diff --git a/roles/rke2/tasks/fix_selinux.yml b/roles/rke2/tasks/fix_selinux.yml
index 8b2ba35c2802662cedec0c8ea37bd0b238c50d3e..5dc3e1b46416f1ddb078e05591191ca8b118b32d 100644
--- a/roles/rke2/tasks/fix_selinux.yml
+++ b/roles/rke2/tasks/fix_selinux.yml
@@ -9,13 +9,14 @@
 - name: kill the openstack ccm pods to make sure they boot in permissive mode
   shell: "/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml rollout restart -n kube-system ds openstack-cloud-controller-manager "
   register: openstack_ccm_ready
-  when: ( 'master' in group_names )
+  when: ( 'master' in group_names and not upgrade)
   ignore_errors: True
 
 
 - name: Wait for openstack-cloud-controller deamon set to be ready
   shell: "/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml wait --namespace=kube-system --for=condition=Ready ds openstack-cloud-controller-manager --timeout=120s"
   register: openstack_ccm_ready
+  when: not upgrade
   ignore_errors: True
 
 - name: Enable SELinux