diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/configure-etcd.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/configure-etcd.yaml
index bc7bed9db0..4f9fe52365 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/configure-etcd.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/configure-etcd.yaml
@@ -25,7 +25,6 @@ write_files:
 
       DROP_IN_FILE=/etc/systemd/system/etcd2.service.d/20-configure-etcd.conf
       mkdir -p $(dirname $DROP_IN_FILE)
-      cert_dir="/etc/kubernetes/ssl"
       protocol="https"
 
       if [ "$TLS_DISABLED" = "True" ]; then
@@ -46,12 +45,12 @@ write_files:
       if [ "$TLS_DISABLED" = "False" ]; then
 
       cat >> $DROP_IN_FILE <<EOF
-      Environment=ETCD_CA_FILE=$cert_dir/ca.pem
-      Environment=ETCD_CERT_FILE=$cert_dir/apiserver.pem
-      Environment=ETCD_KEY_FILE=$cert_dir/apiserver-key.pem
-      Environment=ETCD_PEER_CA_FILE=$cert_dir/ca.pem
-      Environment=ETCD_PEER_CERT_FILE=$cert_dir/apiserver.pem
-      Environment=ETCD_PEER_KEY_FILE=$cert_dir/apiserver-key.pem
+      Environment=ETCD_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
+      Environment=ETCD_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
+      Environment=ETCD_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
+      Environment=ETCD_PEER_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
+      Environment=ETCD_PEER_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
+      Environment=ETCD_PEER_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
       EOF
 
       fi
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml
index 06923ba7c5..72e0293813 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml
@@ -23,9 +23,6 @@ write_files:
 
       myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
 
-      KUBE_CERTS_PATH=/etc/kubernetes/ssl
-      HOST_CERTS_PATH=/usr/share/ca-certificates
-
       TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
       TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
       CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
@@ -75,7 +72,7 @@ write_files:
             hostPort: 8080
             name: local
           volumeMounts:
-          - mountPath: /etc/kubernetes/ssl
+          - mountPath: ${KUBE_CERTS_PATH}
             name: ssl-certs-kubernetes
             readOnly: true
           - mountPath: /etc/ssl/certs
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-controller-manager.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-controller-manager.yaml
index 798f574e31..d41a38fb22 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-controller-manager.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-controller-manager.yaml
@@ -21,8 +21,6 @@ write_files:
     content: |
       #!/bin/sh
 
-      KUBE_CERTS_PATH=/etc/kubernetes/ssl
-      HOST_CERTS_PATH=/usr/share/ca-certificates
       SYSCONFIG_PATH=/etc/sysconfig
 
       SERVICE_ACCOUNT_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-master.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-master.yaml
index 4f5764942e..7a45669eba 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-master.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-master.yaml
@@ -23,8 +23,6 @@ write_files:
 
       myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
 
-      HOST_CERTS_PATH=/usr/share/ca-certificates
-
       TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
       mkdir -p $(dirname ${TEMPLATE})
       cat > ${TEMPLATE} <<EOF
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-minion.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-minion.yaml
index 9c15bbc3de..8e5f32bcac 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-minion.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-minion.yaml
@@ -23,7 +23,6 @@ write_files:
 
       myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
 
-      KUBE_CERTS_PATH=/etc/kubernetes/ssl
       KUBE_CONFIG_PATH=/etc/kubernetes/config
       KUBE_PROTOCOL="https"
       KUBE_CONFIG="${KUBE_CONFIG_PATH}/worker-kubeconfig.yaml"
@@ -56,17 +55,17 @@ write_files:
           securityContext:
             privileged: true
           volumeMounts:
-            - mountPath: /etc/kubernetes/config
-              name: "kubeconfig"
+            - mountPath: ${KUBE_CONFIG_PATH}
+              name: kubeconfig
               readOnly: true
-            - mountPath: /etc/kubernetes/ssl
-              name: "etc-kube-ssl"
+            - mountPath: ${KUBE_CERTS_PATH}
+              name: ssl-certs-kubernetes
               readOnly: true
         volumes:
-          - name: "kubeconfig"
+          - name: kubeconfig
             hostPath:
               path: ${KUBE_CONFIG_PATH}
-          - name: "etc-kube-ssl"
+          - name: ssl-certs-kubernetes
             hostPath:
               path: ${KUBE_CERTS_PATH}
       EOF
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kubelet-minion.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kubelet-minion.yaml
index 0a44918f93..0fdac9240c 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kubelet-minion.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kubelet-minion.yaml
@@ -23,7 +23,6 @@ write_files:
 
       myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
 
-      KUBE_CERTS_PATH=/etc/kubernetes/ssl
       TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
       TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
       KUBE_PROTOCOL="https"
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service-client.yaml
index 7463a06e1f..690116cfea 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service-client.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service-client.yaml
@@ -28,7 +28,6 @@ write_files:
       myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
       ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
 
-      CERT_DIR=/etc/kubernetes/ssl
       PROTOCOL=https
 
       if [ "$TLS_DISABLED" = "True" ]; then
@@ -44,9 +43,9 @@ write_files:
 
       if [ "$TLS_DISABLED" = "False" ]; then
         cat >> $ENV_FILE <<EOF
-      FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem
-      FLANNELD_ETCD_CERTFILE=$CERT_DIR/worker.pem
-      FLANNELD_ETCD_KEYFILE=$CERT_DIR/worker-key.pem
+      FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
+      FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/worker.pem
+      FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/worker-key.pem
       EOF
       fi
 
@@ -54,7 +53,7 @@ write_files:
       mkdir -p $(dirname $DROP_IN_FILE)
       cat > $DROP_IN_FILE <<EOF
       [Service]
-      Environment="ETCD_SSL_DIR=$CERT_DIR"
+      Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
       ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
       EOF
 
