diff --git a/pkg/apis/kops/model/features.go b/pkg/apis/kops/model/features.go
index ac12e09277..609b236e8c 100644
--- a/pkg/apis/kops/model/features.go
+++ b/pkg/apis/kops/model/features.go
@@ -34,6 +34,14 @@ func UseKopsControllerForNodeBootstrap(cluster *kops.Cluster) bool {
 	}
 }
 
+// UseKopsControllerForNodeConfig checks if nodeup should use kops-controller to get nodeup.Config.
+func UseKopsControllerForNodeConfig(cluster *kops.Cluster) bool {
+	if cluster.IsGossip() {
+		return false
+	}
+	return UseKopsControllerForNodeBootstrap(cluster)
+}
+
 // UseCiliumEtcd is true if we are using the Cilium etcd cluster.
 func UseCiliumEtcd(cluster *kops.Cluster) bool {
 	if cluster.Spec.Networking.Cilium == nil {
diff --git a/pkg/model/bootstrapscript.go b/pkg/model/bootstrapscript.go
index 3a53549c6f..2ec2540887 100644
--- a/pkg/model/bootstrapscript.go
+++ b/pkg/model/bootstrapscript.go
@@ -131,7 +131,7 @@ func (b *BootstrapScript) buildEnvironmentVariables(cluster *kops.Cluster) (map[
 		env["GOSSIP_DNS_CONN_LIMIT"] = os.Getenv("GOSSIP_DNS_CONN_LIMIT")
 	}
 
-	if os.Getenv("S3_ENDPOINT") != "" && (!model.UseKopsControllerForNodeBootstrap(cluster) || b.ig.HasAPIServer()) {
+	if os.Getenv("S3_ENDPOINT") != "" && (!model.UseKopsControllerForNodeConfig(cluster) || b.ig.HasAPIServer()) {
 		env["S3_ENDPOINT"] = os.Getenv("S3_ENDPOINT")
 		env["S3_REGION"] = os.Getenv("S3_REGION")
 		env["S3_ACCESS_KEY_ID"] = os.Getenv("S3_ACCESS_KEY_ID")
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index d15d88aca4..4134426ef2 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
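Review bot: The doc comment on the new UseKopsControllerForNodeConfig says what it checks but not why gossip clusters are excluded, and that exclusion is the only thing distinguishing it from UseKopsControllerForNodeBootstrap. Presumably a node on a gossip cluster cannot resolve kops-controller before it has joined, so nodeup must keep reading nodeup.Config from the state store; the comment should state the real reason, e.g. `// Gossip clusters are excluded: nodeup cannot reach kops-controller before joining gossip, so it reads nodeup.Config from the state store instead.` It is also worth recording that a true result implies UseKopsControllerForNodeBootstrap, because the two-step widening of paths in ReadableStatePaths (iam_builder.go hunk) only reads cleanly under that implication.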
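Review bot: The changed condition `!model.UseKopsControllerForNodeConfig(cluster) || b.ig.HasAPIServer()` is the De Morgan inverse of `useConfigServer := apiModel.UseKopsControllerForNodeConfig(cluster) && !ig.HasAPIServer()` in the apply_cluster.go hunk, and nothing in the code ties the two together, so a later edit to one will silently desync the other and either leave nodes without the state-store credentials they need or export S3_ACCESS_KEY_ID to nodes that no longer read the state store. Consider a single shared predicate over the cluster and instance group, or at least a comment on this line: `// Must stay the inverse of useConfigServer in apply_cluster.go: nodes that do not get nodeup.Config from kops-controller read it from the state store and need these credentials.` The same applies to the apply_cluster.go hunk. buildEnvironmentVariables starts and ends outside the hunk.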
@@ -698,10 +698,14 @@ func ReadableStatePaths(cluster *kops.Cluster, role Subject) ([]string, error) {
 	case *NodeRoleNode:
 		// Give access to keys for client certificates as needed.
-		if !model.UseKopsControllerForNodeBootstrap(cluster) {
+		if !model.UseKopsControllerForNodeConfig(cluster) {
 			paths = append(paths,
 				"/cluster-completed.spec",
 				"/igconfig/node/*",
+			)
+		}
+		if !model.UseKopsControllerForNodeBootstrap(cluster) {
+			paths = append(paths,
 				"/secrets/dockerconfig",
 				"/pki/private/kube-proxy/*",
 			)
diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go
index 959975f6c8..99cb8d1e2f 100644
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@@ -1426,7 +1426,7 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
 		}
 	}
 
-	useConfigServer := apiModel.UseKopsControllerForNodeBootstrap(cluster) && !ig.HasAPIServer()
+	useConfigServer := apiModel.UseKopsControllerForNodeConfig(cluster) && !ig.HasAPIServer()
 	if useConfigServer {
 		host := "kops-controller.internal." + cluster.ObjectMeta.Name
 		if cluster.UsesNoneDNS() {
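Review bot: The existing comment `// Give access to keys for client certificates as needed.` now sits above the first if, which only grants read access to `/cluster-completed.spec` and `/igconfig/node/*`; the key paths it describes moved under the second if. Move that comment down to the UseKopsControllerForNodeBootstrap block and give the first block its own, e.g. `// Nodes that do not fetch nodeup.Config from kops-controller read it from the state store.`, so a reader auditing which nodes get which state-store reads is not misled. The hunk header announces ten old and fourteen new lines but nine and thirteen are visible here, so a trailing context line appears to have been lost in extraction; ReadableStatePaths continues outside the hunk.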