diff --git a/roles/kubernetes/node/templates/kubelet.j2 b/roles/kubernetes/node/templates/kubelet.j2
index b02e0c0a047f625f682c911151e13a239f0afcd2..fb70670c1c2605dc9f1c2d44bb2ea55d025368b5 100644
--- a/roles/kubernetes/node/templates/kubelet.j2
+++ b/roles/kubernetes/node/templates/kubelet.j2
@@ -21,7 +21,7 @@ KUBELET_ARGS="--cluster_dns={{ skydns_server }} --cluster_domain={{ dns_domain }
 {% elif dns_setup|bool %}
 KUBELET_ARGS="--cluster_dns={{ dns_server }} --cluster_domain={{ dns_domain }} --kubeconfig={{ kube_config_dir}}/node-kubeconfig.yaml --require-kubeconfig --pod-manifest-path={{ kube_manifest_dir }} --resolv-conf={{ kube_resolv_conf }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
 {% else %}
-KUBELET_ARGS="--kubeconfig={{ kube_config_dir}}/kubelet.kubeconfig --pod-manifest-path={{ kube_manifest_dir }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
+KUBELET_ARGS="--kubeconfig={{ kube_config_dir}}/kubelet.kubeconfig --require-kubeconfig --pod-manifest-path={{ kube_manifest_dir }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
 {% endif %}
 {% if kube_network_plugin is defined and kube_network_plugin in ["calico", "weave", "canal"] %}
 KUBELET_NETWORK_PLUGIN="--network-plugin=cni --network-plugin-dir=/etc/cni/net.d"
diff --git a/roles/network_plugin/canal/templates/canal-node.yml.j2 b/roles/network_plugin/canal/templates/canal-node.yml.j2
index c3894d47fa4c987752330ce3bb5a2e7ccf02815b..4fbb8bc14e351261015f362499bf94419d03d229 100644
--- a/roles/network_plugin/canal/templates/canal-node.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yml.j2
@@ -111,6 +111,7 @@ spec:
 mountPath: "/run/flannel"
 - name: "canal-certs"
 mountPath: "{{ canal_cert_dir }}"
+ readOnly: true
 # Runs calico/node container on each Kubernetes node. This
 # container programs network policy and local routes on each
 # host.
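Review bot: The two branches visible in this hunk require different credential files, `node-kubeconfig.yaml` under `dns_setup|bool` and `kubelet.kubeconfig` in the `else` branch, and with `--require-kubeconfig` set on both, kubelet exits on a missing or invalid file instead of falling back to other API-server settings. It is worth confirming the role writes both files before the kubelet service starts, or unifying the filename, because a node that takes the `else` path now fails closed on `kubelet.kubeconfig`. A template comment above the changed line would record the intent, e.g. `{# --require-kubeconfig: exit on kubeconfig errors rather than start without API-server credentials #}`. Later kubelet releases deprecate this flag because a set `--kubeconfig` implies it, so the line will need revisiting on upgrade. The first branch of the conditional starts outside the hunk, so whether it carries the flag cannot be checked from here.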
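Review bot: `readOnly: true` on the `canal-certs` mount stops the container from altering or replacing the files, but everything under `{{ canal_cert_dir }}`, including any private keys, stays readable inside the container. The volume definition is outside the hunk; if it is a hostPath (an assumption), ownership and file modes on the host directory remain the control that limits key exposure and should be checked alongside this change. The same applies to the second `canal-certs` mount in the `@@ -156,3 +157,4 @@` hunk and to the `etcd-certs` mount in `flannel-pod.yml`. A short comment on the mount would document the reason, e.g. `# TLS material: read-only so the container cannot replace certs or keys`.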
@@ -156,3 +157,4 @@ spec:
 readOnly: false
 - name: "canal-certs"
 mountPath: "{{ canal_cert_dir }}"
+ readOnly: true
diff --git a/roles/network_plugin/flannel/templates/flannel-pod.yml b/roles/network_plugin/flannel/templates/flannel-pod.yml
index 02c41e18ba83f3dc0ab4bc3842c3fff53806bd36..74a935bf14157f0a565066e587cdcca032e141d3 100644
--- a/roles/network_plugin/flannel/templates/flannel-pod.yml
+++ b/roles/network_plugin/flannel/templates/flannel-pod.yml
@@ -33,6 +33,7 @@
 mountPath: "/run/flannel"
 - name: "etcd-certs"
 mountPath: "{{ etcd_cert_dir }}"
+ readOnly: true
 securityContext:
 privileged: true
 hostNetwork: true
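Review bot: The container that receives the read-only `etcd-certs` mount appears to run with `securityContext.privileged: true`, and the pod with `hostNetwork: true`, both visible directly below the added line. The `readOnly` flag therefore prevents accidental writes but is not an isolation boundary, since a privileged container is not confined to its declared mounts. If flannel only needs network administration, replacing `privileged: true` with specific capabilities such as `NET_ADMIN` would make the read-only mount a meaningful restriction, though this needs testing against the flannel version deployed. Indentation is lost in this view and the container spec continues outside the hunk, so the exact scope of `securityContext` should be confirmed in the file.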