diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ddeae95b6..d51c6887c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -62,7 +62,7 @@ before_script:
 KUBELET_DEPLOYMENT: "docker"
 VAULT_DEPLOYMENT: "docker"
 WEAVE_CPU_LIMIT: "100m"
- AUTHORIZATION_MODES: "{ 'authorization_modes': ['AlwaysAllow'] }"
+ AUTHORIZATION_MODES: "{ 'authorization_modes': [] }"
 MAGIC: "ci check this"

 .gce: &gce
diff --git a/docs/vars.md b/docs/vars.md
index 46684395f..dd9988715 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -69,7 +69,7 @@ following default cluster paramters:
 Kubernetes
 * *authorization_modes* - A list of [authorization mode](
 https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
- that the cluster should be configured for. Defaults to `['AlwaysAllow']`.
+ that the cluster should be configured for. Defaults to `[]` (i.e. no authorization).
 Note: Only `AlwaysAllow`, `AlwaysDeny` and `RBAC` are tested.

 Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index db5fc1997..ed827d27b 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -118,5 +118,5 @@ enable_network_policy: false
 ## List of authorization modes that must be configured for
 ## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
 ## 'RBAC' modes are tested.
-authorization_modes: ['AlwaysAllow']
+authorization_modes: []
 rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
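Review bot: With the shared `AUTHORIZATION_MODES` default in `.gitlab-ci.yml` now an empty list, every job that does not override the variable deploys a cluster with no explicit authorization mode, so those jobs give no coverage of the authorization path. Whether any job elsewhere in the file sets `['RBAC']` is not visible here, because the variables block starts above the hunk and the job definitions follow it. If none does, at least one job should pin it. A comment above the variable would make the intent clear, for example `# empty list: no authorization mode is configured; jobs that test RBAC must override this`.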
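Review bot: The new default `authorization_modes: []` in `roles/kubespray-defaults/defaults/main.yaml` ships clusters with no configured authorizer, and the comment above it lists the tested modes without saying what an empty list means. kube-apiserver's own default for `--authorization-mode` is `AlwaysAllow`, so if the role simply omits the flag for an empty list (the template is outside this diff), every authenticated request is still permitted. The `docs/vars.md` wording "no authorization" then reads as a neutral state rather than an open one. I would extend the comment with a line such as `## An empty list passes no mode, so kube-apiserver falls back to AlwaysAllow; set ['RBAC'] on any non-test cluster.` The `rbac_enabled` expression on the following line also evaluates to false under the new default, so RBAC-dependent tasks are skipped unless the operator opts in.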