diff --git a/pkg/assets/builder.go b/pkg/assets/builder.go
index ad1b4a4f70..febac67ef0 100644
--- a/pkg/assets/builder.go
+++ b/pkg/assets/builder.go
@@ -210,7 +210,7 @@ func (a *AssetBuilder) RemapImage(image string) (string, error) {
 	return image, nil
 }
 
-// RemapFileAndSHA returns a remapped url for the file, if AssetsLocation is defined.
+// RemapFileAndSHA returns a remapped URL for the file, if AssetsLocation is defined.
 // It also returns the SHA hash of the file.
 func (a *AssetBuilder) RemapFileAndSHA(fileURL *url.URL) (*url.URL, *hashing.Hash, error) {
 	if fileURL == nil {
@@ -240,15 +240,13 @@ func (a *AssetBuilder) RemapFileAndSHA(fileURL *url.URL) (*url.URL, *hashing.Has
 	}
 	fileAsset.SHAValue = h.Hex()
 
-	a.FileAssets = append(a.FileAssets, fileAsset)
 	klog.V(8).Infof("adding file: %+v", fileAsset)
+	a.FileAssets = append(a.FileAssets, fileAsset)
 
 	return fileAsset.DownloadURL, h, nil
 }
 
-// TODO - remove this method as CNI does now have a SHA file
-
-// RemapFileAndSHAValue is used exclusively to remap the cni tarball, as the tarball does not have a sha file in object storage.
+// RemapFileAndSHAValue returns a remapped URL for the file without a SHA file in object storage, if AssetsLocation is defined.
 func (a *AssetBuilder) RemapFileAndSHAValue(fileURL *url.URL, shaValue string) (*url.URL, error) {
 	if fileURL == nil {
 		return nil, fmt.Errorf("unable to remap a nil URL")
@@ -271,6 +269,7 @@ func (a *AssetBuilder) RemapFileAndSHAValue(fileURL *url.URL, shaValue string) (
 		klog.V(4).Infof("adding remapped file: %q", fileAsset.DownloadURL.String())
 	}
 
+	klog.V(8).Infof("adding file: %+v", fileAsset)
 	a.FileAssets = append(a.FileAssets, fileAsset)
 
 	return fileAsset.DownloadURL, nil
diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go
index f7c4b7e4a5..411cb4a181 100644
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@@ -62,7 +62,6 @@ import (
 	"k8s.io/kops/upup/pkg/fi/cloudup/openstack"
 	"k8s.io/kops/upup/pkg/fi/cloudup/terraform"
 	"k8s.io/kops/util/pkg/architectures"
-	"k8s.io/kops/util/pkg/hashing"
 	"k8s.io/kops/util/pkg/vfs"
 )
 
@@ -1079,39 +1078,11 @@ func (c *ApplyClusterCmd) addFileAssets(assetBuilder *assets.AssetBuilder) error
 		c.Assets[arch] = append(c.Assets[arch], BuildMirroredAsset(cniAsset, cniAssetHash))
 
 		if c.Cluster.Spec.Networking.LyftVPC != nil {
-			var hash *hashing.Hash
-
-			urlString := os.Getenv("LYFT_VPC_DOWNLOAD_URL")
-			if urlString == "" {
-				switch arch {
-				case architectures.ArchitectureAmd64:
-					urlString = "https://github.com/lyft/cni-ipvlan-vpc-k8s/releases/download/v0.6.0/cni-ipvlan-vpc-k8s-amd64-v0.6.0.tar.gz"
-					hash, err = hashing.FromString("871757d381035f64020a523e7a3e139b6177b98eb7a61b547813ff25957fc566")
-				case architectures.ArchitectureArm64:
-					urlString = "https://github.com/lyft/cni-ipvlan-vpc-k8s/releases/download/v0.6.0/cni-ipvlan-vpc-k8s-arm64-v0.6.0.tar.gz"
-					hash, err = hashing.FromString("3aadcb32ffda53990153790203eb72898e55a985207aa5b4451357f9862286f0")
-				default:
-					return fmt.Errorf("unknown arch for lyft asset %s", arch)
-				}
-				if err != nil {
-					// Should be impossible
-					return fmt.Errorf("invalid hard-coded hash for lyft url")
-				}
-			} else {
-				klog.Warningf("Using url from LYFT_VPC_DOWNLOAD_URL env var: %q", urlString)
-				hashString := os.Getenv("LYFT_VPC_DOWNLOAD_HASH")
-				hash, err = hashing.FromString(hashString)
-				if err != nil {
-					return fmt.Errorf("invalid hash supplied for lyft: %q", hashString)
-				}
-			}
-
-			u, err := url.Parse(urlString)
+			lyftAsset, lyftAssetHash, err := findLyftVPCAssets(c.Cluster, assetBuilder, arch)
 			if err != nil {
-				return fmt.Errorf("unable to parse lyft-vpc URL %q", urlString)
+				return err
 			}
-
-			c.Assets[arch] = append(c.Assets[arch], BuildMirroredAsset(u, hash))
+			c.Assets[arch] = append(c.Assets[arch], BuildMirroredAsset(lyftAsset, lyftAssetHash))
 		}
 
