diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver.go b/src/k8s/pkg/k8sd/setup/kube_apiserver.go index 636b5f156..aa4756530 100644 --- a/src/k8s/pkg/k8sd/setup/kube_apiserver.go +++ b/src/k8s/pkg/k8sd/setup/kube_apiserver.go @@ -65,6 +65,7 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en args := map[string]string{ "--allow-privileged": "true", + "--anonymous-auth": "false", "--authentication-token-webhook-config-file": authTokenWebhookConfigFile, "--authorization-mode": authorizationMode, "--client-ca-file": path.Join(snap.KubernetesPKIDir(), "client-ca.crt"), @@ -73,6 +74,8 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en "--kubelet-client-certificate": path.Join(snap.KubernetesPKIDir(), "apiserver-kubelet-client.crt"), "--kubelet-client-key": path.Join(snap.KubernetesPKIDir(), "apiserver-kubelet-client.key"), "--kubelet-preferred-address-types": "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP", + "--profiling": "false", + "--request-timeout": "300s", "--secure-port": "6443", "--service-account-issuer": "https://kubernetes.default.svc", "--service-account-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"), diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go index 20e06adcb..1332dff0b 100644 --- a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go +++ b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go 
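Review bot: Setting `"--anonymous-auth": "false"` in the first kube_apiserver.go hunk makes kube-apiserver answer unauthenticated requests to `/healthz`, `/livez` and `/readyz` with 401, so any readiness probe or load-balancer check that calls the API server without credentials will start failing. Those callers are not visible in this diff and should be checked before merge. The three new flags (this one plus `--profiling` and `--request-timeout` in the second hunk) also land without explanation; a comment above the map such as `// Hardening defaults: no anonymous requests, no pprof endpoints, explicit request timeout.` would mark them as deliberate. `300s` is five times the upstream default of one minute, so stalled requests can hold server resources longer, and the reason for that value belongs in the same comment. Both hunks show only part of the `args` map; `KubeAPIServer` starts and ends outside them.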
@@ -44,14 +44,25 @@ func TestKubeAPIServer(t *testing.T) {
 expectedVal string
 }{
 {key: "--allow-privileged", expectedVal: "true"},
+ {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook-config-file", expectedVal: path.Join(s.Mock.ServiceExtraConfigDir, "auth-token-webhook.conf")},
 {key: "--authorization-mode", expectedVal: "Node,RBAC"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--enable-admission-plugins", expectedVal: "NodeRestriction"},
+ {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 {key: "--kubelet-certificate-authority", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--kubelet-client-certificate", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.crt")},
 {key: "--kubelet-client-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.key")},
 {key: "--kubelet-preferred-address-types", expectedVal: "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
+ {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
+ {key: "--request-timeout", expectedVal: "300s"},
+ {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"},
+ {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")},
+ {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"},
+ {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"},
+ {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
 {key: "--secure-port", expectedVal: "6443"},
 {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"},
 {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
@@ -60,14 +71,6 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
- {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
- {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")},
- {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"},
- {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"},
- {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"},
- {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
- {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
- {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -99,14 +102,18 @@ func TestKubeAPIServer(t *testing.T) {
 expectedVal string
 }{
 {key: "--allow-privileged", expectedVal: "true"},
+ {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook-config-file", expectedVal: path.Join(s.Mock.ServiceExtraConfigDir, "auth-token-webhook.conf")},
 {key: "--authorization-mode", expectedVal: "Node,RBAC"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--enable-admission-plugins", expectedVal: "NodeRestriction"},
+ {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 {key: "--kubelet-certificate-authority", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--kubelet-client-certificate", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.crt")},
 {key: "--kubelet-client-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.key")},
 {key: "--kubelet-preferred-address-types", expectedVal: "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--request-timeout", expectedVal: "300s"},
 {key: "--secure-port", expectedVal: "6443"},
 {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"},
 {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
@@ -115,7 +122,6 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
- {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -151,14 +157,26 @@ func TestKubeAPIServer(t *testing.T) {
 key string
 expectedVal string
 }{
+ {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook-config-file", expectedVal: path.Join(s.Mock.ServiceExtraConfigDir, "auth-token-webhook.conf")},
 {key: "--authorization-mode", expectedVal: "Node,RBAC"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--enable-admission-plugins", expectedVal: "NodeRestriction"},
+ {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 {key: "--kubelet-certificate-authority", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--kubelet-client-certificate", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.crt")},
 {key: "--kubelet-client-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.key")},
 {key: "--kubelet-preferred-address-types", expectedVal: "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP"},
+ {key: "--my-extra-arg", expectedVal: "my-extra-val"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
+ {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
+ {key: "--request-timeout", expectedVal: "300s"},
+ {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"},
+ {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")},
+ {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"},
+ {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"},
+ {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
 {key: "--secure-port", expectedVal: "1337"},
 {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"},
 {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
@@ -167,15 +185,6 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
- {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
- {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")},
- {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"},
- {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"},
- {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"},
- {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
- {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
- {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
- {key: "--my-extra-arg", expectedVal: "my-extra-val"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
index 91f68fcd9..746a44eb2 100644
--- a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
+++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
@@ -21,6 +21,7 @@ func KubeControllerManager(snap snap.Snap, extraArgs map[string]*string) error {
 "--profiling": "false",
 "--root-ca-file": path.Join(snap.KubernetesPKIDir(), "ca.crt"),
 "--service-account-private-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"),
+ "--terminated-pod-gc-threshold": "12500",
 "--use-service-account-credentials": "true",
 }
 // enable cluster-signing if certificates are available
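Review bot: `"--terminated-pod-gc-threshold": "12500"` in the kube_controller_manager.go hunk repeats kube-controller-manager's built-in default, so the entry changes nothing at runtime and reads as a magic number. If the intent is to make the value explicit for a configuration audit, say so in a comment, for example `// Pinned explicitly (same as the upstream default) so hardening audits can see it.`. If the intent is instead to bound how many terminated pods are retained, a lower value or a named constant would express that better. The `args` map and `KubeControllerManager` continue outside the hunk.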
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
index e6878b2a1..7b5af3c0e 100644
--- a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
@@ -40,15 +40,16 @@ func TestKubeControllerManager(t *testing.T) {
 }{
 {key: "--authentication-kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
 {key: "--authorization-kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
+ {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
+ {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
 {key: "--leader-elect-lease-duration", expectedVal: "30s"},
 {key: "--leader-elect-renew-deadline", expectedVal: "15s"},
 {key: "--profiling", expectedVal: "false"},
 {key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
+ {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 {key: "--use-service-account-credentials", expectedVal: "true"},
- {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
- {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -93,6 +94,7 @@ func TestKubeControllerManager(t *testing.T) {
 {key: "--profiling", expectedVal: "false"},
 {key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
+ {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 {key: "--use-service-account-credentials", expectedVal: "true"},
 }
 for _, tc := range tests {
@@ -140,14 +142,15 @@ func TestKubeControllerManager(t *testing.T) {
 }{
 {key: "--authentication-kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
 {key: "--authorization-kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
+ {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
+ {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
 {key: "--leader-elect-renew-deadline", expectedVal: "15s"},
 {key: "--profiling", expectedVal: "true"},
 {key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
+ {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 {key: "--use-service-account-credentials", expectedVal: "true"},
- {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
- {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
 {key: "--my-extra-arg", expectedVal: "my-extra-val"},
 }
 for _, tc := range tests {
diff --git a/src/k8s/pkg/k8sd/setup/kubelet.go b/src/k8s/pkg/k8sd/setup/kubelet.go
index 4563cb224..6a4e417a0 100644
--- a/src/k8s/pkg/k8sd/setup/kubelet.go
+++ b/src/k8s/pkg/k8sd/setup/kubelet.go
@@ -45,7 +45,7 @@ func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string,
 args := map[string]string{
 "--anonymous-auth": "false",
 "--authentication-token-webhook": "true",
- "--cert-dir": snap.KubernetesPKIDir(),
+ "--authorization-mode": "Webhook",
 "--client-ca-file": path.Join(snap.KubernetesPKIDir(), "client-ca.crt"),
 "--container-runtime-endpoint": path.Join(snap.ContainerdSocketDir(), "containerd.sock"),
 "--containerd": path.Join(snap.ContainerdSocketDir(), "containerd.sock"),
@@ -58,7 +58,9 @@ func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string,
 "--register-with-taints": strings.Join(taints, ","),
 "--root-dir": snap.KubeletRootDir(),
 "--serialize-image-pulls": "false",
+ "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "kubelet.crt"),
 "--tls-cipher-suites": strings.Join(kubeletTLSCipherSuites, ","),
+ "--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "kubelet.key"),
 }
 if cloudProvider != "" {
 args["--cloud-provider"] = cloudProvider
diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go
index 76686491a..43e09faa1 100644
--- a/src/k8s/pkg/k8sd/setup/kubelet_test.go
+++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go
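Review bot: Replacing `--cert-dir` with explicit `--tls-cert-file` / `--tls-private-key-file` (second kubelet.go hunk) removes the kubelet's fallback of generating a self-signed serving certificate, so `kubelet.crt` and `kubelet.key` must already exist in `snap.KubernetesPKIDir()` when the service starts. The diff does not show where they are written or with what permissions, so that ordering, and a restrictive mode on the key, should be confirmed or checked here. `"--authorization-mode": "Webhook"` in the first hunk makes every kubelet API request subject to an authorization check against the API server, so the identity behind `apiserver-kubelet-client.crt` and any metrics scraper presumably need RBAC on the node subresources; that binding is not visible in this change. A comment such as `// Serving certificate is supplied from the PKI dir; the kubelet must not self-sign.` would record the intent. `kubelet()` begins and ends outside both hunks.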
@@ -55,24 +55,26 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--authorization-mode", expectedVal: "Webhook"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
+ {key: "--cloud-provider", expectedVal: "provider"},
+ {key: "--cluster-dns", expectedVal: "10.152.1.1"},
+ {key: "--cluster-domain", expectedVal: "test-cluster.local"},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"},
 {key: "--fail-swap-on", expectedVal: "false"},
 {key: "--hostname-override", expectedVal: "dev"},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "kubelet.conf")},
+ {key: "--node-ip", expectedVal: "192.168.0.1"},
 {key: "--node-labels", expectedVal: expectedControlPlaneLabels},
 {key: "--read-only-port", expectedVal: "0"},
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
- {key: "--cluster-dns", expectedVal: "10.152.1.1"},
- {key: "--cloud-provider", expectedVal: "provider"},
- {key: "--cluster-domain", expectedVal: "test-cluster.local"},
- {key: "--node-ip", expectedVal: "192.168.0.1"},
+ {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -110,8 +112,9 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--authorization-mode", expectedVal: "Webhook"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
+ {key: "--cluster-dns", expectedVal: "10.152.1.1"},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"},
@@ -123,12 +126,13 @@ func TestKubelet(t *testing.T) {
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
- {key: "--cluster-dns", expectedVal: "10.152.1.1"},
+ {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 // Overwritten by extraArgs
 {key: "--cluster-domain", expectedVal: "override.local"},
- {key: "--node-ip", expectedVal: "192.168.0.1"},
 {key: "--my-extra-arg", expectedVal: "my-extra-val"},
+ {key: "--node-ip", expectedVal: "192.168.0.1"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -165,7 +169,7 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--authorization-mode", expectedVal: "Webhook"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -178,7 +182,9 @@ func TestKubelet(t *testing.T) {
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
+ {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -211,24 +217,26 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--authorization-mode", expectedVal: "Webhook"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
+ {key: "--cloud-provider", expectedVal: "provider"},
+ {key: "--cluster-dns", expectedVal: "10.152.1.1"},
+ {key: "--cluster-domain", expectedVal: "test-cluster.local"},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"},
 {key: "--fail-swap-on", expectedVal: "false"},
 {key: "--hostname-override", expectedVal: "dev"},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "kubelet.conf")},
+ {key: "--node-ip", expectedVal: "192.168.0.1"},
 {key: "--node-labels", expectedVal: expectedWorkerLabels},
 {key: "--read-only-port", expectedVal: "0"},
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
- {key: "--cloud-provider", expectedVal: "provider"},
- {key: "--cluster-dns", expectedVal: "10.152.1.1"},
- {key: "--cluster-domain", expectedVal: "test-cluster.local"},
- {key: "--node-ip", expectedVal: "192.168.0.1"},
+ {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -266,23 +274,25 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--authorization-mode", expectedVal: "Webhook"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
+ {key: "--cluster-dns", expectedVal: "10.152.1.1"},
+ {key: "--cluster-domain", expectedVal: "override.local"},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"},
 {key: "--fail-swap-on", expectedVal: "false"},
 {key: "--hostname-override", expectedVal: "dev"},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "kubelet.conf")},
+ {key: "--node-ip", expectedVal: "192.168.0.1"},
 {key: "--node-labels", expectedVal: expectedWorkerLabels},
 {key: "--read-only-port", expectedVal: "0"},
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
- {key: "--cluster-dns", expectedVal: "10.152.1.1"},
- {key: "--cluster-domain", expectedVal: "override.local"},
- {key: "--node-ip", expectedVal: "192.168.0.1"},
+ {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -320,7 +330,7 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--authorization-mode", expectedVal: "Webhook"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -333,7 +343,9 @@ func TestKubelet(t *testing.T) {
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
+ {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {