rationalize network config and k8s NetworkPolicy (#2813)

2018-05-02 15:50:42 -07:00 · 2018-05-02 15:50:42 -07:00 · 94013a4d76
--- a/docs/clusterdefinition.md
+++ b/docs/clusterdefinition.md
@ -32,7 +32,8 @@ Here are the valid values for the orchestrator types:
 |---|---|---|
 |kubernetesImageBase|no|Specifies the base URL (everything preceding the actual image filename) of the kubernetes hyperkube image to use for cluster deployment, e.g., `k8s-gcrio.azureedge.net/`|
 |dockerEngineVersion|no|Which version of docker-engine to use in your cluster, e.g. "17.03.*"|
-|networkPolicy|no|Specifies the network policy tool for the cluster. Valid values are:<br>`"azure"` (default), which provides an Azure native networking experience,<br>`none` for not enforcing any network policy,<br>`calico` for Calico network policy (required for Kubernetes network policies; clusters with Linux agents only).<br>`cilium` for cilium network policy (required for Kubernetes network policies; clusters with Linux agents only).<br>See [network policy examples](../examples/networkpolicy) for more information|
+|networkPlugin|no|Specifies the network plugin implementation for the cluster. Valid values are:<br>`"azure"` (default), which provides an Azure native networking experience, or <br>`"kubenet"` for k8s software networking implementation.|
+|networkPolicy|no|Specifies the network policy enforcement tool for the cluster (currently Linux-only). Valid values are:<br>`calico` for Calico network policy.<br>`cilium` for cilium network policy (Lin).<br>See [network policy examples](../examples/networkpolicy) for more information|
 |containerRuntime|no|The container runtime to use as a backend. The default is `docker`. The only other option is `clear-containers`|
 |clusterSubnet|no|The IP subnet used for allocating IP addresses for pod network interfaces. The subnet must be in the VNET address space. Default value is 10.244.0.0/16|
 |dnsServiceIP|no|IP address for kube-dns to listen on. If specified must be in the range of `serviceCidr`|
@ -169,7 +170,7 @@ Below is a list of kubelet options that acs-engine will configure by default:
 |"--cloud-provider"|"azure"|
 |"--cluster-domain"|"cluster.local"|
 |"--pod-infra-container-image"|"pause-amd64:*version*"|
-|"--max-pods"|"30", or "100" if using kubenet --network-plugin (i.e., `"networkPolicy": "none"`)|
+|"--max-pods"|"30", or "100" if using kubenet --network-plugin (i.e., `"networkPlugin": "kubenet"`)|
 |"--eviction-hard"|"memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%"|
 |"--node-status-update-frequency"|"10s"|
 |"--image-gc-high-threshold"|"85"|
--- a/docs/kubernetes/features.md
+++ b/docs/kubernetes/features.md
@ -104,11 +104,11 @@ spec:

 ## Using Azure integrated networking (CNI)

-Kubernetes clusters are configured by default to use the [Azure CNI plugin](https://github.com/Azure/azure-container-networking) which provides an Azure native networking experience. Pods will receive IP addresses directly from the vnet subnet on which they're hosted. If the api model doesn't specify explicitly, acs-engine will automatically provide the following `networkPolicy` configuration in `kubernetesConfig`:
+Kubernetes clusters are configured by default to use the [Azure CNI plugin](https://github.com/Azure/azure-container-networking) which provides an Azure native networking experience. Pods will receive IP addresses directly from the vnet subnet on which they're hosted. If the api model doesn't specify explicitly, acs-engine will automatically provide the following `networkPlugin` configuration in `kubernetesConfig`:

 ```
      "kubernetesConfig": {
-        "networkPolicy": "azure"
+        "networkPlugin": "azure"
      }
 ```

@ -242,7 +242,7 @@ Before provisioning, modify the `masterProfile` and `agentPoolProfiles` to match

 ### Kubenet Networking Custom VNET

-If you're not using Azure CNI (e.g., `"networkPolicy": "none"` in the `kubernetesConfig` api model configuration object): After a custom VNET-configured cluster finishes provisioning, fetch the id of the Route Table resource from `Microsoft.Network` provider in your new cluster's Resource Group.
+If you're *not* using Azure CNI (e.g., `"networkPlugin": "kubenet"` in the `kubernetesConfig` api model configuration object): After a custom VNET-configured cluster finishes provisioning, fetch the id of the Route Table resource from `Microsoft.Network` provider in your new cluster's Resource Group.

 The route table resource id is of the format: `/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUPNAME/providers/Microsoft.Network/routeTables/ROUTETABLENAME`

--- a/examples/azure-cni/k8s-scaledown.json
+++ b/examples/azure-cni/k8s-scaledown.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy": "azure"
+        "networkPlugin": "azure"
      }
    },
    "masterProfile": {
--- a/examples/azure-cni/k8s-scaleup.json
+++ b/examples/azure-cni/k8s-scaleup.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy": "azure"
+        "networkPlugin": "azure"
      }
    },
    "masterProfile": {
--- a/examples/azure-cni/k8s-vnet-scaledown.json
+++ b/examples/azure-cni/k8s-vnet-scaledown.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy": "azure"
+        "networkPlugin": "azure"
      }
    },
    "masterProfile": {
--- a/examples/azure-cni/k8s-vnet-scaleup.json
+++ b/examples/azure-cni/k8s-vnet-scaleup.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy": "azure"
+        "networkPlugin": "azure"
      }
    },
    "masterProfile": {
--- a/examples/coreos/kubernetes-coreos-hybrid.json
+++ b/examples/coreos/kubernetes-coreos-hybrid.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy": "none"
+        "networkPlugin": "kubenet"
      }
    },
    "masterProfile": {
--- a/examples/coreos/kubernetes-coreos.json
+++ b/examples/coreos/kubernetes-coreos.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy": "none"
+        "networkPlugin": "kubenet"
      }
    },
    "masterProfile": {
--- a/examples/e2e-tests/kubernetes/kubernetes-config/clear-containers.json
+++ b/examples/e2e-tests/kubernetes/kubernetes-config/clear-containers.json
@ -5,7 +5,7 @@
      "orchestratorType": "Kubernetes",
      "orchestratorRelease": "1.10",
      "kubernetesConfig": {
-        "networkPolicy": "azure",
+        "networkPlugin": "azure",
        "containerRuntime": "clear-containers"
      }
    },
--- a/examples/e2e-tests/kubernetes/kubernetes-config/network-plugin-kubenet.json
+++ b/examples/e2e-tests/kubernetes/kubernetes-config/network-plugin-kubenet.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy":"none"
+        "networkPlugin":"kubenet"
      }
    },
    "masterProfile": {
--- a/examples/kubernetes-clear-containers.json
+++ b/examples/kubernetes-clear-containers.json
@ -5,7 +5,7 @@
      "orchestratorType": "Kubernetes",
      "orchestratorRelease": "1.10",
      "kubernetesConfig": {
-        "networkPolicy": "azure",
+        "networkPlugin": "azure",
        "containerRuntime": "clear-containers",
        "addons": [
          {
--- a/examples/networkplugin/README.md
+++ b/examples/networkplugin/README.md
@ -0,0 +1,57 @@
+# Microsoft Azure Container Service Engine - Network Plugin
+
+There are 2 different Network Plugin options :
+
+- Azure Container Networking (default)
+- Kubenet
+
+## Azure Container Networking (default)
+
+By default (currently Linux clusters only), the `azure` network policy is applied. It is an open source implementation of [the CNI Network Plugin interface](https://github.com/containernetworking/cni/blob/master/SPEC.md) and [the CNI Ipam plugin interface](https://github.com/containernetworking/cni/blob/master/SPEC.md#ip-address-management-ipam-interface)
+
+CNI brings the containers to a single flat L3 Azure subnet. This enables full integration with other SDN features such as network security groups and VNET peering. The plugin creates a bridge for each underlying Azure VNET. The bridge functions in L2 mode and is connected to the host network interface.
+
+If the container host VM has multiple network interfaces, the primary network interface is reserved for management traffic. A secondary interface is used for container traffic whenever possible.
+
+More detailed documentation can be found in [the Azure Container Networking Repository](https://github.com/Azure/azure-container-networking/tree/master/docs)
+
+Example of templates enabling CNI:
+
+```json
+  "properties": {
+    "orchestratorProfile": {
+      "orchestratorType": "Kubernetes",
+      "kubernetesConfig": {
+        "networkPlugin": "azure"
+      }
+    }
+    ...