 		asset, err := NodeUpAsset(assetBuilder, arch)
diff --git a/upup/pkg/fi/cloudup/networking.go b/upup/pkg/fi/cloudup/networking.go
index eea5a12ecc..f45733d82d 100644
--- a/upup/pkg/fi/cloudup/networking.go
+++ b/upup/pkg/fi/cloudup/networking.go
@@ -36,88 +36,127 @@ import (
 
 const (
 	// defaultCNIAssetAmd64K8s_11 is the CNI tarball for k8s >= 1.11
-	defaultCNIAssetAmd64K8s_11              = "https://storage.googleapis.com/kubernetes-release/network-plugins/cni-plugins-amd64-v0.7.5.tgz"
-	defaultCNIAssetAmd64SHA256StringK8s1_11 = "3ca15c0a18ee830520cf3a95408be826cbd255a1535a38e0be9608b25ad8bf64"
-	defaultCNIAssetArm64K8s_11              = "https://storage.googleapis.com/kubernetes-release/network-plugins/cni-plugins-arm64-v0.7.5.tgz"
-	defaultCNIAssetArm64SHA256StringK8s1_11 = "7fec91af78e9548df306f0ec43bea527c8c10cc3a9682c33e971c8522a7fcded"
+	defaultCNIAssetAmd64K8s_11 = "https://storage.googleapis.com/kubernetes-release/network-plugins/cni-plugins-amd64-v0.7.5.tgz"
+	defaultCNIAssetArm64K8s_11 = "https://storage.googleapis.com/kubernetes-release/network-plugins/cni-plugins-arm64-v0.7.5.tgz"
 
 	// defaultCNIAssetAmd64K8s_15 is the CNI tarball for k8s >= 1.15
-	defaultCNIAssetAmd64K8s_15              = "https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz"
-	defaultCNIAssetAmd64SHA256StringK8s1_15 = "994fbfcdbb2eedcfa87e48d8edb9bb365f4e2747a7e47658482556c12fd9b2f5"
-	defaultCNIAssetArm64K8s_15              = "https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.6/cni-plugins-linux-arm64-v0.8.6.tgz"
-	defaultCNIAssetArm64SHA256StringK8s1_15 = "43fbf750c5eccb10accffeeb092693c32b236fb25d919cf058c91a677822c999"
+	defaultCNIAssetAmd64K8s_15 = "https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz"
+	defaultCNIAssetArm64K8s_15 = "https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.6/cni-plugins-linux-arm64-v0.8.6.tgz"
 
 	// Environment variable for overriding CNI url
-	ENV_VAR_CNI_VERSION_URL       = "CNI_VERSION_URL"
-	ENV_VAR_CNI_ASSET_HASH_STRING = "CNI_ASSET_HASH_STRING"
+	ENV_VAR_CNI_ASSET_URL  = "CNI_VERSION_URL"
+	ENV_VAR_CNI_ASSET_HASH = "CNI_ASSET_HASH_STRING"
+
+	// Default LyftVPC packages
+	defaultLyftVPCAssetAmd64       = "https://github.com/lyft/cni-ipvlan-vpc-k8s/releases/download/v0.6.0/cni-ipvlan-vpc-k8s-amd64-v0.6.0.tar.gz"
+	defaultLyftVPCAssetAmd64SHA256 = "871757d381035f64020a523e7a3e139b6177b98eb7a61b547813ff25957fc566"
+	defaultLyftVPCAssetArm64       = "https://github.com/lyft/cni-ipvlan-vpc-k8s/releases/download/v0.6.0/cni-ipvlan-vpc-k8s-arm64-v0.6.0.tar.gz"
+	defaultLyftVPCAssetArm64SHA256 = "3aadcb32ffda53990153790203eb72898e55a985207aa5b4451357f9862286f0"
+
+	// Environment variable for overriding LyftVPC url
+	ENV_VAR_LYFT_VPC_ASSET_URL  = "LYFT_VPC_DOWNLOAD_URL"
+	ENV_VAR_LYFT_VPC_ASSET_HASH = "LYFT_VPC_DOWNLOAD_HASH"
 )
 
 func findCNIAssets(c *kopsapi.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) {
+	// Override CNI packages from env vars
+	cniAssetURL := os.Getenv(ENV_VAR_CNI_ASSET_URL)
+	cniAssetHash := os.Getenv(ENV_VAR_CNI_ASSET_HASH)
 
