diff --git a/roles/kubernetes/master/tasks/pre-upgrade.yml b/roles/kubernetes/master/tasks/pre-upgrade.yml
index 948b944c5..10093a08f 100644
--- a/roles/kubernetes/master/tasks/pre-upgrade.yml
+++ b/roles/kubernetes/master/tasks/pre-upgrade.yml
@@ -55,11 +55,13 @@
   set_fact:
     needs_etcd_migration: "{{ kube_apiserver_storage_backend == 'etcd3' and data_migrated.stdout_lines|length == 0 and old_data_exists.rc == 0 }}"
 
-- name: "Pre-upgrade | Write invalid image to kube-apiserver manifest if necessary"
+- name: "Pre-upgrade | Write invalid image to kube-apiserver manifest if necessary on all kube-masters"
   replace:
     dest: /etc/kubernetes/manifests/kube-apiserver.manifest
     regexp: '(\s+)image:\s+.*?$'
     replace: '\1image: kill.apiserver.using.fake.image.in:manifest'
+  delegate_to: "{{item}}"
+  with_items: "{{groups['kube-master']}}"
   register: kube_apiserver_manifest_replaced
   when: (secret_changed|default(false) or etcd_secret_changed|default(false) or needs_etcd_migration|bool) and kube_apiserver_manifest.stat.exists
 
diff --git a/upgrade-cluster.yml b/upgrade-cluster.yml
index 1f0479200..4ecc660f9 100644
--- a/upgrade-cluster.yml
+++ b/upgrade-cluster.yml
@@ -68,7 +68,6 @@
     - { role: kubernetes/master, tags: master }
     - { role: network_plugin, tags: network }
     - { role: upgrade/post-upgrade, tags: post-upgrade }
-    - { role: kubernetes-apps/network_plugin, tags: network }
 
 #Finally handle worker upgrades, based on given batch size
 - hosts: kube-node:!kube-master
@@ -80,6 +79,14 @@
     - { role: kubernetes/node, tags: node }
     - { role: network_plugin, tags: network }
     - { role: upgrade/post-upgrade, tags: post-upgrade }
+    - { role: kargo-defaults}
+
+- hosts: kube-master
+  any_errors_fatal: true
+  roles:
+    - { role: kargo-defaults}
+    - { role: kubernetes-apps/network_plugin, tags: network }
+    - { role: kubernetes-apps/policy_controller, tags: policy-controller }
 
 - hosts: calico-rr
   any_errors_fatal: true