diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml
index 9bb32f162..139254734 100644
--- a/roles/etcd/tasks/check_certs.yml
+++ b/roles/etcd/tasks/check_certs.yml
@@ -61,7 +61,7 @@
       {% if gen_node_certs[inventory_hostname] or 
         (not etcdcert_node.results[0].stat.exists|default(False)) or
           (not etcdcert_node.results[1].stat.exists|default(False)) or
-            (etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|first|map(attribute="checksum")|default('')) -%}
+            (etcdcert_node.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcdcert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%}
               {%- set _ = certs.update({'sync': True}) -%}
       {% endif %}
       {{ certs.sync }}
diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml
index 06d86257c..ac6f906cf 100644
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -4,7 +4,8 @@
     path: "{{ etcd_cert_dir }}"
     group: "{{ etcd_cert_group }}"
     state: directory
-    owner: root
+    owner: kube
+    mode: 0700
     recurse: yes
 
 - name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})"
@@ -12,6 +13,7 @@
     path: "{{ etcd_script_dir }}"
     state: directory
     owner: root
+    mode: 0700
   run_once: yes
   delegate_to: "{{groups['etcd'][0]}}"
 
@@ -20,8 +22,9 @@
     path: "{{ etcd_cert_dir }}"
     group: "{{ etcd_cert_group }}"
     state: directory
-    owner: root
+    owner: kube
     recurse: yes
+    mode: 0700
   run_once: yes
   delegate_to: "{{groups['etcd'][0]}}"
 
@@ -42,6 +45,7 @@
   delegate_to: "{{groups['etcd'][0]}}"
   when: gen_certs|default(false)
 
+
 - name: Gen_certs | run cert generation script
   command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
   environment:
@@ -114,7 +118,9 @@
 - name: Gen_certs | Prepare tempfile for unpacking certs                        
   shell: mktemp /tmp/certsXXXXX.tar.gz                                          
   register: cert_tempfile                                                       
-                                                                                
+  when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
+        inventory_hostname != groups['etcd'][0]                          
+
 - name: Gen_certs | Write master certs to tempfile                              
   copy:                                                                         
     content: "{{etcd_master_cert_data.stdout}}"                                      
@@ -154,13 +160,9 @@
     group: "{{ etcd_cert_group }}"
     state: directory
     owner: kube
+    mode: "u=rwX,g-rwx,o-rwx"
     recurse: yes
 
-- name: Gen_certs | set permissions on keys
-  shell: chmod 0600 {{ etcd_cert_dir}}/*key.pem
-  when: inventory_hostname in groups['etcd']
-  changed_when: false
-
 - name: Gen_certs | target ca-certificate store file
   set_fact:
     ca_cert_path: |-
diff --git a/roles/kubernetes/preinstall/tasks/resolvconf.yml b/roles/kubernetes/preinstall/tasks/resolvconf.yml
index 55edd0ca7..6369dfd9c 100644
--- a/roles/kubernetes/preinstall/tasks/resolvconf.yml
+++ b/roles/kubernetes/preinstall/tasks/resolvconf.yml
@@ -3,25 +3,16 @@
   command: cp -f /etc/resolv.conf "{{ resolvconffile }}"
   when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
 
-- name: Remove search/domain/nameserver options
-  lineinfile:
-    dest: "{{item[0]}}"
-    state: absent
-    regexp: "^{{ item[1] }}.*$"
-    backup: yes
-    follow: yes
-  with_nested:
-    - "{{ [resolvconffile] + [base|default('')] + [head|default('')] }}"
-    - [ 'search ', 'nameserver ', 'domain ', 'options ' ]
-  notify: Preinstall | restart network
-
-- name: Add domain/search/nameservers to resolv.conf
+- name: Add domain/search/nameservers/options to resolv.conf
   blockinfile:
     dest: "{{resolvconffile}}"
     block: |-
       {% for item in [domainentry] + [searchentries] + nameserverentries.split(',') -%}
       {{ item }}
       {% endfor %}
+      options ndots:{{ ndots }}
+      options timeout:2
+      options attempts:2
     state: present
     insertbefore: BOF
     create: yes
@@ -30,21 +21,32 @@
     marker: "# Ansible entries {mark}"
   notify: Preinstall | restart network
 
-- name: Add options to resolv.conf
-  lineinfile:
-    line: options {{ item }}
-    dest: "{{resolvconffile}}"
-    state: present
-    regexp: "^options.*{{ item }}$"
-    insertafter: EOF
+- name: Remove search/domain/nameserver options before block
+  replace:
+    dest: "{{item[0]}}"
+    regexp: '^{{ item[1] }}[^#]*(?=# Ansible entries BEGIN)'
     backup: yes
     follow: yes
-  with_items:
-    - ndots:{{ ndots }}
-    - timeout:2
-    - attempts:2
+  with_nested:
+    - "{{ [resolvconffile] + [base|default('')] + [head|default('')] }}"
+    - [ 'search ', 'nameserver ', 'domain ', 'options ' ]
+  when: item[0] != ""
   notify: Preinstall | restart network
 
+- name: Remove search/domain/nameserver options after block
+  replace:
+    dest: "{{item[0]}}"
+    regexp: '(# Ansible entries END\n(?:(?!^{{ item[1] }}).*\n)*)(?:^{{ item[1] }}.*\n?)+'
+    replace: '\1'
+    backup: yes
+    follow: yes
+  with_nested:
+    - "{{ [resolvconffile] + [base|default('')] + [head|default('')] }}"
+    - [ 'search ', 'nameserver ', 'domain ', 'options ' ]
+  when: item[0] != ""
+  notify: Preinstall | restart network
+
+
 - name: get temporary resolveconf cloud init file content
   command: cat {{ resolvconffile }}
   register: cloud_config