diff --git a/cluster/juju/layers/kubernetes-master/config.yaml b/cluster/juju/layers/kubernetes-master/config.yaml index 7057614c1e9..92c1878f609 100644 --- a/cluster/juju/layers/kubernetes-master/config.yaml +++ b/cluster/juju/layers/kubernetes-master/config.yaml @@ -23,14 +23,14 @@ options: description: CIDR to user for Kubernetes services. Cannot be changed after deployment. allow-privileged: type: string - default: "auto" + default: "true" description: | Allow kube-apiserver to run in privileged mode. Supported values are "true", "false", and "auto". If "true", kube-apiserver will run in privileged mode by default. If "false", kube-apiserver will never run in privileged mode. If "auto", kube-apiserver will not run in privileged mode by default, but will switch to privileged mode if gpu hardware is - detected on a worker node. + detected on a worker node. enable-nvidia-plugin: type: string default: "auto" @@ -82,6 +82,11 @@ options: description: | Comma separated authorization modes. Allowed values are "RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow". + cluster-context: + type: string + default: "" + description: | + When specified, the juju model name will be overridden in the kube config. require-manual-upgrade: type: boolean default: true diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py index f866471f934..63e558a9243 100644 --- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py +++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py 
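Review bot: The `default: "auto"` → `default: "true"` change turns privileged mode on by default for kube-apiserver, yet the description in this hunk is left as it was and never states the default, so an operator reading the option help sees the "auto" behaviour described at length and has to discover the actual default elsewhere. The kubernetes-worker config.yaml hunk in this same change appends `Pod security policies (PSP) should be used to restrict container privileges.` to its description; the same sentence, plus a line such as `Defaults to "true".`, belongs here so both charms document the expectation consistently. The second change in this hunk (`detected on a worker node.`) appears to alter only whitespace and could be dropped to keep the diff focused.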
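Review bot: The description `When specified, the juju model name will be overridden in the kube config.` understates what `cluster-context` does: in the kubernetes_master.py hunk the value is prefixed with `cdk-` and then used as the cluster name and as the base for the `-context` and `-admin` entries of the generated kubeconfig. Suggest a description along the lines of `Name used for the cluster, context and user entries in the generated kubeconfig, prefixed with "cdk-". Defaults to the Juju model name.` The option accepts any string and nothing in the diff validates it; how unusual characters are handled depends on create_kubeconfig, which is not shown here.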
@@ -1000,10 +1000,16 @@ def build_kubeconfig(server): if ca_exists and client_pass: # Create an absolute path for the kubeconfig file. kubeconfig_path = os.path.join(os.sep, 'home', 'ubuntu', 'config') + # set context_name based on combination of modelname and userinput + context_name = hookenv.config('cluster-context') + if not context_name: + context_name = 'cdk-'+os.environ['JUJU_MODEL_NAME'] + else: + context_name = 'cdk-'+context_name # Create the kubeconfig on this system so users can access the cluster. - - create_kubeconfig(kubeconfig_path, server, ca, - user='admin', password=client_pass) + create_kubeconfig(kubeconfig_path, server, ca, user=context_name+'-admin', + context=context_name+'-context', + cluster=context_name,password=client_pass) # Make the config file readable by the ubuntu users so juju scp works. cmd = ['chown', 'ubuntu:ubuntu', kubeconfig_path] check_call(cmd) diff --git a/cluster/juju/layers/kubernetes-worker/config.yaml b/cluster/juju/layers/kubernetes-worker/config.yaml index 46a985d95a0..b335495966b 100644 --- a/cluster/juju/layers/kubernetes-worker/config.yaml +++ b/cluster/juju/layers/kubernetes-worker/config.yaml @@ -13,13 +13,14 @@ options: cluster. Declare node labels in key=value format, separated by spaces. allow-privileged: type: string - default: true + default: "true" description: | Allow privileged containers to run on worker nodes. Supported values are "true", "false", and "auto". If "true", kubelet will run in privileged mode by default. If "false", kubelet will never run in privileged mode. If "auto", kubelet will not run in privileged mode by default, but will - switch to privileged mode if gpu hardware is detected. + switch to privileged mode if gpu hardware is detected. Pod security + policies (PSP) should be used to restrict container privileges. channel: type: string default: "1.10/stable"
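Review bot: The new `if not context_name: ... else: ...` block collapses to a single expression, and the added call lacks PEP 8 spacing (`'cdk-'+context_name`, `cluster=context_name,password=client_pass`). Suggest `context_name = 'cdk-' + (hookenv.config('cluster-context') or os.environ['JUJU_MODEL_NAME'])` followed by `create_kubeconfig(kubeconfig_path, server, ca, user=context_name + '-admin', context=context_name + '-context', cluster=context_name, password=client_pass)` wrapped across lines in the file's style. `os.environ['JUJU_MODEL_NAME']` raises KeyError if the variable is absent; it is presumably always set in a Juju hook context, but a short comment such as `# JUJU_MODEL_NAME is provided by the hook environment` would record the assumption. build_kubeconfig begins outside this hunk.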