diff --git a/roles/rke2/tasks/fix_selinux.yml b/roles/rke2/tasks/fix_selinux.yml
index 3ef1808bd187878ff01a139f353b37b95a046cf4..32032d94767cc36e2d6769fc8a132c331745c5d3 100644
--- a/roles/rke2/tasks/fix_selinux.yml
+++ b/roles/rke2/tasks/fix_selinux.yml
@@ -1,25 +1,4 @@
-#ausearch -c 'openstack-cloud' --raw | audit2allow -M my-openstackcloud
-#semodule -i my-openstackcloud.pp
 
-#update-ca-trust
-
-#ausearch -c 'tail' --raw | audit2allow -M my-tail
-#semodule -i my-tail.pp
-
-# - name: install SELinux debug RHEL packages
-#   dnf:
-#     name:
-#       - setroubleshoot      
-#       - python3-libselinux
-#       - policycoreutils-python-utils
-#     state: present
-
-#Additional Information:
-#Source Context                system_u:system_r:container_t:s0:c148,c270
-#Target Context                system_u:object_r:cert_t:s0
-#Target Objects                cacert.pem [ file ]
-#Source                        openstack-cloud
-#Source Path                   /bin/openstack-cloud-controller-manager
 - name: Copy SELinux Policies
   template:
     src: ../selinux/my-openstack.te
@@ -33,35 +12,13 @@
     semodule -i /etc/selinux/targeted/policy/my-openstack.pp
 
 
-
-
-#module test 1.0;
-#
-#require {
-#        type cert_t;
-#        type container_t;
-#        class dir read;
-#}
-#
-##============= container_t ==============
-#allow container_t cert_t:dir read;
-
-# - name: uninstall SELinux debug RHEL packages
-#   dnf:
-#     name:
-#       - setroubleshoot      
-#       - python3-libselinux
-#       - policycoreutils-python-utils
-#     state: absent
-#rancher    40814  0.1  0.3 751524 58892 ?        Ssl  05:02   0:16 /bin/openstack-cloud-controller-manager --v=2 --cloud-config=/etc/config/cloud.conf --cluster-name=kubernetes --cloud-provider=openstack --use-service-account-credentials=true --controllers=cloud-node,cloud-node-lifecycle,route,service --bind-address=127.0.0.1 --cluster-name=rke2-cluster-beta
-
-
 - name: Wait for all control-plane pods become created
   shell: "/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get po --namespace=kube-system --selector tier=control-plane --output=jsonpath='{.items[*].metadata.name}'"
   register: control_plane_pods_created
   until: item in control_plane_pods_created.stdout
   retries: 10
   delay: 30
+  when: state != 'absent' and 'master' in group_names
   with_items:
     - etcd
     - kube-apiserver
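Review bot: The added `when:` reads a bare `state` variable, and nothing in this hunk shows where it is defined; if the role does not give it a default, the task fails with an undefined-variable error instead of being skipped. If that is the case, `when: state | default('present') != 'absent' and 'master' in group_names` keeps the same gating without depending on the caller. This poll is also read-only, so adding `changed_when: false` would stop each retry from being reported as a change. The `with_items` list continues past the end of the hunk, so the full set of awaited pods is not visible here.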
diff --git a/roles/rke2/tasks/rotate_encryption.yml b/roles/rke2/tasks/rotate_encryption.yml
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..67281fa2c635fe7b77a6a2975ad0e0b0a64091e7 100644
--- a/roles/rke2/tasks/rotate_encryption.yml
+++ b/roles/rke2/tasks/rotate_encryption.yml
@@ -0,0 +1,12 @@
+- name: Check status of key encryption
+  shell: "rke2 secrets-encrypt status"
+  register: encryption_status
+
+- debug: var=encryption_status.stdout_lines
+
+- name: Sequentially restart the controlplane nodes
+  serial: 1
+  ansible.builtin.systemd:
+    name: rke2-server
+    state: restarted
+
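Review bot: `serial: 1` on the "Sequentially restart the controlplane nodes" task is a play-level keyword and is not accepted on a task, so this file fails to load when it is included; the per-task equivalent is `throttle: 1`. Unlike the wait task in fix_selinux.yml, neither task here is limited to server nodes, so on hosts without the `rke2-server` unit the restart would fail; a `when: "'master' in group_names"` guard would match the other file. Nothing waits for a restarted node to become healthy before the next one is restarted, which risks losing etcd quorum. The file also only runs `rke2 secrets-encrypt status` and never invokes a rotation step, so as written it restarts the control plane without rotating any key. The status call is read-only and would be better as `command:` with `changed_when: false`.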