diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml
index 69fc2c9f0..0e4c54160 100644
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -35,8 +35,6 @@ resolveconf_cloud_init_conf: /etc/resolveconf_cloud_init.conf
 # All inventory hostnames will be written into each /etc/hosts file.
 populate_inventory_to_hosts_file: true
 
-preinstall_selinux_state: permissive
-
 sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
 
 etc_hosts_localhost_entries:
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 9b196946e..0ed4976a2 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -3,6 +3,9 @@
 # This change obseletes editing ansible.cfg file depending on bastion existence
 ansible_ssh_common_args: "{% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p {{ hostvars['bastion']['ansible_user'] }}@{{ hostvars['bastion']['ansible_host'] }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %} ' {% endif %}"
 
+# selinux state
+preinstall_selinux_state: permissive
+
 kube_api_anonymous_auth: true
 
 # Default value, but will be set to true automatically if detected