diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index bd7a3dc8b241149b1fb8c2381e1b344bb872e488..d465e69b99ab726d099384397904c340a36f4129 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -1,115 +1,115 @@
-# Valid bootstrap options (required): ubuntu, coreos, centos, none
-bootstrap_os: none
-
-# Directory where the binaries will be installed
-bin_dir: /usr/local/bin
-
-# Kubernetes configuration dirs and system namespace.
-# Those are where all the additional config stuff goes
-# the kubernetes normally puts in /srv/kubernets.
-# This puts them in a sane location and namespace.
-# Editting those values will almost surely break something.
-kube_config_dir: /etc/kubernetes
-kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
-kube_manifest_dir: "{{ kube_config_dir }}/manifests"
-system_namespace: kube-system
-
-# Logging directory (sysvinit systems)
-kube_log_dir: "/var/log/kubernetes"
-
-# This is where all the cert scripts and certs will be located
-kube_cert_dir: "{{ kube_config_dir }}/ssl"
-
-# This is where all of the bearer tokens will be stored
-kube_token_dir: "{{ kube_config_dir }}/tokens"
-
-# This is where to save basic auth file
-kube_users_dir: "{{ kube_config_dir }}/users"
-
-kube_api_anonymous_auth: false
-
-## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.5.3
-
-# Where the binaries will be downloaded.
-# Note: ensure that you've enough disk space (about 1G)
-local_release_dir: "/tmp/releases"
-# Random shifts for retrying failed ops like pushing/downloading
-retry_stagger: 5
-
-# This is the group that the cert creation scripts chgrp the
-# cert files to. Not really changable...
-kube_cert_group: kube-cert
-
-# Cluster Loglevel configuration
-kube_log_level: 2
-
-# Users to create for basic auth in Kubernetes API via HTTP
-kube_api_pwd: "changeme"
-kube_users:
-  kube:
-    pass: "{{kube_api_pwd}}"
-    role: admin
-  root:
-    pass: "{{kube_api_pwd}}"
-    role: admin
-
-# Choose network plugin (calico, weave or flannel)
-# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
-kube_network_plugin: calico
-
-# Kubernetes internal network for services, unused block of space.
-kube_service_addresses: 10.233.0.0/18
-
-# internal network. When used, it will assign IP
-# addresses from this range to individual pods.
-# This network must be unused in your network infrastructure!
-kube_pods_subnet: 10.233.64.0/18
-
-# internal network node size allocation (optional). This is the size allocated
-# to each node on your network.  With these defaults you should have
-# room for 4096 nodes with 254 pods per node.
-kube_network_node_prefix: 24
-
-# The port the API Server will be listening on.
-kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
-kube_apiserver_port: 443 # (https)
-kube_apiserver_insecure_port: 8080 # (http)
-
-# DNS configuration.
-# Kubernetes cluster name, also will be used as DNS domain
-cluster_name: cluster.local
-# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
-ndots: 2
-# Can be dnsmasq_kubedns, kubedns or none
-dns_mode: dnsmasq_kubedns
-# Can be docker_dns, host_resolvconf or none
-resolvconf_mode: docker_dns
-# Deploy netchecker app to verify DNS resolve as an HTTP service
-deploy_netchecker: false
-# Ip address of the kubernetes skydns service
-skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
-dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
-dns_domain: "{{ cluster_name }}"
-
-# Path used to store Docker data
-docker_daemon_graph: "/var/lib/docker"
-
-## A string of extra options to pass to the docker daemon.
-## This string should be exactly as you wish it to appear.
-## An obvious use case is allowing insecure-registry access
-## to self hosted registries like so:
-docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} --iptables=false"
-docker_bin_dir: "/usr/bin"
-
-# Settings for containerized control plane (etcd/kubelet/secrets)
-etcd_deployment_type: docker
-kubelet_deployment_type: docker
-cert_management: script
-vault_deployment_type: docker
-
-# K8s image pull policy (imagePullPolicy)
-k8s_image_pull_policy: IfNotPresent
-
-# Monitoring apps for k8s
-efk_enabled: false
+# # Valid bootstrap options (required): ubuntu, coreos, centos, none
+# bootstrap_os: none
+
+# # Directory where the binaries will be installed
+# bin_dir: /usr/local/bin
+
+# # Kubernetes configuration dirs and system namespace.
+# # Those are where all the additional config stuff goes
+# # the kubernetes normally puts in /srv/kubernets.