+  }
+```
+
+Or by not specifying any network policy, leaving the default :
+
+```json
+    "properties": {
+    "orchestratorProfile": {
+      "orchestratorType": "Kubernetes"
+    }
+    ...
+  }
+```
+
+## Kubenet
+
+Also available is the Kubernetes-native kubenet implementation, which is declared as configuration thusly:
+
+```json
+  "properties": {
+    "orchestratorProfile": {
+      "orchestratorType": "Kubernetes",
+      "kubernetesConfig": {
+        "networkPlugin": "kubenet"
+      }
+    }
+    ...
+  }
+```
--- a/examples/networkplugin/kubernetes-azure.json
+++ b/examples/networkplugin/kubernetes-azure.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy": "azure"
+        "networkPlugin": "azure"
      }
    },
    "masterProfile": {
--- a/examples/networkpolicy/README.md
+++ b/examples/networkpolicy/README.md
@ -1,48 +1,9 @@
 # Microsoft Azure Container Service Engine - Network Policy

-There are 3 different Network Policy options :
+There are 2 different Network Policy options :

- Azure Container Networking (default)
 - Calico
- Kubenet (none)
-
-Please note that only the `calico` network policy supports the Kubernetes notion
-of network policies.
-
-## Azure Container Networking (default)
-
-By default (currently Linux clusters only), the `azure` network policy is applied. It is an open source implementation of [the CNI Network Plugin interface](https://github.com/containernetworking/cni/blob/master/SPEC.md) and [the CNI Ipam plugin interface](https://github.com/containernetworking/cni/blob/master/SPEC.md#ip-address-management-ipam-interface)
-
-CNI brings the containers to a single flat L3 Azure subnet. This enables full integration with other SDN features such as network security groups and VNET peering. The plugin creates a bridge for each underlying Azure VNET. The bridge functions in L2 mode and is connected to the host network interface.
-
-If the container host VM has multiple network interfaces, the primary network interface is reserved for management traffic. A secondary interface is used for container traffic whenever possible.
-
-More detailed documentation can be found in [the Azure Container Networking Repository](https://github.com/Azure/azure-container-networking/tree/master/docs)
-
-Example of templates enabling CNI:
-
-```json
-  "properties": {
-    "orchestratorProfile": {
-      "orchestratorType": "Kubernetes",
-      "kubernetesConfig": {
-        "networkPolicy": "azure"
-      }
-    }
-    ...
-  }
-```
-
-Or by not specifying any network policy, leaving the default :
-
-```json
-    "properties": {
-    "orchestratorProfile": {
-      "orchestratorType": "Kubernetes"
-    }
-    ...
-  }
-```
+- Cilium (docs are //TODO)

 ## Calico

@ -57,38 +18,16 @@ The kubernetes-calico deployment template enables Calico networking and policies
      }
 ```

-<<<<<<< cca21c1a50cedc2631c9e73e9401be9fae0216f6
-If `"orchestratorRelease": "1.8",` is set a K8s 1.8.x cluster will be provisioned.  If `orchestratorRelease` is not specified a K8s 1.7.x cluster will be deployed.  In either of these cases, this template will deploy the [v2.6 release](https://docs.projectcalico.org/v2.6/releases/) of [Kubernetes Datastore Install](https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/kubernetes-datastore/) version of calico with the "Calico policy-only with user-supplied networking" which supports kubernetes ingress policies and has some limitations as denoted on the referenced page.
-=======
 This template will deploy the [v3.0 release](https://docs.projectcalico.org/v3.0/releases/) of [Kubernetes Datastore Install](https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubernetes-datastore/) version of calico with the "Calico policy-only with user-supplied networking" which supports kubernetes ingress policies and has some limitations as denoted on the referenced page.
->>>>>>> Updates for 3.0 Calico

 > Note: The Typha service and deployment is installed on the cluster, but effectively disabled using the default settings of deployment replicas set to 0 and Typha service name not configured.  Typha is recommended to be enabled when scaling to 50+ nodes on the cluster to reduce the load on the Kubernetes API server.  If this functionality is desired to be configurable via the API model, please file an issue on Github requesting this feature be added.  Otherwise, this can be manually changed via modifying and applying changes with the `/etc/kubernetes/addons/calico-daemonset.yaml` file on every master node in the cluster.

-If deploying on a K8s 1.8 cluster, then egress policies are also supported!
+If deploying on a K8s 1.8 or later cluster, then egress policies are also supported!

-If `orchestratorRelease` is set to 1.5 or 1.6, then this template will deploy the [v2.4.1 release](https://github.com/projectcalico/calico/releases/tag/v2.4.1) of [Kubernetes Datastore Install](https://docs.projectcalico.org/v2.4/getting-started/kubernetes/installation/hosted/kubernetes-datastore/) version of calico with the "Calico policy-only with user-supplied networking" which supports kubernetes ingress policies and has some limitations as denoted on the referenced page.
-
-To understand how to deploy this template, please read the baseline  [Kubernetes](../../docs/kubernetes.md) document and simply make sure to use the **kubernetes-calico.json** file in this folder which has the above referenced line to enable.
+To understand how to deploy this template, please read the baseline [Kubernetes](../../docs/kubernetes.md) document, and use the example **kubernetes-calico.json** file in this folder as an api model reference.

 ### Post installation

 Once the template has been successfully deployed, following the [simple policy tutorial](https://docs.projectcalico.org/v3.0/getting-started/kubernetes/tutorials/simple-policy) or the [advanced policy tutorial](https://docs.projectcalico.org/v3.0/getting-started/kubernetes/tutorials/advanced-policy) will help to understand calico networking.

 > Note: `ping` (ICMP) traffic is blocked on the cluster by default.  Wherever `ping` is used in any tutorial substitute testing access with something like `wget -q --timeout=5 google.com -O -` instead.
-
-## Kubenet (none)
-
-Also available is the Kubernetes-native kubenet implementation, which is declared as configuration thusly:
-
-```json
-  "properties": {
-    "orchestratorProfile": {
-      "orchestratorType": "Kubernetes",
-      "kubernetesConfig": {
-        "networkPolicy": "none"
-      }
-    }
-    ...
