diff --git a/docs/vars.md b/docs/vars.md
index 702f3ac6a9fae3e3d2043ce3caac5575c88000cc..32841ee9fbb30365b925f5deef5fba2681d534e2 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -101,7 +101,8 @@ Stack](https://github.com/kubernetes-incubator/kubespray/blob/master/docs/dns-st
 * *docker_options* - Commonly used to set
   ``--insecure-registry=myregistry.mydomain:5000``
 * *http_proxy/https_proxy/no_proxy* - Proxy variables for deploying behind a
-  proxy
+  proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
+  that correspond to each node.
 * *kubelet_deployment_type* - Controls which platform to deploy kubelet on. 
   Available options are ``host``, ``rkt``, and ``docker``. ``docker`` mode
   is unlikely to work on newer releases. Starting with Kubernetes v1.7 
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 956814ce7eb416cccbb6265c4aaac1c05ba0c1eb..74b738e16e958e381b7d8c66ca16a852aa47d360 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -91,9 +91,10 @@ bin_dir: /usr/local/bin
 #kubeadm_token_second: "{{ lookup('password', 'credentials/kubeadm_token_second length=16 chars=ascii_lowercase,digits') }}"
 #kubeadm_token: "{{ kubeadm_token_first }}.{{ kubeadm_token_second }}"
 #
-## Set these proxy values in order to update docker daemon to use proxies
+## Set these proxy values in order to update package manager and docker daemon to use proxies
 #http_proxy: ""
 #https_proxy: ""
+## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 #no_proxy: ""
 
 ## Uncomment this if you want to force overlay/overlay2 as docker storage driver
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 0ecd6756fa9d14176b5ff344c08803d02e07a892..602cdacaa9bd7e92edd35b3756318ace087d9644 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -40,6 +40,7 @@
   until: keyserver_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   with_items: "{{ docker_repo_key_info.repo_keys }}"
   when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
 
@@ -67,6 +68,7 @@
   until: docker_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   with_items: "{{ docker_package_info.pkgs }}"
   notify: restart docker
   when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)
diff --git a/roles/docker/tasks/systemd.yml b/roles/docker/tasks/systemd.yml
index ec4bbf9ab11655d8427bd71f92aad5f064532612..355ee993989867b959391acfd6e9ea7da94905fb 100644
--- a/roles/docker/tasks/systemd.yml
+++ b/roles/docker/tasks/systemd.yml
@@ -8,7 +8,7 @@
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/docker.service.d/http-proxy.conf
-  when: http_proxy is defined or https_proxy is defined or no_proxy is defined
+  when: http_proxy is defined or https_proxy is defined
 
 - name: get systemd version
   command: rpm -q --qf '%{V}\n' systemd
@@ -44,4 +44,4 @@
   notify: restart docker
   when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
 
-- meta: flush_handlers
\ No newline at end of file
+- meta: flush_handlers
diff --git a/roles/docker/templates/http-proxy.conf.j2 b/roles/docker/templates/http-proxy.conf.j2
index e790477719dd30fd8c252a909de350d172844cec..212f30f92065f447ade0d7ecf2305113bc93dfac 100644
--- a/roles/docker/templates/http-proxy.conf.j2
+++ b/roles/docker/templates/http-proxy.conf.j2
@@ -1,2 +1,2 @@
 [Service]
-Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %}
+Environment={% if http_proxy is defined %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy is defined %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy is defined %}"NO_PROXY={{ no_proxy }}"{% endif %}
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 888515e8332139699b81e4eeccb553c814370dfd..d8db2cc2c1033c49ffaebd1bafb5ac72753be08f 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -21,6 +21,7 @@
   until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when:
     - download.enabled|bool
     - not download.container|bool
@@ -108,6 +109,7 @@
   until: pull_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when:
     - download.enabled|bool
     - download.container|bool
diff --git a/roles/kubernetes/node/tasks/install_rkt.yml b/roles/kubernetes/node/tasks/install_rkt.yml
index d19b099bdb40003f7c55026d5e235a43dcd12d88..22f9c7e81a59ec7e7970276043d49bafcc797d2e 100644
--- a/roles/kubernetes/node/tasks/install_rkt.yml
+++ b/roles/kubernetes/node/tasks/install_rkt.yml
@@ -28,5 +28,5 @@
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/kubelet.service.d/http-proxy.conf
-  when: http_proxy is defined or https_proxy is defined or no_proxy is defined
+  when: http_proxy is defined or https_proxy is defined
   notify: restart kubelet
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index 6021dcf67b94cc10b7001f2ecfce2ecf1de05445..80dcff7b15071c63aeb3ecaaf26988984a47e94b 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -105,6 +105,7 @@
   until: yum_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when:
     - ansible_pkg_mgr == 'yum'
     - not is_atomic
@@ -117,6 +118,7 @@
     state: latest
     update_cache: yes
     cache_valid_time: 3600
+  environment: "{{ proxy_env }}"
   when: ansible_os_family == "Debian"
   tags:
     - bootstrap-os
@@ -127,6 +129,7 @@
   until: dnf_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when:
     - ansible_distribution == "Fedora"
     - ansible_distribution_major_version > 21
@@ -136,16 +139,17 @@
 
