diff --git a/cmd/ks-network/main.go b/cmd/ks-network/main.go index 236c316cd8b8991fc93cb7ff13b443e83f5f18c0..cc2e74f2bfef15b96c8c2a29e9f7efdabdf9c603 100644 --- a/cmd/ks-network/main.go +++ b/cmd/ks-network/main.go 
@@ -2,64 +2,23 @@ package main import ( "flag" - "time" - "github.com/projectcalico/libcalico-go/lib/apiconfig" - "github.com/projectcalico/libcalico-go/lib/clientv3" - "k8s.io/client-go/kubernetes" - "k8s.io/client-go/rest" "k8s.io/klog" - "kubesphere.io/kubesphere/pkg/client/clientset/versioned" - ksinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions" - "kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy" - "kubesphere.io/kubesphere/pkg/controller/network/provider" + "kubesphere.io/kubesphere/pkg/controller/network/runoption" ) -const ( - certPath = "/calicocerts" -) - -var npProviderFlag string +var opt runoption.RunOption func init() { - flag.StringVar(&npProviderFlag, "np-provider", "calico", "specify the network policy provider, k8s or calico") + flag.StringVar(&opt.ProviderName, "np-provider", "calico", "specify the network policy provider, k8s or calico") + flag.BoolVar(&opt.AllowInsecureEtcd, "allow-insecure-etcd", false, "specify allow connect to etcd using insecure http") + //TODO add more flags } + func main() { klog.InitFlags(nil) flag.Set("logtostderr", "true") flag.Parse() klog.V(1).Info("Preparing kubernetes client") - config, err := rest.InClusterConfig() - if err != nil { - panic(err.Error()) - } - // creates the clientset - k8sClientset := kubernetes.NewForConfigOrDie(config) - ksClientset := versioned.NewForConfigOrDie(config) - informer := ksinformer.NewSharedInformerFactory(ksClientset, time.Minute*10) - klog.V(1).Info("Kubernetes client initialized successfully") - var npProvider provider.NsNetworkPolicyProvider - if npProviderFlag == "calico" { - klog.V(1).Info("Preparing calico client") - config := apiconfig.NewCalicoAPIConfig() - config.Spec.EtcdEndpoints = "https://127.0.0.1:2379" - config.Spec.EtcdKeyFile = certPath + "/etcd-key" - config.Spec.EtcdCertFile = certPath + "/etcd-cert" - config.Spec.EtcdCACertFile = certPath + "/etcd-ca" - config.Spec.DatastoreType = apiconfig.EtcdV3 - client, err := 
clientv3.New(*config) - if err != nil { - klog.Fatal("Failed to initialize calico client", err) - } - npProvider = provider.NewCalicoNetworkProvider(client.NetworkPolicies()) - klog.V(1).Info("Calico client initialized successfully") - } - //TODO: support no-calico cni - c := nsnetworkpolicy.NewController(k8sClientset, ksClientset, informer.Network().V1alpha1().NamespaceNetworkPolicies(), npProvider) - stop := make(chan struct{}) - klog.V(1).Infof("Starting controller") - go informer.Network().V1alpha1().NamespaceNetworkPolicies().Informer().Run(stop) - if err := c.Run(1, stop); err != nil { - klog.Fatal(err) - } + klog.Fatal(opt.Run()) } diff --git a/go.sum b/go.sum index 4fb917f7d11ff301eeefd30eb2a11f08538b6d47..cb4b71993c1398239c35c0ed32657e2f7df9688f 100644 --- a/go.sum +++ b/go.sum @@ -439,6 +439,7 @@ golang.org/x/net v0.0.0-20190328230028-74de082e2cca/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980 h1:dfGZHvZk057jK2MCeWus/TowKpJ8y4AmooUzdBSR9GU= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= diff --git a/pkg/controller/network/runoption/option.go b/pkg/controller/network/runoption/option.go new file mode 100644 index 0000000000000000000000000000000000000000..1ec3b5e4ec74ea819b37fc1c8c9cbb7d2fabc2ef --- /dev/null +++ b/pkg/controller/network/runoption/option.go 
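Review bot: `init()` registers flags only for `ProviderName` and `AllowInsecureEtcd`, so `opt.EtcdEndpoints` and `opt.DataStoreType` keep their zero values. The default calico path therefore sets `config.Spec.EtcdEndpoints` to an empty string, where the removed code pinned `https://127.0.0.1:2379`. Until the `//TODO add more flags` is resolved, I would add `flag.StringVar(&opt.EtcdEndpoints, "etcd-endpoints", "https://127.0.0.1:2379", "comma separated etcd endpoints used by the calico client")` so the TLS default survives the refactor. The help text of `allow-insecure-etcd` should also state that it stops the client from loading the key, certificate and CA files under `/calicocerts`. Separately, `klog.Fatal(opt.Run())` logs fatally even when `Run` returns nil; `if err := opt.Run(); err != nil { klog.Fatal(err) }` keeps a clean stop from looking like a crash.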
@@ -0,0 +1,82 @@
+package runoption
+
+import (
+ "time"
+
+ "github.com/projectcalico/libcalico-go/lib/apiconfig"
+ "github.com/projectcalico/libcalico-go/lib/clientv3"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
+ "k8s.io/klog"
+ "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
+ ksinformer "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
+ "kubesphere.io/kubesphere/pkg/controller/network/nsnetworkpolicy"
+ "kubesphere.io/kubesphere/pkg/controller/network/provider"
+)
+
+type CalicoDataStoreType string
+
+const (
+ certPath = "/calicocerts"
+
+ KubernetesDataStore CalicoDataStoreType = "k8s"
+ EtcdDataStore CalicoDataStoreType = "etcd"
+)
+
+type RunOption struct {
+ ProviderName string
+ DataStoreType CalicoDataStoreType
+ EtcdEndpoints string
+ AllowInsecureEtcd bool
+}
+
+func (r RunOption) Run() error {
+ klog.V(1).Info("Check config")
+ if err := r.check(); err != nil {
+ return err
+ }
+ klog.V(1).Info("Preparing kubernetes client")
+ config, err := rest.InClusterConfig()
+ if err != nil {
+ panic(err.Error())
+ }
+ // creates the clientset
+ k8sClientset := kubernetes.NewForConfigOrDie(config)
+ ksClientset := versioned.NewForConfigOrDie(config)
+ informer := ksinformer.NewSharedInformerFactory(ksClientset, time.Minute*10)
+ klog.V(1).Info("Kubernetes client initialized successfully")
+ var npProvider provider.NsNetworkPolicyProvider
+
+ if r.ProviderName == "calico" {
+ klog.V(1).Info("Preparing calico client")
+ config := apiconfig.NewCalicoAPIConfig()
+ config.Spec.EtcdEndpoints = r.EtcdEndpoints
+ if !r.AllowInsecureEtcd {
+ config.Spec.EtcdKeyFile = certPath + "/etcd-key"
+ config.Spec.EtcdCertFile = certPath + "/etcd-cert"
+ config.Spec.EtcdCACertFile = certPath + "/etcd-ca"
+ }
+ if r.DataStoreType == KubernetesDataStore {
+ config.Spec.DatastoreType = apiconfig.Kubernetes
+ } else {
+ config.Spec.DatastoreType = apiconfig.EtcdV3
+ }
+ client, err := clientv3.New(*config)
+ if err != nil {
+ klog.Fatal("Failed to initialize calico client", err)
+ }
+ npProvider = provider.NewCalicoNetworkProvider(client.NetworkPolicies())
+ klog.V(1).Info("Calico client initialized successfully")
+ }
+
+ //TODO: support no-calico cni
+ c := nsnetworkpolicy.NewController(k8sClientset, ksClientset, informer.Network().V1alpha1().NamespaceNetworkPolicies(), npProvider)
+ stop := make(chan struct{})
+ klog.V(1).Infof("Starting controller")
+ go informer.Network().V1alpha1().NamespaceNetworkPolicies().Informer().Run(stop)
+ return c.Run(1, stop)
+}
+
+func (r RunOption) check() error {
+ return nil
+}
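Review bot: `check()` at the end of the hunk returns nil unconditionally, so nothing ties `AllowInsecureEtcd` to the endpoint that is actually used. With the flag off, an empty or `http://` value in `EtcdEndpoints` is still handed to `clientv3.New`; the certificate paths are set, but a plaintext endpoint presumably never uses them. I would have `check()` reject an empty endpoint list for the etcd datastore, and any non-https endpoint unless the insecure flag is set, as in the excerpt below (it needs `errors`, `fmt` and `strings` in the import block). Separately, `Run` returns `error` yet still calls `panic(err.Error())` and `klog.Fatal(...)` on client setup failures; returning the error would leave the exit decision to `main`.

```go
func (r RunOption) check() error {
	// Only the calico provider with the etcd datastore talks to etcd directly.
	if r.ProviderName != "calico" || r.DataStoreType == KubernetesDataStore {
		return nil
	}
	if r.EtcdEndpoints == "" {
		return errors.New("etcd endpoints must be set for the calico etcd datastore")
	}
	// Endpoints are assumed to be a comma separated list; confirm against libcalico-go.
	for _, ep := range strings.Split(r.EtcdEndpoints, ",") {
		if !r.AllowInsecureEtcd && !strings.HasPrefix(strings.TrimSpace(ep), "https://") {
			return fmt.Errorf("etcd endpoint %q is not https; set allow-insecure-etcd to permit it", ep)
		}
	}
	return nil
}
```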