diff --git a/roles/kubernetes/control-plane/tasks/main.yml b/roles/kubernetes/control-plane/tasks/main.yml
index 7271f1ca8422f153804ccc7768782dc040bcb82c..7fa3d1b8d2e865abacb1cac4cf69a223b82e28e3 100644
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -3,9 +3,6 @@
   tags:
     - k8s-pre-upgrade
 
-- name: Define nodes already joined to existing cluster and first_kube_control_plane
-  import_tasks: define-first-kube-control.yml
-
 - name: Create webhook token auth config
   template:
     src: webhook-token-auth-config.yaml.j2
@@ -64,6 +61,9 @@
     kube_apiserver_enable_admission_plugins: "{{ kube_apiserver_enable_admission_plugins | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
   when: podsecuritypolicy_enabled
 
+- name: Define nodes already joined to existing cluster and first_kube_control_plane
+  import_tasks: define-first-kube-control.yml
+
 - name: Include kubeadm setup
   import_tasks: kubeadm-setup.yml