diff --git a/.gitlab-ci/lint.yml b/.gitlab-ci/lint.yml
index 7d02149e878d1ee950acf36c3f7e3a7ca3d7618f..170aa02ed49a0b05d6c2dab595e58b48ff3978bb 100644
--- a/.gitlab-ci/lint.yml
+++ b/.gitlab-ci/lint.yml
@@ -11,7 +11,7 @@ ansible-lint:
   stage: unit-tests
   # lint every yml/yaml file that looks like it contains Ansible plays
   script: |-
-    grep -Rl '^- hosts: \|^  hosts: \|^- name: ' --include \*.yml --include \*.yaml . | xargs -P 4 -n 25 ansible-lint -v
+    grep -Rl '^- hosts: \|^  hosts: ' --include \*.yml --include \*.yaml . | xargs -P 4 -n 25 ansible-lint -v
   except: ['triggers', 'master']
 
 syntax-check:
diff --git a/cluster.yml b/cluster.yml
index d1ccb317c60e84f1eccde1283d9ae8a37fffb6a5..cc48fe45965494a7da10379bf4d9eabc09a5fd22 100644
--- a/cluster.yml
+++ b/cluster.yml
@@ -109,5 +109,10 @@
   roles:
     - { role: kubespray-defaults}
     - { role: kubernetes-apps, tags: apps }
-    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }
   environment: "{{proxy_env}}"
+
+- hosts: k8s-cluster
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  roles:
+    - { role: kubespray-defaults}
+    - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }
diff --git a/roles/recover_control_plane/etcd/tasks/prepare.yml b/roles/recover_control_plane/etcd/tasks/prepare.yml
index 964ba35dd1dd22503eeee83c80f87d319e590a46..0f00f0338bcc3bec0f7a60e0eeed3bf121b7bbc4 100644
--- a/roles/recover_control_plane/etcd/tasks/prepare.yml
+++ b/roles/recover_control_plane/etcd/tasks/prepare.yml
@@ -1,5 +1,6 @@
 ---
 - name: Delete old certificates
+  # noqa 302 - rm is ok here for now
   shell: "rm /etc/ssl/etcd/ssl/*{{ item }}* /etc/kubernetes/ssl/etcd/*{{ item }}*"
   with_items: "{{ old_etcds.split(',') }}"
   register: delete_old_cerificates
diff --git a/roles/recover_control_plane/etcd/tasks/recover_lost_quorum.yml b/roles/recover_control_plane/etcd/tasks/recover_lost_quorum.yml
index 07d40789504e3d98154f6b13f2c3f3a35796ca43..beb8b0daf9c82862d6006e9a3ea51755c2477053 100644
--- a/roles/recover_control_plane/etcd/tasks/recover_lost_quorum.yml
+++ b/roles/recover_control_plane/etcd/tasks/recover_lost_quorum.yml
@@ -20,7 +20,9 @@
     state: stopped
 
 - name: Remove etcd data-dir
-  shell: "rm -rf {{ etcd_data_dir }}"
+  file:
+    path: "{{ etcd_data_dir }}"
+    state: absent
 
 - name: Restore etcd snapshot
   shell: "{{ bin_dir }}/etcdctl snapshot restore /tmp/snapshot.db --name {{ etcd_member_name }} --initial-cluster {{ etcd_member_name }}={{ etcd_peer_url }} --initial-cluster-token k8s_etcd --initial-advertise-peer-urls {{ etcd_peer_url }} --data-dir {{ etcd_data_dir }}"
diff --git a/upgrade-cluster.yml b/upgrade-cluster.yml
index 395ca049bd4502850447eda6ffc2dec3bfb47601..4cdbaeb72b09a202107fb5c5dd18b1984927b7e7 100644
--- a/upgrade-cluster.yml
+++ b/upgrade-cluster.yml
@@ -112,10 +112,17 @@
   roles:
     - { role: kubespray-defaults}
     - { role: network_plugin/calico/rr, tags: network }
+  environment: "{{proxy_env}}"
 
 - hosts: kube-master
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
     - { role: kubespray-defaults}
     - { role: kubernetes-apps, tags: apps }
+  environment: "{{proxy_env}}"
+
+- hosts: k8s-cluster
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  roles:
+    - { role: kubespray-defaults}
     - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf }