diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index 00a1fd74d3018d7397b5e603201d2531269f723e..b76ec5b07c46a1d9838a5852a63f2932c07a17dc 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -26,8 +26,7 @@
     - rbac_enabled or item.type not in kubedns_rbac_resources
   tags: dnsmasq
 
-# see https://github.com/kubernetes/kubernetes/issues/45084
-# TODO: this is only needed for "old" kube-dns
+# see https://github.com/kubernetes/kubernetes/issues/45084, only needed for "old" kube-dns
 - name: Kubernetes Apps | Patch system:kube-dns ClusterRole
   command: >
     {{bin_dir}}/kubectl patch clusterrole system:kube-dns
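Review bot: The rewritten comment above the patch task still says "old" kube-dns without naming the versions it means, so a reader has to find the cutoff in the task's `when:` further down. Since the TODO marker is dropped, state the condition in the comment itself, for example `# see https://github.com/kubernetes/kubernetes/issues/45084; only needed for kube-dns < 1.11.0`. That keeps the reason for this ClusterRole patch and its version gate in one place. The task body continues outside this hunk.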
@@ -40,7 +39,9 @@
                  }
                ]
              }'
-  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled
+  when:
+    - dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
+    - rbac_enabled and kubedns_version|version_compare("1.11.0", "<", strict=True)
   tags: dnsmasq
 
 - name: Kubernetes Apps | Start Resources
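Review bot: The new second `when:` item uses `strict=True`, which makes `version_compare` raise on a version string that is not plain dotted numbers, so the task would fail the play rather than skip. `kubedns_version` is defined outside this diff; if it can ever carry a `v` prefix or a tag suffix, drop the strict flag: `- rbac_enabled and kubedns_version|version_compare("1.11.0", "<")`. It is also worth confirming that `kubedns_version` is always defined when `dns_mode` is not 'none', because an undefined variable here is a templating error, not a false condition. The patch task itself starts above this hunk.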