diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index bed2d8e8d7ffb7bcaab36379f331cac313da9a2f..2d58903bf920f7a6fd842d90f1cddb1334164323 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -48,9 +48,9 @@ credentials_dir: "{{ inventory_dir }}/credentials"
 ## Optional settings for OIDC
 # kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.pem"
 # kube_oidc_username_claim: sub
-# kube_oidc_username_prefix: oidc:
+# kube_oidc_username_prefix: 'oidc:'
 # kube_oidc_groups_claim: groups
-# kube_oidc_groups_prefix: oidc:
+# kube_oidc_groups_prefix: 'oidc:'
 
 ## Variables to control webhook authn/authz
 # kube_webhook_token_auth: false
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 7d205e7a3f9ebf675ff040f1097ad3eb5e30eb1e..f83133cbed35fd9364812b893c6c8afcea94e48f 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -116,9 +116,9 @@ kube_webhook_authorization_url_skip_tls_verify: false
 # kube_oidc_client_id: kubernetes
 ## Optional settings for OIDC
 # kube_oidc_username_claim: sub
-# kube_oidc_username_prefix: oidc:
+# kube_oidc_username_prefix: 'oidc:'
 # kube_oidc_groups_claim: groups
-# kube_oidc_groups_prefix: oidc:
+# kube_oidc_groups_prefix: 'oidc:'
 # Copy oidc CA file to the following path if needed
 # kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
 # Optionally include a base64-encoded oidc CA cert