diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go
index d077d4faf2..d4c65e4b31 100644
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@@ -23,7 +23,11 @@ type Server struct {
 ExtraSchedulerArgs cli.StringSlice
 ExtraControllerArgs cli.StringSlice
 Rootless bool
+ StorageBackend string
 StorageEndpoint string
+ StorageCAFile string
+ StorageCertFile string
+ StorageKeyFile string
 }
 var ServerConfig Server
@@ -138,12 +142,36 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 Usage: "(experimental) Run rootless",
 Destination: &ServerConfig.Rootless,
 },
+ cli.StringFlag{
+ Name: "storage-backend",
+ Usage: "Specify storage type etcd3 or kvsql",
+ Destination: &ServerConfig.StorageBackend,
+ EnvVar: "K3S_STORAGE_BACKEND",
+ },
 cli.StringFlag{
 Name: "storage-endpoint",
- Usage: "Specify Mysql, Postgres, or Sqlite (default) data source name",
+ Usage: "Specify etcd, Mysql, Postgres, or Sqlite (default) data source name",
 Destination: &ServerConfig.StorageEndpoint,
 EnvVar: "K3S_STORAGE_ENDPOINT",
 },
+ cli.StringFlag{
+ Name: "storage-cafile",
+ Usage: "SSL Certificate Authority file used to secure storage backend communication",
+ Destination: &ServerConfig.StorageCAFile,
+ EnvVar: "K3S_STORAGE_CAFILE",
+ },
+ cli.StringFlag{
+ Name: "storage-certfile",
+ Usage: "SSL certification file used to secure storage backend communication",
+ Destination: &ServerConfig.StorageCertFile,
+ EnvVar: "K3S_STORAGE_CERTFILE",
+ },
+ cli.StringFlag{
+ Name: "storage-keyfile",
+ Usage: "SSL key file used to secure storage backend communication",
+ Destination: &ServerConfig.StorageKeyFile,
+ EnvVar: "K3S_STORAGE_KEYFILE",
+ },
 NodeIPFlag,
 NodeNameFlag,
 DockerFlag,
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index 472e584eca..66a8a93938 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
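Review bot: In pkg/cli/cmds/server.go the usage text of the three new TLS flags does not tell an operator what each file is: `storage-certfile` reads "SSL certification file", which presumably means the client certificate, and nothing says that the certificate and key form a pair that has to be supplied together. I would word them as `Usage: "TLS client certificate file used to authenticate to the storage backend"` and `Usage: "TLS client key file matching --storage-certfile"`, and describe `storage-cafile` as the CA bundle used to verify the backend's server certificate. The `storage-backend` usage names etcd3 and kvsql, but nothing visible in this hunk rejects any other value, so a typo is only caught further down the stack, if at all. The flag list belongs to NewServerCommand, whose body starts and ends outside the hunk.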
@@ -109,6 +109,10 @@ func run(app *cli.Context, cfg *cmds.Server) error {
 serverConfig.ControlConfig.ExtraSchedulerAPIArgs = cfg.ExtraSchedulerArgs
 serverConfig.ControlConfig.ClusterDomain = cfg.ClusterDomain
 serverConfig.ControlConfig.StorageEndpoint = cfg.StorageEndpoint
+ serverConfig.ControlConfig.StorageBackend = cfg.StorageBackend
+ serverConfig.ControlConfig.StorageCAFile = cfg.StorageCAFile
+ serverConfig.ControlConfig.StorageCertFile = cfg.StorageCertFile
+ serverConfig.ControlConfig.StorageKeyFile = cfg.StorageKeyFile
 _, serverConfig.ControlConfig.ClusterIPRange, err = net2.ParseCIDR(cfg.ClusterCIDR)
 if err != nil {
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index 7f74e3c770..92fc1641b4 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -72,7 +72,11 @@ type Control struct {
 KubeConfigMode string
 DataDir string
 Skips []string
+ StorageBackend string
 StorageEndpoint string
+ StorageCAFile string
+ StorageCertFile string
+ StorageKeyFile string
 NoScheduler bool
 ExtraAPIArgs []string
 ExtraControllerArgs []string
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index 3138790510..c9cedc834b 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -146,6 +146,8 @@ func scheduler(cfg *config.Control, runtime *config.ControlRuntime) {
 func apiServer(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) (authenticator.Request, http.Handler, error) {
 argsMap := make(map[string]string)
+
+ setupStorageBackend(argsMap, cfg)
 if len(cfg.StorageEndpoint) > 0 {
 argsMap["etcd-servers"] = cfg.StorageEndpoint
 }
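Review bot: In pkg/daemons/control/server.go the `if len(cfg.StorageEndpoint) > 0 { argsMap["etcd-servers"] = cfg.StorageEndpoint }` block left in place after the new `setupStorageBackend(argsMap, cfg)` call is now redundant, because the helper added at the end of this file sets the same key from the same field. Keeping both means a later change to endpoint handling has to be made in two places and can drift; I would delete those three context lines and leave the assignment only in the helper. apiServer's body continues outside the hunk.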
@@ -599,3 +601,24 @@ func kubeConfig(dest, url, cert, user, password string) error {
 return kubeconfigTemplate.Execute(output, &data)
 }
+
+ func setupStorageBackend(argsMap map[string]string, cfg *config.Control) {
+ // setup the storage backend
+ if len(cfg.StorageBackend) > 0 {
+ argsMap["storage-backend"] = cfg.StorageBackend
+ }
+ // specify the endpoints
+ if len(cfg.StorageEndpoint) > 0 {
+ argsMap["etcd-servers"] = cfg.StorageEndpoint
+ }
+ // storage backend tls configuration
+ if len(cfg.StorageCAFile) > 0 {
+ argsMap["etcd-cafile"] = cfg.StorageCAFile
+ }
+ if len(cfg.StorageCertFile) > 0 {
+ argsMap["etcd-certfile"] = cfg.StorageCertFile
+ }
+ if len(cfg.StorageKeyFile) > 0 {
+ argsMap["etcd-keyfile"] = cfg.StorageKeyFile
+ }
+}
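Review bot: setupStorageBackend passes `etcd-certfile` and `etcd-keyfile` through independently, so a certificate without its key (or the reverse) is accepted here and presumably only fails later, inside the API server's storage client, with a less direct error. The helper also accepts an endpoint with no CA, certificate or key at all; whether that yields an unencrypted connection to a remote backend depends on the endpoint scheme, which is not visible here, so the function should at least carry a doc comment stating that TLS is only configured when these files are given. I would have the helper return an error and check the pair before filling argsMap, with the call in apiServer becoming `if err := setupStorageBackend(argsMap, cfg); err != nil { return nil, nil, err }`. The sketch below shows only the changed lines.

```go
func setupStorageBackend(argsMap map[string]string, cfg *config.Control) error {
	// A client certificate is unusable without its key, and vice versa.
	if (len(cfg.StorageCertFile) > 0) != (len(cfg.StorageKeyFile) > 0) {
		return errors.New("storage-certfile and storage-keyfile must be set together")
	}
	// … unchanged: storage-backend, etcd-servers, etcd-cafile, etcd-certfile, etcd-keyfile …
	return nil
}
```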