diff --git a/ROADMAP.md b/ROADMAP.md
index f81cc0e573..7b4bbfb390 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,5 +1,29 @@
 # ROADMAP
 
+# 1.9
+
+## Must-have features
+
+* Support for k8s 1.9
+
+## Other features
+
+* Use NodeAuthorizer / bootstrap kubeconfigs  [#3551](https://github.com/kubernetes/kops/issues/3551)
+
+
+# HISTORICAL
+
+# 1.8
+
+## Must-have features
+
+* Support for k8s 1.8
+
+## Other features
+
+* Improved GCE support
+* Support for API aggregation
+
 # 1.7
 
 ## Must-have features
@@ -18,8 +42,6 @@
 * RBAC policies for all components
 * bringing rolling-update out of alpha
 
-# HISTORICAL
-
 ## 1.6
 
 ### Must-have features
diff --git a/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/k8s-1.8.yaml b/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/k8s-1.8.yaml
new file mode 100644
index 0000000000..d4f957a28c
--- /dev/null
+++ b/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/k8s-1.8.yaml
@@ -0,0 +1,21 @@
+# Source: https://raw.githubusercontent.com/kubernetes/kubernetes/master/cluster/addons/rbac/kubelet-binding.yaml
+# The GKE environments don't have kubelets with certificates that
+# identify the system:nodes group.  They use the kubelet identity
+# TODO: remove this once new nodes are granted individual identities and the
+# NodeAuthorizer is enabled.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-cluster-admin
+  labels:
+    k8s-addon: rbac.addons.k8s.io
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: kubelet
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index 092ee4f161..3f1f62ff7e 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -149,6 +149,26 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
 		}
 	}
 
+	{
+		key := "rbac.addons.k8s.io"
+		version := "1.8.0"
+
+		{
+			location := key + "/k8s-1.8.yaml"
+			id := "k8s-1.8"
+
+			addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+				Name:              fi.String(key),
+				Version:           fi.String(version),
+				Selector:          map[string]string{"k8s-addon": key},
+				Manifest:          fi.String(location),
+				KubernetesVersion: ">=1.8.0",
+				Id:                id,
+			})
+			manifests[key+"-"+id] = "addons/" + location
+		}
+	}
+
 	{
 		key := "limit-range.addons.k8s.io"
 		version := "1.5.0"