diff --git a/roles/docker/tasks/install.yml b/roles/docker/tasks/install.yml
index 4880629a863f160dfb414f24363933dc2387ff0f..e2d18d1f64f788b04ba1c900f686c62c0228eb0a 100644
--- a/roles/docker/tasks/install.yml
+++ b/roles/docker/tasks/install.yml
@@ -13,7 +13,7 @@
   with_items:
     - aufs-tools
     - cgroupfs-mount
-    - docker-engine=1.8.3-0~{{ ansible_distribution_release }}
+    - docker-engine=1.9.0-0~{{ ansible_distribution_release }}
 
 - name: Copy default docker configuration
   template: src=default-docker.j2 dest=/etc/default/docker backup=yes
diff --git a/roles/docker/templates/default-docker.j2 b/roles/docker/templates/default-docker.j2
index 2a332353e1ca7cf747671208a7e83eb6f15145bf..66e3cd2ee57cc545512603b8d17ae49578ee385b 100644
--- a/roles/docker/templates/default-docker.j2
+++ b/roles/docker/templates/default-docker.j2
@@ -4,9 +4,9 @@
 #DOCKER="/usr/local/bin/docker"
 
 # Use DOCKER_OPTS to modify the daemon startup options.
-#{% if kube_network_plugin is defined and kube_network_plugin == "calico" %}
-#DOCKER_OPTS="--bridge=cbr0 --iptables=false --ip-masq=false"
-#{% endif %}
+{% if kube_network_plugin is defined and kube_network_plugin == "calico" %}
+DOCKER_OPTS="--bridge=cbr0 --iptables=false --ip-masq=false"
+{% endif %}
 
 # If you need Docker to use an HTTP proxy, it can also be specified here.
 #export http_proxy="http://127.0.0.1:3128/"
diff --git a/roles/kubernetes/common/defaults/main.yml b/roles/kubernetes/common/defaults/main.yml
index 09df9be6bd6a76764dfcdbb90d0cfbd7a821cc3d..367a2c34fa0906fc048910f2b8507808457088b2 100644
--- a/roles/kubernetes/common/defaults/main.yml
+++ b/roles/kubernetes/common/defaults/main.yml
@@ -31,6 +31,7 @@ kube_cert_group: kube-cert
 dns_domain: "{{ cluster_name }}"
 
 kube_proxy_mode: iptables
+kube_master_port: 443
 # IP address of the DNS server.
 # Kubernetes will create a pod with several containers, serving as the DNS
 # server and expose it under this IP address. The IP address must be from
diff --git a/roles/kubernetes/common/tasks/secrets.yml b/roles/kubernetes/common/tasks/secrets.yml
index 65107da0b277c40444cf8412ed29b17363311c34..c61e17d9b22b9e385ebd8fed94f7e976128d6055 100644
--- a/roles/kubernetes/common/tasks/secrets.yml
+++ b/roles/kubernetes/common/tasks/secrets.yml
@@ -45,6 +45,10 @@
   notify:
     - restart daemons
 
+- debug: msg="{{groups['kube-master'][0]}} == {{inventory_hostname}}"
+  tags:
+    - debug
+
 - include: gen_tokens.yml
   run_once: true
   when: inventory_hostname == groups['kube-master'][0]
diff --git a/roles/network_plugin/tasks/calico.yml b/roles/network_plugin/tasks/calico.yml
index f7042bf5090da97041fdf4c0171971c340336e0a..1e6f5d47a0c5414ece0c112ffe1750ed77f2176d 100644
--- a/roles/network_plugin/tasks/calico.yml
+++ b/roles/network_plugin/tasks/calico.yml
@@ -1,6 +1,6 @@
 ---
 - name: Calico | Install calicoctl bin
-  copy: 
+  copy:
      src={{ local_release_dir }}/calico/bin/calicoctl
      dest={{ bin_dir }}
      mode=u+x
@@ -11,22 +11,28 @@
 
 - name: Calico | Write calico-node systemd init file
   template: src=calico/calico-node.service.j2 dest=/etc/systemd/system/calico-node.service
-  notify: 
+  register: newservice
+  notify:
     - reload systemd
     - restart calico-node
 
+- name: Calico | daemon-reload
+  command: systemctl daemon-reload
+  when: newservice|changed
+  changed_when: False
+
 - name: Calico | Enable calico-node
   service: name=calico-node enabled=yes state=started
 
 - name: Calico | Configure calico-node remove default pool
   shell: calicoctl pool remove 192.168.0.0/16
-  environment: 
+  environment:
      ETCD_AUTHORITY: "{{ groups['kube-master'][0] }}:4001"
   run_once: true
 
 - name: Calico | Configure calico-node desired pool
   shell: calicoctl pool add {{ kube_pods_subnet }}
-  environment: 
+  environment:
      ETCD_AUTHORITY: "{{ groups['kube-master'][0] }}:4001"
   run_once: true