diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml
index 28b4a0980dc26ad01fe917738ecc8df80d688dfc..65e06c01e5ca058d0acdf1a11eae57d481c837e7 100644
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@@ -41,6 +41,9 @@ kube_scheduler_bind_address: 0.0.0.0
 # discovery_timeout modifies the discovery timeout
 discovery_timeout: 5m0s
 
+# Instruct first master to refresh kubeadm token
+kubeadm_refresh_token: true
+
 # audit support
 kubernetes_audit: false
 # path to audit log file
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index a6baac2a66e2e231d720af5597710115038a930f..3cbd2feb82c27b22ebeaa8249e2d7022227296d1 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -146,6 +146,7 @@
   when:
     - inventory_hostname == groups['kube-master']|first
     - kubeadm_token is defined
+    - kubeadm_refresh_token
   tags:
     - kubeadm_token