+# # This puts them in a sane location and namespace.
+# # Editting those values will almost surely break something.
+# kube_config_dir: /etc/kubernetes
+# kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
+# kube_manifest_dir: "{{ kube_config_dir }}/manifests"
+# system_namespace: kube-system
+
+# # Logging directory (sysvinit systems)
+# kube_log_dir: "/var/log/kubernetes"
+
+# # This is where all the cert scripts and certs will be located
+# kube_cert_dir: "{{ kube_config_dir }}/ssl"
+
+# # This is where all of the bearer tokens will be stored
+# kube_token_dir: "{{ kube_config_dir }}/tokens"
+
+# # This is where to save basic auth file
+# kube_users_dir: "{{ kube_config_dir }}/users"
+
+# kube_api_anonymous_auth: false
+
+# ## Change this to use another Kubernetes version, e.g. a current beta release
+# kube_version: v1.5.3
+
+# # Where the binaries will be downloaded.
+# # Note: ensure that you've enough disk space (about 1G)
+# local_release_dir: "/tmp/releases"
+# # Random shifts for retrying failed ops like pushing/downloading
+# retry_stagger: 5
+
+# # This is the group that the cert creation scripts chgrp the
+# # cert files to. Not really changable...
+# kube_cert_group: kube-cert
+
+# # Cluster Loglevel configuration
+# kube_log_level: 2
+
+# # Users to create for basic auth in Kubernetes API via HTTP
+# kube_api_pwd: "changeme"
+# kube_users:
+#   kube:
+#     pass: "{{kube_api_pwd}}"
+#     role: admin
+#   root:
+#     pass: "{{kube_api_pwd}}"
+#     role: admin
+
+# # Choose network plugin (calico, weave or flannel)
+# # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
+# kube_network_plugin: calico
+
+# # Kubernetes internal network for services, unused block of space.
+# kube_service_addresses: 10.233.0.0/18
+
+# # internal network. When used, it will assign IP
+# # addresses from this range to individual pods.
+# # This network must be unused in your network infrastructure!
+# kube_pods_subnet: 10.233.64.0/18
+
+# # internal network node size allocation (optional). This is the size allocated
+# # to each node on your network.  With these defaults you should have
+# # room for 4096 nodes with 254 pods per node.
+# kube_network_node_prefix: 24
+
+# # The port the API Server will be listening on.
+# kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
+# kube_apiserver_port: 443 # (https)
+# kube_apiserver_insecure_port: 8080 # (http)
+
+# # DNS configuration.
+# # Kubernetes cluster name, also will be used as DNS domain
+# cluster_name: cluster.local
+# # Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
+# ndots: 2
+# # Can be dnsmasq_kubedns, kubedns or none
+# dns_mode: dnsmasq_kubedns
+# # Can be docker_dns, host_resolvconf or none
+# resolvconf_mode: docker_dns
+# # Deploy netchecker app to verify DNS resolve as an HTTP service
+# deploy_netchecker: false
+# # Ip address of the kubernetes skydns service
+# skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
+# dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
+# dns_domain: "{{ cluster_name }}"
+
+# # Path used to store Docker data
+# docker_daemon_graph: "/var/lib/docker"
+
+# ## A string of extra options to pass to the docker daemon.
+# ## This string should be exactly as you wish it to appear.
+# ## An obvious use case is allowing insecure-registry access
+# ## to self hosted registries like so:
+# docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} --iptables=false"
+# docker_bin_dir: "/usr/bin"
+
+# # Settings for containerized control plane (etcd/kubelet/secrets)
+# etcd_deployment_type: docker
+# kubelet_deployment_type: docker
+# cert_management: script
+# vault_deployment_type: docker
+
+# # K8s image pull policy (imagePullPolicy)
+# k8s_image_pull_policy: IfNotPresent
+
+# # Monitoring apps for k8s
+# efk_enabled: false
diff --git a/roles/kargo-defaults/defaults/main.yaml b/roles/kargo-defaults/defaults/main.yaml
index 8cb22832b018e8ae0feca7bc9d4d7d494497ae78..9760058c4676d4c3f964783aeb99b24aa471d8d7 100644
--- a/roles/kargo-defaults/defaults/main.yaml
+++ b/roles/kargo-defaults/defaults/main.yaml
@@ -111,3 +111,4 @@ vault_deployment_type: docker
 
 # K8s image pull policy (imagePullPolicy)
 k8s_image_pull_policy: IfNotPresent
+efk_enabled: false