diff --git a/docs/hardening.md b/docs/hardening.md
index b3359b74bcfdd2b886ef105416ce6b4b10cd9ddc..5aa8fcfb0a4756caf3166bd5e638a3fa79c941b9 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -85,6 +85,7 @@ kube_kubeadm_scheduler_extra_args:
 etcd_deployment_type: kubeadm
 ## kubelet
+kubelet_authorization_mode_webhook: true
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index ddbddba4b11e595e009f6a03aa43b77810a344ef..f0e07018c16cec75306c2d35758fe38bf53fd0fd 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -37,55 +37,25 @@ - node_crb_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] -- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet - template: - src: "node-webhook-cr.yml.j2" - dest: "{{ kube_config_dir }}/node-webhook-cr.yml" - mode: 0640 - register: node_webhook_cr_manifest - when: - - rbac_enabled - - kubelet_authorization_mode_webhook - - inventory_hostname == groups['kube_control_plane'][0] - tags: node-webhook - -- name: Apply webhook ClusterRole +- name: Kubernetes Apps | Remove old webhook ClusterRole kube: name: "system:node-webhook" kubectl: "{{ bin_dir }}/kubectl" resource: "clusterrole" - filename: "{{ kube_config_dir }}/node-webhook-cr.yml" - state: latest + state: absent when: - rbac_enabled - - kubelet_authorization_mode_webhook - - node_webhook_cr_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] tags: node-webhook -- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole - template: - src: "node-webhook-crb.yml.j2" - dest: "{{ kube_config_dir }}/node-webhook-crb.yml" - mode: 0640 - register: node_webhook_crb_manifest - when: - - rbac_enabled - - kubelet_authorization_mode_webhook - - inventory_hostname == groups['kube_control_plane'][0] - tags: node-webhook - -- name: Grant system:nodes the webhook ClusterRole +- name: Kubernetes Apps | Remove old webhook ClusterRoleBinding kube: name: "system:node-webhook" kubectl: "{{ bin_dir }}/kubectl" resource: "clusterrolebinding" - filename: "{{ kube_config_dir }}/node-webhook-crb.yml" - state: latest + state: absent when: - rbac_enabled - - kubelet_authorization_mode_webhook - - node_webhook_crb_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] tags: node-webhook 
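Review bot: The two `state: absent` tasks delete the `system:node-webhook` ClusterRole and ClusterRoleBinding on every run but carry no comment saying they are a migration step, and the rendered manifests the removed template tasks wrote to `{{ kube_config_dir }}/node-webhook-cr.yml` and `{{ kube_config_dir }}/node-webhook-crb.yml` are left behind on the first control-plane node. A header comment such as `# Cleanup: earlier releases created system:node-webhook; drop these tasks once upgrades from those releases are no longer supported` would record the intent, and a `file` task with `state: absent` for the two stale manifests would finish the cleanup (fence below). Withdrawing the binding is a real tightening — it gave the whole `system:nodes` group wildcard verbs on `nodes/proxy`, `nodes/stats`, `nodes/log`, `nodes/spec` and `nodes/metrics`, so any node credential could reach every kubelet's API — but with `kubelet_authorization_mode_webhook` now defaulting to true, each remaining client of the kubelet API (including the API server's own kubelet client identity) must hold an equivalent RBAC grant or be denied, and whether that grant exists elsewhere is not visible in this hunk. The task whose `when:` list forms the first context lines starts outside the hunk.
```yaml
# … unchanged: Remove old webhook ClusterRole / ClusterRoleBinding tasks …

- name: Kubernetes Apps | Remove old webhook manifests
  file:
    path: "{{ kube_config_dir }}/{{ item }}"
    state: absent
  loop:
    - node-webhook-cr.yml
    - node-webhook-crb.yml
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
  tags: node-webhook
```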
diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 deleted file mode 100644 index bf9aaf73f921f65cc2716fe9082fabaa29413a08..0000000000000000000000000000000000000000 --- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-webhook -rules: - - apiGroups: - - "" - resources: - - nodes/proxy - - nodes/stats - - nodes/log - - nodes/spec - - nodes/metrics - verbs: - - "*" diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 deleted file mode 100644 index 68aed5cb53cb87a99536f1f588505b470ae64452..0000000000000000000000000000000000000000 --- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node-webhook -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:nodes diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 6d91768bd61545150548362d117039dafc901cdf..b02744dbcedb43ed018c4ba3d97a7b1771ca7bb4 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml 
@@ -480,7 +480,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 kubelet_authentication_token_webhook: true
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
-kubelet_authorization_mode_webhook: false
+kubelet_authorization_mode_webhook: true
 # kubelet uses certificates for authenticating to the Kubernetes API
 # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
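Review bot: Flipping the default of `kubelet_authorization_mode_webhook` to true changes behaviour for existing clusters on upgrade, and the comment above it does not say what the operator must then provide. Once the kubelet delegates authorization to the API server, every caller of the kubelet API needs an RBAC grant on the `nodes/proxy`, `nodes/stats`, `nodes/log`, `nodes/spec` or `nodes/metrics` subresource it uses, and combined with the removal of the `system:node-webhook` binding in this commit, anything that previously relied on a node credential for cross-node kubelet access will start being rejected. I would extend the comment to `# Callers of the kubelet API (proxy, stats, log and metrics subresources) must then be authorized via RBAC; requests without such a grant are denied.` and flag the new default as a breaking change in the release notes.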