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service.yaml
index 5f1766ecd3..52a57189f2 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service.yaml
@@ -28,7 +28,6 @@ write_files:
       myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
       ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
 
-      CERT_DIR=/etc/kubernetes/ssl
       PROTOCOL=https
 
       if [ "$TLS_DISABLED" = "True" ]; then
@@ -44,9 +43,9 @@ write_files:
 
       if [ "$TLS_DISABLED" = "False" ]; then
         cat >> $ENV_FILE <<EOF
-      FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem
-      FLANNELD_ETCD_CERTFILE=$CERT_DIR/apiserver.pem
-      FLANNELD_ETCD_KEYFILE=$CERT_DIR/apiserver-key.pem
+      FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
+      FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/apiserver.pem
+      FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/apiserver-key.pem
       EOF
       fi
 
@@ -54,7 +53,7 @@ write_files:
       mkdir -p $(dirname $DROP_IN_FILE)
       cat > $DROP_IN_FILE <<EOF
       [Service]
-      Environment="ETCD_SSL_DIR=$CERT_DIR"
+      Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
       ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
       EOF
 
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
index 2b5488cc4f..8498a35ba3 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
@@ -42,16 +42,14 @@ write_files:
         exit 0
       fi
 
-      cert_dir=/etc/kubernetes/ssl
-      cert_conf_dir=${cert_dir}/conf
+      cert_conf_dir=${KUBE_CERTS_PATH}/conf
 
-      mkdir -p "$cert_dir"
-      mkdir -p "$cert_conf_dir"
+      mkdir -p ${cert_conf_dir}
 
-      CA_CERT=$cert_dir/ca.pem
-      CLIENT_CERT=$cert_dir/worker.pem
-      CLIENT_CSR=$cert_dir/worker.csr
-      CLIENT_KEY=$cert_dir/worker-key.pem
+      CA_CERT=${KUBE_CERTS_PATH}/ca.pem
+      CLIENT_CERT=${KUBE_CERTS_PATH}/worker.pem
+      CLIENT_CSR=${KUBE_CERTS_PATH}/worker.csr
+      CLIENT_KEY=${KUBE_CERTS_PATH}/worker-key.pem
 
       #Get a token by user credentials and trust
       cat > auth.json << EOF
@@ -129,5 +127,5 @@ write_files:
           $MAGNUM_URL/certificates)
       parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
 
-      chmod 600 ${cert_dir}/*-key.pem
-      chown root:root ${cert_dir}/*-key.pem
+      chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
+      chown root:root ${KUBE_CERTS_PATH}/*-key.pem
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
index 84663ac5af..0e710e7035 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -65,16 +65,14 @@ write_files:
       fi
       sans="${sans},IP:127.0.0.1"
 
-      cert_dir=/etc/kubernetes/ssl
-      cert_conf_dir=${cert_dir}/conf
+      cert_conf_dir=${KUBE_CERTS_PATH}/conf
 
-      mkdir -p "$cert_dir"
-      mkdir -p "$cert_conf_dir"
+      mkdir -p ${cert_conf_dir}
 
-      CA_CERT=$cert_dir/ca.pem
-      SERVER_CERT=$cert_dir/apiserver.pem
-      SERVER_CSR=$cert_dir/apiserver.pem
-      SERVER_KEY=$cert_dir/apiserver-key.pem
+      CA_CERT=${KUBE_CERTS_PATH}/ca.pem
+      SERVER_CERT=${KUBE_CERTS_PATH}/apiserver.pem
+      SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem
+      SERVER_KEY=${KUBE_CERTS_PATH}/apiserver-key.pem
 
       #Get a token by user credentials and trust
       cat > auth.json << EOF
@@ -148,6 +146,6 @@ write_files:
           $MAGNUM_URL/certificates)
       parse_json_response "${server_cert_json}" > ${SERVER_CERT}
 
-      chmod 600 ${cert_dir}/*-key.pem
+      chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
       # Certs will also be used by etcd service
-      chown -R etcd:etcd ${cert_dir}
+      chown -R etcd:etcd ${KUBE_CERTS_PATH}
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
index d472bb87a6..f2c05fab68 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
@@ -39,3 +39,5 @@ write_files:
       INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
       SYSTEM_PODS_INITIAL_DELAY="$SYSTEM_PODS_INITIAL_DELAY"
       SYSTEM_PODS_TIMEOUT="$SYSTEM_PODS_TIMEOUT"
+      KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
+      HOST_CERTS_PATH="$HOST_CERTS_PATH"
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
index b8d501c802..3914508de2 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
@@ -40,3 +40,5 @@ write_files:
       TRUSTEE_DOMAIN_ID="$TRUSTEE_DOMAIN_ID"
       TRUST_ID="$TRUST_ID"
       INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
+      KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
+      HOST_CERTS_PATH="$HOST_CERTS_PATH"
diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
index e503e727ae..d895418f16 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
@@ -232,6 +232,8 @@ resources:
             "$TRUSTEE_PASSWORD": {get_param: trustee_password}
             "$TRUST_ID": {get_param: trust_id}
             "$AUTH_URL": {get_param: auth_url}
+            "$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
+            "$HOST_CERTS_PATH": "/usr/share/ca-certificates"
 
   configure_etcd:
     type: OS::Heat::SoftwareConfig
diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
index 0c02180307..014153bce0 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
@@ -164,6 +164,8 @@ resources:
             "$TRUSTEE_PASSWORD": {get_param: trustee_password}
             "$TRUST_ID": {get_param: trust_id}
             "$AUTH_URL": {get_param: auth_url}
+            "$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
+            "$HOST_CERTS_PATH": "/usr/share/ca-certificates"
 
   write_kubeconfig:
     type: OS::Heat::SoftwareConfig