only patch system:kube-dns role for old dns

roles/kubernetes-apps/ansible/tasks/main.yml

@@ -26,8 +26,7 @@
     - rbac_enabled or item.type not in kubedns_rbac_resources
   tags: dnsmasq
 
-# see https://github.com/kubernetes/kubernetes/issues/45084
+# see https://github.com/kubernetes/kubernetes/issues/45084, only needed for "old" kube-dns
-# TODO: this is only needed for "old" kube-dns
 - name: Kubernetes Apps | Patch system:kube-dns ClusterRole
   command: >
     {{bin_dir}}/kubectl patch clusterrole system:kube-dns
@@ -40,7 +39,9 @@
                  }
                ]
              }'
-  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled
+  when:
+    - dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
+    - rbac_enabled and kubedns_version|version_compare("1.11.0", "<", strict=True)
   tags: dnsmasq
 
 - name: Kubernetes Apps | Start Resources