-	if cniVersionURL := os.Getenv(ENV_VAR_CNI_VERSION_URL); cniVersionURL != "" {
-		u, err := url.Parse(cniVersionURL)
+	if cniAssetURL != "" && cniAssetHash != "" {
+		klog.V(2).Infof("Using CNI asset URL %q, as set in %s", cniAssetURL, ENV_VAR_CNI_ASSET_URL)
+		klog.V(2).Infof("Using CNI asset hash %q, as set in %s", cniAssetHash, ENV_VAR_CNI_ASSET_HASH)
+
+		u, err := url.Parse(cniAssetURL)
 		if err != nil {
-			return nil, nil, fmt.Errorf("unable to parse %q as a URL: %v", cniVersionURL, err)
+			return nil, nil, fmt.Errorf("unable to parse CNI plugin binaries asset URL %q: %v", cniAssetURL, err)
 		}
 
-		klog.Infof("Using CNI asset version %q, as set in %s", cniVersionURL, ENV_VAR_CNI_VERSION_URL)
-
-		if cniAssetHashString := os.Getenv(ENV_VAR_CNI_ASSET_HASH_STRING); cniAssetHashString != "" {
-
-			klog.Infof("Using CNI asset hash %q, as set in %s", cniAssetHashString, ENV_VAR_CNI_ASSET_HASH_STRING)
-
-			hash, err := hashing.FromString(cniAssetHashString)
-			if err != nil {
-				return nil, nil, fmt.Errorf("unable to parse CNI asset hash %q", cniAssetHashString)
-			}
-			return u, hash, nil
+		h, err := hashing.FromString(cniAssetHash)
+		if err != nil {
+			return nil, nil, fmt.Errorf("unable to parse CNI plugin binaries asset hash %q: %v", cniAssetHash, err)
 		}
-		return u, nil, nil
+
+		u, err = assetBuilder.RemapFileAndSHAValue(u, cniAssetHash)
+		if err != nil {
+			return nil, nil, fmt.Errorf("unable to remap CNI plugin binaries asset: %v", err)
+		}
+
+		return u, h, nil
 	}
 
 	sv, err := util.ParseKubernetesVersion(c.Spec.KubernetesVersion)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to lookup kubernetes version: %v", err)
+		return nil, nil, fmt.Errorf("unable to find Kubernetes version: %v", err)
 	}
 
-	var cniAsset, cniAssetHash string
 	switch arch {
 	case architectures.ArchitectureAmd64:
 		if util.IsKubernetesGTE("1.15", *sv) {
-			cniAsset = defaultCNIAssetAmd64K8s_15
-			cniAssetHash = defaultCNIAssetAmd64SHA256StringK8s1_15
+			cniAssetURL = defaultCNIAssetAmd64K8s_15
 		} else {
-			cniAsset = defaultCNIAssetAmd64K8s_11
-			cniAssetHash = defaultCNIAssetAmd64SHA256StringK8s1_11
+			cniAssetURL = defaultCNIAssetAmd64K8s_11
 		}
-		klog.V(2).Infof("Adding default ARM64 CNI plugin binaries asset : %s", cniAsset)
+		klog.V(2).Infof("Adding default ARM64 CNI plugin binaries asset: %s", cniAssetURL)
 	case architectures.ArchitectureArm64:
 		if util.IsKubernetesGTE("1.15", *sv) {
-			cniAsset = defaultCNIAssetArm64K8s_15
-			cniAssetHash = defaultCNIAssetArm64SHA256StringK8s1_15
+			cniAssetURL = defaultCNIAssetArm64K8s_15
 		} else {
-			cniAsset = defaultCNIAssetArm64K8s_11
-			cniAssetHash = defaultCNIAssetArm64SHA256StringK8s1_11
+			cniAssetURL = defaultCNIAssetArm64K8s_11
 		}
-		klog.V(2).Infof("Adding default AMD64 CNI plugin binaries asset : %s", cniAsset)
+		klog.V(2).Infof("Adding default AMD64 CNI plugin binaries asset: %s", cniAssetURL)
 	default:
-		return nil, nil, fmt.Errorf("unknown arch for CNI plugin binaries asset %s", arch)
+		return nil, nil, fmt.Errorf("unknown arch for CNI plugin binaries asset: %s", arch)
 	}
 
