diff --git a/roles/rke2/tasks/config_rke2.yml b/roles/rke2/tasks/config_rke2.yml
index 79dcf5fbdd99dd5b3d7c1fa5fd30d412a1be7d8b..18040a845833c7948224ad2481a747c40118c175 100644
--- a/roles/rke2/tasks/config_rke2.yml
+++ b/roles/rke2/tasks/config_rke2.yml
@@ -16,24 +16,6 @@
     - group_vars
     - group_vars/all
 
-- name: slurp token if upgrade
-  block:
-  - name: Load token
-    slurp:
-      src: "/var/lib/rancher/rke2/server/node-token"
-    register: slurped_token
-    when: upgrade and ('master' in group_names)
-  - name: Decode token and store as fact at dummy master_host with host variable
-    add_host:
-      name: "MASTER_HOST"
-      token: "{{ slurped_token.content | b64decode | trim }}"
-    when: upgrade and ('master' in group_names)
-  - name: set token
-    delegate_to: localhost
-    set_fact:
-      token: "{{ hostvars['MASTER_HOST']['token'].split('server:')[1] }}"
-    when: upgrade and ('master' in group_names)
-
 - name: store token
   delegate_to: localhost
   become: false
@@ -42,6 +24,7 @@
     dest: group_vars/all/token.yml
     content: |-
       token: {{ token }}
+  when: not upgrade
 
 - name: read token
   include_vars: group_vars/all/token.yml
diff --git a/roles/rke2/templates/config.yaml.j2 b/roles/rke2/templates/config.yaml.j2
index 88e5966a05be4578fe184cd581838a0580ad9ee8..dee9cac0b1b70d0a8e41702e51237407ab8e94c0 100644
--- a/roles/rke2/templates/config.yaml.j2
+++ b/roles/rke2/templates/config.yaml.j2
@@ -38,7 +38,7 @@ cloud-provider-name: "{{ cloud_provider_name }}"
 resolv-conf: "{{ resolv_conf_server }}"
 {# disable-cloud-controller: true #}
 write-kubeconfig-mode: "0644"
-kube-apiserver-arg: "--enable-admission-plugins=NodeRestriction,PodSecurityPolicy,PodNodeSelector,PodTolerationRestriction,DenyServiceExternalIPs"
+kube-apiserver-arg: "--enable-admission-plugins=NodeRestriction,PodSecurityPolicy,PodNodeSelector,PodTolerationRestriction --feature-gates=JobTrackingWithFinalizers=true,PodSecurity=true"
 
 {% if cni is defined and cni | length > 0 %}
 cni: "{{ cni }}"
@@ -48,6 +48,7 @@ cni: multus,calico,cilium
 cni: calico
 {% elif manifests_config['config-rke2-cilium'].enabled%}
 cni: cilium
+{# disable-kube-proxy: true #TODO also for agents #}
 {% endif %}
 
 {% if tls_san is defined and tls_san | length > 0 %}