diff --git a/core/controlplane/config/templates/cloud-config-controller b/core/controlplane/config/templates/cloud-config-controller
index dec8f6207..fa3a3bb66 100644
--- a/core/controlplane/config/templates/cloud-config-controller
+++ b/core/controlplane/config/templates/cloud-config-controller
@@ -826,6 +826,18 @@ write_files:
 kubectl delete --cascade=true --ignore-not-found=true -f $(echo "$@" | tr ' ' ',')
 }
 
+ # forceapply - remove and retry if apply fails (does not rely on the kubectl --force method)
+ # this is needed for allowing the updating of pod disruption budgets
+ forceapply() {
+ set +e
+ if ! kubectl apply -f $(echo "$@" | tr ' ' ','); then
+ set -e
+ kubectl delete --ignore-not-found=true -f $(echo "$@" | tr ' ' ',')
+ kubectl create -f $(echo "$@" | tr ' ' ',')
+ fi
+ set -e
+ }
+
 while ! kubectl get ns kube-system; do
 echo Waiting until kube-system created.
 sleep 3
@@ -932,6 +944,9 @@ write_files:
 {{ if .KubeResourcesAutosave.Enabled }}"${mfdir}/kube-resources-autosave-de.yaml"{{ end }} \
 {{ if .KubernetesDashboard.Enabled }}"${mfdir}/kubernetes-dashboard-de.yaml"{{ end }}
 
+ # Pod Disruption Budgets
+ forceapply "${mfdir}/kube-dns-pdb.yaml"
+
 # Services
 applyall \
 "${mfdir}/heapster-svc.yaml" \
@@ -3872,6 +3887,19 @@ write_files:
 port: 53
 protocol: TCP
 
+ - path: /srv/kubernetes/manifests/kube-dns-pdb.yaml
+ content: |
+ apiVersion: policy/v1beta1
+ kind: PodDisruptionBudget
+ metadata:
+ name: kube-dns
+ namespace: kube-system
+ spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ k8s-app: kube-dns
+
 - path: /srv/kubernetes/manifests/heapster-sa.yaml
 content: |
 apiVersion: v1
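Review bot: The fallback in `forceapply` runs on any non-zero exit from `kubectl apply`, not only on the rejected-update case the comment describes, so a transient API error or a malformed manifest also reaches `kubectl delete`. Because the arguments are joined with commas, one failing manifest causes every manifest passed in to be deleted and recreated. Between the delete and the create the object does not exist, and if `kubectl create` fails the script stops with the resource gone. The `set +e`/`set -e` toggling is unnecessary because a command tested by `if !` does not trip errexit, and the trailing `set -e` overrides whatever option state the caller had. I would handle each manifest on its own and log the fallback, as sketched below; this assumes the script already runs with errexit on, which is not visible in the hunk.

```shell
forceapply() {
  for manifest in "$@"; do
    # a command tested by `if !` does not trip errexit, so no set +e/-e toggling
    if ! kubectl apply -f "${manifest}"; then
      echo "apply failed for ${manifest}; deleting and recreating it" >&2
      kubectl delete --ignore-not-found=true -f "${manifest}"
      kubectl create -f "${manifest}"
    fi
  done
}
```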
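Review bot: `maxUnavailable: 1` in the new kube-dns PodDisruptionBudget only limits disruption when kube-dns runs two or more replicas; with a single replica it permits evicting the only DNS pod, so a node drain can still take cluster DNS down. The replica count of the kube-dns deployment is not visible in this hunk, so it should be checked against it and against any autoscaler that can scale it to one. I would record the intent in the manifest, e.g. `# permits one kube-dns pod to be evicted at a time; assumes >= 2 replicas`. `policy/v1beta1` also deserves a comment, since that API version was removed in Kubernetes 1.25 and newer clusters need `policy/v1`.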