diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index f5896903bd4bd87aab13243a31fcfc136c547d1f..5e47740ca9f9727e94bbd344edaa58c69c6636d5 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -48,7 +48,3 @@ dashboard_tls_cert_file: dashboard.crt
 
 # Override dashboard default settings
 dashboard_token_ttl: 900
-
-# SSL
-etcd_cert_dir: "/etc/ssl/etcd/ssl"
-canal_cert_dir: "/etc/canal/certs"
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index c2035859d377629acc180a81b68e82b4b2f93232..6c8743c7cd9d349e8f560ead5d3cc67a9ab042d4 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -16,7 +16,7 @@
   register: kubelet_conf
 
 - name: Calculate kubeadm CA cert hash
-  shell: openssl x509 -pubkey -in {{ kube_config_dir }}/ssl/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+  shell: openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
   register: kubeadm_ca_hash
   delegate_to: "{{ groups['kube-master'][0] }}"
   run_once: true
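Review bot: The CA-hash pipeline on the changed `shell:` line can succeed with a wrong value, because it runs without `pipefail` and discards stderr. If `{{ kube_cert_dir }}/ca.crt` is missing, or the CA key is not RSA so `openssl rsa -pubin` fails, `openssl dgst` hashes empty input and `kubeadm_ca_hash` is registered as if it were valid. This hash presumably pins the cluster CA when nodes join, so the task should fail loudly: begin the command with `set -o pipefail &&`, run it under bash via `args:` with `executable: /bin/bash`, and drop `2>/dev/null`. Quoting the path, `-in "{{ kube_cert_dir }}/ca.crt"`, also keeps an override containing spaces from splitting the argument. The task may continue past the end of this hunk.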
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index 2d8af345caeb2af2b8c98606c6fd980442b2009c..e8d495884e015fe780f384c6bfa7be00bcd2b3e5 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -14,10 +14,6 @@ kube_apiserver_bind_address: 0.0.0.0
 # Inclusive at both ends of the range.
 kube_apiserver_node_port_range: "30000-32767"
 
-# ETCD cert dir for connecting apiserver to etcd
-etcd_config_dir: /etc/ssl/etcd
-etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
-
 # ETCD backend for k8s data
 kube_apiserver_storage_backend: etcd3
 
diff --git a/roles/kubernetes/master/tasks/encrypt-at-rest.yml b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
index 2e569b08bb63ca753f2c11ea232df494ba52ccc1..332e622c797e9dff61c73ab2f15fec5aeeb4b28a 100644
--- a/roles/kubernetes/master/tasks/encrypt-at-rest.yml
+++ b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
@@ -2,7 +2,7 @@
 - name: Write secrets for encrypting secret data at rest
   template:
     src: secrets_encryption.yaml.j2
-    dest: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"
+    dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
     owner: root
     group: "{{ kube_cert_group }}"
     mode: 0640
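Review bot: Changing `dest` moves the encryption key file but adds nothing to remove the old one. On a cluster where `kube_cert_dir` is overridden to something other than `{{ kube_config_dir }}/ssl`, a copy of secrets_encryption.yaml stays on disk at the previous path after an upgrade. A follow-up `file` task with `path: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"` and `state: absent`, guarded by `when: kube_cert_dir != kube_config_dir ~ '/ssl'`, would clean it up. Separately, `mode: 0640` relies on YAML 1.1 octal parsing, and `mode: "0640"` states the intent explicitly. Because the rendered file contains key material, `no_log: true` is worth considering unless the task already sets it outside this hunk.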
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
index f2ad127c785ad3944de5205cdcc543c8121aacf3..71c5045324710595654931fba639462d9d29d72e 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
@@ -102,7 +102,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
   storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
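Review bot: The encryption-provider path on the changed line is rendered as an unquoted plain scalar, so a `kube_cert_dir` override containing ` #` or `: ` would change how the generated kubeadm config parses. Emitting it as `experimental-encryption-provider-config: "{{ kube_cert_dir }}/secrets_encryption.yaml"` keeps it a string. The same applies to the matching lines in the v1alpha2, v1alpha3 and v1beta1 template hunks. The path is also spelled out separately in these four templates and in encrypt-at-rest.yml, so defining it once in defaults would stop the apiserver flag and the written file from drifting apart. The `apiServerExtraArgs` mapping starts outside the hunk, and nothing visible here shows whether `kube_cert_dir` is among the host paths mounted into the kube-apiserver pod, so that is worth confirming.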
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index 3385d2892c785ca927b856a2b21b690d624413c5..fb43775d272f3e9d845efa53077b13dc9e9998f9 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -87,7 +87,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
   storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
index d6f77ff7f99738f48e368b14c578c3951015b0d2..58250724d051dc1516d3a9c3160672941a447689 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
@@ -97,7 +97,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
   storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
index 366cbee23613bd923ff16c5fcce1d0cc4975786e..01338230e5ced3569204d62b51f655a0cb15653a 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
@@ -95,7 +95,7 @@ apiServer:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-    encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
     storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index b6b6f9ea649bd794b1ac345742197002df3810ee..ecd75e3cc990639664e2534779aa1dc4a2511498 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -67,8 +67,6 @@ nginx_image_repo: nginx
 nginx_image_tag: 1.13
 nginx_config_dir: "/etc/nginx"
 
-etcd_config_dir: /etc/ssl/etcd
-
 kubelet_flexvolumes_plugins_dir: /var/lib/kubelet/volume-plugins
 
 # A port range to reserve for services with NodePort visibility.
diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
index c508af4c998653336a3dfc42eea7ee247909f0e1..f27bda3fea09643f6e0fb6ae3f0ff792d720b8f5 100644
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -19,7 +19,7 @@
   with_items:
     - "{{bin_dir}}"
     - "{{ kube_config_dir }}"
-    - "{{ kube_config_dir }}/ssl"
+    - "{{ kube_cert_dir }}"
     - "{{ kube_manifest_dir }}"
     - "{{ kube_script_dir }}"
 
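Review bot: `{{ kube_cert_dir }}` is created by the same loop as `bin_dir` and `kube_config_dir`, so it receives whatever owner and mode this task sets, and those attributes are outside the hunk. Elsewhere in this commit that directory holds ca.crt and secrets_encryption.yaml, so it is worth confirming the resulting mode is not world-readable. Alternatively, create it in a task of its own with an explicit restrictive mode and the `kube_cert_group` group. A short comment above the item, e.g. `# certificates and keys live here (kube_cert_dir)`, would record why it is listed separately from `kube_config_dir`.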
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 745e2a9f81758215fe2a1218f6c0492ba0660298..15797558f75ec6a49170986031f5ed66fee56943 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -449,3 +449,6 @@ pip_extra_args: |-
   {%- endif -%}
   {%- endif -%}
   {{ pip_extra_args_list|join(' ') }}
+
+etcd_config_dir: /etc/ssl/etcd
+etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
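Review bot: The two added defaults have no comment, while the definitions this commit removes from the master role carried one. Something like `# Etcd TLS directories, shared by every role that connects to etcd` above `etcd_config_dir` would keep that context. The commit also deletes `canal_cert_dir` from roles/kubernetes-apps/ansible/defaults/main.yml without adding it here. If any task in that role still reads it and the canal role defaults are not loaded in the same play, the variable would be undefined, so a grep before merging is worthwhile. Quoting the first value, `etcd_config_dir: "/etc/ssl/etcd"`, would match the quoted line below it.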
diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index 9883ad1fd27bf2fc5f11311bd55e51c3e7a30f33..39bf108610d7dc602adfcebba198a67820618669 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -15,7 +15,6 @@ ipip_mode: Always  # change to "CrossSubnet" if you only want ipip encapsulation
 overwrite_hyperkube_cni: true
 
 calico_cert_dir: /etc/calico/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 
 # Global as_num (/calico/bgp/v1/global/as_num)
 global_as_num: "64512"
diff --git a/roles/network_plugin/calico/rr/defaults/main.yml b/roles/network_plugin/calico/rr/defaults/main.yml
index 0fde5eff812ac157dea023212e0577feb2c1c656..bdc2d9f10dc463c131a6779698d1b480c9c15e3a 100644
--- a/roles/network_plugin/calico/rr/defaults/main.yml
+++ b/roles/network_plugin/calico/rr/defaults/main.yml
@@ -4,7 +4,6 @@
 global_as_num: "64512"
 
 calico_cert_dir: /etc/calico/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 
 # Limits for apps
 calico_rr_memory_limit: 1000M
diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml
index 38696b87a1a5af788ab45f9eef0b8b486303b280..0be0f14fcd642481596791971a5a9091d1082096 100644
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -13,7 +13,6 @@ canal_log_level: "info"
 
 # Etcd SSL dirs
 canal_cert_dir: /etc/canal/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 
 # Canal Network Policy directory
 canal_policy_dir: /etc/kubernetes/policy
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index f6a836f953b1fcc2eef7036d525882f351f4b243..e97364644d22884826b5fcf29a58bea64ace7514 100755
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -5,7 +5,6 @@ cilium_disable_ipv4: false
 
 # Etcd SSL dirs
 cilium_cert_dir: /etc/cilium/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 
 # Cilium Network Policy directory
 cilium_policy_dir: /etc/kubernetes/policy