diff --git a/charts/kubeadm/.helmignore b/charts/kubeadm/.helmignore
new file mode 100644
index 0000000..0b1f83c
--- /dev/null
+++ b/charts/kubeadm/.helmignore
@@ -0,0 +1,2 @@
+*.sh
+*.md
diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml
index 3562382..b46b7d0 100644
--- a/charts/kubeadm/Chart.yaml
+++ b/charts/kubeadm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm golden config
 type: application
-version: 1.19.9
+version: 1.20.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubeadm/templates/README.md b/charts/kubeadm/templates/README.md
new file mode 100644
index 0000000..afb2413
--- /dev/null
+++ b/charts/kubeadm/templates/README.md
@@ -0,0 +1,2 @@
+# aws-iam-authenticator
+- https://github.com/kubernetes-sigs/aws-iam-authenticator
diff --git a/charts/kubeadm/templates/k8s-ecr-login-renew/README.md b/charts/kubeadm/templates/k8s-ecr-login-renew/README.md
new file mode 100644
index 0000000..41b8bfc
--- /dev/null
+++ b/charts/kubeadm/templates/k8s-ecr-login-renew/README.md
@@ -0,0 +1,8 @@
+# Create IAM role for ECR read-only access
+- Attach managed policy: `AmazonEC2ContainerRegistryReadOnly`
+
+# Create secret for IAM user for ecr-renew
+`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION= --from-literal=AWS_ACCESS_KEY_ID= --from-literal=AWS_SECRET_ACCESS_KEY=
+
+# Resources
+- https://github.com/nabsul/k8s-ecr-login-renew
diff --git a/charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml b/charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml
new file mode 100644
index 0000000..5d4d041
--- /dev/null
+++ b/charts/kubeadm/templates/k8s-ecr-login-renew/cronjob.yaml
@@ -0,0 +1,40 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ namespace: kube-system
+ name: ecr-renew
+ labels:
+ app: ecr-renew
+spec:
+ schedule: "0 */6 * * *"
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 5
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: ecr-renew
+ containers:
+ - name: ecr-renew
+ image: nabsul/k8s-ecr-login-renew:v1.4
+ env:
+ - name: DOCKER_SECRET_NAME
+ value: ecr-login
+ - name: TARGET_NAMESPACE
+ value: "*"
+ - name: AWS_REGION
+ valueFrom:
+ secretKeyRef:
+ name: ecr-renew-cred
+ key: AWS_REGION
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: ecr-renew-cred
+ key: AWS_ACCESS_KEY_ID
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ecr-renew-cred
+ key: AWS_SECRET_ACCESS_KEY
diff --git a/charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml b/charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml
new file mode 100644
index 0000000..0591ebc
--- /dev/null
+++ b/charts/kubeadm/templates/k8s-ecr-login-renew/service-account.yml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: kube-system
+ name: ecr-renew
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ecr-renew
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "update", "get", "delete"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ namespace: kube-system
+ name: ecr-renew
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ecr-renew
+subjects:
+ - kind: ServiceAccount
+ name: ecr-renew
+ namespace: kube-system
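Review bot: The `ecr-renew` container receives long-lived AWS keys from `ecr-renew-cred` through env vars but declares no `securityContext` and no `resources`, and it pulls the mutable Docker Hub tag `nabsul/k8s-ecr-login-renew:v1.4`, so a re-pushed tag or a break-out from this pod hands over the ECR credentials plus whatever its service account is allowed to touch. Harden the container as in the excerpt and pin the image by digest; `runAsNonRoot: true` only works if the image already runs as a non-root user, which this hunk does not show, so confirm that first. `TARGET_NAMESPACE: "*"` also replicates the registry credential into every namespace, and if the tool accepts a namespace list it should be restricted to the namespaces that actually pull from ECR. Since the nodes already carry `WorkerNodeRole` (values.yaml), check whether an instance or pod IAM role can replace the static keys, which would also remove the secret-creation step from the README. `batch/v1beta1` is the CronJob API available on 1.20 but it is removed in 1.25, so note the move to `batch/v1` for the next chart bump.
```yaml
      containers:
        - name: ecr-renew
          # pin by digest once verified: nabsul/k8s-ecr-login-renew@sha256:<IMAGE_DIGEST>
          image: nabsul/k8s-ecr-login-renew:v1.4
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # constructed starting values; size from observed usage
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              memory: 64Mi
          # … unchanged: env block (DOCKER_SECRET_NAME, TARGET_NAMESPACE, AWS_* from ecr-renew-cred) …
```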
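Review bot: The ClusterRole grants the `ecr-renew` service account `get`, `update` and `delete` on every Secret in every namespace, although the CronJob only manages the one secret named by `DOCKER_SECRET_NAME` (`ecr-login`), so a compromise of that pod can read or replace any Secret in the cluster by name. `create` cannot be narrowed with `resourceNames`, but the other three verbs can, so split the secrets rule as in the excerpt and keep the two files in step. The `metadata.namespace: kube-system` on the ClusterRoleBinding has no meaning for a cluster-scoped object and is best dropped. The hunk does not show whether the tool also relies on `list` or `watch`; it is not granted either today, so tightening as below should not change what works.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ecr-login"]  # must equal DOCKER_SECRET_NAME in cronjob.yaml
    verbs: ["get", "update", "delete"]
  # … unchanged: namespaces get/list rule …
```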
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml b/charts/kubeadm/templates/resources/00-aws-iam-authenticator-crds.yaml
similarity index 100%
rename from charts/kubeadm/templates/aws-iam-authenticator/crds.yaml
rename to charts/kubeadm/templates/resources/00-aws-iam-authenticator-crds.yaml
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml b/charts/kubeadm/templates/resources/01-aws-iam-authenticator-deployment.yaml
similarity index 100%
rename from charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml
rename to charts/kubeadm/templates/resources/01-aws-iam-authenticator-deployment.yaml
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml b/charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml
similarity index 100%
rename from charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml
rename to charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml
diff --git a/charts/kubeadm/templates/resources/10-runtimeClass.yaml b/charts/kubeadm/templates/resources/10-runtimeClass.yaml
new file mode 100644
index 0000000..ed979d2
--- /dev/null
+++ b/charts/kubeadm/templates/resources/10-runtimeClass.yaml
@@ -0,0 +1,8 @@
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+ name: crio
+handler: runc
+overhead:
+ podFixed:
+ memory: 16Mi
diff --git a/charts/kubeadm/values.yaml b/charts/kubeadm/values.yaml
index 6798ff8..6260a55 100644
--- a/charts/kubeadm/values.yaml
+++ b/charts/kubeadm/values.yaml
@@ -13,5 +13,4 @@ systemd: true protectKernelDefaults: true WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode" -WorkerIamRole: "arn:aws:iam::000000000000:role/KubernetesNode" KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"
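Review bot: The `handler: runc` and `overhead.podFixed.memory: 16Mi` values in 10-runtimeClass.yaml carry no explanation, so a reader cannot tell whether 16Mi was measured or guessed, nor that the handler name has to correspond to a runtime handler configured in CRI-O on every node (presumably a `[crio.runtime.runtimes.runc]` table; confirm against the node config). Add a comment above `handler:` such as `# must match a runtime handler name configured in CRI-O on all nodes` and above `overhead:` such as `# sandbox overhead added to every pod using this class for scheduling and quota; 16Mi chosen because <reason>`. Pods that do not set `runtimeClassName: crio` are unaffected by this object, which is worth stating in the same comment if the intent is to apply the overhead cluster-wide.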