only the control-plane master gets the ability to set taints

tasks/control-plane-aux-setup.yml

@@ -5,17 +5,3 @@
   args:
     creates: /etc/kubernetes/kubelet.conf
   tags: ["skip_ansible_lint"]
-
-- name: Allow pods on control plane (if configured).
-  command: "kubectl taint nodes {{ inventory_hostname_short }} node-role.kubernetes.io/control-plane-"
-  register: taint_removed
-  until: >
-    ("untainted" in taint_removed.stdout) or
-    ("not found" in taint_removed.stdout)
-  changed_when: "'untainted' in taint_removed.stdout"
-  failed_when: false
-  retries: 100
-  delay: 5
-  when:
-    - kubernetes_allow_pods_on_control_plane | bool
-    - join_ctrl_plane.changed

tasks/control-plane-setup.yml

@@ -190,11 +190,3 @@
   register: weave_result
   changed_when: "'created' in weave_result.stdout"
   when: kubernetes_pod_network.cni == 'weave'
-
-# TODO: Check if taint exists with something like `kubectl describe nodes`
-# instead of using kubernetes_init_stat.stat.exists check.
-- name: Allow pods on control plane (if configured).
-  command: "kubectl taint nodes --all node-role.kubernetes.io/control-plane-"
-  when:
-    - kubernetes_allow_pods_on_control_plane | bool
-    - not kubernetes_init_stat.stat.exists

tasks/main.yml

@@ -110,3 +110,17 @@
   when:
     - kubernetes_allow_pods_on_control_plane | bool
     - not kubernetes_init_stat.stat.exists
+
+- name: Allow pods on control plane (if configured).
+  command: "kubectl taint nodes --all node-role.kubernetes.io/control-plane-"
+  register: taint_removed
+  until: >
+    ("untainted" in taint_removed.stdout) or
+    ("not found" in taint_removed.stdout)
+  changed_when: "'untainted' in taint_removed.stdout"
+  failed_when: false
+  retries: 100
+  delay: 5
+  when:
+    - join_ctrl_plane.changed
+    - inventory_hostname == groups['k8s_control_plane'][0]