diff --git a/pkg/kubeconfig/BUILD.bazel b/pkg/kubeconfig/BUILD.bazel
index 4ee20dace1d8e..df416655022bd 100644
--- a/pkg/kubeconfig/BUILD.bazel
+++ b/pkg/kubeconfig/BUILD.bazel
@@ -11,6 +11,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/apis/kops:go_default_library",
+        "//pkg/apis/kops/util:go_default_library",
         "//pkg/dns:go_default_library",
         "//upup/pkg/fi:go_default_library",
         "//vendor/k8s.io/client-go/rest:go_default_library",
diff --git a/pkg/kubeconfig/create_kubecfg.go b/pkg/kubeconfig/create_kubecfg.go
index 3379c782965c1..1c9ebf5ecfe83 100644
--- a/pkg/kubeconfig/create_kubecfg.go
+++ b/pkg/kubeconfig/create_kubecfg.go
@@ -23,6 +23,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog"
 	"k8s.io/kops/pkg/apis/kops"
+	"k8s.io/kops/pkg/apis/kops/util"
 	"k8s.io/kops/pkg/dns"
 	"k8s.io/kops/upup/pkg/fi"
 )
@@ -127,7 +128,24 @@ func BuildKubecfg(cluster *kops.Cluster, keyStore fi.Keystore, secretStore fi.Se
 
 	b.Server = server
 
-	if secretStore != nil {
+	k8sVersion, err := util.ParseKubernetesVersion(cluster.Spec.KubernetesVersion)
+	if err != nil || k8sVersion == nil {
+		klog.Warningf("unable to parse KubernetesVersion %q", cluster.Spec.KubernetesVersion)
+		k8sVersion, _ = util.ParseKubernetesVersion("1.0.0")
+	}
+
+	basicAuthEnabled := false
+	if !util.IsKubernetesGTE("1.18", *k8sVersion) {
+		if cluster.Spec.KubeAPIServer == nil || cluster.Spec.KubeAPIServer.DisableBasicAuth == nil || !*cluster.Spec.KubeAPIServer.DisableBasicAuth {
+			basicAuthEnabled = true
+		}
+	} else if !util.IsKubernetesGTE("1.19", *k8sVersion) {
+		if cluster.Spec.KubeAPIServer != nil && cluster.Spec.KubeAPIServer.DisableBasicAuth != nil && !*cluster.Spec.KubeAPIServer.DisableBasicAuth {
+			basicAuthEnabled = true
+		}
+	}
+
+	if basicAuthEnabled && secretStore != nil {
 		secret, err := secretStore.FindSecret("kube")
 		if err != nil {
 			return nil, err