diff --git a/cluster/juju/layers/kubernetes-master/config.yaml b/cluster/juju/layers/kubernetes-master/config.yaml
index 7057614c1e9..e60de9e63cc 100644
--- a/cluster/juju/layers/kubernetes-master/config.yaml
+++ b/cluster/juju/layers/kubernetes-master/config.yaml
@@ -30,7 +30,7 @@ options:
       privileged mode by default. If "false", kube-apiserver will never run in
       privileged mode. If "auto", kube-apiserver will not run in privileged
       mode by default, but will switch to privileged mode if gpu hardware is
-      detected on a worker node.
+      detected on a worker node.
   enable-nvidia-plugin:
     type: string
     default: "auto"
diff --git a/cluster/juju/layers/kubernetes-worker/config.yaml b/cluster/juju/layers/kubernetes-worker/config.yaml
index 7f51776c169..b335495966b 100644
--- a/cluster/juju/layers/kubernetes-worker/config.yaml
+++ b/cluster/juju/layers/kubernetes-worker/config.yaml
@@ -13,13 +13,14 @@ options:
       cluster. Declare node labels in key=value format, separated by spaces.
   allow-privileged:
     type: string
-    default: "auto"
+    default: "true"
     description: |
       Allow privileged containers to run on worker nodes. Supported values are
       "true", "false", and "auto". If "true", kubelet will run in privileged
       mode by default. If "false", kubelet will never run in privileged mode.
       If "auto", kubelet will not run in privileged mode by default, but will
-      switch to privileged mode if gpu hardware is detected.
+      switch to privileged mode if gpu hardware is detected. Pod security
+      policies (PSP) should be used to restrict container privileges.
   channel:
     type: string
     default: "1.10/stable"
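Review bot: The new `default: "true"` for `allow-privileged` in the worker charm makes privileged containers an opt-out rather than opt-in setting on every worker kubelet, but the added description only says PSP "should be used" and nothing in this hunk deploys or references such a policy, so the description should state the consequence plainly. Suggest extending the description with `The default "true" permits any pod on these workers to request privileged mode unless a PodSecurityPolicy or equivalent admission control is in place.` so an operator reading `juju config` sees the exposure. The master charm's hunk in this diff touches only whitespace, so its `allow-privileged` default is presumably still "auto"; given its description says the apiserver switches to privileged mode only when GPU hardware is detected, the two charms now appear to disagree by default — worth confirming the apiserver side is changed together, otherwise the worker default has no effect until a GPU is detected. The description text still explains the "auto" behaviour at length while the default no longer uses it; a short sentence naming the current default would keep the option self-describing.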