diff --git a/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py b/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py
index b982dc65ec3..292038e14b9 100644
--- a/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py
+++ b/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py
@@ -24,7 +24,7 @@ from charms.reactive import when
 from charms.reactive import when_not
 from charms.reactive.helpers import data_changed
-from charmhelpers.core import hookenv, unitdata
+from charmhelpers.core import hookenv
 from shlex import split
@@ -32,7 +32,7 @@ from subprocess import check_call
 from subprocess import check_output
-db = unitdata.kv()
+USER = 'system:e2e'
 @hook('upgrade-charm')
@@ -91,15 +91,16 @@ def install_snaps():
 @when('tls_client.ca.saved', 'tls_client.client.certificate.saved',
 'tls_client.client.key.saved', 'kubernetes-master.available',
- 'kubernetes-e2e.installed', 'e2e.auth.bootstrapped')
+ 'kubernetes-e2e.installed', 'e2e.auth.bootstrapped',
+ 'kube-control.auth.available')
 @when_not('kubeconfig.ready')
-def prepare_kubeconfig_certificates(master):
+def prepare_kubeconfig_certificates(master, kube_control):
 ''' Prepare the data to feed to create the kubeconfig file. '''
 layer_options = layer.options('tls-client')
 # Get all the paths to the tls information required for kubeconfig.
 ca = layer_options.get('ca_certificate_path')
- creds = db.get('credentials')
+ creds = kube_control.get_auth_credentials(USER)
 data_changed('kube-control.creds', creds)
 servers = get_kube_api_servers(master)
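Review bot: The new `kube_control` parameter of prepare_kubeconfig_certificates is not reflected in its docstring, which still reads as if the function only consumed the master relation; the credentials it feeds into the kubeconfig now come from the kube-control relation rather than the unit kv, and that is worth stating, e.g. `''' Prepare the data to feed to create the kubeconfig file. Credentials for USER are read from the kube-control relation. '''`. The body of the function continues outside the hunk, so I cannot see how `creds` is consumed after `data_changed`; if `get_auth_credentials` can return None before the master has answered, a guard that logs and returns before `data_changed` would fail early rather than further down. The `e2e.auth.bootstrapped` gate presumably makes that rare, so treat this as a hardening suggestion to confirm against the remainder of the function.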
@@ -124,19 +125,16 @@ def request_credentials(kube_control):
 """ Request authorization creds."""
 # Ask for a user, although we will be using the 'client_token'
- user = 'system:e2e'
- kube_control.set_auth_request(user)
+ kube_control.set_auth_request(USER)
 @when('kube-control.auth.available')
 def catch_change_in_creds(kube_control):
 """Request a service restart in case credential updates were detected."""
- user = 'system:e2e'
- creds = kube_control.get_auth_credentials(user)
+ creds = kube_control.get_auth_credentials(USER)
 if creds \
 and data_changed('kube-control.creds', creds) \
- and creds['user'] == user:
- db.set('credentials', creds)
+ and creds['user'] == USER:
 set_state('e2e.auth.bootstrapped')
diff --git a/cluster/juju/layers/kubernetes-master/config.yaml b/cluster/juju/layers/kubernetes-master/config.yaml
index c6c09cf82a2..61fbfab257c 100644
--- a/cluster/juju/layers/kubernetes-master/config.yaml
+++ b/cluster/juju/layers/kubernetes-master/config.yaml
@@ -42,7 +42,7 @@ options: --runtime-config=batch/v2alpha1=true --profiling=true
 authorization-mode:
 type: string
- default: "None"
+ default: "AlwaysAllow"
 description: |
- Set the cluster's authorization mode. Allowed values are
- "RBAC" and "None".
+ Comma separated authorization modes. Allowed values are
+ "RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow".
diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
index ee1a6e372a9..de10c4ae22d 100644
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@@ -61,8 +61,6 @@ nrpe.Check.shortname_re = '[\.A-Za-z0-9-_]+$'
 os.environ['PATH'] += os.pathsep + os.path.join(os.sep, 'snap', 'bin')
-valid_auth_modes = ['rbac', 'none']
 def service_cidr():
 ''' Return the charm's service-cidr config '''
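Review bot: Removing `db.set('credentials', creds)` stops writing the relation token into unit kv, which is the right direction, but units upgraded from the previous revision still hold the copy already stored under the `credentials` key and nothing in this diff deletes it; the worker's catch_change_in_creds hunk drops the same line and leaves the same stale copy behind. Both charms have an `upgrade-charm` hook (visible as context in their first hunks), so a one-time `unitdata.kv().unset('credentials')` there would remove the leftover secret from disk; note that this needs the `unitdata` import the commit removes from both files. A short comment at the `set_state('e2e.auth.bootstrapped')` line, such as `# Credentials are read from the relation on demand; nothing is persisted locally.`, would make the new contract explicit.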
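Review bot: The new default `"AlwaysAllow"` turns off authorization for every authenticated request, and the rewritten description does not say so, so an operator reading this option alone has no signal that the default is only suitable for development or test clusters. Suggest extending the description to something like `Comma separated authorization modes, evaluated in the order given. "AlwaysAllow" (the default) disables authorization and is meant for development; production clusters should use "Node,RBAC".` The description now enumerates allowed values, but with the mode check removed from the master charm elsewhere in this commit the value is passed through to kube-apiserver verbatim, so either the charm should enforce this list or the text should say that an unrecognised mode will stop the apiserver from starting.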
@@ -357,11 +355,6 @@ def idle_status(kube_api, kube_control):
 msg = 'WARN: cannot change service-cidr, still using ' + service_cidr()
 hookenv.status_set('active', msg)
 else:
- mode = hookenv.config().get('authorization-mode').lower()
- if mode not in valid_auth_modes:
- hookenv.status_set('blocked', 'Incorrect authorization mode.')
- return
- # All services should be up and running at this point. Double-check...
 failing_services = master_services_down()
 if len(failing_services) == 0:
@@ -463,7 +456,7 @@ def create_service_configs(kube_control):
 group = request[1]['group']
 kubelet_token = get_token(username)
 if not kubelet_token and username and group:
- # Usernames have to be in the form of system:node:
+ # Usernames have to be in the form of system:node:
 userid = "kubelet-{}".format(request[0].split('/')[1])
 setup_tokens(None, username, userid, group)
 kubelet_token = get_token(username)
@@ -500,7 +493,7 @@ def flush_auth_for_departed(kube_control):
 with open(token_auth_file, 'w') as fp:
 fp.writelines(known_tokens)
 # Trigger rebroadcast of auth files for followers
- remove_state('autentication.setup')
+ remove_state('authentication.setup')
 @when_not('kube-control.connected')
@@ -706,9 +699,8 @@ def initial_nrpe_config(nagios=None):
 'kubernetes-master.components.started')
 def switch_auth_mode():
 config = hookenv.config()
- mode = config.get('authorization-mode').lower()
- if mode in valid_auth_modes and \
- data_changed('auth-mode', mode):
+ mode = config.get('authorization-mode')
+ if data_changed('auth-mode', mode):
 remove_state('kubernetes-master.components.started')
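Review bot: Dropping the mode check in idle_status leaves `authorization-mode` completely unvalidated: the charm no longer enters `blocked` on a bad value, so a typo such as "RBAC,Nodes" is only discovered when kube-apiserver refuses to start with the string that configure_apiserver now passes through with `strict=True`. The check should be kept but reworked for the comma-separated form that config.yaml now documents, splitting the value and comparing against a module-level `VALID_AUTH_MODES` frozenset of the documented names (replacing the removed `valid_auth_modes` list). idle_status starts and ends outside the hunk, so the rewritten lines below sit inside its existing `else:` branch.
```python
        else:
            # Block on anything outside the documented mode names before the
            # value reaches kube-apiserver; VALID_AUTH_MODES is a module-level
            # frozenset of the names listed in config.yaml.
            modes = {m.strip() for m in hookenv.config('authorization-mode').split(',')}
            if not modes <= VALID_AUTH_MODES:
                hookenv.status_set('blocked', 'Incorrect authorization mode.')
                return
            # … unchanged: failing-services check …
```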
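Review bot: Dropping `.lower()` in switch_auth_mode makes the stored value case-sensitive, which matches kube-apiserver's mode names, but deployments upgraded with the previous default `"None"` or a lowercase `"rbac"` in their config now have that literal string recorded by `data_changed` and, via configure_apiserver, handed to the apiserver, where neither is a valid mode. Unless an `upgrade-charm` hook outside this diff rewrites those values, the commit should migrate them once, e.g. mapping `None` to `AlwaysAllow` and `rbac` to `Node,RBAC` before the comparison here. A comment on the `mode = config.get('authorization-mode')` line, such as `# Value is passed to kube-apiserver as-is; mode names are case-sensitive.`, would record why the normalisation was removed.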
@@ -1063,11 +1055,11 @@ def configure_apiserver():
 'DefaultTolerationSeconds'
 ]
- if hookenv.config('authorization-mode').lower() == 'rbac':
+ auth_mode = hookenv.config('authorization-mode')
+ if 'Node' in auth_mode:
 admission_control.append('NodeRestriction')
- api_opts.add('authorization-mode', 'Node,RBAC', strict=True)
- else:
- api_opts.add('authorization-mode', 'AlwaysAllow', strict=True)
+
+ api_opts.add('authorization-mode', auth_mode, strict=True)
 if get_version('kube-apiserver') < (1, 6):
 hookenv.log('Removing DefaultTolerationSeconds from admission-control')
diff --git a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
index ff537a8828a..d05468944dd 100644
--- a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
+++ b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
@@ -52,8 +52,6 @@ kubeclientconfig_path = '/root/.kube/config'
 os.environ['PATH'] += os.pathsep + os.path.join(os.sep, 'snap', 'bin')
-db = unitdata.kv()
 @hook('upgrade-charm')
 def upgrade_charm():
@@ -338,7 +336,8 @@ def start_worker(kube_api, kube_control, auth_control, cni):
 hookenv.log('Waiting for cluster cidr.')
 return
- creds = db.get('credentials')
+ nodeuser = 'system:node:{}'.format(gethostname())
+ creds = kube_control.get_auth_credentials(nodeuser)
 data_changed('kube-control.creds', creds)
 # set --allow-privileged flag for kubelet
@@ -830,7 +829,6 @@ def catch_change_in_creds(kube_control):
 if creds \
 and data_changed('kube-control.creds', creds) \
 and creds['user'] == nodeuser:
- db.set('credentials', creds)
 set_state('worker.auth.bootstrapped')
 set_state('kubernetes-worker.restart-needed')
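Review bot: `if 'Node' in auth_mode:` is a substring test on the raw comma-separated config string rather than a membership test on the list of modes, so it keys the NodeRestriction admission plugin on any value that merely contains those four letters; parse the value first, `modes = [m.strip() for m in auth_mode.split(',')]` and `if 'Node' in modes:`. The same `auth_mode` string then goes to `api_opts.add(..., strict=True)` unvalidated, so a malformed value is only caught by the apiserver failing to start. Since the old code always paired the Node authorizer with NodeRestriction, a comment such as `# NodeRestriction only makes sense when the Node authorizer is enabled.` above the `admission_control.append` line would preserve that rationale. configure_apiserver continues outside the hunk.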
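Review bot: `nodeuser` is rebuilt in start_worker from `gethostname()` exactly as catch_change_in_creds does (its `creds['user'] == nodeuser` comparison is visible in the later hunk), so the two derivations can drift if one is ever changed; a small helper returning the node user name, used by both, keeps them in step. `get_auth_credentials(nodeuser)` presumably returns None before the master has published credentials for this node, yet the hunk passes `creds` straight to `data_changed` and the rest of start_worker (outside the hunk) consumes it; a guard mirroring the cluster-cidr wait just above, `if not creds: hookenv.log('Waiting for auth credentials.'); return`, would be the consistent handling. Please confirm against the remainder of start_worker whether the `worker.auth.bootstrapped` gate already rules this out.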