diff --git a/Tiltfile b/Tiltfile
index 4e2b4386a6f2..d8251557a038 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -56,16 +56,38 @@ def deploy_capi(): version = settings.get("capi_version") local("kubectl apply -f https://github.com/kubernetes-sigs/cluster-api/releases/download/{}/cluster-api-components.yaml".format(version)) if settings.get("feature_gates"): - args_str = str(local('kubectl get deployments capi-controller-manager -n capi-system -o jsonpath={.spec.template.spec.containers[1].args}')) - if settings.get("feature_gates") not in args_str: - args = args_str[1:-1].split() # "[arg1 arg2 ...]" trim off the first and last, then split - args.append("{}".format(settings.get("feature_gates"))) - patch = [{ - "op": "replace", - "path": "/spec/template/spec/containers/1/args", - "value": args, - }] - local("kubectl patch deployment capi-controller-manager -n capi-system --type json -p='{}'".format(str(encode_json(patch)).replace("\n", ""))) + for namespace in ["capi-system", "capi-webhook-system"]: + patch_args_with_features(namespace, "capi-controller-manager") + patch_args_with_features("capi-kubeadm-bootstrap-system", "capi-kubeadm-bootstrap-controller-manager") + patch_capi_manager_role_with_exp_infra_rbac() + + +def patch_args_with_features(namespace, name): + args_str = str(local('kubectl get deployments {} -n {} -o jsonpath={{.spec.template.spec.containers[1].args}}'.format(name, namespace))) + if settings.get("feature_gates") not in args_str: + args = args_str[1:-1].split() # "[arg1 arg2 ...]" trim off the first and last, then split + args.append("{}".format(settings.get("feature_gates"))) + patch = [{ + "op": "replace", + "path": "/spec/template/spec/containers/1/args", + "value": args, + }] + local("kubectl patch deployment {} -n {} --type json -p='{}'".format(name, namespace, str(encode_json(patch)).replace("\n", ""))) + + +# patch the CAPI manager role to also provide access to experimental infrastructure +def patch_capi_manager_role_with_exp_infra_rbac(): + api_groups_str = str(local('kubectl get clusterrole capi-manager-role -o 
jsonpath={.rules[1].apiGroups}')) + exp_infra_group = "exp.infrastructure.cluster.x-k8s.io" + if exp_infra_group not in api_groups_str: + groups = api_groups_str[1:-1].split() # "[arg1 arg2 ...]" trim off the first and last, then split + groups.append(exp_infra_group) + patch = [{ + "op": "replace", + "path": "/rules/1/apiGroups", + "value": groups, + }] + local("kubectl patch clusterrole capi-manager-role --type json -p='{}'".format(str(encode_json(patch)).replace("\n", ""))) # Users may define their own Tilt customizations in tilt.d. This directory is excluded from git and these files will diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index bfdd888fc8ad..932e5f42a527 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -112,3 +112,12 @@ rules: - get - patch - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremachinetemplates + - azuremachinetemplates/status + verbs: + - get + - list + - watch diff --git a/controllers/azurecluster_controller.go b/controllers/azurecluster_controller.go index d14ce28ae200..b1ebaec277b4 100644 --- a/controllers/azurecluster_controller.go +++ b/controllers/azurecluster_controller.go @@ -52,6 +52,7 @@ func (r *AzureClusterReconciler) SetupWithManager(mgr ctrl.Manager, options cont // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=azureclusters,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=azureclusters/status,verbs=get;update;patch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch +// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=azuremachinetemplates;azuremachinetemplates/status,verbs=get;list;watch func (r *AzureClusterReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, reterr error) { ctx := context.TODO() 
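Review bot: `patch_capi_manager_role_with_exp_infra_rbac` selects the ClusterRole rule to widen by position (`.rules[1]`, `/rules/1/apiGroups`), but the rule order in the upstream cluster-api-components.yaml is not fixed across the `capi_version` values this Tiltfile lets the user choose, so on a different release the experimental infrastructure group would be appended to whichever rule happens to sit at index 1, granting it that rule's verbs and resources; and if the path resolves to nothing, `api_groups_str[1:-1]` is `""` and the replace patch silently installs `[exp_infra_group]` as that rule's only API group. The same positional assumption exists in `patch_args_with_features` (`containers[1]`), which may patch the wrong container's args if the deployment's container order differs. Selecting the rule by content, appending with a JSON-patch `add` to `/-`, and failing when no matching rule exists keeps the grant scoped to the rule that already covers `infrastructure.cluster.x-k8s.io`. The `kubectl patch` call at the end of the function is unchanged.
```starlark
def patch_capi_manager_role_with_exp_infra_rbac():
    exp_infra_group = "exp.infrastructure.cluster.x-k8s.io"
    infra_group = "infrastructure.cluster.x-k8s.io"
    role = decode_json(str(local('kubectl get clusterrole capi-manager-role -o json')))
    rules = role.get("rules", [])
    # Locate the rule by content rather than index: rule order in
    # cluster-api-components.yaml can differ between capi_version values,
    # and patching the wrong rule would grant the experimental group
    # whatever verbs/resources that rule carries.
    idx = -1
    for i in range(len(rules)):
        if infra_group in rules[i].get("apiGroups", []):
            idx = i
            break
    if idx < 0:
        fail("capi-manager-role has no rule covering " + infra_group)
    if exp_infra_group in rules[idx]["apiGroups"]:
        return
    patch = [{
        "op": "add",
        "path": "/rules/{}/apiGroups/-".format(idx),
        "value": exp_infra_group,
    }]
    # … unchanged: kubectl patch clusterrole call …
```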
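Review bot: The new `+kubebuilder:rbac` marker for `azuremachinetemplates;azuremachinetemplates/status` is attached to `AzureClusterReconciler.Reconcile`, yet nothing in this hunk shows that reconciler reading AzureMachineTemplates; if the consumer is the machine-pool reconciler, the marker belongs on that reconciler so the generated `config/rbac/role.yaml` entry stays traceable to the code that needs it. Because controller-gen aggregates all markers into one ClusterRole the effective permissions are the same either way, so this is about auditability of the grant rather than its scope. A short comment such as `// azuremachinetemplates are read when resolving MachinePool infrastructure refs` next to the marker would document the need; the body of `Reconcile` continues outside the hunk.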
diff --git a/templates/cluster-template-machinepool.yaml b/templates/cluster-template-machinepool.yaml
index 2e27ad9284a5..3273800115fe 100644
--- a/templates/cluster-template-machinepool.yaml
+++ b/templates/cluster-template-machinepool.yaml
@@ -1,40 +1,38 @@ apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3 -kind: KubeadmConfigTemplate +kind: KubeadmConfig metadata: name: ${CLUSTER_NAME}-mp-0 spec: - template: - spec: - files: - - content: | - { - "cloud": "AzurePublicCloud", - "tenantId": "${AZURE_TENANT_ID}", - "subscriptionId": "${AZURE_SUBSCRIPTION_ID}", - "aadClientId": "${AZURE_CLIENT_ID}", - "aadClientSecret": "${AZURE_CLIENT_SECRET}", - "resourceGroup": "${CLUSTER_NAME}", - "securityGroupName": "${CLUSTER_NAME}-node-nsg", - "location": "${AZURE_LOCATION}", - "vmType": "standard", - "vnetName": "${CLUSTER_NAME}-vnet", - "vnetResourceGroup": "${CLUSTER_NAME}", - "subnetName": "${CLUSTER_NAME}-node-subnet", - "routeTableName": "${CLUSTER_NAME}-node-routetable", - "loadBalancerSku": "standard", - "maximumLoadBalancerRuleCount": 250, - "useManagedIdentityExtension": false, - "useInstanceMetadata": true - } - owner: root:root - path: /etc/kubernetes/azure.json - permissions: "0644" - joinConfiguration: - nodeRegistration: - kubeletExtraArgs: - cloud-config: /etc/kubernetes/azure.json - cloud-provider: azure - name: '{{ ds.meta_data["local_hostname"] }}' + files: + - content: | + { + "cloud": "AzurePublicCloud", + "tenantId": "${AZURE_TENANT_ID}", + "subscriptionId": "${AZURE_SUBSCRIPTION_ID}", + "aadClientId": "${AZURE_CLIENT_ID}", + "aadClientSecret": "${AZURE_CLIENT_SECRET}", + "resourceGroup": "${CLUSTER_NAME}", + "securityGroupName": "${CLUSTER_NAME}-node-nsg", + "location": "${AZURE_LOCATION}", + "vmType": "standard", + "vnetName": "${CLUSTER_NAME}-vnet", + "vnetResourceGroup": "${CLUSTER_NAME}", + "subnetName": "${CLUSTER_NAME}-node-subnet", + "routeTableName": "${CLUSTER_NAME}-node-routetable", + "loadBalancerSku": "standard", + "maximumLoadBalancerRuleCount": 250, + "useManagedIdentityExtension": false, + "useInstanceMetadata": true + } + owner: root:root + path: /etc/kubernetes/azure.json + permissions: "0644" + joinConfiguration: + nodeRegistration: + kubeletExtraArgs: + cloud-config: 
/etc/kubernetes/azure.json + cloud-provider: azure + name: '{{ ds.meta_data["local_hostname"] }}' --- apiVersion: cluster.x-k8s.io/v1alpha3 kind: Cluster @@ -140,7 +138,7 @@ spec: bootstrap: configRef: apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3 - kind: KubeadmConfigTemplate + kind: KubeadmConfig name: ${CLUSTER_NAME}-mp-0 clusterName: ${CLUSTER_NAME} infrastructureRef: @@ -154,17 +152,15 @@ kind: AzureMachinePool metadata: name: ${CLUSTER_NAME}-amp-0 spec: + location: ${AZURE_LOCATION} template: - spec: - location: ${AZURE_LOCATION} - template: - osDisk: - diskSizeGB: 30 - managedDisk: - storageAccountType: Premium_LRS - osType: Linux - sshPublicKey: ${AZURE_SSH_PUBLIC_KEY} - vmSize: ${AZURE_NODE_MACHINE_TYPE} + osDisk: + diskSizeGB: 30 + managedDisk: + storageAccountType: Premium_LRS + osType: Linux + sshPublicKey: ${AZURE_SSH_PUBLIC_KEY} + vmSize: ${AZURE_NODE_MACHINE_TYPE} --- apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3 kind: AzureCluster diff --git a/templates/flavors/machinepool/machine-pool-deployment.yaml b/templates/flavors/machinepool/machine-pool-deployment.yaml index e49f23975a86..e1b5e2a5d3a8 100644 --- a/templates/flavors/machinepool/machine-pool-deployment.yaml +++ b/templates/flavors/machinepool/machine-pool-deployment.yaml @@ -14,7 +14,7 @@ spec: configRef: name: "${CLUSTER_NAME}-mp-0" apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3 - kind: KubeadmConfigTemplate + kind: KubeadmConfig infrastructureRef: name: "${CLUSTER_NAME}-amp-0" apiVersion: exp.infrastructure.cluster.x-k8s.io/v1alpha3 
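Review bot: The rewritten `KubeadmConfig` still writes `"aadClientSecret": "${AZURE_CLIENT_SECRET}"` into `/etc/kubernetes/azure.json` with `permissions: "0644"`, which leaves a cloud service-principal secret readable by every local user on the node and by any container that mounts that host path. The block is carried over from the removed `KubeadmConfigTemplate`, but this hunk is the version that will ship, and the components that read the file (kubelet, cloud-provider processes) typically run as root, so `permissions: "0600"` should not break them — worth confirming against how the cloud provider is deployed in this flavor. The same `files` entry with `0644` appears in the `templates/flavors/machinepool/machine-pool-deployment.yaml` hunk `@@ -25,52 +25,50 @@`; if the flavor is the kustomize source of this template, fixing it there fixes both.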
@@ -25,52 +25,50 @@ kind: AzureMachinePool metadata: name: "${CLUSTER_NAME}-amp-0" spec: + location: ${AZURE_LOCATION} template: - spec: - location: ${AZURE_LOCATION} - template: - vmSize: ${AZURE_NODE_MACHINE_TYPE} - osDisk: - osType: "Linux" - diskSizeGB: 30 - managedDisk: - storageAccountType: "Premium_LRS" - sshPublicKey: ${AZURE_SSH_PUBLIC_KEY} + vmSize: ${AZURE_NODE_MACHINE_TYPE} + osDisk: + osType: "Linux" + diskSizeGB: 30 + managedDisk: + storageAccountType: "Premium_LRS" + sshPublicKey: ${AZURE_SSH_PUBLIC_KEY} --- apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3 -kind: KubeadmConfigTemplate +kind: KubeadmConfig metadata: name: "${CLUSTER_NAME}-mp-0" spec: - template: - spec: - joinConfiguration: - nodeRegistration: - name: '{{ ds.meta_data["local_hostname"] }}' - kubeletExtraArgs: - cloud-provider: azure - cloud-config: /etc/kubernetes/azure.json - files: - - path: /etc/kubernetes/azure.json - owner: "root:root" - permissions: "0644" - content: | - { - "cloud": "AzurePublicCloud", - "tenantId": "${AZURE_TENANT_ID}", - "subscriptionId": "${AZURE_SUBSCRIPTION_ID}", - "aadClientId": "${AZURE_CLIENT_ID}", - "aadClientSecret": "${AZURE_CLIENT_SECRET}", - "resourceGroup": "${CLUSTER_NAME}", - "securityGroupName": "${CLUSTER_NAME}-node-nsg", - "location": "${AZURE_LOCATION}", - "vmType": "standard", - "vnetName": "${CLUSTER_NAME}-vnet", - "vnetResourceGroup": "${CLUSTER_NAME}", - "subnetName": "${CLUSTER_NAME}-node-subnet", - "routeTableName": "${CLUSTER_NAME}-node-routetable", - "loadBalancerSku": "standard", - "maximumLoadBalancerRuleCount": 250, - "useManagedIdentityExtension": false, - "useInstanceMetadata": true - } \ No newline at end of file + # For more information about these values, + # refer to the Kubeadm Bootstrap Provider documentation. 
+ joinConfiguration: + nodeRegistration: + name: '{{ ds.meta_data["local_hostname"] }}' + kubeletExtraArgs: + cloud-provider: azure + cloud-config: /etc/kubernetes/azure.json + files: + - path: /etc/kubernetes/azure.json + owner: "root:root" + permissions: "0644" + content: | + { + "cloud": "AzurePublicCloud", + "tenantId": "${AZURE_TENANT_ID}", + "subscriptionId": "${AZURE_SUBSCRIPTION_ID}", + "aadClientId": "${AZURE_CLIENT_ID}", + "aadClientSecret": "${AZURE_CLIENT_SECRET}", + "resourceGroup": "${CLUSTER_NAME}", + "securityGroupName": "${CLUSTER_NAME}-node-nsg", + "location": "${AZURE_LOCATION}", + "vmType": "standard", + "vnetName": "${CLUSTER_NAME}-vnet", + "vnetResourceGroup": "${CLUSTER_NAME}", + "subnetName": "${CLUSTER_NAME}-node-subnet", + "routeTableName": "${CLUSTER_NAME}-node-routetable", + "loadBalancerSku": "standard", + "maximumLoadBalancerRuleCount": 250, + "useManagedIdentityExtension": false, + "useInstanceMetadata": true + }