-  }
-```
--- a/examples/vnet/kubernetesvnet.json
+++ b/examples/vnet/kubernetesvnet.json
@ -4,7 +4,7 @@
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
-        "networkPolicy": "none"
+        "networkPlugin": "kubenet"
      }
    },
    "masterProfile": {
--- a/parts/k8s/kubernetescustomscript.sh
+++ b/parts/k8s/kubernetescustomscript.sh
@ -225,10 +225,10 @@ function configKubenet() {
    chmod -R 755 $CNI_BIN_DIR
 }

-function configNetworkPolicy() {
-    if [[ "${NETWORK_POLICY}" = "azure" ]]; then
+function configNetworkPlugin() {
+    if [[ "${NETWORK_PLUGIN}" = "azure" ]]; then
        configAzureCNI
-    elif [[ "${NETWORK_POLICY}" = "none" ]] ; then
+    elif [[ "${NETWORK_PLUGIN}" = "kubenet" ]] ; then
        configKubenet
    fi
 }
@ -487,8 +487,8 @@ fi
 echo `date`,`hostname`, EnsureDockerStart>>/opt/m
 ensureDockerInstallCompleted
 ensureDocker
-echo `date`,`hostname`, configNetworkPolicyStart>>/opt/m
-configNetworkPolicy
+echo `date`,`hostname`, configNetworkPluginStart>>/opt/m
+configNetworkPlugin
 if [[ "$CONTAINER_RUNTIME" == "clear-containers" ]]; then
 	# Ensure we can nest virtualization
 	if grep -q vmx /proc/cpuinfo; then
--- a/parts/k8s/kubernetesmastervars.t
+++ b/parts/k8s/kubernetesmastervars.t
@ -127,6 +127,7 @@
    "useInstanceMetadata": "{{ UseInstanceMetadata }}",
    "kubernetesKubeDNSSpec": "[parameters('kubernetesKubeDNSSpec')]",
    "kubernetesDNSMasqSpec": "[parameters('kubernetesDNSMasqSpec')]",
+    "networkPlugin": "[parameters('networkPlugin')]",
    "networkPolicy": "[parameters('networkPolicy')]",
    "containerRuntime": "[parameters('containerRuntime')]",
    "cniPluginsURL":"[parameters('cniPluginsURL')]",
@ -232,18 +233,18 @@
    {{ if not UseManagedIdentity}}
    "servicePrincipalObjectId": "[parameters('servicePrincipalObjectId')]",
    {{end}}
-    "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' HYPERKUBE_URL=',variables('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_POLICY=',variables('networkPolicy'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'),' KUBECONFIG_SERVER=',variables('kubeconfigServer'),' KMS_PROVIDER_VAULT_NAME=',variables('clusterKeyVaultName'), ' EnableEncryptionWithExternalKms=true')]",
+    "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' HYPERKUBE_URL=',variables('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_PLUGIN=',variables('networkPlugin'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'),' KUBECONFIG_SERVER=',variables('kubeconfigServer'),' KMS_PROVIDER_VAULT_NAME=',variables('clusterKeyVaultName'), ' EnableEncryptionWithExternalKms=true')]",
  {{else}}
-    "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' HYPERKUBE_URL=',variables('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_POLICY=',variables('networkPolicy'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'),' KUBECONFIG_SERVER=',variables('kubeconfigServer'))]",
+    "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' HYPERKUBE_URL=',variables('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_PLUGIN=',variables('networkPlugin'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'),' KUBECONFIG_SERVER=',variables('kubeconfigServer'))]",
  {{end}}
 {{else}}
  {{if EnableEncryptionWithExternalKms}}
    {{ if not UseManagedIdentity}}
    "servicePrincipalObjectId": "[parameters('servicePrincipalObjectId')]",
    {{end}}
-    "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' HYPERKUBE_URL=',variables('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_POLICY=',variables('networkPolicy'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'),' KMS_PROVIDER_VAULT_NAME=',variables('clusterKeyVaultName'), ' EnableEncryptionWithExternalKms=true')]",
+    "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' HYPERKUBE_URL=',variables('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_PLUGIN=',variables('networkPlugin'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'),' KMS_PROVIDER_VAULT_NAME=',variables('clusterKeyVaultName'), ' EnableEncryptionWithExternalKms=true')]",
  {{else}}
-    "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' HYPERKUBE_URL=',variables('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_POLICY=',variables('networkPolicy'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'))]",
+    "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' HYPERKUBE_URL=',variables('kubernetesHyperkubeSpec'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' VM_TYPE=',variables('vmType'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' PRIMARY_SCALE_SET=',variables('primaryScaleSetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('singleQuote'),variables('servicePrincipalClientSecret'),variables('singleQuote'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_PLUGIN=',variables('networkPlugin'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'))]",
  {{end}}
 {{end}}
 {{end}}
--- a/parts/k8s/kubernetesparams.t
+++ b/parts/k8s/kubernetesparams.t
@ -583,9 +583,10 @@
    "networkPolicy": {
      "defaultValue": "{{.OrchestratorProfile.KubernetesConfig.NetworkPolicy}}",
      "metadata": {
-        "description": "The network policy enforcement to use (none|azure|calico|cilium)"
+        "description": "The network policy enforcement to use (calico|cilium); 'none' and 'azure' here for backwards compatibility"
      },
      "allowedValues": [
+        "",
        "none",
        "azure",
        "calico",
@ -593,6 +594,17 @@
      ],
      "type": "string"
    },
+    "networkPlugin": {
+      "defaultValue": "{{.OrchestratorProfile.KubernetesConfig.NetworkPlugin}}",
+      "metadata": {
+        "description": "The network plugin to use for Kubernetes (kubenet|azure)"
+      },
+      "allowedValues": [
+        "kubenet",
+        "azure"
+      ],
+      "type": "string"
+    },
    "containerRuntime": {
      "defaultValue": "{{.OrchestratorProfile.KubernetesConfig.ContainerRuntime}}",
      "metadata": {
--- a/parts/k8s/kuberneteswindowssetup.ps1
+++ b/parts/k8s/kuberneteswindowssetup.ps1
@ -75,6 +75,7 @@ $global:HNSModule = [Io.path]::Combine("$global:KubeDir", "hns.psm1")
 $global:VolumePluginDir = [Io.path]::Combine("$global:KubeDir", "volumeplugins")
 #azure cni
 $global:NetworkPolicy = "{{WrapAsVariable "networkPolicy"}}"
+$global:NetworkPlugin = "{{WrapAsVariable "networkPlugin"}}"
 $global:VNetCNIPluginsURL = "{{WrapAsVariable "vnetCniWindowsPluginsURL"}}"

 $global:AzureCNIDir = [Io.path]::Combine("$global:KubeDir", "azurecni")
--- a/pkg/acsengine/addons.go
+++ b/pkg/acsengine/addons.go
@ -65,12 +65,12 @@ func kubernetesAddonSettingsInit(profile *api.Properties) []kubernetesFeatureSet
 		{
 			"kubernetesmasteraddons-calico-daemonset.yaml",
 			"calico-daemonset.yaml",
-			profile.OrchestratorProfile.KubernetesConfig.NetworkPolicy == "calico",
+			profile.OrchestratorProfile.KubernetesConfig.NetworkPolicy == NetworkPolicyCalico,
 		},
 		{
 			"kubernetesmasteraddons-cilium-daemonset.yaml",
 			"cilium-daemonset.yaml",
-			profile.OrchestratorProfile.KubernetesConfig.NetworkPolicy == "cilium",
+			profile.OrchestratorProfile.KubernetesConfig.NetworkPolicy == NetworkPolicyCilium,
 		},
 		{
 			"kubernetesmasteraddons-aad-default-admin-group-rbac.yaml",
--- a/pkg/acsengine/const.go
+++ b/pkg/acsengine/const.go
@ -44,16 +44,24 @@ const (
 	// DefaultInternalLbStaticIPOffset specifies the offset of the internal LoadBalancer's IP
 	// address relative to the first consecutive Kubernetes static IP
 	DefaultInternalLbStaticIPOffset = 10
-	// NetworkPolicyNone is the string expression for no network policy
+	// NetworkPolicyNone is the string expression for the deprecated NetworkPolicy usage pattern "none"
 	NetworkPolicyNone = "none"
-	// NetworkPolicyAzure is the string expression for Azure CNI network policy
-	NetworkPolicyAzure = "azure"
+	// NetworkPolicyCalico is the string expression for calico network policy config option
+	NetworkPolicyCalico = "calico"
+	// NetworkPolicyCilium is the string expression for cilium network policy config option
+	NetworkPolicyCilium = "cilium"
+	// NetworkPluginAzure is the string expression for Azure CNI network policy
+	NetworkPluginAzure = "azure"
 	// NetworkPluginKubenet is the string expression for kubenet network plugin
 	NetworkPluginKubenet = "kubenet"
-	// DefaultNetworkPolicy defines the network policy to use by default
-	DefaultNetworkPolicy = NetworkPolicyNone
-	// DefaultNetworkPolicyWindows defines the network policy to use by default for clusters with Windows agent pools
-	DefaultNetworkPolicyWindows = NetworkPolicyNone
+	// DefaultNetworkPlugin defines the network plugin to use by default
+	DefaultNetworkPlugin = NetworkPluginKubenet
+	// DefaultNetworkPolicy defines the network policy implementation to use by default
+	DefaultNetworkPolicy = ""
+	// DefaultNetworkPluginWindows defines the network plugin implementation to use by default for clusters with Windows agent pools
+	DefaultNetworkPluginWindows = NetworkPluginKubenet
+	// DefaultNetworkPolicyWindows defines the network policy implementation to use by default for clusters with Windows agent pools
+	DefaultNetworkPolicyWindows = ""
 	// DefaultContainerRuntime is docker
 	DefaultContainerRuntime = "docker"
 	// DefaultKubernetesNodeStatusUpdateFrequency is 10s, see --node-status-update-frequency at https://kubernetes.io/docs/admin/kubelet/
--- a/pkg/acsengine/defaults-apiserver_test.go
+++ b/pkg/acsengine/defaults-apiserver_test.go
@ -345,6 +345,7 @@ func createContainerService(containerServiceName string, orchestratorVersion str
 		MaxPods:             DefaultKubernetesMaxPodsVNETIntegrated,
 		ClusterSubnet:       DefaultKubernetesSubnet,
 		ContainerRuntime:    DefaultContainerRuntime,
+		NetworkPlugin:       DefaultNetworkPlugin,
 		NetworkPolicy:       DefaultNetworkPolicy,
 		EtcdVersion:         DefaultEtcdVersion,
 		KubeletConfig:       make(map[string]string),
--- a/pkg/acsengine/defaults-kubelet.go
+++ b/pkg/acsengine/defaults-kubelet.go
@ -58,7 +58,7 @@ func setKubeletConfig(cs *api.ContainerService) {
 	}

 	// Override default --network-plugin?
-	if o.KubernetesConfig.NetworkPolicy == NetworkPolicyNone {
+	if o.KubernetesConfig.NetworkPlugin == NetworkPluginKubenet {
 		o.KubernetesConfig.KubeletConfig["--network-plugin"] = NetworkPluginKubenet
 		o.KubernetesConfig.KubeletConfig["--max-pods"] = strconv.Itoa(DefaultKubernetesMaxPods)
 	}
--- a/pkg/acsengine/defaults-kubelet_test.go
+++ b/pkg/acsengine/defaults-kubelet_test.go
@ -98,24 +98,24 @@ func TestKubeletConfigAzureContainerRegistryCofig(t *testing.T) {
 	}
 }

-func TestKubeletConfigNetworkPolicy(t *testing.T) {
-	// Test NetworkPolicy = none
+func TestKubeletConfigNetworkPlugin(t *testing.T) {
+	// Test NetworkPlugin = "kubenet"
 	cs := createContainerService("testcluster", defaultTestClusterVer, 3, 2)
-	cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = NetworkPolicyNone
+	cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin = NetworkPluginKubenet
 	setKubeletConfig(cs)
 	k := cs.Properties.OrchestratorProfile.KubernetesConfig.KubeletConfig
 	if k["--network-plugin"] != NetworkPluginKubenet {
-		t.Fatalf("got unexpected '--network-plugin' kubelet config value for NetworkPolicy=none: %s",
+		t.Fatalf("got unexpected '--network-plugin' kubelet config value for NetworkPlugin=kubenet: %s",
 			k["--network-plugin"])
 	}

-	// Test NetworkPolicy = azure
+	// Test NetworkPlugin = "azure"
 	cs = createContainerService("testcluster", defaultTestClusterVer, 3, 2)
-	cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = "azure"
+	cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin = NetworkPluginAzure
 	setKubeletConfig(cs)
 	k = cs.Properties.OrchestratorProfile.KubernetesConfig.KubeletConfig
 	if k["--network-plugin"] != "cni" {
-		t.Fatalf("got unexpected '--network-plugin' kubelet config value for NetworkPolicy=azure: %s",
+		t.Fatalf("got unexpected '--network-plugin' kubelet config value for NetworkPlugin=azure: %s",
 			k["--network-plugin"])
 	}

@ -156,20 +156,20 @@ func TestKubeletConfigEnableSecureKubelet(t *testing.T) {

 func TestKubeletMaxPods(t *testing.T) {
 	cs := createContainerService("testcluster", defaultTestClusterVer, 3, 2)
-	cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = NetworkPolicyAzure
+	cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin = NetworkPluginAzure
 	setKubeletConfig(cs)
 	k := cs.Properties.OrchestratorProfile.KubernetesConfig.KubeletConfig
 	if k["--max-pods"] != strconv.Itoa(DefaultKubernetesMaxPodsVNETIntegrated) {
 		t.Fatalf("got unexpected '--max-pods' kubelet config value for NetworkPolicy=%s: %s",
-			NetworkPolicyAzure, k["--max-pods"])
+			NetworkPluginAzure, k["--max-pods"])
 	}

 	cs = createContainerService("testcluster", defaultTestClusterVer, 3, 2)
-	cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = NetworkPolicyNone
+	cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin = NetworkPluginKubenet
 	setKubeletConfig(cs)
 	k = cs.Properties.OrchestratorProfile.KubernetesConfig.KubeletConfig
 	if k["--max-pods"] != strconv.Itoa(DefaultKubernetesMaxPods) {
 		t.Fatalf("got unexpected '--max-pods' kubelet config value for NetworkPolicy=%s: %s",
-			NetworkPolicyNone, k["--max-pods"])
+			NetworkPluginKubenet, k["--max-pods"])
 	}
 }
--- a/pkg/acsengine/defaults.go
+++ b/pkg/acsengine/defaults.go
@ -329,6 +329,21 @@ func setOrchestratorDefaults(cs *api.ContainerService) {
 		if o.KubernetesConfig == nil {
 			o.KubernetesConfig = &api.KubernetesConfig{}
 		}
+		// For backwards compatibility with original, overloaded "NetworkPolicy" config vector
+		// we translate deprecated NetworkPolicy usage to the NetworkConfig equivalent
+		// and set a default network policy enforcement configuration
+		switch o.KubernetesConfig.NetworkPolicy {
+		case NetworkPluginAzure:
+			o.KubernetesConfig.NetworkPlugin = NetworkPluginAzure
+			o.KubernetesConfig.NetworkPolicy = DefaultNetworkPolicy
+		case NetworkPolicyNone:
+			o.KubernetesConfig.NetworkPlugin = NetworkPluginKubenet
+			o.KubernetesConfig.NetworkPolicy = DefaultNetworkPolicy
+		case NetworkPolicyCalico:
+			o.KubernetesConfig.NetworkPlugin = NetworkPluginKubenet
+		case NetworkPolicyCilium:
+			o.KubernetesConfig.NetworkPlugin = NetworkPluginKubenet
+		}
 		// Add default addons specification, if no user-provided spec exists
 		if o.KubernetesConfig.Addons == nil {
 			o.KubernetesConfig.Addons = []api.KubernetesAddon{
@ -376,12 +391,12 @@ func setOrchestratorDefaults(cs *api.ContainerService) {
 			o.KubernetesConfig.EtcdVersion = DefaultEtcdVersion
 		}
 		if a.HasWindows() {
-			if o.KubernetesConfig.NetworkPolicy == "" {
-				o.KubernetesConfig.NetworkPolicy = DefaultNetworkPolicyWindows
+			if o.KubernetesConfig.NetworkPlugin == "" {
+				o.KubernetesConfig.NetworkPlugin = DefaultNetworkPluginWindows
 			}
 		} else {
-			if o.KubernetesConfig.NetworkPolicy == "" {
-				o.KubernetesConfig.NetworkPolicy = DefaultNetworkPolicy
+			if o.KubernetesConfig.NetworkPlugin == "" {
+				o.KubernetesConfig.NetworkPlugin = DefaultNetworkPlugin
 			}
 		}
 		if o.KubernetesConfig.ContainerRuntime == "" {
@ -553,8 +568,8 @@ func setOrchestratorDefaults(cs *api.ContainerService) {
 		if kc.ContainerRuntime == "" {
 			kc.ContainerRuntime = DefaultContainerRuntime
 		}
-		if kc.NetworkPolicy == "" {
-			kc.NetworkPolicy = DefaultNetworkPolicy
+		if kc.NetworkPlugin == "" {
+			kc.NetworkPlugin = DefaultNetworkPlugin
 		}
 	}
 }
--- a/pkg/acsengine/defaults_test.go
+++ b/pkg/acsengine/defaults_test.go
@ -398,6 +398,56 @@ func TestGenerateEtcdEncryptionKey(t *testing.T) {
 	}
 }

+func TestNetworkPolicyDefaults(t *testing.T) {
+	mockCS := getMockBaseContainerService("1.8.10")
+	properties := mockCS.Properties
+	properties.OrchestratorProfile.OrchestratorType = "Kubernetes"
+	properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = "calico"
+	setOrchestratorDefaults(&mockCS)
+	if properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin != "kubenet" {
+		t.Fatalf("NetworkPlugin did not have the expected value, got %s, expected %s",
+			properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin, "kubenet")
+	}
+
+	mockCS = getMockBaseContainerService("1.8.10")
+	properties = mockCS.Properties
+	properties.OrchestratorProfile.OrchestratorType = "Kubernetes"
+	properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = "cilium"
+	setOrchestratorDefaults(&mockCS)
+	if properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin != "kubenet" {
+		t.Fatalf("NetworkPlugin did not have the expected value, got %s, expected %s",
+			properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin, "kubenet")
+	}
+
+	mockCS = getMockBaseContainerService("1.8.10")
+	properties = mockCS.Properties
+	properties.OrchestratorProfile.OrchestratorType = "Kubernetes"
+	properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = "azure"
+	setOrchestratorDefaults(&mockCS)
+	if properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin != "azure" {
+		t.Fatalf("NetworkPlugin did not have the expected value, got %s, expected %s",
+			properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin, "azure")
+	}
+	if properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy != "" {
+		t.Fatalf("NetworkPolicy did not have the expected value, got %s, expected %s",
+			properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy, "")
+	}
+
+	mockCS = getMockBaseContainerService("1.8.10")
+	properties = mockCS.Properties
+	properties.OrchestratorProfile.OrchestratorType = "Kubernetes"
+	properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy = "none"
+	setOrchestratorDefaults(&mockCS)
+	if properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin != "kubenet" {
+		t.Fatalf("NetworkPlugin did not have the expected value, got %s, expected %s",
+			properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin, "kubenet")
+	}
+	if properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy != "" {
+		t.Fatalf("NetworkPolicy did not have the expected value, got %s, expected %s",
+			properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy, "")
+	}
+}
+
 func getMockAddon(name string) api.KubernetesAddon {
 	return api.KubernetesAddon{
 		Name:    name,
--- a/pkg/acsengine/engine.go
+++ b/pkg/acsengine/engine.go
@ -716,6 +716,7 @@ func getParameters(cs *api.ContainerService, isClassicMode bool, generatorCode s
 		}
 		addValue(parametersMap, "dockerBridgeCidr", properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet)
 		addValue(parametersMap, "networkPolicy", properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy)
+		addValue(parametersMap, "networkPlugin", properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin)
 		addValue(parametersMap, "containerRuntime", properties.OrchestratorProfile.KubernetesConfig.ContainerRuntime)
 		addValue(parametersMap, "cniPluginsURL", cloudSpecConfig.KubernetesSpecConfig.CNIPluginsDownloadURL)
 		addValue(parametersMap, "vnetCniLinuxPluginsURL", cloudSpecConfig.KubernetesSpecConfig.VnetCNILinuxPluginsDownloadURL)
--- a/pkg/api/agentPoolOnlyApi/v20180331/apiloader_test.go
+++ b/pkg/api/agentPoolOnlyApi/v20180331/apiloader_test.go
@ -63,7 +63,8 @@ var _ = Describe("v20180331 test suite", func() {
 			Expect(cs.Properties.LinuxProfile).NotTo(BeNil())
 			Expect(cs.Properties.OrchestratorProfile).NotTo(BeNil())
 			Expect(cs.Properties.OrchestratorProfile.OrchestratorVersion).To(Equal(k8sVersions[0]))
-			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal("none"))
+			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal(""))
+			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin).To(Equal("kubenet"))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.ServiceCIDR).To(Equal(api.DefaultKubernetesServiceCIDR))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.DNSServiceIP).To(Equal(api.DefaultKubernetesDNSServiceIP))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet).To(Equal(api.DefaultDockerBridgeSubnet))
@ -97,7 +98,8 @@ var _ = Describe("v20180331 test suite", func() {
 			Expect(cs2.Properties.LinuxProfile).To(BeNil())
 			Expect(cs2.Properties.OrchestratorProfile).NotTo(BeNil())
 			Expect(cs2.Properties.OrchestratorProfile.OrchestratorVersion).To(Equal(k8sVersions[0]))
-			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal("none"))
+			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal(""))
+			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin).To(Equal("kubenet"))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.ServiceCIDR).To(Equal(api.DefaultKubernetesServiceCIDR))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.DNSServiceIP).To(Equal(api.DefaultKubernetesDNSServiceIP))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet).To(Equal(api.DefaultDockerBridgeSubnet))
@ -151,7 +153,8 @@ var _ = Describe("v20180331 test suite", func() {
 			Expect(cs.Properties.LinuxProfile).NotTo(BeNil())
 			Expect(cs.Properties.OrchestratorProfile).NotTo(BeNil())
 			Expect(cs.Properties.OrchestratorProfile.OrchestratorVersion).To(Equal(k8sVersions[0]))
-			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal("azure"))
+			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin).To(Equal("azure"))
+			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal(""))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.ServiceCIDR).To(Equal(serviceCidr))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.DNSServiceIP).To(Equal(dnsServiceIP))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet).To(Equal(dockerBridgeCidr))
@ -185,7 +188,8 @@ var _ = Describe("v20180331 test suite", func() {
 			Expect(cs2.Properties.LinuxProfile).To(BeNil())
 			Expect(cs2.Properties.OrchestratorProfile).NotTo(BeNil())
 			Expect(cs2.Properties.OrchestratorProfile.OrchestratorVersion).To(Equal(k8sVersions[0]))
-			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal("azure"))
+			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin).To(Equal("azure"))
+			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal(""))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.ServiceCIDR).To(Equal(serviceCidr))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.DNSServiceIP).To(Equal(dnsServiceIP))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet).To(Equal(dockerBridgeCidr))
@ -239,7 +243,8 @@ var _ = Describe("v20180331 test suite", func() {
 			Expect(cs.Properties.LinuxProfile).NotTo(BeNil())
 			Expect(cs.Properties.OrchestratorProfile).NotTo(BeNil())
 			Expect(cs.Properties.OrchestratorProfile.OrchestratorVersion).To(Equal(k8sVersions[0]))
-			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal("azure"))
+			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin).To(Equal("azure"))
+			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal(""))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.ServiceCIDR).To(Equal(serviceCidr))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.DNSServiceIP).To(Equal(dnsServiceIP))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet).To(Equal(dockerBridgeCidr))
@ -277,7 +282,8 @@ var _ = Describe("v20180331 test suite", func() {
 			Expect(cs2.Properties.LinuxProfile).To(BeNil())
 			Expect(cs2.Properties.OrchestratorProfile).NotTo(BeNil())
 			Expect(cs2.Properties.OrchestratorProfile.OrchestratorVersion).To(Equal(k8sVersions[0]))
-			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal("azure"))
+			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin).To(Equal("azure"))
+			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal(""))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.ServiceCIDR).To(Equal(serviceCidr))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.DNSServiceIP).To(Equal(dnsServiceIP))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet).To(Equal(dockerBridgeCidr))
@ -331,7 +337,8 @@ var _ = Describe("v20180331 test suite", func() {
 			Expect(cs.Properties.LinuxProfile).NotTo(BeNil())
 			Expect(cs.Properties.OrchestratorProfile).NotTo(BeNil())
 			Expect(cs.Properties.OrchestratorProfile.OrchestratorVersion).To(Equal(k8sVersions[0]))
-			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal("azure"))
+			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin).To(Equal("azure"))
+			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal(""))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.ServiceCIDR).To(Equal(serviceCidr))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.DNSServiceIP).To(Equal(dnsServiceIP))
 			Expect(cs.Properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet).To(Equal(dockerBridgeCidr))
@ -361,7 +368,8 @@ var _ = Describe("v20180331 test suite", func() {
 			Expect(cs2.Properties.LinuxProfile).To(BeNil())
 			Expect(cs2.Properties.OrchestratorProfile).NotTo(BeNil())
 			Expect(cs2.Properties.OrchestratorProfile.OrchestratorVersion).To(Equal(k8sVersions[1]))
-			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal("azure"))
+			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPlugin).To(Equal("azure"))
+			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.NetworkPolicy).To(Equal(""))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.ServiceCIDR).To(Equal(serviceCidr))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.DNSServiceIP).To(Equal(dnsServiceIP))
 			Expect(cs2.Properties.OrchestratorProfile.KubernetesConfig.DockerBridgeSubnet).To(Equal(dockerBridgeCidr))
--- a/pkg/api/converterfromagentpoolonlyapi.go
+++ b/pkg/api/converterfromagentpoolonlyapi.go
@ -189,14 +189,9 @@ func convertOrchestratorProfileToV20180331AgentPoolOnly(orchestratorProfile *Orc

 	if orchestratorProfile.KubernetesConfig != nil {
 		k := orchestratorProfile.KubernetesConfig
-		if k.NetworkPolicy != "" || k.ServiceCIDR != "" || k.DNSServiceIP != "" || k.DockerBridgeSubnet != "" {
+		if k.NetworkPlugin != "" || k.ServiceCIDR != "" || k.DNSServiceIP != "" || k.DockerBridgeSubnet != "" {
 			networkProfile = &v20180331.NetworkProfile{}
-			// ACS-E uses "none" in the un-versioned model to represent kubenet.
-			if k.NetworkPolicy == "none" {
-				networkProfile.NetworkPlugin = v20180331.Kubenet
-			} else {
-				networkProfile.NetworkPlugin = v20180331.NetworkPlugin(k.NetworkPolicy)
-			}
+			networkProfile.NetworkPlugin = v20180331.NetworkPlugin(k.NetworkPlugin)
 			networkProfile.ServiceCidr = k.ServiceCIDR
 			networkProfile.DNSServiceIP = k.DNSServiceIP
 			networkProfile.DockerBridgeCidr = k.DockerBridgeSubnet
--- a/pkg/api/converterfromagentpoolonlyapi_test.go
+++ b/pkg/api/converterfromagentpoolonlyapi_test.go
@ -10,14 +10,14 @@ import (

 func TestConvertOrchestratorProfileToV20180331AgentPoolOnly(t *testing.T) {
 	orchestratorVersion := "1.7.9"
-	networkPolicy := "azure"
+	networkPlugin := "azure"
 	serviceCIDR := "10.0.0.0/8"
 	dnsServiceIP := "10.0.0.10"
 	dockerBridgeSubnet := "172.17.0.1/16"

 	// all networkProfile related fields are defined in kubernetesConfig
 	kubernetesConfig := &KubernetesConfig{
-		NetworkPolicy:      networkPolicy,
+		NetworkPlugin:      networkPlugin,
 		ServiceCIDR:        serviceCIDR,
 		DNSServiceIP:       dnsServiceIP,
 		DockerBridgeSubnet: dockerBridgeSubnet,
@ -35,7 +35,7 @@ func TestConvertOrchestratorProfileToV20180331AgentPoolOnly(t *testing.T) {
 		t.Error("error in orchestrator profile orchestratorVersion conversion")
 	}

-	if string(p.NetworkPlugin) != networkPolicy {
+	if string(p.NetworkPlugin) != networkPlugin {
 		t.Error("error in orchestrator profile networkPlugin conversion")
 	}

@ -70,7 +70,7 @@ func TestConvertOrchestratorProfileToV20180331AgentPoolOnly(t *testing.T) {

 	// only networkProfile networkPolicy field is defined in kubernetesConfig
 	kubernetesConfig = &KubernetesConfig{
-		NetworkPolicy: networkPolicy,
+		NetworkPlugin: networkPlugin,
 	}
 	api = &OrchestratorProfile{
 		OrchestratorVersion: orchestratorVersion,
@ -83,7 +83,7 @@ func TestConvertOrchestratorProfileToV20180331AgentPoolOnly(t *testing.T) {
 		t.Error("error in orchestrator profile orchestratorVersion conversion")
 	}

-	if string(p.NetworkPlugin) != networkPolicy {
+	if string(p.NetworkPlugin) != networkPlugin {
 		t.Error("error in orchestrator profile networkPlugin conversion")
 	}

--- a/pkg/api/converterfromapi.go
+++ b/pkg/api/converterfromapi.go
@ -699,6 +699,7 @@ func convertKubernetesConfigToVLabs(api *KubernetesConfig, vlabs *vlabs.Kubernet
 	vlabs.DNSServiceIP = api.DNSServiceIP
 	vlabs.ServiceCidr = api.ServiceCIDR
 	vlabs.NetworkPolicy = api.NetworkPolicy
+	vlabs.NetworkPlugin = api.NetworkPlugin
 	vlabs.MaxPods = api.MaxPods
 	vlabs.DockerBridgeSubnet = api.DockerBridgeSubnet
 	vlabs.CloudProviderBackoff = api.CloudProviderBackoff
--- a/pkg/api/convertertoagentpoolonlyapi.go
+++ b/pkg/api/convertertoagentpoolonlyapi.go
@ -230,7 +230,7 @@ func convertV20170831AgentPoolOnlyOrchestratorProfile(kubernetesVersion string)
 			EnableRbac:          helpers.PointerToBool(false),
 			EnableSecureKubelet: helpers.PointerToBool(false),
 			// set network default for un-versioned model
-			NetworkPolicy:      "none",
+			NetworkPolicy:      string(v20180331.Kubenet),
 			ClusterSubnet:      DefaultKubernetesClusterSubnet,
 			ServiceCIDR:        DefaultKubernetesServiceCIDR,
 			DNSServiceIP:       DefaultKubernetesDNSServiceIP,
@ -400,7 +400,7 @@ func convertV20180331AgentPoolOnlyOrchestratorProfile(kubernetesVersion string,
 	if networkProfile != nil {
 		switch networkProfile.NetworkPlugin {
 		case v20180331.Azure:
-			kubernetesConfig.NetworkPolicy = "azure"
+			kubernetesConfig.NetworkPlugin = "azure"

 			if networkProfile.ServiceCidr != "" {
 				kubernetesConfig.ServiceCIDR = networkProfile.ServiceCidr
@ -420,7 +420,7 @@ func convertV20180331AgentPoolOnlyOrchestratorProfile(kubernetesVersion string,
 				kubernetesConfig.DockerBridgeSubnet = DefaultDockerBridgeSubnet
 			}
 		case v20180331.Kubenet:
-			kubernetesConfig.NetworkPolicy = "none"
+			kubernetesConfig.NetworkPlugin = "kubenet"

 			kubernetesConfig.ClusterSubnet = DefaultKubernetesClusterSubnet

@ -442,14 +442,14 @@ func convertV20180331AgentPoolOnlyOrchestratorProfile(kubernetesVersion string,
 				kubernetesConfig.DockerBridgeSubnet = DefaultDockerBridgeSubnet
 			}
 		default:
-			kubernetesConfig.NetworkPolicy = string(networkProfile.NetworkPlugin)
+			kubernetesConfig.NetworkPlugin = string(networkProfile.NetworkPlugin)
 			kubernetesConfig.ServiceCIDR = networkProfile.ServiceCidr
 			kubernetesConfig.DNSServiceIP = networkProfile.DNSServiceIP
 			kubernetesConfig.DockerBridgeSubnet = networkProfile.DockerBridgeCidr
 		}
 	} else {
 		// set network default for un-versioned model
-		kubernetesConfig.NetworkPolicy = "none"
+		kubernetesConfig.NetworkPlugin = string(v20180331.Kubenet)
 		kubernetesConfig.ClusterSubnet = DefaultKubernetesClusterSubnet
 		kubernetesConfig.ServiceCIDR = DefaultKubernetesServiceCIDR
 		kubernetesConfig.DNSServiceIP = DefaultKubernetesDNSServiceIP
--- a/pkg/api/convertertoagentpoolonlyapi_test.go
+++ b/pkg/api/convertertoagentpoolonlyapi_test.go
@ -30,7 +30,7 @@ func TestConvertV20180331AgentPoolOnlyOrchestratorProfile(t *testing.T) {
 		t.Error("error in orchestrator profile kubernetesVersion conversion")
 	}

-	if api.KubernetesConfig.NetworkPolicy != string(networkPlugin) {
+	if api.KubernetesConfig.NetworkPlugin != string(networkPlugin) {
 		t.Error("error in orchestrator profile networkPlugin conversion")
 	}

@ -55,7 +55,7 @@ func TestConvertV20180331AgentPoolOnlyOrchestratorProfile(t *testing.T) {
 		t.Error("error in orchestrator profile kubernetesVersion conversion")
 	}

-	if api.KubernetesConfig.NetworkPolicy != "none" {
+	if api.KubernetesConfig.NetworkPlugin != "kubenet" {
 		t.Error("error in orchestrator profile networkPlugin conversion")
 	}

@ -86,7 +86,7 @@ func TestConvertV20180331AgentPoolOnlyOrchestratorProfile(t *testing.T) {
 		t.Error("error in orchestrator profile kubernetesVersion conversion")
 	}

-	if api.KubernetesConfig.NetworkPolicy != "none" {
+	if api.KubernetesConfig.NetworkPlugin != "kubenet" {
 		t.Error("error in orchestrator profile networkPlugin conversion")
 	}

--- a/pkg/api/convertertoapi.go
+++ b/pkg/api/convertertoapi.go
@ -656,6 +656,7 @@ func convertVLabsKubernetesConfig(vlabs *vlabs.KubernetesConfig, api *Kubernetes
 	api.DNSServiceIP = vlabs.DNSServiceIP
 	api.ServiceCIDR = vlabs.ServiceCidr
 	api.NetworkPolicy = vlabs.NetworkPolicy
+	api.NetworkPlugin = vlabs.NetworkPlugin