-	u, err := url.Parse(cniAsset)
+	u, err := url.Parse(cniAssetURL)
 	if err != nil {
-		return nil, nil, nil
+		return nil, nil, fmt.Errorf("unable to parse CNI plugin binaries asset URL %q: %v", cniAssetURL, err)
 	}
 
-	hash, err := hashing.FromString(cniAssetHash)
+	u, h, err := assetBuilder.RemapFileAndSHA(u)
 	if err != nil {
-		return nil, nil, fmt.Errorf("unable to parse CNI plugin binaries asset hash %q", cniAssetHash)
+		return nil, nil, fmt.Errorf("unable to remap CNI plugin binaries asset: %v", err)
 	}
 
-	u, err = assetBuilder.RemapFileAndSHAValue(u, cniAssetHash)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return u, hash, nil
+	return u, h, nil
+}
+
+func findLyftVPCAssets(c *kopsapi.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) {
+	// Override LyftVPC packages from env vars
+	lyftAssetURL := os.Getenv(ENV_VAR_LYFT_VPC_ASSET_URL)
+	lyftAssetHash := os.Getenv(ENV_VAR_LYFT_VPC_ASSET_HASH)
+
+	if lyftAssetURL != "" && lyftAssetHash != "" {
+		klog.V(2).Infof("Using LyftVPC package URL %q, as set in %s", lyftAssetURL, ENV_VAR_LYFT_VPC_ASSET_URL)
+		klog.V(2).Infof("Using LyftVPC package hash %q, as set in %s", lyftAssetHash, ENV_VAR_LYFT_VPC_ASSET_HASH)
+	} else {
+		switch arch {
+		case architectures.ArchitectureAmd64:
+			lyftAssetURL = defaultLyftVPCAssetAmd64
+			lyftAssetHash = defaultLyftVPCAssetAmd64SHA256
+		case architectures.ArchitectureArm64:
+			lyftAssetURL = defaultLyftVPCAssetArm64
+			lyftAssetHash = defaultLyftVPCAssetArm64SHA256
+		default:
+			return nil, nil, fmt.Errorf("unknown arch for LyftVPC asset: %s", arch)
+		}
+	}
+
+	u, err := url.Parse(lyftAssetURL)
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to parse LyftVPC asset URL %q: %v", lyftAssetURL, err)
+	}
+
+	h, err := hashing.FromString(lyftAssetHash)
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to parse LyftVPC asset hash %q: %v", lyftAssetHash, err)
+	}
+
+	u, err = assetBuilder.RemapFileAndSHAValue(u, lyftAssetHash)
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to remap LyftVPC asset: %v", err)
+	}
+
+	return u, h, nil
 }
diff --git a/upup/pkg/fi/cloudup/networking_test.go b/upup/pkg/fi/cloudup/networking_test.go
index 2b0c5ffea7..e84e13c098 100644
--- a/upup/pkg/fi/cloudup/networking_test.go
+++ b/upup/pkg/fi/cloudup/networking_test.go
@@ -28,26 +28,109 @@ import (
 func Test_FindCNIAssetFromEnvironmentVariable(t *testing.T) {
 
 	desiredCNIVersion := "https://storage.googleapis.com/kubernetes-release/network-plugins/cni-TEST-VERSION.tar.gz"
-	os.Setenv(ENV_VAR_CNI_VERSION_URL, desiredCNIVersion)
+	desiredCNIVersionHash := "sha256:0000000000000000000000000000000000000000000000000000000000000000"
+
+	os.Setenv(ENV_VAR_CNI_ASSET_URL, desiredCNIVersion)
+	os.Setenv(ENV_VAR_CNI_ASSET_HASH, desiredCNIVersionHash)
 	defer func() {
-		os.Unsetenv(ENV_VAR_CNI_VERSION_URL)
+		os.Unsetenv(ENV_VAR_CNI_ASSET_URL)
+		os.Unsetenv(ENV_VAR_CNI_ASSET_HASH)
 	}()
 
 	cluster := &api.Cluster{}
-	cluster.Spec.KubernetesVersion = "v1.9.0"
+	cluster.Spec.KubernetesVersion = "v1.18.0"
 
 	assetBuilder := assets.NewAssetBuilder(cluster, "")
 	cniAsset, cniAssetHash, err := findCNIAssets(cluster, assetBuilder, architectures.ArchitectureAmd64)
 
 	if err != nil {
-		t.Errorf("Unable to parse k8s version %s", err)
+		t.Errorf("Unable to parse CNI version %s", err)
 	}
 
 	if cniAsset.String() != desiredCNIVersion {
-		t.Errorf("Expected CNI version from Environment variable %q, but got %q instead", desiredCNIVersion, cniAsset)
+		t.Errorf("Expected CNI version from env var %q, but got %q instead", desiredCNIVersion, cniAsset)
 	}
 
