diff --git a/README.rst b/README.rst
index 30a4ba0..7881d27 100644
--- a/README.rst
+++ b/README.rst
@@ -30,6 +30,8 @@ Applications & Projects
 +------------------------------+----------------------------------------------------------------+-------------------------+
 | Ingress-Nginx_               | `Ingress Controller`_                                          | |ingress-nginx_status|  |
 +------------------------------+----------------------------------------------------------------+-------------------------+
+| Kube-Api_                    | Kube API exposed via ingress                                   | |kube-api_status|       |
++------------------------------+----------------------------------------------------------------+-------------------------+
 | Kube-State-Metrics_          | `Kubernetes Metrics`_                                          | |ksm_status|            |
 +------------------------------+----------------------------------------------------------------+-------------------------+
 | Local-Path-Provisioner_      | `Rancher Local-Path`_                                          | |local-path_status|     |
@@ -78,6 +80,9 @@ Applications & Projects
 .. _Kubernetes Metrics: https://github.com/kubernetes/kube-state-metrics
 .. |ksm_status| image:: https://argocd.ioot.xyz/api/badge?name=kube-state-metrics&revision=true
 
+.. _Kube-Api: https://argocd.ioot.xyz/applications/argocd/kube-api
+.. |kube-api_status| image:: https://argocd.ioot.xyz/api/badge?name=kube-api&revision=true
+
 .. _Grafana-Operator: https://argocd.ioot.xyz/applications/argocd/grafana-operator
 .. _Grafana Operator: https://github.com/grafana-operator/grafana-operator
 .. |grafana-op_status| image:: https://argocd.ioot.xyz/api/badge?name=grafana-operator&revision=true
diff --git a/state/gullfaxi/system/kube-api/application.yaml b/state/gullfaxi/system/kube-api/application.yaml
new file mode 100644
index 0000000..7adb49f
--- /dev/null
+++ b/state/gullfaxi/system/kube-api/application.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-api
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  project: system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    repoURL: git@github.com:amkartashov/gf-k8s.git
+    targetRevision: main
+    path: state/gullfaxi/system/kube-api/manifests
+
diff --git a/state/gullfaxi/system/kube-api/manifests/ingress.yaml b/state/gullfaxi/system/kube-api/manifests/ingress.yaml
new file mode 100644
index 0000000..97e2be8
--- /dev/null
+++ b/state/gullfaxi/system/kube-api/manifests/ingress.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kubernetes
+  namespace: default
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: kubernetes.default.svc.cluster.local
+      http:
+        paths:
+        - pathType: ImplementationSpecific
+          backend:
+            service:
+              name: kubernetes
+              port: 
+                number: 443
\ No newline at end of file
diff --git a/state/gullfaxi/system/kube-api/readme.md b/state/gullfaxi/system/kube-api/readme.md
new file mode 100644
index 0000000..66b0394
--- /dev/null
+++ b/state/gullfaxi/system/kube-api/readme.md
@@ -0,0 +1,12 @@
+# access kube api via ingress
+
+Take kubeconfig generated by kubeadm, replace `server` with external address of ingress controller and add  `tls-server-name: kubernetes.default.svc.cluster.local`.
+
+```yaml
+- cluster:
+    certificate-authority-data: ...
+    #server: https://192.168.1.8:6443
+    server: https://ioot.xyz
+    tls-server-name: kubernetes.default.svc.cluster.local
+  name: gullfaxi
+```