diff --git a/docs/vars.md b/docs/vars.md
index 72e3cc2757b28029930d5a9ebb7c963f7252c03c..f24b9d4b8e29b84ca181502199e34f828bfa19b0 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -113,6 +113,8 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
 * *kubelet_cgroup_driver* - Allows manual override of the
   cgroup-driver option for Kubelet. By default autodetection is used
   to match Docker configuration.
+* *kubelet_rotate_certificates* - Auto rotate the kubelet client certificates by requesting new certificates 
+  from the kube-apiserver when the certificate expiration approaches.
 * *node_labels* - Labels applied to nodes via kubelet --node-labels parameter.
   For example, labels can be set in the inventory as variables or more widely in group_vars.
   *node_labels* must be defined as a dict:
diff --git a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2 b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
index 2d6bb5e80abd8c104c8ea78580c3a723400fb20d..6c46dba1e8445d7dc02359016f1b1bafc371969c 100644
--- a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
@@ -28,6 +28,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 {% endif %}
 --enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} \
 --client-ca-file={{ kube_cert_dir }}/ca.crt \
+{% if kubelet_rotate_certificates %}
+--rotate-certificates \
+{% endif %}
 --pod-manifest-path={{ kube_manifest_dir }} \
 {% if kube_version is version('v1.12.0', '<') %}
 --cadvisor-port={{ kube_cadvisor_port }} \
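Review bot: The added `{% if kubelet_rotate_certificates %}` tests raw truthiness, so a value that arrives as a string (for example `false` from an INI inventory or a `-e key=value` override) is non-empty and would still emit `--rotate-certificates`. Casting the variable makes the toggle behave as the docs describe: `{% if kubelet_rotate_certificates | bool %}`. The argument list this conditional sits in starts and ends outside the hunk. Only the kubeadm variant of the kubelet env template is patched in this diff, so if the role has other kubelet templates they presumably need the same conditional.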
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index eb689f1c8c8f636275a50bf555446dce2279aac5..22ec23557c0e80e0bd406af2f107ce9d55d17716 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -308,6 +308,10 @@ kubelet_authentication_token_webhook: true
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
 kubelet_authorization_mode_webhook: false
 
+# kubelet uses certificates for authenticating to the Kubernetes API
+# Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
+kubelet_rotate_certificates: true
+
 ## v1.11 feature
 feature_gate_v1_11:
   - "PersistentLocalVolumes={{ local_volume_provisioner_enabled | string }}"
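Review bot: The comment above `kubelet_rotate_certificates: true` does not state the scope of the rotation, and the default turns it on for every existing inventory. `--rotate-certificates` covers only the kubelet's client certificate. The serving certificate is not rotated by this flag, and renewal depends on the control plane approving and signing the kubelet's CSR. Suggest adding `# Only the kubelet client certificate is rotated; the serving certificate is not covered, and renewal requires the CSR to be approved and signed by the control plane.` so operators know which certificates still need expiry monitoring.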