diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml
index e949e87defb23a6adf6063d2e1278a58aaa93744..b45a421943fe97b200512a47c19c6d798c52ae33 100644
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -21,10 +21,6 @@
     path: /var/lib/kubelet
   when: kubelet_deployment_type == "rkt"
 
-- name: install | Write kubelet systemd init file
-  template: "src=kubelet.{{ kubelet_deployment_type }}.service.j2 dest=/etc/systemd/system/kubelet.service backup=yes"
-  notify: restart kubelet
-
 - name: install | Set SSL CA directories
   set_fact:
     ssl_ca_dirs: "[
@@ -39,6 +35,10 @@
     ]"
   tags: facts
 
+- name: install | Write kubelet systemd init file
+  template: "src=kubelet.{{ kubelet_deployment_type }}.service.j2 dest=/etc/systemd/system/kubelet.service backup=yes"
+  notify: restart kubelet
+
 - name: install | Install kubelet launch script
   template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner=kube mode=0755 backup=yes
   notify: restart kubelet
diff --git a/roles/kubernetes/node/templates/kubelet.rkt.service.j2 b/roles/kubernetes/node/templates/kubelet.rkt.service.j2
index 12ce01c75483596649d8fb474edf7103358de117..a36ce1ef98eb51cca98d7a998cfafb0f6c25cd5a 100644
--- a/roles/kubernetes/node/templates/kubelet.rkt.service.j2
+++ b/roles/kubernetes/node/templates/kubelet.rkt.service.j2
@@ -27,9 +27,11 @@ ExecStart=/usr/bin/rkt run \
         --volume etcd-ssl,kind=host,source={{ etcd_config_dir }},readOnly=true \
         --volume opt-cni,kind=host,source=/opt/cni,readOnly=true \
         --volume run,kind=host,source=/run,readOnly=false \
-        --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
+        {% for dir in ssl_ca_dirs -%}
+        --volume {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }},kind=host,source={{ dir }},readOnly=true \
+        {% endfor -%}
         --volume var-lib-docker,kind=host,source={{ docker_daemon_graph }},readOnly=false \
-	--volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
+        --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
         --volume var-log,kind=host,source=/var/log \
         --mount volume=dns,target=/etc/resolv.conf \
         --mount volume=etc-cni,target=/etc/cni \
@@ -38,7 +40,9 @@ ExecStart=/usr/bin/rkt run \
         --mount volume=etcd-ssl,target={{ etcd_config_dir }} \
         --mount volume=opt-cni,target=/opt/cni \
         --mount volume=run,target=/run \
-        --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
+        {% for dir in ssl_ca_dirs -%}
+        --mount volume={{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }},target={{ dir }} \
+        {% endfor -%}
         --mount volume=var-lib-docker,target=/var/lib/docker \
         --mount volume=var-lib-kubelet,target=/var/lib/kubelet \
         --mount volume=var-log,target=/var/log \