diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index a050be1da..a2199e6ef 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -56,6 +56,20 @@ kube_apiserver_admission_control:
 {%- endif -%}
 - ResourceQuota
+# 1.10+ admission plugins
+kube_apiserver_enable_admission_plugins:
+ - NamespaceLifecycle
+ - LimitRanger
+ - ServiceAccount
+ - DefaultStorageClass
+ - DefaultTolerationSeconds
+ - MutatingAdmissionWebhook
+ - ValidatingAdmissionWebhook
+ - ResourceQuota
+
+# 1.10+ list of disabled admission plugins
+kube_apiserver_disable_admission_plugins: []
+
 # extra runtime config
 kube_api_runtime_config:
 - admissionregistration.k8s.io/v1alpha1
diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 4479eb95f..438b900a9 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -37,7 +37,8 @@ apiServerExtraArgs:
 {% if kube_version | version_compare('v1.10', '<') %}
 admission-control: {{ kube_apiserver_admission_control | join(',') }}
 {% else %}
- enable-admission-plugins: {{ kube_apiserver_admission_control | join(',') }}
+ enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
+ disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
 {% endif %}
 apiserver-count: "{{ kube_apiserver_count }}"
 {% if kube_version | version_compare('v1.9', '>=') %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 02a550d7b..c373ee285 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
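Review bot: The comment `# 1.10+ admission plugins` does not say that this list replaces `kube_apiserver_admission_control` when `kube_version` is v1.10 or newer, so an inventory that overrides the old variable stops having any effect on those clusters once the two templates in this commit read `kube_apiserver_enable_admission_plugins`. Admission plugins are enforcement controls, and a plugin an operator had added to the old list would be dropped without any error. I would expand the comment to `# 1.10+ admission plugins; used instead of kube_apiserver_admission_control when kube_version >= v1.10 (overrides of the old list are not carried over)`. The new default list also has no `NodeRestriction`; whether that matches the old list cannot be checked here, because its definition starts above the hunk.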
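Review bot: With the default `kube_apiserver_disable_admission_plugins: []`, the added `disable-admission-plugins:` line renders with no value, which YAML reads as null rather than an empty string, and the value is unquoted, unlike `apiserver-count` two lines below. Emitting the key only when the list is non-empty avoids depending on how kubeadm handles that: wrap it in `{% if kube_apiserver_disable_admission_plugins | length > 0 %}` … `{% endif %}` and write `disable-admission-plugins: "{{ kube_apiserver_disable_admission_plugins | join(',') }}"`. The same applies to `--disable-admission-plugins=` in the kube-apiserver.manifest.j2 hunk, where an empty list yields a flag with an empty value. The `apiServerExtraArgs` block starts and continues outside this hunk.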
@@ -48,7 +48,8 @@ spec:
 {% if kube_version | version_compare('v1.10', '<') %}
 - --admission-control={{ kube_apiserver_admission_control | join(',') }}
 {% else %}
- - --enable-admission-plugins={{ kube_apiserver_admission_control | join(',') }}
+ - --enable-admission-plugins={{ kube_apiserver_enable_admission_plugins | join(',') }}
+ - --disable-admission-plugins={{ kube_apiserver_disable_admission_plugins | join(',') }}
 {% endif %}
 - --service-cluster-ip-range={{ kube_service_addresses }}
 - --service-node-port-range={{ kube_apiserver_node_port_range }}