diff --git a/docs/vars.md b/docs/vars.md
index c2cfbd3a0..8976bc695 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -67,7 +67,7 @@ following default cluster paramters: OpenStack (default is unset) * *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in Kubernetes
-* *authorization_mode* - A list of [authorization modes](
+* *authorization_modes* - A list of [authorization mode](
 https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module) that the cluster should be configured for. Defaults to `['AlwaysAllow']`. Note: Only `AlwaysAllow`, `AlwaysDeny` and `RBAC` are tested.
diff --git a/roles/kargo-defaults/defaults/main.yaml b/roles/kargo-defaults/defaults/main.yaml
index 3a1d29667..14d513458 100644
--- a/roles/kargo-defaults/defaults/main.yaml
+++ b/roles/kargo-defaults/defaults/main.yaml
@@ -118,5 +118,5 @@ enable_network_policy: false
 ## List of authorization modes that must be configured for
 ## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
 ## 'RBAC' modes are tested.
-authorization_mode: ['AlwaysAllow']
-rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
+authorization_modes: ['AlwaysAllow']
+rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 60a707fd6..1263f9df2 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -42,7 +42,6 @@ etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
 kubedns_rbac_resources:
- - clusterrole,
- - clusterrolebinding,
+ - clusterrole
+ - clusterrolebinding
 - sa
- - serviceaccount
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index 1259f7204..27e453032 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
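Review bot: Renaming `authorization_mode` to `authorization_modes` leaves any inventory that still sets the old name silently falling back to the default `['AlwaysAllow']`, and `rbac_enabled` then evaluates false, so a cluster that was configured for RBAC would be re-deployed with authorization effectively disabled; the same applies where `kube-apiserver.manifest.j2` now reads `authorization_modes`. A compatibility default, `authorization_modes: "{{ authorization_mode | default(['AlwaysAllow']) }}"`, or a preflight assertion that `authorization_mode` is not defined, would make the rename fail loudly instead of downgrading the cluster's authorization. The docs change alone will not reach existing inventories, so the rename is also worth a release note.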
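Review bot: `kubedns_rbac_resources` is an allowlist that the `when` in `tasks/main.yml` consults to skip manifests unless `rbac_enabled`, but nothing at the definition says so, and its entries must match the manifest list's `type` field exactly (the old trailing commas made `clusterrole,` never match, which this hunk fixes). A comment above the key would spell out the contract: `# Manifest types (see tasks/main.yml) that are only applied when rbac_enabled is true; values must match item.type exactly.` Whether `sa` corresponds to an actual `type: sa` entry in the manifest list cannot be confirmed from this hunk — worth verifying, since a stale entry here is silently ignored.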
@@ -21,7 +21,9 @@
 - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
 - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
 register: manifests
- when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in kubedns_rbac_resources or rbac_enabled)
+ when:
+ - dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
+ - rbac_enabled or item.type not in kubedns_rbac_resources
 tags: dnsmasq
 # see https://github.com/kubernetes/kubernetes/issues/45084
diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
index ecde5dce2..5d6190f93 100644
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
@@ -46,4 +46,6 @@ spec:
 - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}}
 - --logtostderr=true
 - --v=2
+{% if rbac_enabled %}
 serviceAccountName: cluster-proportional-autoscaler
+{% endif %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index fddd66a27..07a48e728 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -81,8 +81,8 @@ spec:
 {% if kube_api_anonymous_auth is defined and kube_version | version_compare('v1.5', '>=') %}
 - --anonymous-auth={{ kube_api_anonymous_auth }}
 {% endif %}
-{% if authorization_mode %}
- - --authorization-mode={{ authorization_mode|join(',') }}
+{% if authorization_modes %}
+ - --authorization-mode={{ authorization_modes|join(',') }}
 {% endif %}
 {% if apiserver_custom_flags is string %}
 - {{ apiserver_custom_flags }}
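Review bot: The first `when` entry still packs two unrelated conditions into one `and` expression, which undercuts the point of switching to the list form; one condition per entry reads more clearly: `- dns_mode != 'none'`, `- inventory_hostname == groups['kube-master'][0]`, `- rbac_enabled or item.type not in kubedns_rbac_resources`. Ansible ANDs the entries of a `when` list, so the result is unchanged. The task this `when` belongs to starts above the hunk.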
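Review bot: `{% if rbac_enabled %}` tests the truthiness of whatever `rbac_enabled` resolves to, so an inventory override supplied as a string such as `"false"` would still render the `serviceAccountName` line; `{% if rbac_enabled | bool %}` pins the intent. That matters here because the same variable gates the ServiceAccount and ClusterRoleBinding manifests in `tasks/main.yml`, and a deployment naming a service account that was never created will typically have its pods rejected by the ServiceAccount admission controller. The default in `kargo-defaults` derives `rbac_enabled` from `authorization_modes`, so this only bites when the variable is overridden directly, but the guard is cheap.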