diff --git a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
index a65a86c43..72956dac9 100644
--- a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
@@ -8,18 +8,6 @@
 resource: "configmap"
 namespace: "{{system_namespace}}"
-# FIXME: remove if kubernetes/features#124 is implemented
-- name: Purge old flannel and canal-node
- run_once: true
- kube:
- name: "canal-node"
- kubectl: "{{ bin_dir }}/kubectl"
- filename: "{{ kube_config_dir }}/canal-node.yaml"
- resource: "ds"
- namespace: "{{system_namespace}}"
- state: absent
- when: inventory_hostname == groups['kube-master'][0] and canal_node_manifest.changed
-
 - name: Start flannel and calico-node
 run_once: true
 kube:
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 0cb7e37c6..09342625d 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -82,10 +82,13 @@ gen_key_and_cert() {
 # Admins
 if [ -n "$MASTERS" ]; then
- # If any host requires new certs, just regenerate all master certs
 # kube-apiserver
- gen_key_and_cert "apiserver" "/CN=kube-apiserver"
- cat ca.pem >> apiserver.pem
+ # Generate only if we don't have existing ca and apiserver certs
+ if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
+ gen_key_and_cert "apiserver" "/CN=kube-apiserver"
+ cat ca.pem >> apiserver.pem
+ fi
+ # If any host requires new certs, just regenerate scheduler and controller-manager master certs
 # kube-scheduler
 gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
 # kube-controller-manager
diff --git a/roles/network_plugin/canal/templates/canal-node.yml.j2 b/roles/network_plugin/canal/templates/canal-node.yml.j2
index ca7b37f86..cd9312832 100644
--- a/roles/network_plugin/canal/templates/canal-node.yml.j2
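Review bot: The new guard `if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]` tests only the two private keys, so a run where `apiserver-key.pem` survived but `apiserver.pem` is missing (a partial earlier run), or was issued by a CA that has since been replaced, skips regeneration and leaves the apiserver without a usable certificate; at minimum extend the condition to `|| ! [ -e "$SSLDIR/apiserver.pem" ]`. The existence check looks at `$SSLDIR` while `gen_key_and_cert` and `cat ca.pem >> apiserver.pem` write relative paths in the current directory, so whether the skipped branch still leaves a certificate in `$SSLDIR` depends on copy logic outside the hunk and is worth confirming. Because the apiserver certificate is now reused across runs, any master addresses that `gen_key_and_cert` bakes into its SANs (which the removed "regenerate all master certs" comment suggests) will not pick up hosts added to `MASTERS` later; a comment such as `# NOTE: remove $SSLDIR/apiserver*.pem to force a re-issue when master hosts change` would make that trade-off explicit next to the guard. The enclosing `if [ -n "$MASTERS" ]` block continues past the hunk.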
+++ b/roles/network_plugin/canal/templates/canal-node.yml.j2
@@ -3,6 +3,7 @@ kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
 name: canal-node
+ namespace: {{ system_namespace }}
 labels:
 k8s-app: canal-node
 spec:
@@ -180,3 +181,7 @@ spec:
 - name: "canal-certs"
 mountPath: "{{ canal_cert_dir }}"
 readOnly: true
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
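Review bot: The added `namespace: {{ system_namespace }}` leaves the templated value as a plain scalar in the rendered manifest, unlike `mountPath: "{{ canal_cert_dir }}"` in the next hunk, so an empty or boolean-looking expansion would change type silently instead of failing as a string. Writing it as `namespace: "{{ system_namespace }}"` keeps the rendered value a string in every case and matches the quoting style already used in this template.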