-	if cniAssetHash != nil {
-		t.Errorf("Expected Empty CNI Version Hash String, but got %v instead", cniAssetHash)
+	if cniAssetHash.String() != desiredCNIVersionHash {
+		t.Errorf("Expected empty CNI version hash, but got %v instead", cniAssetHash)
+	}
+}
+
+func Test_FindCNIAssetFromDefaults(t *testing.T) {
+
+	desiredCNIVersion := "https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz"
+	desiredCNIVersionHash := "sha256:994fbfcdbb2eedcfa87e48d8edb9bb365f4e2747a7e47658482556c12fd9b2f5"
+
+	cluster := &api.Cluster{}
+	cluster.Spec.KubernetesVersion = "v1.18.0"
+
+	assetBuilder := assets.NewAssetBuilder(cluster, "")
+	cniAsset, cniAssetHash, err := findCNIAssets(cluster, assetBuilder, architectures.ArchitectureAmd64)
+
+	if err != nil {
+		t.Errorf("Unable to parse CNI version %s", err)
+	}
+
+	if cniAsset.String() != desiredCNIVersion {
+		t.Errorf("Expected default CNI version %q, but got %q instead", desiredCNIVersion, cniAsset)
+	}
+
+	if cniAssetHash.String() != desiredCNIVersionHash {
+		t.Errorf("Expected default CNI version hash %q, but got %q instead", desiredCNIVersionHash, cniAssetHash)
+	}
+}
+
+func Test_FindLyftAssetFromEnvironmentVariable(t *testing.T) {
+
+	desiredLyftVersion := "https://github.com/lyft/cni-ipvlan-vpc-k8s/releases/download/TEST-VERSION/cni-TEST-VERSION.tar.gz"
+	desiredLyftVersionHash := "sha256:0000000000000000000000000000000000000000000000000000000000000000"
+
+	os.Setenv(ENV_VAR_LYFT_VPC_ASSET_URL, desiredLyftVersion)
+	os.Setenv(ENV_VAR_LYFT_VPC_ASSET_HASH, desiredLyftVersionHash)
+	defer func() {
+		os.Unsetenv(ENV_VAR_LYFT_VPC_ASSET_URL)
+		os.Unsetenv(ENV_VAR_LYFT_VPC_ASSET_HASH)
+	}()
+
+	cluster := &api.Cluster{}
+	cluster.Spec.KubernetesVersion = "v1.18.0"
+
+	assetBuilder := assets.NewAssetBuilder(cluster, "")
+	lyftAsset, lyftAssetHash, err := findLyftVPCAssets(cluster, assetBuilder, architectures.ArchitectureAmd64)
+
+	if err != nil {
+		t.Errorf("Unable to parse Lyft version %s", err)
+	}
+
+	if lyftAsset.String() != desiredLyftVersion {
+		t.Errorf("Expected Lyft version from env var %q, but got %q instead", desiredLyftVersion, lyftAsset)
+	}
+
+	if lyftAssetHash.String() != desiredLyftVersionHash {
+		t.Errorf("Expected Lyft version hash from env var %q, but got %q instead", desiredLyftVersionHash, lyftAssetHash)
+	}
+}
+
+func Test_FindLyftAssetFromDefaults(t *testing.T) {
+
+	desiredLyftVersion := "https://github.com/lyft/cni-ipvlan-vpc-k8s/releases/download/v0.6.0/cni-ipvlan-vpc-k8s-amd64-v0.6.0.tar.gz"
+	desiredLyftVersionHash := "sha256:871757d381035f64020a523e7a3e139b6177b98eb7a61b547813ff25957fc566"
+
+	cluster := &api.Cluster{}
+	cluster.Spec.KubernetesVersion = "v1.18.0"
+
+	assetBuilder := assets.NewAssetBuilder(cluster, "")
+	lyftAsset, lyftAssetHash, err := findLyftVPCAssets(cluster, assetBuilder, architectures.ArchitectureAmd64)
+
+	if err != nil {
+		t.Errorf("Unable to parse Lyft version %s", err)
+	}
+
+	if lyftAsset.String() != desiredLyftVersion {
+		t.Errorf("Expected default Lyft version %q, but got %q instead", desiredLyftVersion, lyftAsset)
+	}
+
+	if lyftAssetHash.String() != desiredLyftVersionHash {
+		t.Errorf("Expected default Lyft version hash %q, but got %q instead", desiredLyftVersionHash, lyftAssetHash)
 	}
 }