diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index fade43c2632..86926cb2d90 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -243,7 +243,6 @@
   command: "{{ kubectl }} taint node {{ inventory_hostname }} {{ item }}"
   delegate_to: "{{ first_kube_control_plane }}"
   with_items:
-    - "node-role.kubernetes.io/master:NoSchedule-"
     - "node-role.kubernetes.io/control-plane:NoSchedule-"
   when: inventory_hostname in groups['kube_node']
   failed_when: false
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
index 64105719bf2..bc3b8601eba 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -18,8 +18,6 @@ nodeRegistration:
 {% endif %}
 {% if inventory_hostname in groups['kube_control_plane'] and inventory_hostname not in groups['kube_node'] %}
   taints:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/master
   - effect: NoSchedule
     key: node-role.kubernetes.io/control-plane
 {% else %}
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-controlplane.v1beta3.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-controlplane.v1beta3.yaml.j2
index fc696ae3eeb..c950d00b391 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-controlplane.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-controlplane.v1beta3.yaml.j2
@@ -21,8 +21,6 @@ nodeRegistration:
   criSocket: {{ cri_socket }}
 {% if inventory_hostname in groups['kube_control_plane'] and inventory_hostname not in groups['kube_node'] %}
   taints:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/master
   - effect: NoSchedule
     key: node-role.kubernetes.io/control-plane
 {% else %}
diff --git a/roles/upgrade/pre-upgrade/tasks/main.yml b/roles/upgrade/pre-upgrade/tasks/main.yml
index 58dfee0a9fd..5bd84060b67 100644
--- a/roles/upgrade/pre-upgrade/tasks/main.yml
+++ b/roles/upgrade/pre-upgrade/tasks/main.yml
@@ -46,6 +46,31 @@
       false
       {%- endif %}
 
+# Legacy taint: key = node-role.kubernetes.io/master, effect = NoSchedule
+# New taint: key = node-role.kubernetes.io/control-plane, effect = NoSchedule
+#
+# During the upgrade to k8s v1.25 legacy taint is deleted:
+#   https://github.com/kubernetes/kubernetes/commit/ddd046f3dd88186cbc83b57e83144db96eae4af4
+#
+# In order to avoid taint lost we need to ensure node-role.kubernetes.io/control-plane:NoSchedule
+# if node-role.kubernetes.io/master:NoSchedule is set prior to k8s upgrade
+- name: See if node has legacy taints
+  command: >
+    {{ kubectl }} get node {{ kube_override_hostname | default(inventory_hostname) }}
+    -o jsonpath='{.spec.taints[?(@.key=="node-role.kubernetes.io/master")]}'
+  register: kubectl_node_legacy_taints
+  delegate_to: "{{ groups['kube_control_plane'][0] }}"
+  failed_when: false
+  changed_when: false
+
+- name: Migrate node legacy taints
+  command: >
+    {{ kubectl }} taint --overwrite node {{ kube_override_hostname | default(inventory_hostname) }}
+    node-role.kubernetes.io/control-plane:NoSchedule
+  delegate_to: "{{ groups['kube_control_plane'][0] }}"
+  when:
+    - kubectl_node_legacy_taints.stdout | length
+
 - name: Node draining
   delegate_to: "{{ groups['kube_control_plane'][0] }}"
   when: