diff --git a/services/maintenance/disable-k3s-traefik-rbac.yaml b/services/maintenance/disable-k3s-traefik-rbac.yaml
new file mode 100644
index 00000000..3bf0113a
--- /dev/null
+++ b/services/maintenance/disable-k3s-traefik-rbac.yaml
@@ -0,0 +1,39 @@
+# services/maintenance/disable-k3s-traefik-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: disable-k3s-traefik
+rules:
+ - apiGroups: ["k3s.cattle.io"]
+ resources: ["addons"]
+ verbs: ["get", "list", "watch", "delete"]
+ - apiGroups: ["helm.cattle.io"]
+ resources: ["helmcharts", "helmchartconfigs"]
+ verbs: ["get", "list", "watch", "delete"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch", "delete"]
+ - apiGroups: [""]
+ resources: ["services", "serviceaccounts"]
+ verbs: ["get", "list", "watch", "delete"]
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "watch", "delete"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles", "clusterrolebindings"]
+ verbs: ["get", "list", "watch", "delete"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: disable-k3s-traefik
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: disable-k3s-traefik
+subjects:
+ - kind: ServiceAccount
+ name: disable-k3s-traefik
+ namespace: maintenance
diff --git a/services/maintenance/k3s-traefik-cleanup-rbac.yaml b/services/maintenance/k3s-traefik-cleanup-rbac.yaml
index 45710c51..9adef8ba 100644
--- a/services/maintenance/k3s-traefik-cleanup-rbac.yaml
+++ b/services/maintenance/k3s-traefik-cleanup-rbac.yaml
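Review bot: The new `disable-k3s-traefik` ClusterRole grants `delete` cluster-wide on services, serviceaccounts, deployments, jobs, clusterroles and clusterrolebindings, while the script in this commit only deletes a fixed set of named Traefik objects in `kube-system` plus a few named cluster-scoped RBAC objects. If the maintenance pod or its service-account token is compromised, this role is enough to remove workloads and RBAC bindings anywhere in the cluster. Consider moving the namespaced rules into a Role/RoleBinding in `kube-system` and pinning every rule with `resourceNames`; the script deletes by name, so `list` and `watch` look unnecessary (confirm whether your kubectl still needs `get`). `helmchartconfigs` is granted but nothing visible in this commit deletes one. The same scoping applies to the `addons` and `jobs` rules added to the `k3s-traefik-cleanup` ClusterRole in the next hunk.

```yaml
# Cluster-scoped objects only, pinned to the names the script deletes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: disable-k3s-traefik
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    resourceNames: ["traefik-ingress-controller", "traefik-kube-system"]
    verbs: ["get", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings"]
    resourceNames:
      - helm-kube-system-traefik
      - helm-kube-system-traefik-crd
      - traefik-ingress-controller
      - traefik-kube-system
    verbs: ["get", "delete"]
---
# Namespaced objects: Role in kube-system instead of a cluster-wide grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: disable-k3s-traefik
  namespace: kube-system
rules:
  - apiGroups: ["k3s.cattle.io"]
    resources: ["addons"]
    resourceNames: ["traefik"]
    verbs: ["get", "delete"]
  - apiGroups: ["helm.cattle.io"]
    resources: ["helmcharts"]
    resourceNames: ["traefik", "traefik-crd"]
    verbs: ["get", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    resourceNames: ["helm-install-traefik", "helm-install-traefik-crd"]
    verbs: ["get", "delete"]
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["traefik"]
    verbs: ["get", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    resourceNames: ["traefik", "helm-traefik", "helm-traefik-crd"]
    verbs: ["get", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["traefik"]
    verbs: ["get", "delete"]
# ... plus a RoleBinding in kube-system to the existing ServiceAccount in maintenance ...
```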
@@ -12,9 +12,15 @@ kind: ClusterRole
 metadata:
 name: k3s-traefik-cleanup
 rules:
+ - apiGroups: ["k3s.cattle.io"]
+ resources: ["addons"]
+ verbs: ["get", "list", "watch", "delete"]
 - apiGroups: ["helm.cattle.io"]
 resources: ["helmcharts", "helmchartconfigs"]
 verbs: ["get", "list", "watch", "delete"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch", "delete"]
 - apiGroups: [""]
 resources: ["services", "serviceaccounts"]
 verbs: ["get", "list", "watch", "delete"]
diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index 70ec255d..a7b6d82a 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
 - ariadne-serviceaccount.yaml
 - ariadne-rbac.yaml
 - disable-k3s-traefik-serviceaccount.yaml
+ - disable-k3s-traefik-rbac.yaml
 - k3s-traefik-cleanup-rbac.yaml
 - metis-serviceaccount.yaml
 - metis-rbac.yaml
diff --git a/services/maintenance/scripts/disable_k3s_traefik.sh b/services/maintenance/scripts/disable_k3s_traefik.sh
index 7b8cebdc..b3597021 100644
--- a/services/maintenance/scripts/disable_k3s_traefik.sh
+++ b/services/maintenance/scripts/disable_k3s_traefik.sh
@@ -54,11 +54,28 @@ restart_k3s() {
 chroot "${host_root}" /bin/systemctl restart k3s
 }
-ensure_disable_flag
-remove_manifest
+cleanup_cluster_objects() {
+ kubectl -n kube-system delete addon traefik --ignore-not-found --wait=false >/dev/null 2>&1 || true
+ kubectl -n kube-system delete helmchart traefik traefik-crd --ignore-not-found --wait=false >/dev/null 2>&1 || true
+ kubectl -n kube-system delete job helm-install-traefik helm-install-traefik-crd --ignore-not-found --wait=false >/dev/null 2>&1 || true
+ kubectl -n kube-system delete deployment traefik --ignore-not-found --wait=false >/dev/null 2>&1 || true
+ kubectl -n kube-system delete service traefik --ignore-not-found --wait=false >/dev/null 2>&1 || true
+ kubectl -n kube-system delete serviceaccount traefik helm-traefik helm-traefik-crd --ignore-not-found --wait=false >/dev/null 2>&1 || true
+ kubectl delete clusterrole traefik-ingress-controller traefik-kube-system --ignore-not-found --wait=false >/dev/null 2>&1 || true
+ kubectl delete clusterrolebinding helm-kube-system-traefik helm-kube-system-traefik-crd traefik-ingress-controller traefik-kube-system --ignore-not-found --wait=false >/dev/null 2>&1 || true
+}
-if [ "${changed}" -eq 1 ]; then
- restart_k3s
-fi
+while true; do
+ changed=0
+ ensure_disable_flag
+ remove_manifest
-sleep infinity
+ if [ "${changed}" -eq 1 ]; then
+ restart_k3s
+ sleep 15
+ remove_manifest
+ fi
+
+ cleanup_cluster_objects
+ sleep 300
+done
diff --git a/services/maintenance/scripts/k3s_traefik_cleanup.sh b/services/maintenance/scripts/k3s_traefik_cleanup.sh
index 81ba3377..3ea268bd 100755
--- a/services/maintenance/scripts/k3s_traefik_cleanup.sh
+++ b/services/maintenance/scripts/k3s_traefik_cleanup.sh
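Review bot: Every `kubectl delete` in `cleanup_cluster_objects` ends in `>/dev/null 2>&1 || true`, so an RBAC `Forbidden` or an unreachable API server (possible right after `restart_k3s` and the fixed `sleep 15`) looks the same as success, and the loop repeats that silently every 300 seconds. `--ignore-not-found` already covers the expected already-deleted case, so keep stderr and report the failure instead, for example `kubectl -n kube-system delete addon traefik --ignore-not-found --wait=false >/dev/null || echo "disable-k3s-traefik: delete addon traefik failed" >&2`. It would also help to log each pass where `changed` becomes 1, because the new loop can restart k3s repeatedly without leaving a trace. `ensure_disable_flag` and `remove_manifest` are defined outside this hunk, so how they set `changed` is not visible here.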
@@ -1,7 +1,9 @@
 #!/usr/bin/env bash
 set -euo pipefail
+kubectl -n kube-system delete addon traefik --ignore-not-found --wait=false
 kubectl -n kube-system delete helmchart traefik traefik-crd --ignore-not-found --wait=false
+kubectl -n kube-system delete job helm-install-traefik helm-install-traefik-crd --ignore-not-found --wait=false
 kubectl -n kube-system delete deployment traefik --ignore-not-found --wait=false
 kubectl -n kube-system delete service traefik --ignore-not-found --wait=false
 kubectl -n kube-system delete serviceaccount traefik helm-traefik helm-traefik-crd --ignore-not-found --wait=false