diff --git a/cluster/defaults.go b/cluster/defaults.go
index 5c69f62c..e81caf40 100644
--- a/cluster/defaults.go
+++ b/cluster/defaults.go
@@ -76,7 +76,7 @@ const (
 KubeAPIArgAuditLogFormat = "audit-log-format"
 KubeAPIArgAuditPolicyFile = "audit-policy-file"
 DefaultKubeAPIArgAuditLogPathValue = "/var/log/kube-audit/audit-log.json"
- DefaultKubeAPIArgAuditPolicyFileValue = "/etc/kubernetes/audit.yaml"
+ DefaultKubeAPIArgAuditPolicyFileValue = "/etc/kubernetes/audit-policy.yaml"
 )
 
 type ExternalFlags struct {
@@ -284,8 +284,8 @@ func newDefaultAuditPolicy() *auditv1.Policy {
 func newDefaultAuditLogConfig() *v3.AuditLogConfig {
 p := newDefaultAuditPolicy()
 c := &v3.AuditLogConfig{
- MaxAge: 5,
- MaxBackup: 5,
+ MaxAge: 30,
+ MaxBackup: 10,
 MaxSize: 100,
 Path: DefaultKubeAPIArgAuditLogPathValue,
 Format: "json",
diff --git a/cluster/plan.go b/cluster/plan.go
index b3c43cd3..85e83da6 100644
--- a/cluster/plan.go
+++ b/cluster/plan.go
@@ -50,6 +50,8 @@ const (
 // MaxEtcdOldEnvVersion The versions are maxed out for minor versions because -rancher1 suffix will cause semver to think its older, example: v1.15.0 > v1.15.0-rancher1
 MaxEtcdOldEnvVersion = "v3.2.99"
 MaxK8s115Version = "v1.15"
+
+ EncryptionProviderConfigArgument = "encryption-provider-config"
 )
 
 var admissionControlOptionNames = []string{"enable-admission-plugins", "admission-control"}
@@ -219,7 +221,7 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, prefixPath string, svcOp
 fmt.Sprintf("%s=%s", CloudConfigSumEnv, getCloudConfigChecksum(c.CloudConfigFile)))
 }
 if c.EncryptionConfig.EncryptionProviderFile != "" {
- CommandArgs["experimental-encryption-provider-config"] = EncryptionProviderFilePath
+ CommandArgs[EncryptionProviderConfigArgument] = EncryptionProviderFilePath
 }
 
 if c.IsKubeletGenerateServingCertificateEnabled() {
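Review bot: In `newDefaultAuditLogConfig` (cluster/defaults.go, second hunk) the new `MaxAge: 30` and `MaxBackup: 10` sit beside `MaxSize: 100` with no units, and the three limits interact. If they map to the kube-apiserver `audit-log-maxage`, `audit-log-maxbackup` and `audit-log-maxsize` flags (days, rotated files, megabytes per file), the on-node log is capped at roughly ten 100 MB files, so on a busy API server records can rotate out well before 30 days. I would add a comment above the literal such as `// MaxAge in days, MaxBackup in rotated files, MaxSize in MB per file; retention ends at whichever limit is reached first.` Anyone counting on the 30-day figure for investigations should also forward the log off the node. The function body continues past the end of the hunk.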
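Review bot: In `BuildKubeAPIProcess` (cluster/plan.go, second hunk) the switch from `experimental-encryption-provider-config` to `EncryptionProviderConfigArgument` is unconditional, so every Kubernetes version this builder serves now receives the non-experimental flag name. The file already carries version constants such as `MaxK8s115Version`, which suggests older releases are still handled here; a kube-apiserver that predates the rename would not recognise the new flag, and encryption of secrets at rest depends on this argument reaching it. If such versions are still supported, gate the key on the cluster version; otherwise document the floor next to the constant, e.g. `// encryption-provider-config replaced the experimental- prefixed flag; older apiservers are not supported here.` It is also worth confirming that a user-supplied `experimental-encryption-provider-config` extra arg cannot end up alongside this one. The function starts before and continues after the hunk.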