diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index 4da21b77d85a59b46feb8f5069bfd8e1a282eb83..2b6e739dbae341e8f473989d27e6ebe939d70fa3 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -28,16 +28,14 @@
 register: temp_token
 delegate_to: "{{ groups['kube-master'][0] }}"
-- name: Override predefined kubeadm_token that expires after 24h
- set_fact:
- kubeadm_token: "{{ temp_token.stdout }}"
-
 - name: Create kubeadm client config
 template:
 src: kubeadm-client.conf.j2
 dest: "{{ kube_config_dir }}/kubeadm-client.conf"
 backup: yes
 when: not is_kube_master
+ vars:
+ kubeadm_token: "{{ temp_token.stdout }}"
 register: kubeadm_client_conf
 - name: Join to cluster if needed
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index 69e74cf83d01aefd3146c922196dcfb35699e308..6b22bfd05613f8844e373904a98afa8bb8475d4d 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -82,9 +82,6 @@ controller_mgr_custom_flags: []
 scheduler_custom_flags: []
-# kubeadm settings
-## Value of 0 means it never expires
-kubeadm_token_ttl: 0
 ## Extra args for k8s components passing by kubeadm
 kube_kubeadm_controller_extra_args: {}
 kube_kubeadm_scheduler_extra_args: {}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index eafe6f8510be1b3cef449d6d0f92fe41ab0c1d81..1f243e54468aa18258f8135960ca797e20a1cef9 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -29,8 +29,6 @@ authorizationModes:
 {% for mode in authorization_modes %}
 - {{ mode }}
 {% endfor %}
-token: {{ kubeadm_token }}
-tokenTTL: "{{ kubeadm_token_ttl }}"
 selfHosted: false
 apiServerExtraArgs:
 bind-address: {{ kube_apiserver_bind_address }}
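Review bot: In roles/kubernetes/kubeadm/tasks/main.yml the `Create kubeadm client config` task renders the freshly generated join token into `{{ kube_config_dir }}/kubeadm-client.conf` but sets no `mode:` and keeps `backup: yes`, so the file and every backup copy holding a bootstrap token get default permissions. I would add `mode: "0600"` to the `template:` arguments and consider `no_log: true` on the task so a `--diff` run does not print the token. The task that registers `temp_token` starts above the hunk, so whether its `stdout` can be empty or the task skipped is not visible here; with the default `kubeadm_token` removed elsewhere in this commit there is no fallback value any more. Clusters deployed before this change may still hold the old well-known token, presumably without expiry given the removed `kubeadm_token_ttl: 0`, so an upgrade step that deletes it (for example with `kubeadm token delete`) seems worth adding if that is not handled elsewhere.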
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index f1d3a92b1a88b4fe67f4c0ca1d506d12e64f30af..3be3e9d6643435b2aed0219140fdffc5d2aa987f 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -147,7 +147,6 @@ helm_deployment_type: host
 # Enable kubeadm deployment (experimental)
 kubeadm_enabled: false
-kubeadm_token: "abcdef.0123456789abcdef"
 # Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
 kubeconfig_localhost: false
diff --git a/roles/upgrade/post-upgrade/tasks/main.yml b/roles/upgrade/post-upgrade/tasks/main.yml
index ec6fdcf90723734bb04ae8f9f1d91988bea37f00..cef98bb0bb5df29a229e09a312b76738836d4373 100644
--- a/roles/upgrade/post-upgrade/tasks/main.yml
+++ b/roles/upgrade/post-upgrade/tasks/main.yml
@@ -2,4 +2,4 @@
 - name: Uncordon node
 command: "{{ bin_dir }}/kubectl uncordon {{ inventory_hostname }}"
 delegate_to: "{{ groups['kube-master'][0] }}"
- when: (needs_cordoning|default(false)) and ( {%- if inventory_hostname in groups['kube-node'] -%} true {%- else -%} false {%- endif -%} )
+ when: needs_cordoning|default(false)
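Review bot: In roles/upgrade/post-upgrade/tasks/main.yml the new `when: needs_cordoning|default(false)` tests the raw value, so if `needs_cordoning` ever reaches this task as a non-empty string such as `"false"` (its definition is outside this diff) the condition would likely evaluate as true and the node would be uncordoned anyway. Writing `when: needs_cordoning|default(false)|bool` makes the intended type explicit. The rewrite also drops the `inventory_hostname in groups['kube-node']` restriction, so the task now relies on `needs_cordoning` being set only on hosts that were actually cordoned; a one-line comment above the task saying so would help the next reader.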