diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 94da756be49ff75687a6e33e27e45b98008a87bd..2c173837060f85fc8cdb60d7d694ed800d0415b5 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -8,6 +8,9 @@ kube_resolv_conf: "/etc/resolv.conf"
 
 kube_proxy_mode: iptables
 
+# If using the pure iptables proxy, SNAT everything
+kube_proxy_masquerade_all: true
+
 # kube_api_runtime_config:
 #   - extensions/v1beta1/daemonsets=true
 #   - extensions/v1beta1/deployments=true
diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index 296658cbdafb2ac56ed5172fe81261c7e0225c44..f0c4bc211de4b0df7270d5dd085588cad6a5418d 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -18,6 +18,9 @@ spec:
 {% endif %}
     - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
     - --proxy-mode={{ kube_proxy_mode }}
+{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
+    - --masquerade-all
+{% endif %}
     securityContext:
       privileged: true
     volumeMounts: