diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1e1dda97fb33b44929b5e66628a6e2f1711f15b5
--- /dev/null
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
@@ -0,0 +1,28 @@
+---
+- name: Backup old certs and keys
+  copy:
+    src: "{{ kube_cert_dir }}/{{ item }}"
+    dest: "{{ kube_cert_dir }}/{{ item }}.old"
+    mode: preserve
+    remote_src: yes
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+    - apiserver-kubelet-client.crt
+    - apiserver-kubelet-client.key
+    - front-proxy-client.crt
+    - front-proxy-client.key
+  ignore_errors: yes
+
+- name: Backup old confs
+  copy:
+    src: "{{ kube_config_dir }}/{{ item }}"
+    dest: "{{ kube_config_dir }}/{{ item }}.old"
+    mode: preserve
+    remote_src: yes
+  with_items:
+    - admin.conf
+    - controller-manager.conf
+    - kubelet.conf
+    - scheduler.conf
+  ignore_errors: yes
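Review bot: Both loops end with `ignore_errors: yes`, which swallows every failure and not only a missing source file, so a play can continue into later tasks with no backup of `apiserver.key` or `admin.conf`. Stat the files first and copy only those that exist, so that a real copy failure stops the play; the sketch below shows this for the cert loop and the conf loop would change the same way. Separately, the `.old` files are second copies of private keys and of the admin kubeconfig. `mode: preserve` carries over whatever mode the source has, and nothing visible in this diff sets the owner or removes the copies, so a comment stating the expected mode and lifetime would help.

```yaml
- name: Check which certs and keys exist
  stat:
    path: "{{ kube_cert_dir }}/{{ item }}"
  with_items:
    # … unchanged: list of cert and key file names …
  register: kube_cert_backup_stat

- name: Backup old certs and keys
  copy:
    src: "{{ kube_cert_dir }}/{{ item.item }}"
    dest: "{{ kube_cert_dir }}/{{ item.item }}.old"
    mode: preserve
    remote_src: yes
  with_items: "{{ kube_cert_backup_stat.results }}"
  when: item.stat.exists
```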
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml b/roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml
deleted file mode 100644
index 03ebe25365c93baca0eaa446353946a30d5706e5..0000000000000000000000000000000000000000
--- a/roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: Backup old certs and keys
-  copy:
-    src: "{{ kube_cert_dir }}/{{ item.src }}"
-    dest: "{{ kube_cert_dir }}/{{ item.dest }}"
-    mode: 0640
-    remote_src: yes
-  with_items:
-    - {src: apiserver.crt, dest: apiserver.crt.old}
-    - {src: apiserver.key, dest: apiserver.key.old}
-    - {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old}
-    - {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old}
-    - {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
-    - {src: front-proxy-client.key, dest: front-proxy-client.key.old}
-  ignore_errors: yes
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index 55dbac6953baa95ab64cb3573ddd306c0a482b77..0802c616a0933bae040b9e86befbb24d6661f28e 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -18,6 +18,11 @@
     get_mime: no
   register: kubeadm_already_run
 
+- name: kubeadm | Backup kubeadm certs / kubeconfig
+  import_tasks: kubeadm-backup.yml
+  when:
+    - kubeadm_already_run.stat.exists
+
 - name: kubeadm | aggregate all SANs
   set_fact:
     apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_address + sans_override + sans_hostname + sans_fqdn) | unique }}"
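Review bot: The new `when` drops the old `not upgrade_cluster_setup` guard, so this backup now runs on every play once kubeadm has run, upgrades included, and each run overwrites the previous `.old` files. If the copies are meant as rollback material, the run after a regeneration would replace them with the current certs and kubeconfigs (the regeneration itself is outside this hunk, so this is inferred). I would record that above the task, e.g. `# Runs on every play after the first kubeadm init, upgrades included; overwrites the previous *.old copies.`, or gate the import on the condition that triggers regeneration. `kubeadm_already_run` is registered by a task that starts above the hunk.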
@@ -68,12 +73,6 @@
 - name: kubeadm | set kubeadm version
   import_tasks: kubeadm-version.yml
 
-- name: kubeadm | Certificate management with kubeadm
-  import_tasks: kubeadm-certificate.yml
-  when:
-    - not upgrade_cluster_setup
-    - kubeadm_already_run.stat.exists
-
 - name: kubeadm | Check if apiserver.crt contains all needed SANs
   command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
   with_items: "{{ apiserver_sans }}"