diff --git a/upup/models/cloudup/resources/addons/node-termination-handler.aws/k8s-1.11.yaml.template b/upup/models/cloudup/resources/addons/node-termination-handler.aws/k8s-1.11.yaml.template
index 775a100b38..f71cf876e2 100644
--- a/upup/models/cloudup/resources/addons/node-termination-handler.aws/k8s-1.11.yaml.template
+++ b/upup/models/cloudup/resources/addons/node-termination-handler.aws/k8s-1.11.yaml.template
@@ -117,20 +117,18 @@ spec:
         kubernetes.io/os: linux
     spec:
       nodeSelector: null
+      {{ if not UseServiceAccountExternalPermissions }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
             - matchExpressions:
-              {{ if not UseServiceAccountExternalPermissions }}
               - key: node-role.kubernetes.io/control-plane
                 operator: Exists
-              {{ end }}
             - matchExpressions:
-              {{ if not UseServiceAccountExternalPermissions }}
               - key: node-role.kubernetes.io/master
                 operator: Exists
-              {{ end }}
+      {{ end }}
       priorityClassName: system-cluster-critical
       serviceAccountName: aws-node-termination-handler
       securityContext: