-storage-interface/defaults/main.yml
new file mode 100644
index 0000000..fb25202
--- /dev/null
+++ b/roles/kubernetes/container-storage-interface/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+k8s_csi__template: "hcloud-csi.v1.5.1.yaml.j2"
diff --git a/roles/kubernetes/container-storage-interface/tasks/main.yml b/roles/kubernetes/container-storage-interface/tasks/main.yml
new file mode 100644
index 0000000..d6ce68c
--- /dev/null
+++ b/roles/kubernetes/container-storage-interface/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+
+### tags:
+### csi
+
+- name: Create secret for Hetzner CSI
+ kubernetes.core.k8s:
+ definition:
+ api_version: v1
+ kind: Secret
+ metadata:
+ namespace: kube-system
+ name: hcloud-csi
+ label:
+ app: csi
+ provider: hcloud
+ type: Opaque
+ data:
+ token: "{{ hetzner_hcloud_csi_token | string | b64encode }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+ tags:
+ - csi
+
+- name: Applying CSI deployment
+ kubernetes.core.k8s:
+ state: present
+ definition: "{{ lookup('template', k8s_csi__template) }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+ tags:
+ - csi
diff --git a/roles/kubernetes/container-storage-interface/templates/hcloud-csi.v1.5.1.yaml.j2 b/roles/kubernetes/container-storage-interface/templates/hcloud-csi.v1.5.1.yaml.j2
new file mode 100644
index 0000000..0193768
--- /dev/null
+++ b/roles/kubernetes/container-storage-interface/templates/hcloud-csi.v1.5.1.yaml.j2
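Review bot: The `Create secret for Hetzner CSI` task carries no `no_log: true`, so the rendered definition — including the base64-encoded hcloud token under `data.token` — is part of the task result and ends up in playbook output under `-v` and in any logging callback or CI log; base64 is not encryption, and that token is the same credential the driver later uses against the Hetzner API. Add `no_log: true` next to `when:` on that task. Separately, `label:` under `metadata` is not a Secret field — the API field is `labels` — so `app: csi` / `provider: hcloud` are either rejected by server-side field validation or silently dropped depending on the API server version; rename it to `labels:`. Both tasks are gated on `inventory_hostname == groups['kube-master'][0]`, which is fine for a one-shot apply, but a play limited to other hosts skips the secret entirely, so a comment such as `# must run against the first control-plane node; the secret is created there only` above the first task would save the next operator a surprise.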
@@ -0,0 +1,341 @@ +--- +apiVersion: storage.k8s.io/v1beta1 +kind: CSIDriver +metadata: + name: csi.hetzner.cloud +spec: + attachRequired: true + podInfoOnMount: true + volumeLifecycleModes: + - Persistent +--- +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + namespace: kube-system + name: hcloud-volumes + annotations: + storageclass.kubernetes.io/is-default-class: "true" +provisioner: csi.hetzner.cloud +volumeBindingMode: WaitForFirstConsumer +allowVolumeExpansion: true +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: hcloud-csi + namespace: kube-system +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hcloud-csi +rules: + # attacher + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + # provisioner + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims", "persistentvolumeclaims/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + # node + - apiGroups: [""] + 
resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hcloud-csi +subjects: + - kind: ServiceAccount + name: hcloud-csi + namespace: kube-system +roleRef: + kind: ClusterRole + name: hcloud-csi + apiGroup: rbac.authorization.k8s.io +--- +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: hcloud-csi-controller + namespace: kube-system +spec: + selector: + matchLabels: + app: hcloud-csi-controller + serviceName: hcloud-csi-controller + replicas: 1 + template: + metadata: + labels: + app: hcloud-csi-controller + spec: + serviceAccount: hcloud-csi + containers: + - name: csi-attacher + image: quay.io/k8scsi/csi-attacher:v2.2.0 + args: + - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock + - --v=5 + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + - name: csi-resizer + image: quay.io/k8scsi/csi-resizer:v0.3.0 + args: + - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock + - --v=5 + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + - name: csi-provisioner + image: quay.io/k8scsi/csi-provisioner:v1.6.0 + args: + - --provisioner=csi.hetzner.cloud + - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock + - --feature-gates=Topology=true + - --v=5 + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + - name: hcloud-csi-driver + image: hetznercloud/hcloud-csi-driver:1.5.1 + imagePullPolicy: Always + env: + - name: CSI_ENDPOINT + value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock + - name: METRICS_ENDPOINT + 
value: 0.0.0.0:9189 + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: HCLOUD_TOKEN + valueFrom: + secretKeyRef: + name: hcloud-csi + key: token + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + ports: + - containerPort: 9189 + name: metrics + - name: healthz + containerPort: 9808 + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 2 + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + - name: liveness-probe + imagePullPolicy: Always + image: quay.io/k8scsi/livenessprobe:v1.1.0 + args: + - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + volumes: + - name: socket-dir + emptyDir: {} +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: hcloud-csi-node + namespace: kube-system + labels: + app: hcloud-csi +spec: + selector: + matchLabels: + app: hcloud-csi + template: + metadata: + labels: + app: hcloud-csi + spec: + tolerations: + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + serviceAccount: hcloud-csi + containers: + - name: csi-node-driver-registrar + image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0 + args: + - --v=5 + - --csi-address=/csi/csi.sock + - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/csi.sock + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + securityContext: + privileged: true + - name: hcloud-csi-driver + image: hetznercloud/hcloud-csi-driver:1.5.1 + imagePullPolicy: Always + env: + - name: CSI_ENDPOINT + value: 
unix:///csi/csi.sock + - name: METRICS_ENDPOINT + value: 0.0.0.0:9189 + - name: HCLOUD_TOKEN + valueFrom: + secretKeyRef: + name: hcloud-csi + key: token + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: kubelet-dir + mountPath: /var/lib/kubelet + mountPropagation: "Bidirectional" + - name: plugin-dir + mountPath: /csi + - name: device-dir + mountPath: /dev + securityContext: + privileged: true + ports: + - containerPort: 9189 + name: metrics + - name: healthz + containerPort: 9808 + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 2 + - name: liveness-probe + imagePullPolicy: Always + image: quay.io/k8scsi/livenessprobe:v1.1.0 + args: + - --csi-address=/csi/csi.sock + volumeMounts: + - mountPath: /csi + name: plugin-dir + volumes: + - name: kubelet-dir + hostPath: + path: /var/lib/kubelet + type: Directory + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.hetzner.cloud/ + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + - name: device-dir + hostPath: + path: /dev + type: Directory +--- +apiVersion: v1 +kind: Service +metadata: + name: hcloud-csi-controller-metrics + namespace: kube-system + labels: + app: hcloud-csi +spec: + selector: + app: hcloud-csi-controller + ports: + - port: 9189 + name: metrics + targetPort: metrics +--- +apiVersion: v1 +kind: Service +metadata: + name: hcloud-csi-node-metrics + namespace: kube-system + labels: + app: hcloud-csi +spec: + selector: + app: hcloud-csi + ports: + - port: 9189 + name: metrics + targetPort: metrics \ No newline at end of file
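Review bot: The `hcloud-csi` ClusterRole grants `get`/`list` on `secrets` at cluster scope with no `resourceNames`, so the single service account shared by every controller and node container can enumerate every Secret in the cluster; the driver reads its token from the `HCLOUD_TOKEN` env var rather than the API, and the `hcloud-volumes` StorageClass declares no secret parameters, so nothing in this manifest appears to need that rule — drop it, or, if StorageClass secret references are added later, grant it through a Role and RoleBinding in `kube-system` instead of a ClusterRole. In the same vein, the four controller StatefulSet containers (`csi-attacher`, `csi-resizer`, `csi-provisioner`, `hcloud-csi-driver`) run with `privileged: true`, `SYS_ADMIN` and `allowPrivilegeEscalation: true`, yet the only volume in that pod is the `socket-dir` emptyDir; unlike the node DaemonSet, which mounts `/dev` and `/var/lib/kubelet` with bidirectional propagation and genuinely needs it, the controller performs no mounting, so those three `securityContext` settings can be removed there (whether the images then run as non-root is not visible here and would need checking before adding `runAsNonRoot`). This may mirror what upstream shipped for 1.5.1, but the template is vendored into this repo, so this is the place to tighten it. Also, `CSIDriver` is declared as `storage.k8s.io/v1beta1`, which is removed in Kubernetes 1.22; whether that bites depends on the kubespray pin, which is not visible here, but `storage.k8s.io/v1` is available from 1.18 on.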