diff --git a/docs/aws.md b/docs/aws.md
index 1070958b9..429e77a54 100644
--- a/docs/aws.md
+++ b/docs/aws.md
@@ -1,7 +1,7 @@
 AWS
 ===============
-To deploy kubespray on [AWS](https://www.openstack.org/) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'aws'`.
+To deploy kubespray on [AWS](https://aws.amazon.com/) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'aws'`.
 Prior to creating your instances, you **must** ensure that you have created IAM roles and policies for both "kubernetes-master" and "kubernetes-node". You can find the IAM policies [here](https://github.com/kubernetes/kubernetes/tree/master/cluster/aws/templates/iam). See the [IAM Documentation](https://aws.amazon.com/documentation/iam/) if guidance is needed on how to set these up. When you bring your instances online, associate them with the respective IAM role. Nodes that are only to be used for Etcd do not need a role.
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 9b9caf126..528e449b1 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -9,8 +9,6 @@
 - name: Create dest directories
   file: path={{local_release_dir}}/{{download.dest|dirname}} state=directory recurse=yes
   when: "{{ download.enabled|bool and not download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Download items
   get_url:
@@ -24,8 +22,6 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   when: "{{ download.enabled|bool and not download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Extract archives
   unarchive:
@@ -35,8 +31,6 @@
     mode: "{{ download.mode|default(omit) }}"
     copy: no
   when: "{{ download.enabled|bool and not download.container|bool and download.unarchive is defined and download.unarchive == True }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Fix permissions
   file:
@@ -45,8 +39,6 @@
     owner: "{{ download.owner|default(omit) }}"
     mode: "{{ download.mode|default(omit) }}"
   when: "{{ download.enabled|bool and not download.container|bool and (download.unarchive is not defined or download.unarchive == False) }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: pulling...
   debug:
@@ -65,7 +57,7 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   when: "{{ download.enabled|bool and download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
+  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
   run_once: "{{ download_run_once|bool }}"
 
 - set_fact:
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index cd6d77715..56023b997 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -13,6 +13,7 @@ spec:
     - apiserver
     - --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
     - --etcd-servers={{ etcd_access_endpoint }}
+    - --etcd-quorum-read=true
     - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
     - --apiserver-count={{ kube_apiserver_count }}
     - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 94da756be..2c1738370 100644
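Review bot: The new `delegate_to` fallback of `inventory_hostname` in the `@@ -65,7 +57,7 @@` hunk deserves a comment, because the reason `omit` was dropped is not visible from the diff. My understanding is that the `omit` placeholder is only honoured for module arguments, so inside a task keyword such as `delegate_to` it ends up used as a literal host name; if that is the motivation, a comment like `# omit is not honoured in task keywords, so fall back to the current host` on the added line would stop the next maintainer from reverting it. Note also that with `download_run_once` true the image is pulled only on `groups['kube-master'][0]` and `run_once` skips the other hosts, whereas the file-download tasks in the earlier hunks of this file now run on every host; unless a save/load step outside this hunk distributes the image, the other nodes will not have it. The enclosing task starts before this hunk.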
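Review bot: `--etcd-quorum-read=true` is hard-coded while the neighbouring apiserver flags are templated from role variables; consider `- --etcd-quorum-read={{ kube_apiserver_etcd_quorum_read | default(true) }}` (variable name to taste, with a matching entry in the role defaults) so operators can trade read consistency against etcd load without editing the template. Quorum reads are the safer default for an API server, since a stale read from a follower could serve outdated objects such as secrets or policy, so the default should remain true. This hunk is the middle of the container `command` list, which starts and ends outside it.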
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -8,6 +8,9 @@
 kube_resolv_conf: "/etc/resolv.conf"
 kube_proxy_mode: iptables
+# If using the pure iptables proxy, SNAT everything
+kube_proxy_masquerade_all: true
+
 
 # kube_api_runtime_config:
 # - extensions/v1beta1/daemonsets=true
 # - extensions/v1beta1/deployments=true
diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index 296658cbd..f0c4bc211 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -18,6 +18,9 @@ spec:
 {% endif %}
     - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
     - --proxy-mode={{ kube_proxy_mode }}
+{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
+    - --masquerade-all
+{% endif %}
   securityContext:
     privileged: true
   volumeMounts:
diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index b5b275e04..45b04c8a9 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -5,5 +5,6 @@
 nat_outgoing: true
 # Use IP-over-IP encapsulation across hosts
 ipip: false
-# cloud_provider can only be set to 'gce' or 'aws'
-# cloud_provider:
+# Set to true if you want your calico cni binaries to overwrite the
+# ones from hyperkube while leaving other cni plugins intact.
+overwrite_hyperkube_cni: false
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index d0d5c47c9..2ce342b20 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
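Review bot: The comment on the new `kube_proxy_masquerade_all` default should spell out the trade-off, because SNAT-ing all service traffic means pods no longer see the original client source IP, which affects source-IP based logging and any policy keyed on it. Suggested wording: `# Only used when kube_proxy_mode is iptables: SNAT all service traffic.` followed by `# Pods then see the node address rather than the client source IP.`. The two-line form matches the comment style already used in this file.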
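Review bot: The new Jinja condition in the kube-proxy manifest tests `kube_proxy_masquerade_all` by plain truthiness, so a value supplied as a string (for example via `-e kube_proxy_masquerade_all=false`, which arrives as the string `"false"`) is non-empty and still emits `--masquerade-all`. The rest of this diff coerces such flags with `|bool` (`download_run_once|bool`, `use_hyperkube_cni|bool`), so use `{% if kube_proxy_masquerade_all|bool and kube_proxy_mode == "iptables" %}`. The containing `command` list starts and continues outside the hunk.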
@@ -32,18 +32,8 @@
     use_hyperkube_cni: true
   when: kube_version | version_compare('v1.3.4','>=')
 
-- name: Calico | Install calico cni bin
-  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico"
-  changed_when: false
-  when: "{{ not use_hyperkube_cni|bool }}"
-
-- name: Calico | Install calico-ipam cni bin
-  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico-ipam"
-  changed_when: false
-  when: "{{ not use_hyperkube_cni|bool }}"
-
 - name: Calico | Copy cni plugins from hyperkube
-  command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
+  command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -a /opt/cni/bin/ /cnibindir/"
   register: cni_task_result
   until: cni_task_result.rc == 0
   retries: 4
@@ -51,6 +41,16 @@
   changed_when: false
   when: "{{ use_hyperkube_cni|bool }}"
 
+- name: Calico | Install calico cni bin
+  command: rsync -pi "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico"
+  changed_when: false
+  when: "{{ not use_hyperkube_cni|bool or overwrite_hyperkube_cni|bool }}"
+
+- name: Calico | Install calico-ipam cni bin
+  command: rsync -pi "{{ local_release_dir }}/calico/bin/calico-ipam" "/opt/cni/bin/calico-ipam"
+  changed_when: false
+  when: "{{ not use_hyperkube_cni|bool or overwrite_hyperkube_cni|bool }}"
+
 - name: Calico | wait for etcd
   uri: url=http://localhost:2379/health
   register: result
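Review bot: The rewritten hyperkube copy command now depends on `/usr/bin/rsync` existing at that exact path inside `{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}`, whereas the previous `/bin/cp -r` was a safer bet for a minimal image; with a hyperkube tag that lacks rsync the task only fails after four retries with a bare non-zero rc. Because `-a` also copies the image's ownership and modes onto the host's `/opt/cni/bin`, the command line should carry a comment stating the intent, e.g. `# rsync -a keeps perms and mtimes of the hyperkube plugins; requires rsync inside the hyperkube image` (I am inferring the motivation, so adjust the wording). The task's `changed_when` and `when` keywords are in the next hunk.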
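Review bot: Both new install tasks in the `@@ -51,6 +41,16 @@` hunk set `changed_when: false` even though `rsync -pi` writes to `/opt/cni/bin` whenever the release binary differs, so a run that replaces a CNI binary is reported as unchanged and the `-i` itemize output that would reveal it goes unused. Registering the result and deriving the change from it keeps the report honest: replace `changed_when: false` with `register: calico_cni_copy` and `changed_when: calico_cni_copy.stdout != ""` (the calico-ipam task gets its own register name). Dropping `-u` relative to the removed `rsync -piu` tasks is presumably deliberate so that `overwrite_hyperkube_cni` really replaces a newer hyperkube-supplied binary; a short comment on the `when` line saying so would save the next reader the archaeology.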