diff --git a/docs/vars.md b/docs/vars.md
index f51f71808..3756610fa 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -68,11 +68,6 @@ following default cluster paramters:
 * *kube_hostpath_dynamic_provisioner* - Required for use of PetSets type in
   Kubernetes
 * *authorization_mode* - A list of authorization modes that the apiserver should be configured. 
-Supported values are `['AlwaysAllow', 'RBAC']` (Default: `['AlwaysAllow']`)
-* *rotate_kubernetes_certs* - Set this to true to regenerate kubernetes node and master certificates.
-Useful if the authorization mode was changed and certificate format
-needs to be updated. This will not regenerate the root CA. *(!!Warning!!: Will overwrite old certs.)*
- 
  
 Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
 private addresses, make sure to pick another values for ``kube_service_addresses``
diff --git a/roles/kargo-defaults/defaults/main.yaml b/roles/kargo-defaults/defaults/main.yaml
index 2dfb2cd70..d13a565aa 100644
--- a/roles/kargo-defaults/defaults/main.yaml
+++ b/roles/kargo-defaults/defaults/main.yaml
@@ -116,13 +116,10 @@ efk_enabled: false
 enable_network_policy: false
 
 ## List of authorization plugins that must be configured for
-## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' is supported
-## at the moment.
+## the k8s cluster.
 authorization_mode: ['AlwaysAllow']
 rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
 
-## Set this flag to re-create kubernetes node and master certificates !!WARNING!!: Will overwrite existing certs.
-rotate_kubernetes_certs: false
 
 ssl_ca_dirs: "[
       {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 13f8e41a2..60a707fd6 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -41,8 +41,7 @@ netchecker_server_memory_requests: 64M
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
 
-# RBAC specific resources that will be ignored when RBAC is not enabled.
-apiserver_rbac_resources:
+kubedns_rbac_resources:
   - clusterrole,
   - clusterrolebinding,
   - sa
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index 37384496a..f7b8ca76d 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -21,7 +21,7 @@
     - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
     - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
   register: manifests
-  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in apiserver_rbac_resources or rbac_enabled)
+  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in kubedns_rbac_resources or rbac_enabled)
   tags: dnsmasq
 
 # see https://github.com/kubernetes/kubernetes/issues/45084
diff --git a/roles/kubernetes-apps/helm/tasks/main.yml b/roles/kubernetes-apps/helm/tasks/main.yml
index d9575e5c4..f3f741e42 100644
--- a/roles/kubernetes-apps/helm/tasks/main.yml
+++ b/roles/kubernetes-apps/helm/tasks/main.yml
@@ -12,7 +12,7 @@
 
 - name: Helm | Lay Down Helm Manifests (RBAC)
   template:
-    src: "manifests/{{item.file}}"
+    src: "{{item.file}}"
     dest: "{{kube_config_dir}}/{{item.file}}"
   with_items:
     - {name: tiller, file: tiller-sa.yml, type: sa}
diff --git a/roles/kubernetes-apps/helm/templates/manifests/tiller-clusterrolebinding.yml b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
similarity index 100%
rename from roles/kubernetes-apps/helm/templates/manifests/tiller-clusterrolebinding.yml
rename to roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
diff --git a/roles/kubernetes-apps/helm/templates/manifests/tiller-sa.yml b/roles/kubernetes-apps/helm/templates/tiller-sa.yml
similarity index 100%
rename from roles/kubernetes-apps/helm/templates/manifests/tiller-sa.yml
rename to roles/kubernetes-apps/helm/templates/tiller-sa.yml
diff --git a/roles/kubernetes/node/tasks/pre_upgrade.yml b/roles/kubernetes/node/tasks/pre_upgrade.yml
index 291817562..d6f729890 100644
--- a/roles/kubernetes/node/tasks/pre_upgrade.yml
+++ b/roles/kubernetes/node/tasks/pre_upgrade.yml
@@ -7,4 +7,4 @@
 
 - name: "Pre-upgrade | Make sure to restart kubelet if certificates changed"
   command: /bin/true
-  notify: restart kubelet if secrets changed
\ No newline at end of file
+  notify: restart kubelet if secrets changed
diff --git a/roles/kubernetes/secrets/defaults/main.yml b/roles/kubernetes/secrets/defaults/main.yml
index 3b65c23a9..e6177857e 100644
--- a/roles/kubernetes/secrets/defaults/main.yml
+++ b/roles/kubernetes/secrets/defaults/main.yml
@@ -1,4 +1,2 @@
 ---
 kube_cert_group: kube-cert
-
-rotate_kubernetes_certs: false # set this to true to regenerate certificates
diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml
index 73704caa4..1f2d9cb1d 100644
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -25,7 +25,7 @@
 - name: "Check_certs | Set 'gen_certs' to true"
   set_fact:
     gen_certs: true
-  when: "rotate_kubernetes_certs or item not in (kubecert_master.files|map(attribute='path')|list)"
+  when: "item not in (kubecert_master.files|map(attribute='path')|list)"
   run_once: true
   with_items: >-
        ['{{ kube_cert_dir }}/ca.pem',
@@ -41,7 +41,7 @@
       {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
       {% for host in groups['k8s-cluster'] -%}
         {% set host_cert = "%s/node-%s-key.pem"|format(kube_cert_dir, host) %}
-        {% if host_cert in existing_certs and not rotate_kubernetes_certs -%}
+        {% if host_cert in existing_certs -%}
         "{{ host }}": False,
         {% else -%}
         "{{ host }}": True,
@@ -62,5 +62,5 @@
             (kubecert_node.results[1].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[1].stat.path)|map(attribute="checksum")|first|default('')) -%}
               {%- set _ = certs.update({'sync': True}) -%}
       {% endif %}
-      {{ rotate_kubernetes_certs or certs.sync }}
+      {{ certs.sync }}