diff --git a/cesnet-mcc/inventory/99-all.yaml b/cesnet-mcc/inventory/99-all.yaml
index 9c872de0c3522f6866d30d808e4224b11975c159..00b379892d71aa38aa17478a73803cd83ea8b631 100644
--- a/cesnet-mcc/inventory/99-all.yaml
+++ b/cesnet-mcc/inventory/99-all.yaml
@@ -15,3 +15,23 @@ all:
 
     gateway_hostname: gateway-cesnet.eosc.zcu.cz
     grafana_hostname: grafana-cesnet.eosc.zcu.cz
+    kubeapi_hostname: kubeapi-cesnet.eosc.zcu.cz
+
+    #
+    # When Kubernetes API needs to be exposed, for example:
+    #
+    # pod="$(kubectl get pod -n kube-system -l component=kube-apiserver -oname)"
+    # kubectl -n kube-system expose "$pod" --name=apiserver --port 6443 --external-ip=INGRESS_LOCAL_IP
+    #
+    kube_public_dns_name: "{{ kubeapi_hostname | default ('') }}"
+
+    # hack to add public IP to certSANs in API server in grycap.kubernetes
+    IM_NODE_PUBLIC_IP: "{{ groups['fip'][0] }}"
+
+    #
+    # Alternativelly, steps for manual update of the API server certificate:
+    #
+    # rm -fv /etc/kubernetes/pki/apiserver.*
+    # kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=10.96.0.1,MASTER_LOCAL_IP,KUBEAPI_HOSTNAME
+    # service kubelet restart
+    #