diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 00da94347d7..dbc0f239618 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -107,6 +107,7 @@ kube_apiserver_admission_control_config_file: false
 # cache_size:
 kube_apiserver_admission_event_rate_limits: {}
+## PodSecurityAdmission plugin configuration
 kube_pod_security_use_default: false
 kube_pod_security_default_enforce: baseline
 kube_pod_security_default_enforce_version: "{{ kube_major_version }}"
@@ -119,6 +120,16 @@ kube_pod_security_exemptions_runtime_class_names: []
 kube_pod_security_exemptions_namespaces:
 - kube-system
+## ResourceQuota plugin configuration
+## Resources that ResourceQuota should limit by default if no quota exists
+## Example below enforces quota on all storage classes
+# kube_resource_quota_limited_resources:
+# - apiGroup: ""
+# resource: persistentvolumeclaims
+# matchContains:
+# - .storageclass.storage.k8s.io/requests.storage
+kube_resource_quota_limited_resources: []
+
 # 1.10+ list of disabled admission plugins
 kube_apiserver_disable_admission_plugins: []
diff --git a/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2 b/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
new file mode 100644
index 00000000000..ceec2511fc1
--- /dev/null
+++ b/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
@@ -0,0 +1,8 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: ResourceQuotaConfiguration
+{% if kube_resource_quota_limited_resources | d(false) -%}
+limitedResources:
+{{ kube_resource_quota_limited_resources | to_nice_yaml(indent=2, sort_keys=false) }}
+{% else %}
+# No limitedResources configured. If limitedResources are required, please set kube_resource_quota_limited_resources.
+{%- endif %}
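Review bot: The comment above `kube_resource_quota_limited_resources` understates the effect of the setting: each limitedResources entry makes the ResourceQuota admission plugin reject requests for that resource in every namespace that has no ResourceQuota covering it, so enabling it before the quotas exist blocks those objects cluster-wide, kube-system included. I would state that deny-by-default behaviour explicitly, e.g. `## Requests for these resources are DENIED in any namespace without a ResourceQuota covering them` followed by `## (deny-by-default) - create the quotas before enabling this`. The indentation of the commented example is not recoverable in this view; if the keys under `# - apiGroup: ""` are not indented in the file, the example is not valid YAML once uncommented, which is worth checking since operators will copy it.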
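Review bot: The `{{ kube_resource_quota_limited_resources | to_nice_yaml(indent=2, sort_keys=false) }}` line relies on the variable being a list, so that the dumped items land at column 0 as a flush block sequence under `limitedResources:`; if an operator sets it to a mapping or a scalar, the rendered file is a malformed ResourceQuotaConfiguration, and kube-apiserver will, as far as I know, refuse to start on an invalid admission configuration, so the mistake surfaces late as a control-plane outage rather than as a failed play. Presumably nothing in the role validates the shape before templating (not visible in this diff); an `assert` task checking that the variable `is not mapping and is not string` before this template is rendered would fail early instead. A short header comment naming the consumer would also help the next reader, e.g. `{# Rendered into the kube-apiserver admission-control config file as the ResourceQuota plugin's configuration #}`.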
diff --git a/roles/kubernetes/control-plane/vars/main.yaml b/roles/kubernetes/control-plane/vars/main.yaml
index 3775d253a7c..263ee0b4569 100644
--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@@ -6,3 +6,4 @@ kube_apiserver_admission_plugins_needs_configuration:
 - ImagePolicyWebhook
 - PodSecurity
 - PodNodeSelector
+- ResourceQuota
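Review bot: Listing ResourceQuota here presumably makes the role emit a ResourceQuota stanza in the admission configuration whenever the plugin is in the enabled list; how this list is consumed is outside the diff, but since kube-apiserver enables ResourceQuota by default that will apply to most clusters, and with the default empty `kube_resource_quota_limited_resources` the emitted stanza changes nothing. A trailing comment saying so, e.g. `- ResourceQuota  # no effect unless kube_resource_quota_limited_resources is set`, would save the next reader the lookup into the template.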