 - name: Install epel-release on RedHat/CentOS
   shell: rpm -qa | grep epel-release || rpm -ivh {{ epel_rpm_download_url }}
-  when:
-    - ansible_distribution in ["CentOS","RedHat"]
-    - not is_atomic
-    - epel_rpm_download_url != ''
-    - epel_enabled|bool
   register: epel_task_result
   until: epel_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   changed_when: False
+  when:
+    - ansible_distribution in ["CentOS","RedHat"]
+    - not is_atomic
+    - epel_rpm_download_url != ''
+    - epel_enabled|bool
   check_mode: no
   tags:
     - bootstrap-os
@@ -159,6 +163,7 @@
   until: pkgs_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}"
   when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
   tags:
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index edcc224ae492ca53f03008ee1b01ec615b8a9560..92cd4a471ac2c3b464ff673c1d0e071483e4bfba 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -162,6 +162,28 @@ vault_config_dir: "{{ vault_base_dir }}/config"
 vault_roles_dir: "{{ vault_base_dir }}/roles"
 vault_secrets_dir: "{{ vault_base_dir }}/secrets"
 
+## Set no_proxy to all assigned cluster IPs and hostnames
+no_proxy: >-
+  127.0.0.1
+  localhost
+  {% if loadbalancer_apiserver is defined %}
+    {{ apiserver_loadbalancer_domain_name| default('') }}
+    {{ loadbalancer_apiserver.address | default('') }}
+  {% endif %}
+  {% for item in (groups['k8s-cluster'] + groups['etcd'] + groups['calico-rr']|default([]))|unique -%}
+    {{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(hostvars[item]['ansible_default_ipv4']['address'])) }}
+    {% if (item != hostvars[item]['ansible_hostname']) %} {{ hostvars[item]['ansible_hostname'] }}
+      {{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }}
+    {% endif %}
+    {{ item }}
+    {{ item }}.{{ dns_domain }}
+  {% endfor %}
+
+proxy_env:
+  http_proxy: "{{ http_proxy| default ('') }}"
+  https_proxy: "{{ https_proxy| default ('') }}"
+  no_proxy: "{{ no_proxy }}"
+
 # Vars for pointing to kubernetes api endpoints
 is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
 kube_apiserver_count: "{{ groups['kube-master'] | length }}"
diff --git a/roles/rkt/tasks/install.yml b/roles/rkt/tasks/install.yml
index 599f9e50e2b1d5e3c3cd22c7b73b29560a2c924b..cba44329d6ba0cd9612441355a61e3efb175cb1e 100644
--- a/roles/rkt/tasks/install.yml
+++ b/roles/rkt/tasks/install.yml
@@ -23,6 +23,7 @@
   until: rkt_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when: ansible_os_family == "Debian"
 
 - name: install rkt pkg on centos
@@ -33,4 +34,5 @@
   until: rkt_task_result|succeeded
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
+  environment: "{{ proxy_env }}"
   when: ansible_os_family == "RedHat"