diff --git a/oracle/init/account.tf b/oracle/init/account.tf
index fcd78ad..a9c76fd 100644
--- a/oracle/init/account.tf
+++ b/oracle/init/account.tf
@@ -56,5 +56,5 @@ resource "oci_identity_dynamic_group" "ccm" {
 compartment_id = var.tenancy_ocid
 name = "oci-ccm"
 description = "dynamic group created by terraform for oci-cloud-controller-manager"
- matching_rule = "ANY {instance.compartment.id = '${oci_identity_compartment.project.id}'}"
+ matching_rule = "ALL {instance.compartment.id = '${oci_identity_compartment.project.id}', tag.Kubernetes.Role.value = 'contolplane'}"
 }
diff --git a/oracle/templates/controlplane.yaml.tpl b/oracle/templates/controlplane.yaml.tpl
index 521896a..5c59c70 100644
--- a/oracle/templates/controlplane.yaml.tpl
+++ b/oracle/templates/controlplane.yaml.tpl
@@ -72,5 +72,6 @@ cluster:
 enabled: true
 manifests:
 - https://raw.githubusercontent.com/sergelogvinov/terraform-talos/main/oracle/deployments/oci-cloud-controller-manager.yaml
+ - https://raw.githubusercontent.com/sergelogvinov/terraform-talos/main/oracle/deployments/kubelet-serving-cert-approver.yaml
 - https://raw.githubusercontent.com/sergelogvinov/terraform-talos/main/oracle/deployments/metrics-server.yaml
 - https://raw.githubusercontent.com/sergelogvinov/terraform-talos/main/oracle/deployments/local-path-storage.yaml
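Review bot: In oracle/init/account.tf the new `matching_rule` compares the tag against `'contolplane'`, which looks like a misspelling of `controlplane`. The instance tagging is not visible in this diff, but if the control-plane instances carry `Kubernetes.Role = controlplane`, the `ALL {...}` rule matches no instance and the cloud-controller-manager loses the identity this dynamic group grants. In that case the condition should read `tag.Kubernetes.Role.value = 'controlplane'`, ideally taken from the same local or variable that tags the instances so the two cannot drift. Since group membership now depends on a tag, it is also worth confirming that only trusted principals may apply the `Kubernetes` tag namespace in this compartment. The resource block begins above the hunk.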
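Review bot: In oracle/templates/controlplane.yaml.tpl the added `kubelet-serving-cert-approver.yaml` URL points at the mutable `main` branch, so the content applied at bootstrap can change without any change to this template. That matters more for this manifest than for its neighbours, because the component it deploys approves kubelet serving certificate requests. Pinning to an immutable ref would make the applied content reviewable, e.g. `- https://raw.githubusercontent.com/sergelogvinov/terraform-talos/<commit-sha>/oracle/deployments/kubelet-serving-cert-approver.yaml` (placeholder SHA). The existing entries follow the same pattern and would benefit from the same pin. The `manifests:` list starts above the hunk.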