diff --git a/roles/kubernetes/client/tasks/main.yml b/roles/kubernetes/client/tasks/main.yml
index 84f80610731636debb41024b1e9ed6f997731068..d0edfaff0045bf783ee32b2dea0df20384347b95 100644
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -28,6 +28,9 @@
   template:
     src: admin.conf.j2
     dest: "{{ kube_config_dir }}/admin.conf"
+    owner: root
+    group: "{{ kube_cert_group }}"
+    mode: 0640
   when: not kubeadm_enabled|d(false)|bool
 
 - name: Create kube config dir
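Review bot: `mode: 0640` on the admin.conf template is an unquoted octal literal, so the resulting permissions depend on the YAML loader reading the leading zero as octal; `mode: "0640"` gives the same result without that dependence. Together with `group: "{{ kube_cert_group }}"`, the group-read bit lets every member of that group read the cluster-admin kubeconfig. The diff does not show who belongs to the group, so if only root needs the file, `mode: "0600"` would be tighter. The copy fetched to `{{ artifacts_dir }}/admin.conf` in the next hunk gets no explicit permissions, so the restriction added here probably does not carry over to the controller. The template task begins above this hunk.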
@@ -50,7 +53,6 @@
     dest: "{{ artifacts_dir }}/admin.conf"
     flat: yes
     validate_checksum: no
-  become: no
   run_once: yes
   when: kubeconfig_localhost|default(false)
 
diff --git a/roles/kubernetes/master/handlers/main.yml b/roles/kubernetes/master/handlers/main.yml
index a27a5772ec98c15dd7f739c6e12a90047002fb05..1c6dc956ca55511f7417dc23805ec2cda6ec8916 100644
--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -46,5 +46,16 @@
   delay: 6
 
 - name: Master | set secret_changed
+  command: /bin/true
+  notify:
+    - Master | set secret_changed to true
+    - Master | clear kubeconfig for root user
+
+- name: Master | set secret_changed to true
   set_fact:
     secret_changed: true
+
+- name: Master | clear kubeconfig for root user
+  file:
+    path: /root/.kube/config
+    state: absent
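Review bot: `Master | clear kubeconfig for root user` deletes `/root/.kube/config` every time the secret handler fires, and nothing visible in this diff recreates the file or says why it is removed. If the intent is to drop a kubeconfig that still embeds the old credentials, a comment above the handler such as `# remove root's cached kubeconfig so stale credentials are not reused` would record that. The path is hard-coded, so any other copy of the admin kubeconfig (for instance the one fetched to `artifacts_dir` in roles/kubernetes/client) is left untouched; worth confirming that is acceptable after a secret change. The `command: /bin/true` dispatcher would also benefit from a one-line comment, `# always reports changed so both handlers below are notified`. The same three handlers are added in roles/kubernetes/secrets/handlers/main.yml and the same remarks apply there.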
diff --git a/roles/kubernetes/secrets/handlers/main.yml b/roles/kubernetes/secrets/handlers/main.yml
index d5fab8e1417c602f8965c70850bce27359eb2534..f6f12a0036047a7079e0a72d6b8b33f04ac62c2e 100644
--- a/roles/kubernetes/secrets/handlers/main.yml
+++ b/roles/kubernetes/secrets/handlers/main.yml
@@ -1,4 +1,15 @@
 ---
 - name: set secret_changed
+  command: /bin/true
+  notify:
+    - set secret_changed to true
+    - clear kubeconfig for root user
+
+- name: set secret_changed to true
   set_fact:
     secret_changed: true
+
+- name: clear kubeconfig for root user
+  file:
+    path: /root/.kube/config
+    state: absent