diff --git a/cluster.yml b/cluster.yml
index c2ba9a7bd17c395c8c39c1084548cb8a281bcb8f..2830c4fb9ce2a0fd613d385b5882c0e500f5201f 100644
--- a/cluster.yml
+++ b/cluster.yml
@@ -86,8 +86,8 @@
   roles:
     - { role: kubespray-defaults }
     - { role: kubernetes/kubeadm, tags: kubeadm}
-    - { role: network_plugin, tags: network }
     - { role: kubernetes/node-label, tags: node-label }
+    - { role: network_plugin, tags: network }
 
 - hosts: calico_rr
   gather_facts: False
diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 4dd08b7bf4d4f62b963e0080c8e519e7551d37f9..b3067e77197f5d0a70a4cfb68132a3a22178875e 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -10,15 +10,18 @@ dns_prevent_single_point_failure: "{{ 'true' if dns_min_replicas|int > 1 else 'f
 enable_coredns_reverse_dns_lookups: true
 coredns_ordinal_suffix: ""
 # dns_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]
+coredns_deployment_nodeselector: "kubernetes.io/os: linux"
 
 # nodelocaldns
 nodelocaldns_cpu_requests: 100m
 nodelocaldns_memory_limit: 170Mi
-nodelocaldnsdns_memory_requests: 70Mi
+nodelocaldns_memory_requests: 70Mi
+nodelocaldns_ds_nodeselector: "kubernetes.io/os: linux"
 
 # Limits for dns-autoscaler
 dns_autoscaler_cpu_requests: 20m
 dns_autoscaler_memory_requests: 10Mi
+dns_autoscaler_deployment_nodeselector: "kubernetes.io/os: linux"
 
 # Netchecker
 deploy_netchecker: false
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
index cb96256491fc2c4198ff731b23365a0318b5ffa6..e2e10ebd5f36f67d47005e95907ef2407534cf15 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
@@ -25,9 +25,9 @@ spec:
         seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
         createdby: 'kubespray'
     spec:
-      priorityClassName: system-cluster-critical
       nodeSelector:
-        kubernetes.io/os: linux
+        {{ coredns_deployment_nodeselector }}
+      priorityClassName: system-cluster-critical
       serviceAccountName: coredns
       tolerations:
         - key: node-role.kubernetes.io/master
diff --git a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2 b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
index b49c41264f7240f16f2f7bc0d9f6a89ed8edecf6..e09a87341e16f813a2d47685f1fa74ac194627f3 100644
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
@@ -32,6 +32,8 @@ spec:
       annotations:
         seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
     spec:
+      nodeSelector:
+        {{ dns_autoscaler_deployment_nodeselector}}
       priorityClassName: system-cluster-critical
       securityContext:
         supplementalGroups: [ 65534 ]
diff --git a/roles/kubernetes-apps/ansible/templates/nodelocaldns-daemonset.yml.j2 b/roles/kubernetes-apps/ansible/templates/nodelocaldns-daemonset.yml.j2
index b92749c8b8e823764a67312bcfc55a81292a1005..4d725577e7edbe8554c3033041fef2369d75b9f4 100644
--- a/roles/kubernetes-apps/ansible/templates/nodelocaldns-daemonset.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/nodelocaldns-daemonset.yml.j2
@@ -18,6 +18,8 @@ spec:
         prometheus.io/scrape: 'true'
         prometheus.io/port: '9253'
     spec:
+      nodeSelector:
+        {{ nodelocaldns_ds_nodeselector }}
       priorityClassName: system-cluster-critical
       serviceAccountName: nodelocaldns
       hostNetwork: true
@@ -35,7 +37,7 @@ spec:
             memory: {{ nodelocaldns_memory_limit }}
           requests:
             cpu: {{ nodelocaldns_cpu_requests }}
-            memory: {{ nodelocaldnsdns_memory_requests }}
+            memory: {{ nodelocaldns_memory_requests }}
         args: [ "-localip", "{{ nodelocaldns_ip }}", "-conf", "/etc/coredns/Corefile", "-upstreamsvc", "coredns" ]
         securityContext:
           privileged: true
diff --git a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
index 93d12c901353196ff441b1d1882199a1316e0a15..4726363841684d40c46908712d8f78e7ca9f17d6 100644
--- a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
@@ -4,6 +4,7 @@ calico_policy_controller_cpu_limit: 100m
 calico_policy_controller_memory_limit: 256M
 calico_policy_controller_cpu_requests: 30m
 calico_policy_controller_memory_requests: 64M
+calico_policy_controller_deployment_nodeselector: "kubernetes.io/os: linux"
 
 # SSL
 calico_cert_dir: "/etc/calico/certs"
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
index f861d918d72e217edfec672bd666710164c95a74..47c878d2ead6d62975a6d1c521dc227e13f13381 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -20,7 +20,7 @@ spec:
         k8s-app: calico-kube-controllers
     spec:
       nodeSelector:
-        kubernetes.io/os: linux
+        {{ calico_policy_controller_deployment_nodeselector }}
       hostNetwork: true
       serviceAccountName: calico-kube-controllers
       tolerations:
diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index b35416221815455766bafe19e5f4937f358e8e89..ce6d12292bd02740c278b592302037c430fdd56a 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -39,6 +39,9 @@ calico_node_memory_requests: 64M
 calico_node_cpu_requests: 150m
 calico_felix_chaininsertmode: Insert
 
+# Calico daemonset nodeselector
+calico_ds_nodeselector: "kubernetes.io/os: linux"
+
 # Virtual network ID to use for VXLAN traffic. A value of 0 means “use the kernel default”.
 calico_vxlan_vni: 4096
 
diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index 4aa342103975f19bd03d2369bef3b3ddbf0381dd..155189b9a9f6253b5750d35414f067e5a23d3deb 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -26,6 +26,8 @@ spec:
         prometheus.io/port: "{{ calico_felix_prometheusmetricsport }}"
 {% endif %}
     spec:
+      nodeSelector:
+        {{ calico_ds_nodeselector }}
       priorityClassName: system-node-critical
       hostNetwork: true
       serviceAccountName: calico-node
diff --git a/scale.yml b/scale.yml
index 5e218791a5e6e5e3fced0342c34b49e28b8dcf91..33b9eeb0cf9daf199520cd933f2a2a0ade187ed1 100644
--- a/scale.yml
+++ b/scale.yml
@@ -96,5 +96,5 @@
   roles:
     - { role: kubespray-defaults }
     - { role: kubernetes/kubeadm, tags: kubeadm }
-    - { role: network_plugin, tags: network }
     - { role: kubernetes/node-label, tags: node-label }
+    - { role: network_plugin, tags: network }