diff --git a/cluster.yml b/cluster.yml
index 05c913828f5cca54275e0db9fcb580fb8d53a463..0e014371e61a4157203ec615545fb6246cdbb696 100644
--- a/cluster.yml
+++ b/cluster.yml
@@ -82,11 +82,16 @@
     - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
     - { role: network_plugin, tags: network }
 
-- hosts: kube-master
+- hosts: kube-master[0]
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
     - { role: kubespray-defaults}
     - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
+
+- hosts: kube-master
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  roles:
+    - { role: kubespray-defaults}
     - { role: kubernetes-apps/network_plugin, tags: network }
     - { role: kubernetes-apps/policy_controller, tags: policy-controller }
diff --git a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
index 23b63ee8a08cd69c9533b5754e4126594e8973b7..d475cc8bf5c756789cb548f6ffec9d6b0f255664 100644
--- a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
+++ b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
@@ -8,7 +8,6 @@
   command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson"
   register: default_token_data
   changed_when: false
-  run_once: true
 
 - name: Rotate Tokens | Test if default certificate is expired
   uri:
@@ -19,7 +18,6 @@
     headers:
       Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}"
   register: check_secret
-  run_once: true
   failed_when: false
 
 - name: Rotate Tokens | Determine if certificate is expired
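Review bot: `- hosts: kube-master[0]` pins token rotation to the first inventory member of kube-master, so a run that is `--limit`ed to a different master would, as far as I can tell, match no hosts and skip the rotate_tokens play silently instead of failing through `any_errors_fatal`; the old `run_once` form ran on whichever master was in play. The same pattern is introduced in upgrade-cluster.yml in the last hunk of this diff. A comment above the new line would record the intent, e.g. `# token rotation must run on exactly one master; the role no longer uses run_once`, and the new play's `- { role: kubespray-defaults}` keeps the uneven brace spacing of the copied line (`{ role: kubespray-defaults }` would match the other flow mappings). The roles list of the second play continues past the end of the hunk.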
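Review bot: With `run_once: true` removed from the kubectl tasks, running these steps exactly once now depends entirely on the calling play's host pattern, so any play that applies this role to the whole kube-master group would execute the secret and pod deletions on every master concurrently. The same removal appears in the -19 hunk of this file and in the -35 hunk on the next line, where the `kubectl delete secrets` and `kubectl delete pods --all` tasks lose it. A header comment at the top of tasks/main.yml should state the contract, e.g. `# Must be applied from a play targeting a single master (kube-master[0]); run_once is intentionally not set.`. Separately, the `egrep` name filter feeding `tokens_to_delete` in the -35 hunk is an unanchored substring match, so a token secret whose name merely contains one of the listed words (e.g. `efk`) would be deleted as well — pre-existing, but worth anchoring the alternatives. The task list starts before the first hunk of this file.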
@@ -35,16 +33,13 @@
     | grep kubernetes.io/service-account-token
     | egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
   register: tokens_to_delete
-  run_once: true
   when: needs_rotation
 
 - name: Rotate Tokens | Delete expired tokens
   command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
   with_items: "{{ tokens_to_delete.stdout_lines }}"
-  run_once: true
   when: needs_rotation
 
 - name: Rotate Tokens | Delete pods in system namespace
   command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
-  run_once: true
   when: needs_rotation
diff --git a/upgrade-cluster.yml b/upgrade-cluster.yml
index 652ae9a0885f9e46f8256eb16b8f73e87232b88d..3044a629d9404f6ac51a4f2cefb7a79b24e31778 100644
--- a/upgrade-cluster.yml
+++ b/upgrade-cluster.yml
@@ -85,11 +85,16 @@
     - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
     - { role: kubespray-defaults}
 
-- hosts: kube-master
+- hosts: kube-master[0]
   any_errors_fatal: true
   roles:
     - { role: kubespray-defaults}
     - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
+
+- hosts: kube-master
+  any_errors_fatal: true
+  roles:
+    - { role: kubespray-defaults}
     - { role: kubernetes-apps/network_plugin, tags: network }
     - { role: kubernetes-apps/policy_controller, tags: policy-controller }
     - { role: kubernetes/client, tags: client }