 	api.ContainerRuntime = vlabs.ContainerRuntime
 	api.MaxPods = vlabs.MaxPods
 	api.DockerBridgeSubnet = vlabs.DockerBridgeSubnet
@ -698,11 +699,11 @@ func setVlabsKubernetesDefaults(vp *vlabs.Properties, api *OrchestratorProfile)
 	if api.KubernetesConfig == nil {
 		api.KubernetesConfig = &KubernetesConfig{}
 	}
-	if api.KubernetesConfig.NetworkPolicy == "" {
+	if api.KubernetesConfig.NetworkPlugin == "" {
 		if vp.HasWindows() {
-			api.KubernetesConfig.NetworkPolicy = vlabs.DefaultNetworkPolicyWindows
+			api.KubernetesConfig.NetworkPlugin = vlabs.DefaultNetworkPluginWindows
 		} else {
-			api.KubernetesConfig.NetworkPolicy = vlabs.DefaultNetworkPolicy
+			api.KubernetesConfig.NetworkPlugin = vlabs.DefaultNetworkPlugin
 		}
 	}
 }
--- a/pkg/api/convertertoapi_test.go
+++ b/pkg/api/convertertoapi_test.go
@ -139,6 +139,9 @@ func TestKubernetesVlabsDefaults(t *testing.T) {
 	if ap.OrchestratorProfile.KubernetesConfig == nil {
 		t.Fatalf("KubernetesConfig cannot be nil after vlabs default conversion")
 	}
+	if ap.OrchestratorProfile.KubernetesConfig.NetworkPlugin != vlabs.DefaultNetworkPlugin {
+		t.Fatalf("vlabs defaults not applied, expected NetworkPlugin: %s, instead got: %s", vlabs.DefaultNetworkPlugin, ap.OrchestratorProfile.KubernetesConfig.NetworkPlugin)
+	}
 	if ap.OrchestratorProfile.KubernetesConfig.NetworkPolicy != vlabs.DefaultNetworkPolicy {
 		t.Fatalf("vlabs defaults not applied, expected NetworkPolicy: %s, instead got: %s", vlabs.DefaultNetworkPolicy, ap.OrchestratorProfile.KubernetesConfig.NetworkPolicy)
 	}
@ -151,8 +154,11 @@ func TestKubernetesVlabsDefaults(t *testing.T) {
 	if ap.OrchestratorProfile.KubernetesConfig == nil {
 		t.Fatalf("KubernetesConfig cannot be nil after vlabs default conversion")
 	}
-	if ap.OrchestratorProfile.KubernetesConfig.NetworkPolicy != vlabs.DefaultNetworkPolicyWindows {
-		t.Fatalf("vlabs defaults not applied, expected NetworkPolicy: %s, instead got: %s", vlabs.DefaultNetworkPolicyWindows, ap.OrchestratorProfile.KubernetesConfig.NetworkPolicy)
+	if ap.OrchestratorProfile.KubernetesConfig.NetworkPlugin != vlabs.DefaultNetworkPluginWindows {
+		t.Fatalf("vlabs defaults not applied, expected NetworkPlugin: %s, instead got: %s", vlabs.DefaultNetworkPluginWindows, ap.OrchestratorProfile.KubernetesConfig.NetworkPlugin)
+	}
+	if ap.OrchestratorProfile.KubernetesConfig.NetworkPolicy != vlabs.DefaultNetworkPolicy {
+		t.Fatalf("vlabs defaults not applied, expected NetworkPolicy: %s, instead got: %s", vlabs.DefaultNetworkPolicy, ap.OrchestratorProfile.KubernetesConfig.NetworkPolicy)
 	}
 }

--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@ -264,6 +264,7 @@ type KubernetesConfig struct {
 	KubernetesImageBase              string            `json:"kubernetesImageBase,omitempty"`
 	ClusterSubnet                    string            `json:"clusterSubnet,omitempty"`
 	NetworkPolicy                    string            `json:"networkPolicy,omitempty"`
+	NetworkPlugin                    string            `json:"networkPlugin,omitempty"`
 	ContainerRuntime                 string            `json:"containerRuntime,omitempty"`
 	MaxPods                          int               `json:"maxPods,omitempty"`
 	DockerBridgeSubnet               string            `json:"dockerBridgeSubnet,omitempty"`
@ -757,11 +758,11 @@ func (o *OrchestratorProfile) IsDCOS() bool {
 	return o.OrchestratorType == DCOS
 }

-// IsAzureCNI returns true if Azure VNET integration is enabled
+// IsAzureCNI returns true if Azure CNI network plugin is enabled
 func (o *OrchestratorProfile) IsAzureCNI() bool {
 	switch o.OrchestratorType {
 	case Kubernetes:
-		return o.KubernetesConfig.NetworkPolicy == "azure"
+		return o.KubernetesConfig.NetworkPlugin == "azure"
 	default:
 		return false
 	}
--- a/pkg/api/vlabs/const.go
+++ b/pkg/api/vlabs/const.go
@ -71,8 +71,12 @@ const (
 )

 var (
+	// NetworkPluginValues holds the valid values for network plugin implementation
+	NetworkPluginValues = [...]string{"", "kubenet", "azure"}
+
 	// NetworkPolicyValues holds the valid values for a network policy
-	NetworkPolicyValues = [...]string{"", "none", "azure", "calico", "cilium"}
+	// "azure" and "none" are there for backwards-compatibility
+	NetworkPolicyValues = [...]string{"", "calico", "cilium", "azure", "none"}

 	// ContainerRuntimeValues holds the valid values for container runtimes
 	ContainerRuntimeValues = [...]string{"", "docker", "clear-containers"}
@ -86,10 +90,12 @@ const (

 // vlabs default configuration
 const (
+	// DefaultNetworkPlugin defines the network plugin to use by default
+	DefaultNetworkPlugin = "azure"
+	// DefaultNetworkPluginWindows defines the network plugin to use by default for clusters with Windows agent pools
+	DefaultNetworkPluginWindows = "azure"
 	// DefaultNetworkPolicy defines the network policy to use by default
-	DefaultNetworkPolicy = "azure"
-	// DefaultNetworkPolicyWindows defines the network policy to use by default for clusters with Windows agent pools
-	DefaultNetworkPolicyWindows = "azure"
+	DefaultNetworkPolicy = ""
 )

 const (
--- a/pkg/api/vlabs/types.go
+++ b/pkg/api/vlabs/types.go
@ -266,6 +266,7 @@ type KubernetesConfig struct {
 	DNSServiceIP                    string            `json:"dnsServiceIP,omitempty"`
 	ServiceCidr                     string            `json:"serviceCidr,omitempty"`
 	NetworkPolicy                   string            `json:"networkPolicy,omitempty"`
+	NetworkPlugin                   string            `json:"networkPlugin,omitempty"`
 	ContainerRuntime                string            `json:"containerRuntime,omitempty"`
 	MaxPods                         int               `json:"maxPods,omitempty"`
 	DockerBridgeSubnet              string            `json:"dockerBridgeSubnet,omitempty"`
--- a/pkg/api/vlabs/validate.go
+++ b/pkg/api/vlabs/validate.go
@ -28,6 +28,44 @@ var (
 		"3.1.0", "3.1.1", "3.1.2", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7", "3.1.8", "3.1.9", "3.1.10",
 		"3.2.0", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.11", "3.2.12",
 		"3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.3.0", "3.3.1"}
+	networkPluginPlusPolicyAllowed = []k8sNetworkConfig{
+		{
+			networkPlugin: "",
+			networkPolicy: "",
+		},
+		{
+			networkPlugin: "azure",
+			networkPolicy: "",
+		},
+		{
+			networkPlugin: "kubenet",
+			networkPolicy: "",
+		},
+		{
