diff --git a/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml b/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml
index da9cd8a254..566284e1c4 100644
--- a/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml
+++ b/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml
@@ -35,6 +35,8 @@ spec:
         - "--proxy-client-cert-file=/etc/kubernetes/certs/proxy.crt"
         - "--proxy-client-key-file=/etc/kubernetes/certs/proxy.key"
         - "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
+        - "--kubelet-client-certificate=/etc/kubernetes/certs/client.crt"
+        - "--kubelet-client-key=/etc/kubernetes/certs/client.key"
         - "--oidc-client-id="
         - "--oidc-issuer-url="
         - "--oidc-username-claim=oid"
diff --git a/pkg/acsengine/defaults-kubelet.go b/pkg/acsengine/defaults-kubelet.go
index 183cae42a4..7728d77b4c 100644
--- a/pkg/acsengine/defaults-kubelet.go
+++ b/pkg/acsengine/defaults-kubelet.go
@@ -13,6 +13,9 @@ func setKubeletConfig(cs *api.ContainerService) {
 	staticLinuxKubeletConfig := map[string]string{
 		"--address":                         "0.0.0.0",
 		"--allow-privileged":                "true",
+		"--anonymous-auth":                  "false",
+		"--authorization-mode":              "Webhook",
+		"--client-ca-file":                  "/etc/kubernetes/certs/ca.crt",
 		"--pod-manifest-path":               "/etc/kubernetes/manifests",
 		"--cloud-config":                    "/etc/kubernetes/azure.json",
 		"--cluster-domain":                  "cluster.local",