diff --git a/admin/hooks-1.32.sh b/admin/hooks-1.32.sh
index 87449dee..bb6470b2 100644
--- a/admin/hooks-1.32.sh
+++ b/admin/hooks-1.32.sh
@@ -2,7 +2,10 @@
 
 # All things BEFORE the first controller / control plane upgrade
 pre_control_plane_upgrade_cluster() {
-  echo
+  if [ "$PLATFORM" != "gke" ];then
+    # patch multus DS to ONLY run pods on 1.31 controllers
+    kubectl patch ds kube-multus-ds -n kube-system -p '{"spec": {"template": {"spec": {"nodeSelector": {"node.kubernetes.io/kubezero.version": "v1.31.6"}}}}}' || true
+  }
 }
 
 
@@ -16,7 +19,16 @@ post_control_plane_upgrade_cluster() {
 pre_cluster_upgrade_final() {
   set +e
 
-  echo
+  if [ "$PLATFORM" != "gke" ];then
+    # cleanup multus
+    kubectl delete clusterrolebinding multus
+    kubectl delete clusterrole multus
+    kubectl delete serviceaccount multus -n kube-system
+    kubectl delete cm multus-cni-config -n kube-system
+    kubectl delete ds kube-multus-ds -n kube-system
+    kubectl delete NetworkAttachmentDefinition cilium
+    kubectl delete crd network-attachment-definitions.k8s.cni.cncf.io
+  fi
 
   set -e
 }
diff --git a/admin/libhelm.sh b/admin/libhelm.sh
index 712efbc5..928a463f 100644
--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@@ -95,6 +95,20 @@ function ensure_kubezero_secret_key() {
 }
 
 
+function ensure_kubezero_secret_key() {
+  local secret="$(kubectl get secret -n $ns $secret -o yaml)"
+  local key
+  local val
+
+  for key in $1; do
+    val=$(echo $secret | yq ".data.\"$key\""
+    if [ "$val" == "null" ]; then
+      set_kubezero_secret $key ""
+    fi
+  done
+}
+
+
 function set_kubezero_secret() {
   local key="$1"
   local val="$2"
diff --git a/charts/kubezero-network/values.yaml b/charts/kubezero-network/values.yaml
index bad4f6c2..11d24f43 100644
--- a/charts/kubezero-network/values.yaml
+++ b/charts/kubezero-network/values.yaml
@@ -43,7 +43,7 @@ cilium:
     binPath: "/usr/libexec/cni"
     logFile: /var/log/cilium-cni.log
     #-- Ensure this is false if multus is enabled
-    exclusive: false
+    exclusive: true
 
   cluster:
     # This should match the second octet of clusterPoolIPv4PodCIDRList
@@ -91,9 +91,11 @@ cilium:
     - key: node-role.kubernetes.io/control-plane
       effect: NoSchedule
     # the operator removes the taints,
-    # so we need to break chicken egg on single controller
+    # so we need to break chicken egg
     - key: node.cilium.io/agent-not-ready
       effect: NoSchedule
+    - key: node.kubernetes.io/not-ready
+      effect: NoSchedule
 
     nodeSelector:
       node-role.kubernetes.io/control-plane: ""
diff --git a/charts/kubezero/templates/network.yaml b/charts/kubezero/templates/network.yaml
index 61dfddf5..df6a3a02 100644
--- a/charts/kubezero/templates/network.yaml
+++ b/charts/kubezero/templates/network.yaml
@@ -1,6 +1,6 @@
 {{- define "network-values" }}
 multus:
-  enabled: true
+  enabled: false
   clusterNetwork: "cilium"
 
 # {{- if eq .Values.global.platform "aws" }}
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml
index 8b6e3b98..36b70606 100644
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@@ -32,7 +32,7 @@ addons:
 network:
   enabled: true
   retain: true
-  targetRevision: 0.5.8
+  targetRevision: 0.5.9
   cilium:
     cluster: {}