diff --git a/files/etc/NetworkManager/conf.d/calico.conf b/files/etc/NetworkManager/conf.d/calico.conf
index 490d153..b4ac62a 100644
--- a/files/etc/NetworkManager/conf.d/calico.conf
+++ b/files/etc/NetworkManager/conf.d/calico.conf
@@ -1,2 +1,3 @@
+# https://docs.tigera.io/calico/latest/operations/troubleshoot/troubleshooting#configure-networkmanager
 [keyfile]
-unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:wireguard.cali
\ No newline at end of file
+unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:wireguard.cali
diff --git a/files/etc/kubernetes/psa.yaml b/files/etc/kubernetes/psa.yaml
index b2c6f65..fe13d52 100644
--- a/files/etc/kubernetes/psa.yaml
+++ b/files/etc/kubernetes/psa.yaml
@@ -15,7 +15,7 @@ plugins:
 exemptions:
 usernames: []
 runtimeClasses: []
- namespaces: [kube-system, system-upgrade, cis-operator-system]
+ namespaces: [kube-system, cis-operator-system]
 - name: EventRateLimit
 configuration:
 apiVersion: eventratelimit.admission.k8s.io/v1alpha1
diff --git a/tasks/install_server.yml b/tasks/install_server.yml
index 1d53902..a9d0b9e 100644
--- a/tasks/install_server.yml
+++ b/tasks/install_server.yml
@@ -89,6 +89,18 @@
 - kubernetes_master|bool
 - kubernetes_cri == "k3s"
 
+- name: Make link from /etc/rancher/k3s/k3s.yaml to /etc/kubernetes/admin.conf
+ file:
+ src: "/etc/rancher/k3s/k3s.yaml"
+ state: link
+ dest: "/etc/kubernetes/admin.conf"
+ force: yes
+ owner: root
+ group: root
+ when:
+ - kubernetes_master|bool
+ - kubernetes_cri == "k3s"
+
 #
 # Manque autoconfig de .kube/config local
 #
@@ -100,6 +112,7 @@
 # when:
 # - kubernetes_master|bigip_pool
 
+# kubectl get nodes -o custom-columns=NAME:.metadata.name,TAINTS:.spec.taints --no-headers
 - name: Check if a node is still tainted
 ansible.builtin.command: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes '{{ ansible_hostname | lower }}' -o jsonpath='{.spec.taints}'
 register: current_taint
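Review bot: In files/etc/kubernetes/psa.yaml the `namespaces:` exemption list has no comment saying why `kube-system` and `cis-operator-system` stay exempt, although a namespace exemption switches Pod Security admission off for every pod created there. I would add above it `# PSA is bypassed entirely in these namespaces; keep the list minimal and record the reason for each entry`. With `system-upgrade` dropped, pods in that namespace are now evaluated against the `defaults:` of what appears to be the PodSecurity plugin configuration, which sits above the hunk and is not visible here. If the system-upgrade controller is still deployed, confirm its pods pass that level before rollout.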
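Review bot: `force: yes` in the new "Make link from /etc/rancher/k3s/k3s.yaml to /etc/kubernetes/admin.conf" task of tasks/install_server.yml lets the file module replace a regular file that already exists at the destination, and create the link even when the source is not there yet, so a leftover admin kubeconfig is discarded without a backup and a dangling link goes unreported. If neither case is intended, drop the line or set `force: false`; if it is, say so with a comment such as `# force: replaces an admin.conf left by a previous install`. The link target is the k3s cluster-admin kubeconfig, and `owner`/`group` on the link do not by themselves restrict who can read it, so that still depends on the mode k3s writes for the file. For consistency with the `ansible.builtin.command` task below, write `ansible.builtin.file:` and use `true`/`false` rather than `yes`.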
diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2
index bed1d77..2c7c64f 100644
--- a/templates/etc/rancher/k3s/config.yaml.j2
+++ b/templates/etc/rancher/k3s/config.yaml.j2
@@ -40,11 +40,10 @@ selinux: true
 #embedded-registry: true
 disable:
 - traefik
-{% if kubernetes_interface is defined %}
-node-ip: {{ kubernetes_interface.address }}
-#node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}
-{% endif %}
+{% if lookup('vars', 'ansible_' + kubernetes_interface ) != ansible_host %}
 node-external-ip: {{ ansible_host }}
+{% endif %}
+node-ip: {{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}
 {% if false %}
 # node-external-ip: 1.2.3.4
 #node-label:
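Review bot: The new `{% if %}` guard compares the whole interface fact returned by `lookup('vars', 'ansible_' + kubernetes_interface )` with the string `ansible_host`, so it looks always true and `node-external-ip` would be written on every node; compare the address instead, `{% if lookup('vars', 'ansible_' + kubernetes_interface).ipv4.address != ansible_host %}`. The `kubernetes_interface is defined` guard is gone as well, so rendering presumably fails on hosts that do not set the variable, and the variable is now used as an interface name where the removed line read `kubernetes_interface.address`. `ansible_host` can be a DNS name in some inventories, which is presumably not a valid value for `node-external-ip`, so a comment stating that an IP is expected would help. The `{% if false %}` block that follows continues outside the hunk.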