diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 50a14ee8a95fcf97f1d4971ff191f8f5b0d0d2aa..1a1e200b0c6c658e0aef8dd272478234dece18f1 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -51,10 +51,10 @@ kube_api_anonymous_auth: false
 #
 # For some things, kubelet needs to load kernel modules.  For example, dynamic kernel services are needed
 # for mounting persistent volumes into containers.  These may not be loaded by preinstall kubernetes
-# processes.  For example, ceph and rbd backed volumes.  Uncomment to allow kubelet to load kernel
+# processes.  For example, ceph and rbd backed volumes.  Set to true to allow kubelet to load kernel
 # modules.
 #
-#kubelet_load_modules: true
+kubelet_load_modules: false
 
 # Users to create for basic auth in Kubernetes API via HTTP
 kube_api_pwd: "changeme"
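Review bot: The comment above `kubelet_load_modules: false` explains why kubelet may need modules but not what the switch changes on the node, and the same variable is added to roles/kubernetes/node/defaults/main.yml with no comment at all. Judging by the kubelet-container.j2 change in this commit, the only effect is an extra bind mount, so both places could say so, for example `# When true, the host's /lib/modules is bind-mounted read-only into the kubelet container.` That gives an operator the concrete exposure to weigh before setting it to true.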
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index d60b7620822d3244d848325e9e695251db267216..da1ed6d079e05770f3af50dedb96a53731a761d3 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -33,3 +33,5 @@ etcd_config_dir: /etc/ssl/etcd
 # A port range to reserve for services with NodePort visibility.
 # Inclusive at both ends of the range.
 kube_apiserver_node_port_range: "30000-32767"
+
+kubelet_load_modules: false
diff --git a/roles/kubernetes/node/templates/kubelet-container.j2 b/roles/kubernetes/node/templates/kubelet-container.j2
index 388fab3c7d884e2cb6ca1a947c3004b576a495c2..5126f1b59486cf71fa8c5460494495a18b2fbe65 100644
--- a/roles/kubernetes/node/templates/kubelet-container.j2
+++ b/roles/kubernetes/node/templates/kubelet-container.j2
@@ -14,7 +14,7 @@
   {% for dir in ssl_ca_dirs -%}
   -v {{ dir }}:{{ dir }}:ro \
   {% endfor -%}
-  {% if kubelet_load_modules is defined and kubelet_load_modules == true -%}
+  {% if kubelet_load_modules -%}
   -v /lib/modules:/lib/modules:ro \
   {% endif -%}
   -v /sys:/sys:ro \
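Review bot: The bare truthiness test `{% if kubelet_load_modules -%}` treats any non-empty string as true. A value that arrives as a string, such as `-e kubelet_load_modules=false` on the command line or a quoted `"false"` in inventory, would therefore add the `/lib/modules` mount. The removed `== true` comparison failed closed for such values. Coercing explicitly with `{% if kubelet_load_modules | bool -%}` keeps the mount off unless it was actually requested. The enclosing container command starts and ends outside this hunk.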