+			networkPlugin: "kubenet",
+			networkPolicy: "calico",
+		},
+		{
+			networkPlugin: "kubenet",
+			networkPolicy: "cilium",
+		},
+		{
+			networkPlugin: "",
+			networkPolicy: "calico",
+		},
+		{
+			networkPlugin: "",
+			networkPolicy: "cilium",
+		},
+		{
+			networkPlugin: "",
+			networkPolicy: "azure", // for backwards-compatibility w/ prior networkPolicy usage
+		},
+		{
+			networkPlugin: "",
+			networkPolicy: "none", // for backwards-compatibility w/ prior networkPolicy usage
+		},
+	}
 )

 const (
@ -36,6 +74,11 @@ const (
 	labelKeyFormat          = "^(([a-zA-Z0-9-]+[.])*[a-zA-Z0-9-]+[/])?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"
 )

+type k8sNetworkConfig struct {
+	networkPlugin string
+	networkPolicy string
+}
+
 func init() {
 	validate = validator.New()
 	keyvaultIDRegex = regexp.MustCompile(`^/subscriptions/\S+/resourceGroups/\S+/providers/Microsoft.KeyVault/vaults/[^/\s]+$`)
@ -392,9 +435,15 @@ func (a *Properties) Validate(isUpdate bool) error {
 	if e := a.OrchestratorProfile.Validate(isUpdate); e != nil {
 		return e
 	}
+	if e := a.validateNetworkPlugin(); e != nil {
+		return e
+	}
 	if e := a.validateNetworkPolicy(); e != nil {
 		return e
 	}
+	if e := a.validateNetworkPluginPlusPolicy(); e != nil {
+		return e
+	}
 	if e := a.validateContainerRuntime(); e != nil {
 		return e
 	}
@ -690,7 +739,7 @@ func (a *KubernetesConfig) Validate(k8sVersion string) error {
 			return fmt.Errorf("OrchestratorProfile.KubernetesConfig.ClusterSubnet '%s' is an invalid subnet", a.ClusterSubnet)
 		}

-		if a.NetworkPolicy == "azure" {
+		if a.NetworkPlugin == "azure" {
 			ones, bits := subnet.Mask.Size()
 			if bits-ones <= 8 {
 				return fmt.Errorf("OrchestratorProfile.KubernetesConfig.ClusterSubnet '%s' must reserve at least 9 bits for nodes", a.ClusterSubnet)
@ -824,6 +873,33 @@ func (a *KubernetesConfig) Validate(k8sVersion string) error {
 	return nil
 }

+func (a *Properties) validateNetworkPlugin() error {
+	var networkPlugin string
+
+	switch a.OrchestratorProfile.OrchestratorType {
+	case Kubernetes:
+		if a.OrchestratorProfile.KubernetesConfig != nil {
+			networkPlugin = a.OrchestratorProfile.KubernetesConfig.NetworkPlugin
+		}
+	default:
+		return nil
+	}
+
+	// Check NetworkPlugin has a valid value.
+	valid := false
+	for _, plugin := range NetworkPluginValues {
+		if networkPlugin == plugin {
+			valid = true
+			break
+		}
+	}
+	if !valid {
+		return fmt.Errorf("unknown networkPlugin '%s' specified", networkPlugin)
+	}
+
+	return nil
+}
+
 func (a *Properties) validateNetworkPolicy() error {
 	var networkPolicy string

@ -838,8 +914,8 @@ func (a *Properties) validateNetworkPolicy() error {

 	// Check NetworkPolicy has a valid value.
 	valid := false
-	for _, policy := range NetworkPolicyValues {
-		if networkPolicy == policy {
+	for _, plugin := range NetworkPolicyValues {
+		if networkPolicy == plugin {
 			valid = true
 			break
 		}
@ -856,6 +932,24 @@ func (a *Properties) validateNetworkPolicy() error {
 	return nil
 }

+func (a *Properties) validateNetworkPluginPlusPolicy() error {
+	var config k8sNetworkConfig
+
+	if a.OrchestratorProfile.KubernetesConfig != nil {
+		config.networkPlugin = a.OrchestratorProfile.KubernetesConfig.NetworkPlugin
+	}
+	if a.OrchestratorProfile.KubernetesConfig != nil {
+		config.networkPolicy = a.OrchestratorProfile.KubernetesConfig.NetworkPolicy
+	}
+
+	for _, c := range networkPluginPlusPolicyAllowed {
+		if c.networkPlugin == config.networkPlugin && c.networkPolicy == config.networkPolicy {
+			return nil
+		}
+	}
+	return fmt.Errorf("networkPolicy '%s' is not supported with networkPlugin '%s'", config.networkPolicy, config.networkPlugin)
+}
+
 func (a *Properties) validateContainerRuntime() error {
 	var containerRuntime string

--- a/pkg/api/vlabs/validate_test.go
+++ b/pkg/api/vlabs/validate_test.go
@ -353,6 +353,85 @@ func Test_Properties_ValidateNetworkPolicy(t *testing.T) {
 	}
 }

+func Test_Properties_ValidateNetworkPlugin(t *testing.T) {
+	p := &Properties{}
+	p.OrchestratorProfile = &OrchestratorProfile{}
+	p.OrchestratorProfile.OrchestratorType = Kubernetes
+
+	for _, policy := range NetworkPluginValues {
+		p.OrchestratorProfile.KubernetesConfig = &KubernetesConfig{}
+		p.OrchestratorProfile.KubernetesConfig.NetworkPlugin = policy
+		if err := p.validateNetworkPlugin(); err != nil {
+			t.Errorf(
+				"should not error on networkPolicy=\"%s\"",
+				policy,
+			)
+		}
+	}
+
+	p.OrchestratorProfile.KubernetesConfig.NetworkPlugin = "not-existing"
+	if err := p.validateNetworkPlugin(); err == nil {
+		t.Errorf(
+			"should error on invalid networkPlugin",
+		)
+	}
+}
+
+func Test_Properties_ValidateNetworkPluginPlusPolicy(t *testing.T) {
+	p := &Properties{}
+	p.OrchestratorProfile = &OrchestratorProfile{}
+	p.OrchestratorProfile.OrchestratorType = Kubernetes
+
+	for _, config := range networkPluginPlusPolicyAllowed {
+		p.OrchestratorProfile.KubernetesConfig = &KubernetesConfig{}
+		p.OrchestratorProfile.KubernetesConfig.NetworkPlugin = config.networkPlugin
+		p.OrchestratorProfile.KubernetesConfig.NetworkPolicy = config.networkPolicy
+		if err := p.validateNetworkPluginPlusPolicy(); err != nil {
+			t.Errorf(
+				"should not error on networkPolicy=\"%s\" + networkPlugin=\"%s\"",
+				config.networkPolicy, config.networkPlugin,
+			)
+		}
+	}
+
+	for _, config := range []k8sNetworkConfig{
+		{
+			networkPlugin: "azure",
+			networkPolicy: "calico",
+		},
+		{
+			networkPlugin: "azure",
+			networkPolicy: "cilium",
+		},
+		{
+			networkPlugin: "azure",
+			networkPolicy: "azure",
+		},
+		{
+			networkPlugin: "kubenet",
+			networkPolicy: "none",
+		},
+		{
+			networkPlugin: "azure",
+			networkPolicy: "none",
+		},
+		{
+			networkPlugin: "kubenet",
+			networkPolicy: "kubenet",
+		},
+	} {
+		p.OrchestratorProfile.KubernetesConfig = &KubernetesConfig{}
+		p.OrchestratorProfile.KubernetesConfig.NetworkPlugin = config.networkPlugin
+		p.OrchestratorProfile.KubernetesConfig.NetworkPolicy = config.networkPolicy
+		if err := p.validateNetworkPluginPlusPolicy(); err == nil {
+			t.Errorf(
+				"should error on networkPolicy=\"%s\" + networkPlugin=\"%s\"",
+				config.networkPolicy, config.networkPlugin,
+			)
+		}
+	}
+}
+
 func Test_ServicePrincipalProfile_ValidateSecretOrKeyvaultSecretRef(t *testing.T) {

 	t.Run("ServicePrincipalProfile with secret should pass", func(t *testing.T) {