diff --git a/docs/proxy.md b/docs/proxy.md
index 867b90f4d0f64ac35d6aaf0c7ddff840b8de30bb..cb8472d76b55fef854a8617e6fc5d54f10a802f1 100644
--- a/docs/proxy.md
+++ b/docs/proxy.md
@@ -14,3 +14,10 @@ If you set http and https proxy, all nodes and loadbalancer will be excluded fro
 ## Set additional addresses to default no_proxy (all cluster nodes and loadbalancer)
 
 `additional_no_proxy: "aditional_host,"`
+
+## Exclude workers from no_proxy
+
+Since workers are included in the no_proxy variable, by default, docker engine will be restarted on all nodes (all
+pods will restart) when adding or removing workers.  To override this behaviour by only including master nodes in the
+no_proxy variable, set:
+`no_proxy_exclude_workers: true`
diff --git a/docs/vars.md b/docs/vars.md
index 710695e2bf82f0e77dc4d7a1fcf76c477c59a358..598fd4d7a129e752d1a81177c319eecda80b31b0 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -109,7 +109,7 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
 * *docker_plugins* - This list can be used to define [Docker plugins](https://docs.docker.com/engine/extend/) to install.
 * *containerd_config* - Controls some parameters in containerd configuration file (usually /etc/containerd/config.toml).
   [Default config](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/container-engine/containerd/defaults/main.yml) can be overriden in inventory vars.
-* *http_proxy/https_proxy/no_proxy* - Proxy variables for deploying behind a
+* *http_proxy/https_proxy/no_proxy/no_proxy_exclude_workers/additional_no_proxy* - Proxy variables for deploying behind a
   proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
   that correspond to each node.
 * *kubelet_deployment_type* - Controls which platform to deploy kubelet on.
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index f3b7042d3852b769eb2972ce3042a5d935f73274..aa517a903c94271b595e99cca3a997d71e430f9a 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -68,6 +68,11 @@ loadbalancer_apiserver_healthcheck_port: 8081
 ## If you need exclude all cluster nodes from proxy and other resources, add other resources here.
 # additional_no_proxy: ""
 
+## Since workers are included in the no_proxy variable by default, docker engine will be restarted on all nodes (all
+## pods will restart) when adding or removing workers.  To override this behaviour by only including master nodes in the
+## no_proxy variable, set below to true:
+no_proxy_exclude_workers: false
+
 ## Certificate Management
 ## This setting determines whether certs are generated via scripts.
 ## Chose 'none' if you provide your own certificates.
diff --git a/roles/kubespray-defaults/tasks/no_proxy.yml b/roles/kubespray-defaults/tasks/no_proxy.yml
old mode 100644
new mode 100755
index 01c6e9ddf2e1e318993402293202d83b54fd9f6e..07098c674a3d911be3a1e903a563531ffa4bb399
--- a/roles/kubespray-defaults/tasks/no_proxy.yml
+++ b/roles/kubespray-defaults/tasks/no_proxy.yml
@@ -1,33 +1,38 @@
----
-- name: Set no_proxy to all assigned cluster IPs and hostnames
-  set_fact:
-    no_proxy_prepare: >-
-      {%- if loadbalancer_apiserver is defined -%}
-      {{ apiserver_loadbalancer_domain_name| default('') }},
-      {{ loadbalancer_apiserver.address | default('') }},
-      {%- endif -%}
-      {%- for item in (groups['k8s-cluster'] + groups['etcd'] + groups['calico-rr']|default([]))|unique -%}
-      {{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(fallback_ips[item])) }},
-      {%-   if item != hostvars[item].get('ansible_hostname', '') -%}
-      {{ hostvars[item]['ansible_hostname'] }},
-      {{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }},
-      {%-   endif -%}
-      {{ item }},{{ item }}.{{ dns_domain }},
-      {%- endfor -%}
-      {%- if additional_no_proxy is defined -%}
-      {{ additional_no_proxy }},
-      {%- endif -%}
-      127.0.0.1,localhost,{{ kube_service_addresses }},{{ kube_pods_subnet }}
-  delegate_to: localhost
-  connection: local
-  delegate_facts: yes
-  become: no
-  run_once: yes
-
-- name: Populates no_proxy to all hosts
-  set_fact:
-    no_proxy: "{{ hostvars.localhost.no_proxy_prepare }}"
-    proxy_env: "{{ proxy_env | combine({
-      'no_proxy': hostvars.localhost.no_proxy_prepare,
-      'NO_PROXY': hostvars.localhost.no_proxy_prepare
-    }) }}"
+---
+- name: Set no_proxy to all assigned cluster IPs and hostnames
+  set_fact:
+    no_proxy_prepare: >-
+      {%- if loadbalancer_apiserver is defined -%}
+      {{ apiserver_loadbalancer_domain_name| default('') }},
+      {{ loadbalancer_apiserver.address | default('') }},
+      {%- endif -%}
+      {%- if ( (no_proxy_exclude_workers is defined) and (no_proxy_exclude_workers) ) -%}
+      {% set cluster_or_master = 'kube-master' %}
+      {% else %}
+      {% set cluster_or_master = 'k8s-cluster' %}
+      {% endif %}
+      {%- for item in (groups[cluster_or_master] + groups['etcd'] + groups['calico-rr']|default([]))|unique -%}
+      {{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(fallback_ips[item])) }},
+      {%-   if item != hostvars[item].get('ansible_hostname', '') -%}
+      {{ hostvars[item]['ansible_hostname'] }},
+      {{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }},
+      {%-   endif -%}
+      {{ item }},{{ item }}.{{ dns_domain }},
+      {%- endfor -%}
+      {%- if additional_no_proxy is defined -%}
+      {{ additional_no_proxy }},
+      {%- endif -%}
+      127.0.0.1,localhost,{{ kube_service_addresses }},{{ kube_pods_subnet }}
+  delegate_to: localhost
+  connection: local
+  delegate_facts: yes
+  become: no
+  run_once: yes
+
+- name: Populates no_proxy to all hosts
+  set_fact:
+    no_proxy: "{{ hostvars.localhost.no_proxy_prepare }}"
+    proxy_env: "{{ proxy_env | combine({
+      'no_proxy': hostvars.localhost.no_proxy_prepare,
+      'NO_PROXY': hostvars.localhost.no_proxy_prepare
+    }) }}"