diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml
index d856d064c..65e8c6590 100644
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@@ -131,3 +131,6 @@ bin_dir: /usr/local/bin
 
 # The read-only port for the Kubelet to serve on with no authentication/authorization. Uncomment to enable.
 #kube_read_only_port: 10255
+
+# Does coreos need auto upgrade, default is true
+#coreos_auto_upgrade: true
\ No newline at end of file
diff --git a/roles/bootstrap-os/defaults/main.yml b/roles/bootstrap-os/defaults/main.yml
index c191ebd2b..5d2f7321a 100644
--- a/roles/bootstrap-os/defaults/main.yml
+++ b/roles/bootstrap-os/defaults/main.yml
@@ -4,3 +4,6 @@ pip_python_coreos_modules:
   - six
 
 override_system_hostname: true
+
+
+coreos_auto_upgrade: true
diff --git a/roles/bootstrap-os/tasks/bootstrap-coreos.yml b/roles/bootstrap-os/tasks/bootstrap-coreos.yml
index d446cf282..ef82b7bde 100644
--- a/roles/bootstrap-os/tasks/bootstrap-coreos.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-coreos.yml
@@ -62,3 +62,8 @@
   with_items: "{{pip_python_coreos_modules}}"
   environment:
     PATH: "{{ ansible_env.PATH }}:{{ bin_dir }}"
+
+- name: Bootstrap | Disable auto-upgrade
+  shell: "systemctl stop locksmithd.service && systemctl mask --now locksmithd.service"
+  when:
+    - not coreos_auto_upgrade