diff --git a/README.md b/README.md index 8299846f..7941a90c 100644 --- a/README.md +++ b/README.md @@ -222,6 +222,25 @@ ingress: RKE will deploy Nginx Ingress controller as a DaemonSet with `hostnetwork: true`, so ports `80`, and `443` will be opened on each node where the controller is deployed. +## Operating Systems Notes + +### Atomic OS + +- Container volumes may have some issues in Atomic OS due to SELinux, most of volumes are mounted in rke with option `z`, however user still need to run the following commands before running rke: +``` +# mkdir /opt/cni /etc/cni +# chcon -Rt svirt_sandbox_file_t /etc/cni +# chcon -Rt svirt_sandbox_file_t /opt/cni +``` +- OpenSSH 6.4 shipped by default on Atomic CentOS which doesn't support SSH tunneling and therefore breaks rke, upgrading OpenSSH to the latest version supported by Atomic host will solve this problem: +``` +# atomic host upgrade +``` +- Atomic host doesn't come with docker group by default, you can change ownership of docker.sock to enable specific user to run rke: +``` +# chown /var/run/docker.sock +``` + ## License Copyright (c) 2017 [Rancher Labs, Inc.](http://rancher.com) diff --git a/hosts/hosts.go b/hosts/hosts.go index 70e04e9f..eae5cbb9 100644 --- a/hosts/hosts.go +++ b/hosts/hosts.go @@ -220,7 +220,7 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) ( } bindMounts := []string{} for _, vol := range toCleanDirs { - bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol)) + bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol)) } hostCfg := &container.HostConfig{ Binds: bindMounts, diff --git a/services/etcd.go b/services/etcd.go index 4343a89d..afd93035 100644 --- a/services/etcd.go +++ b/services/etcd.go 
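Review bot: The `:z` appended to every entry built from `toCleanDirs` in hosts.go requests a recursive SELinux relabel of each listed host directory, and Docker refuses to relabel a number of top-level system directories, so if that list ever contains such a path the cleaner container fails to be created instead of cleaning; the list is assembled outside this hunk, so I cannot confirm what it holds. The relabel is also a persistent change to the host's file labels, not something scoped to the container's lifetime, which is easy to miss in a one-character change to a format string. A why-comment above the loop would record the intent, e.g. `// :z relabels each directory for container access on SELinux hosts (see README, Operating Systems Notes)`. `buildCleanerConfig` begins and ends outside the hunk.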
@@ -90,8 +90,8 @@ func buildEtcdConfig(host *hosts.Host, etcdService v3.ETCDService, initCluster,
 	hostCfg := &container.HostConfig{
 		RestartPolicy: container.RestartPolicy{Name: "always"},
 		Binds: []string{
-			"/var/lib/etcd:/etcd-data",
-			"/etc/kubernetes:/etc/kubernetes",
+			"/var/lib/etcd:/etcd-data:z",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode: "host",
 	}
diff --git a/services/etcd_test.go b/services/etcd_test.go
index 9639fdd6..cffb87ff 100644
--- a/services/etcd_test.go
+++ b/services/etcd_test.go
@@ -13,7 +13,7 @@ const (
 	TestInitEtcdClusterString = "etcd-etcd1=https://1.1.1.1:2380,etcd-etcd2=https://2.2.2.2:2380"
 	TestEtcdImage             = "etcd/etcdImage:latest"
 	TestEtcdNamePrefix        = "--name=etcd-"
-	TestEtcdVolumeBind        = "/var/lib/etcd:/etcd-data"
+	TestEtcdVolumeBind        = "/var/lib/etcd:/etcd-data:z"
 	TestEtcdExtraArgs         = "--foo=bar"
 )
 
diff --git a/services/kubeapi.go b/services/kubeapi.go
index 0ef649d1..114ec8c7 100644
--- a/services/kubeapi.go
+++ b/services/kubeapi.go
@@ -62,7 +62,7 @@ func buildKubeAPIConfig(host *hosts.Host, kubeAPIService v3.KubeAPIService, etcd
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},
diff --git a/services/kubeapi_test.go b/services/kubeapi_test.go
index 8e48124d..e9f823e5 100644
--- a/services/kubeapi_test.go
+++ b/services/kubeapi_test.go
@@ -12,7 +12,7 @@ const (
 	TestEtcdConnString      = "https://1.1.1.1:2379,https://2.2.2.2:2379"
 	TestKubeAPIImage        = "rancher/k8s:latest"
 	TestInsecureBindAddress = "--insecure-bind-address=127.0.0.1"
-	TestKubeAPIVolumeBind   = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeAPIVolumeBind   = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeAPIExtraArgs    = "--foo=bar"
 )
 
diff --git a/services/kubecontroller.go b/services/kubecontroller.go
index 9ba10a13..f38bea83 100644
--- a/services/kubecontroller.go
+++ b/services/kubecontroller.go
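Review bot: `/var/lib/etcd:/etcd-data:z` uses the shared relabel (`z`), which gives the etcd data directory a label that SELinux policy allows any container on the host to access if it can reach the path (DAC still applies), whereas `Z` assigns a private MCS label usable only by this container. The etcd data directory holds the entire cluster state, Secrets included, and nothing else in this diff mounts `/var/lib/etcd`, so `Z` looks like the tighter choice there; worth confirming that no backup, restore or cleanup container depends on the shared label before changing it. `/etc/kubernetes` is mounted by several components in this diff, so the shared `z` is the right option for that bind. `buildEtcdConfig` begins and ends outside the hunk.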
@@ -51,7 +51,7 @@ func buildKubeControllerConfig(kubeControllerService v3.KubeControllerService, a
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},
diff --git a/services/kubecontroller_test.go b/services/kubecontroller_test.go
index dad1844b..ff828955 100644
--- a/services/kubecontroller_test.go
+++ b/services/kubecontroller_test.go
@@ -11,7 +11,7 @@ const (
 	TestKubeControllerClusterCidr           = "10.0.0.0/16"
 	TestKubeControllerServiceClusterIPRange = "10.1.0.0/16"
 	TestKubeControllerImage                 = "rancher/k8s:latest"
-	TestKubeControllerVolumeBind            = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeControllerVolumeBind            = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeControllerExtraArgs             = "--foo=bar"
 	TestClusterCidrPrefix                   = "--cluster-cidr="
 	TestServiceIPRangePrefix                = "--service-cluster-ip-range="
diff --git a/services/kubelet.go b/services/kubelet.go
index ba6492dd..0f650189 100644
--- a/services/kubelet.go
+++ b/services/kubelet.go
@@ -44,6 +44,7 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService) (*co
 			"--allow-privileged=true",
 			"--cloud-provider=",
 			"--kubeconfig=" + pki.GetConfigPath(pki.KubeNodeCertName),
+			"--volume-plugin-dir=/var/lib/kubelet/volumeplugins",
 			"--require-kubeconfig=True",
 			"--fail-swap-on=" + strconv.FormatBool(kubeletService.FailSwapOn),
 		},
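Review bot: The new `--volume-plugin-dir=/var/lib/kubelet/volumeplugins` in kubelet.go is a bare literal whose link to the bind list is not stated: the next hunk drops the `/usr/libexec/kubernetes/kubelet-plugins` mount, and the new path is only reachable inside the container because `/var/lib/kubelet` is bind-mounted there, so the override of the kubelet default deserves a comment such as `// flexvolume plugins live under /var/lib/kubelet so the single bind below covers them`. A named constant shared between this flag and the bind entry would keep the two from drifting apart in later edits. `buildKubeletConfig` begins and ends outside this hunk.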
@@ -53,20 +54,19 @@ func buildKubeletConfig(host *hosts.Host, kubeletService v3.KubeletService) (*co
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
-			"/usr/libexec/kubernetes/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins",
-			"/etc/cni:/etc/cni:ro",
-			"/opt/cni:/opt/cni:ro",
+			"/etc/kubernetes:/etc/kubernetes:z",
+			"/etc/cni:/etc/cni:ro,z",
+			"/opt/cni:/opt/cni:ro,z",
 			"/etc/resolv.conf:/etc/resolv.conf",
 			"/sys:/sys",
-			"/var/lib/docker:/var/lib/docker:rw",
-			"/var/lib/kubelet:/var/lib/kubelet:shared",
+			"/var/lib/docker:/var/lib/docker:rw,z",
+			"/var/lib/kubelet:/var/lib/kubelet:shared,z",
 			"/var/run:/var/run:rw",
 			"/run:/run",
 			"/etc/ceph:/etc/ceph",
 			"/dev:/host/dev",
-			"/var/log/containers:/var/log/containers",
-			"/var/log/pods:/var/log/pods"},
+			"/var/log/containers:/var/log/containers:z",
+			"/var/log/pods:/var/log/pods:z"},
 		NetworkMode: "host",
 		PidMode:     "host",
 		Privileged:  true,
diff --git a/services/kubelet_test.go b/services/kubelet_test.go
index b98ef446..e3921613 100644
--- a/services/kubelet_test.go
+++ b/services/kubelet_test.go
@@ -13,7 +13,7 @@ const (
 	TestKubeletClusterDNSServer    = "10.1.0.3"
 	TestKubeletInfraContainerImage = "test/test:latest"
 	TestKubeletImage               = "rancher/k8s:latest"
-	TestKubeletVolumeBind          = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeletVolumeBind          = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeletExtraArgs           = "--foo=bar"
 	TestClusterDomainPrefix        = "--cluster-domain="
 	TestClusterDNSServerPrefix     = "--cluster-dns="
diff --git a/services/kubeproxy.go b/services/kubeproxy.go
index cbe62b1d..265feab3 100644
--- a/services/kubeproxy.go
+++ b/services/kubeproxy.go
@@ -38,7 +38,7 @@ func buildKubeproxyConfig(host *hosts.Host, kubeproxyService v3.KubeproxyService
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},
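Review bot: `/var/lib/docker:/var/lib/docker:rw,z` asks Docker to recursively relabel its own storage root, which walks every image layer and container filesystem on the host and rewrites their labels to the shared container label, so it is both expensive on each kubelet container creation and alters labels on data belonging to every other container; whether the kubelet needs a relabel of that whole tree rather than a narrower path is not visible here and should be stated in a comment. `/var/lib/kubelet:/var/lib/kubelet:shared,z` likewise relabels every pod volume beneath it, which interacts with the `shared` propagation in ways worth a sentence of explanation. The siblings left without `z` are inconsistent: `/sys`, `/dev` and `/run` are, as far as I recall, roots Docker refuses to relabel so omitting it there is right, but `/etc/ceph` is the same class of host config directory as `/etc/cni` and `/opt/cni`, so either add `z` there too or note why it differs. `buildKubeletConfig` begins and ends outside this hunk.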
diff --git a/services/kubeproxy_test.go b/services/kubeproxy_test.go
index cd66341d..6134d888 100644
--- a/services/kubeproxy_test.go
+++ b/services/kubeproxy_test.go
@@ -9,7 +9,7 @@ import (
 
 const (
 	TestKubeproxyImage      = "rancher/k8s:latest"
-	TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+	TestKubeproxyVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 	TestKubeproxyExtraArgs  = "--foo=bar"
 )
 
diff --git a/services/scheduler.go b/services/scheduler.go
index fa5afa37..b101907b 100644
--- a/services/scheduler.go
+++ b/services/scheduler.go
@@ -39,7 +39,7 @@ func buildSchedulerConfig(host *hosts.Host, schedulerService v3.SchedulerService
 			SidekickContainerName,
 		},
 		Binds: []string{
-			"/etc/kubernetes:/etc/kubernetes",
+			"/etc/kubernetes:/etc/kubernetes:z",
 		},
 		NetworkMode:   "host",
 		RestartPolicy: container.RestartPolicy{Name: "always"},
diff --git a/services/scheduler_test.go b/services/scheduler_test.go
index e69f9108..d2c2389e 100644
--- a/services/scheduler_test.go
+++ b/services/scheduler_test.go
@@ -9,7 +9,7 @@ import (
 
 const (
 	TestSchedulerImage      = "rancher/k8s:latest"
-	TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes"
+	TestSchedulerVolumeBind = "/etc/kubernetes:/etc/kubernetes:z"
 	TestSchedulerExtraArgs  = "--foo=bar"
 )
 