diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
index dffd1d491b..a53fd7ec4c 100644
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@@ -278,6 +278,15 @@ func (c *NodeupModelContext) UseNodeAuthorizer() bool {
 return c.Cluster.Spec.NodeAuthorization.NodeAuthorizer != nil
 }
+// UsesSecondaryIP checks if the CNI in use attaches secondary interfaces to the host.
+func (c *NodeupModelContext) UsesSecondaryIP() bool {
+ if (c.Cluster.Spec.Networking.CNI != nil && c.Cluster.Spec.Networking.CNI.UsesSecondaryIP) || c.Cluster.Spec.Networking.AmazonVPC != nil {
+ return true
+ }
+
+ return false
+}
+
 // UseBootstrapTokens checks if we are using bootstrap tokens
 func (c *NodeupModelContext) UseBootstrapTokens() bool {
 if c.IsMaster {
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
index 7d627f77b5..c5c0544e69 100644
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
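Review bot: `UsesSecondaryIP` dereferences `c.Cluster.Spec.Networking` without a nil check, yet the kubelet.go hunk of this commit calls it outside the `b.UsesCNI()` block and its trailing context still guards with `b.Cluster.Spec.Networking != nil`, which suggests the field can be nil. On such a cluster the new method would panic during node bootstrap instead of returning false. Add `if c.Cluster.Spec.Networking == nil { return false }` as the first statement. The remaining `if … { return true }` / `return false` pair can then be a single `return` of the condition.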
@@ -172,16 +172,16 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet
 if b.UsesCNI() {
 flags += " --cni-bin-dir=" + b.CNIBinDir()
 flags += " --cni-conf-dir=" + b.CNIConfDir()
- // If we are using the AmazonVPC plugin we need to bind the kubelet to the local ipv4 address
- if b.Cluster.Spec.Networking.AmazonVPC != nil {
- sess := session.Must(session.NewSession())
- metadata := ec2metadata.New(sess)
- localIpv4, err := metadata.GetMetadata("local-ipv4")
- if err != nil {
- return nil, fmt.Errorf("error fetching the local-ipv4 address from the ec2 meta-data: %v", err)
- }
- flags += " --node-ip=" + localIpv4
+ }
+
+ if b.UsesSecondaryIP() {
+ sess := session.Must(session.NewSession())
+ metadata := ec2metadata.New(sess)
+ localIpv4, err := metadata.GetMetadata("local-ipv4")
+ if err != nil {
+ return nil, fmt.Errorf("error fetching the local-ipv4 address from the ec2 meta-data: %v", err)
 }
+ flags += " --node-ip=" + localIpv4
 }
 if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Kubenet != nil {
diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
index 9951e95ee2..1da95db55e 100644
--- a/pkg/apis/kops/networking.go
+++ b/pkg/apis/kops/networking.go
@@ -50,6 +50,7 @@ type ExternalNetworkingSpec struct {
 // Networking is not managed by kops - we can create options here that directly configure e.g. weave
 // but this is useful for arbitrary network modes or for modes that don't need additional configuration.
 type CNINetworkingSpec struct {
+ UsesSecondaryIP bool `json:"usesSecondaryIP,omitempty"`
 }
 // KopeioNetworkingSpec declares that we want Kopeio networking
diff --git a/pkg/apis/kops/v1alpha1/networking.go b/pkg/apis/kops/v1alpha1/networking.go
index 352e4944b8..84ba937741 100644
--- a/pkg/apis/kops/v1alpha1/networking.go
+++ b/pkg/apis/kops/v1alpha1/networking.go
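Review bot: The `b.UsesSecondaryIP()` branch in kubelet.go queries the EC2 metadata service whenever the generic `usesSecondaryIP` CNI field is set, but nothing in the hunk checks that the node runs on AWS. On another cloud, `GetMetadata("local-ipv4")` would presumably fail or time out, and `buildSystemdEnvironmentFile` would then return an error. Gate the branch on the cluster's cloud provider, or document the field as AWS-only. The metadata response is also appended to the kubelet flags unvalidated; a check such as `if net.ParseIP(localIpv4) == nil { return nil, fmt.Errorf("unexpected local-ipv4 value %q from the ec2 meta-data", localIpv4) }` before `flags += " --node-ip=" + localIpv4` keeps a malformed value out of the environment file. The function begins and ends outside the hunk.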
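Review bot: The new `UsesSecondaryIP` field in pkg/apis/kops/networking.go has no doc comment, although setting it changes how the kubelet is started: kubelet.go then passes `--node-ip` taken from the EC2 `local-ipv4` metadata. Add a comment on the field such as `// UsesSecondaryIP indicates that the CNI attaches secondary interfaces to the host; the kubelet is then bound to the instance's local IPv4 address via --node-ip.` The same comment is missing from the v1alpha1 and v1alpha2 copies of `CNINetworkingSpec` in this commit.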
@@ -50,6 +50,7 @@ type ExternalNetworkingSpec struct {
 // Networking is not managed by kops - we can create options here that directly configure e.g. weave
 // but this is useful for arbitrary network modes or for modes that don't need additional configuration.
 type CNINetworkingSpec struct {
+ UsesSecondaryIP bool `json:"usesSecondaryIP,omitempty"`
 }
 // KopeioNetworkingSpec declares that we want Kopeio networking
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go index 40f971c943..4f90028566 100644 --- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go @@ -426,6 +426,7 @@ func Convert_kops_AwsAuthenticationSpec_To_v1alpha1_AwsAuthenticationSpec(in *ko } func autoConvert_v1alpha1_CNINetworkingSpec_To_kops_CNINetworkingSpec(in *CNINetworkingSpec, out *kops.CNINetworkingSpec, s conversion.Scope) error { + out.UsesSecondaryIP = in.UsesSecondaryIP return nil } @@ -435,6 +436,7 @@ func Convert_v1alpha1_CNINetworkingSpec_To_kops_CNINetworkingSpec(in *CNINetwork } func autoConvert_kops_CNINetworkingSpec_To_v1alpha1_CNINetworkingSpec(in *kops.CNINetworkingSpec, out *CNINetworkingSpec, s conversion.Scope) error { + out.UsesSecondaryIP = in.UsesSecondaryIP return nil }
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index 5b64cc1b63..d839296245 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@@ -50,6 +50,7 @@ type ExternalNetworkingSpec struct {
 // Networking is not managed by kops - we can create options here that directly configure e.g. weave
 // but this is useful for arbitrary network modes or for modes that don't need additional configuration.
 type CNINetworkingSpec struct {
+ UsesSecondaryIP bool `json:"usesSecondaryIP,omitempty"`
 }
 // KopeioNetworkingSpec declares that we want Kopeio networking
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 3fd7a4481b..ec684d2e98 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -462,6 +462,7 @@ func Convert_kops_BastionSpec_To_v1alpha2_BastionSpec(in *kops.BastionSpec, out } func autoConvert_v1alpha2_CNINetworkingSpec_To_kops_CNINetworkingSpec(in *CNINetworkingSpec, out *kops.CNINetworkingSpec, s conversion.Scope) error { + out.UsesSecondaryIP = in.UsesSecondaryIP return nil } @@ -471,6 +472,7 @@ func Convert_v1alpha2_CNINetworkingSpec_To_kops_CNINetworkingSpec(in *CNINetwork } func autoConvert_kops_CNINetworkingSpec_To_v1alpha2_CNINetworkingSpec(in *kops.CNINetworkingSpec, out *CNINetworkingSpec, s conversion.Scope) error { + out.UsesSecondaryIP = in.UsesSecondaryIP return nil }