diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index 18ac8c18cc63ff27d8c453873f1cf917678c71a5..8b4271d6a76bd59280472668c4d125884384a3ae 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,31 +3,6 @@
   when: kube_network_plugin == 'canal'
   tags: [facts, canal]
 
-- name: Lay Down calico-policy-controller RBAC Template
-  template:
-    src: "{{item.file}}"
-    dest: "{{kube_config_dir}}/{{item.file}}"
-  with_items:
-    - {name: calico-policy-controller, file: calico-policy-controller-sa.yml, type: sa}
-    - {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
-    - {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
-  register: manifests
-  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-  tags: canal
-
-- name: Create calico-policy-controller RBAC Resources
-  kube:
-    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
-    kubectl: "{{bin_dir}}/kubectl"
-    resource: "{{item.item.type}}"
-    filename: "{{kube_config_dir}}/{{item.item.file}}"
-    state: "{{item.changed | ternary('latest','present') }}"
-  with_items: "{{ manifests.results }}"
-  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
-  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-  tags: canal
-
 - name: Write calico-policy-controller yaml
   template:
     src: calico-policy-controller.yml.j2
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
deleted file mode 100644
index 3b71b9001e46ea2a541d652d26cb5ca71efca866..0000000000000000000000000000000000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: calico-policy-controller
-  namespace: {{ system_namespace }}
-rules:
-  - apiGroups:
-    - ""
-    - extensions
-    resources:
-      - pods
-      - namespaces
-      - networkpolicies
-    verbs:
-      - watch
-      - list
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
deleted file mode 100644
index 535865f014a5922a8a9b1a4c4e1fe8a8c39b313c..0000000000000000000000000000000000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: calico-policy-controller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: calico-policy-controller
-subjects:
-- kind: ServiceAccount
-  name: calico-policy-controller
-  namespace: {{ system_namespace }}
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
deleted file mode 100644
index 388f129772e990e7fb41c674229b2da67af2a15f..0000000000000000000000000000000000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: calico-policy-controller
-  namespace: {{ system_namespace }}
-  labels:
-    kubernetes.io/cluster-service: "true"
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
index 9639fed82b04035b649b2e046c8a2a1d2c94abfa..322d3a37bd789d425b7b47d4bd5449cd3d13132a 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
@@ -60,6 +60,3 @@ spec:
       - hostPath:
           path: {{ calico_cert_dir }}
         name: etcd-certs
-{% if rbac_enabled %}
-      serviceAccountName: calico-policy-controller
-{% endif %}
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index ed827d27bbd0d3596c07b420de122f140fc7596f..db5fc1997c57d517716bfc78e473219ec1523122 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -118,5 +118,5 @@ enable_network_policy: false
 ## List of authorization modes that must be configured for
 ## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
 ## 'RBAC' modes are tested.
-authorization_modes: []
+authorization_modes: ['AlwaysAllow']
 rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
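Review bot: The new default `authorization_modes: ['AlwaysAllow']` means a cluster deployed with defaults authorizes every authenticated API request, and the comment above the variable does not say so. I would add a line such as `## 'AlwaysAllow' performs no authorization checks; override with ['RBAC'] where API access must be restricted.` directly above it. The same comment still lists 'RBAC' as a tested mode, yet the other hunks of this commit delete the calico-policy-controller and calico-node ClusterRole/ClusterRoleBinding templates and the `serviceAccountName` line. An inventory that sets `['RBAC']` would therefore presumably leave those components without the permissions they were granted before, so the comment should state whether RBAC with calico is still supported after this change.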
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index a67cb7fca75cdd5c626214749ba6ecec14dde9e9..38d3ad5db69a6cbac39a37fdd10e7d5468c22d53 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -195,28 +195,6 @@
   when: secret_changed|default(false) or etcd_secret_changed|default(false)
   notify: restart calico-node
 
-- name: Calico | Lay Down calico-node RBAC Template
-  template:
-    src: "{{item.file}}"
-    dest: "{{kube_config_dir}}/{{item.file}}"
-  with_items:
-    - {name: calico-node, file: calico-node-clusterrole.yml, type: clusterrole}
-    - {name: calico-node, file: calico-node-clusterrolebinding.yml, type: clusterrolebinding}
-  register: manifests
-  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-
-- name: Calico | Create calico-node RBAC Resources
-  kube:
-    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
-    kubectl: "{{bin_dir}}/kubectl"
-    resource: "{{item.item.type}}"
-    filename: "{{kube_config_dir}}/{{item.item.file}}"
-    state: "{{item.changed | ternary('latest','present') }}"
-  with_items: "{{ manifests.results }}"
-  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
-  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-
 - meta: flush_handlers
 
 - name: Calico | Enable calico-node
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
deleted file mode 100644
index b48c747355aceda2451d808dc5c3ed0a3d5aae32..0000000000000000000000000000000000000000
--- a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: calico-node
-  namespace: {{ system_namespace }}
-rules:
-  - apiGroups: [""]
-    resources:
-      - pods
-      - nodes
-    verbs:
-      - get
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
deleted file mode 100644
index cdbd1568577affcb849101434e3d610c12476ea7..0000000000000000000000000000000000000000
--- a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: calico-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: calico-node
-subjects:
-- kind: Group
-  name: system:nodes
-  namespace: kube-system