diff --git a/nodeup/pkg/model/BUILD.bazel b/nodeup/pkg/model/BUILD.bazel
index e8e852c8e3..5db193b264 100644
--- a/nodeup/pkg/model/BUILD.bazel
+++ b/nodeup/pkg/model/BUILD.bazel
@@ -102,12 +102,15 @@ go_test(
 "//pkg/apis/nodeup:go_default_library",
 "//pkg/configbuilder:go_default_library",
 "//pkg/flagbuilder:go_default_library",
+ "//pkg/pki:go_default_library",
 "//pkg/testutils:go_default_library",
 "//upup/pkg/fi:go_default_library",
 "//upup/pkg/fi/nodeup/nodetasks:go_default_library",
 "//util/pkg/exec:go_default_library",
 "//util/pkg/hashing:go_default_library",
+ "//util/pkg/vfs:go_default_library",
 "//vendor/github.com/blang/semver:go_default_library",
+ "//vendor/github.com/stretchr/testify/assert:go_default_library",
 "//vendor/k8s.io/api/core/v1:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
index ccabf859d9..9174f4d51e 100644
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@@ -328,8 +328,7 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 }
 // APIServer aggregation options
- // TODO fix Test_KubeAPIServer_Builder so we can remove the conditional
- if b.IsKubernetesGTE("1.7") {
+ {
 cert, err := b.KeyStore.FindCert("apiserver-aggregator-ca")
 if err != nil {
 return nil, fmt.Errorf("apiserver aggregator CA cert lookup failed: %v", err.Error())
diff --git a/nodeup/pkg/model/kube_apiserver_test.go b/nodeup/pkg/model/kube_apiserver_test.go
index ae76b22e90..735913ed33 100644
--- a/nodeup/pkg/model/kube_apiserver_test.go
+++ b/nodeup/pkg/model/kube_apiserver_test.go
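Review bot: In nodeup/pkg/model/kube_apiserver.go, the bare `{` that replaces the version check leaves an unexplained block around the aggregator CA lookup. Either drop the braces and dedent the body, or keep them and say why, e.g. `// Scoped block: the aggregator CA is required on every supported Kubernetes version.` Because the lookup is now unconditional, buildPod returns an error for any cluster whose keystore cannot supply `apiserver-aggregator-ca`; that fail-closed behaviour is worth stating in the comment so a later change does not reintroduce a silent skip. The block's closing brace and the rest of buildPod lie outside the hunk.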
@@ -18,13 +18,17 @@ package model
 import (
 "bytes"
+ "crypto/x509"
 "strings"
 "testing"
+ "github.com/stretchr/testify/assert"
 "k8s.io/kops/pkg/apis/kops"
 "k8s.io/kops/pkg/flagbuilder"
+ "k8s.io/kops/pkg/pki"
 "k8s.io/kops/upup/pkg/fi"
 "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
+ "k8s.io/kops/util/pkg/vfs"
 )
 func Test_KubeAPIServer_Builder(t *testing.T) {
@@ -39,6 +43,7 @@ func Test_KubeAPIServer_Builder(t *testing.T) {
 t.Fatalf("error loading model %q: %v", basedir, err)
 return
 }
+ nodeUpModelContext.KeyStore = &fakeKeyStore{T: t}
 builder := KubeAPIServerBuilder{NodeupModelContext: nodeUpModelContext}
@@ -60,6 +65,64 @@ func Test_KubeAPIServer_Builder(t *testing.T) {
 }
 }
 }
+
+type fakeKeyStore struct {
+ T *testing.T
+}
+
+func (k fakeKeyStore) FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, fi.KeysetFormat, error) {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) CreateKeypair(signer string, name string, template *x509.Certificate, privateKey *pki.PrivateKey) (*pki.Certificate, error) {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) MirrorTo(basedir vfs.Path) error {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) CertificatePool(name string, createIfMissing bool) (*fi.CertificatePool, error) {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) FindCertificatePool(name string) (*fi.CertificatePool, error) {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) FindCertificateKeyset(name string) (*kops.Keyset, error) {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) FindPrivateKeyset(name string) (*kops.Keyset, error) {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) FindCert(name string) (*pki.Certificate, error) {
+ assert.Equal(k.T, "apiserver-aggregator-ca", name)
+ return &pki.Certificate{}, nil
+}
+
+func (k fakeKeyStore) ListKeysets() ([]*kops.Keyset, error) {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) AddCert(name string, cert *pki.Certificate) error {
+ panic("implement me")
+}
+
+func (k fakeKeyStore) DeleteKeysetItem(item *kops.Keyset, id string) error {
+ panic("implement me")
+}
+
 func Test_KubeAPIServer_BuildFlags(t *testing.T) {
 grid := []struct {
 config kops.KubeAPIServerConfig
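Review bot: `fakeKeyStore.FindCert` returns an empty `&pki.Certificate{}`, so as far as this hunk shows the test only proves that the builder asks for `apiserver-aggregator-ca`, not that the CA it emits is the one the keystore returned. Since this CA anchors trust for aggregated API requests, the fake would be more useful if it returned a parsed fixture certificate and the test compared the generated task's contents against it (the test's assertions are outside the hunk, so this may already be partly covered). `assert.Equal` lets FindCert carry on after a name mismatch; `k.T.Fatalf("unexpected cert lookup %q", name)` would stop at the first wrong lookup. The twelve `panic("implement me")` stubs read like unfinished scaffolding; a message naming the method, e.g. `panic("fakeKeyStore: unexpected call to FindKeypair")`, plus a one-line doc comment on the type saying only FindCert is expected to be called, would make a failure self-explanatory.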
diff --git a/nodeup/pkg/model/tests/apiServer/auditDynamicConfiguration/cluster.yaml b/nodeup/pkg/model/tests/apiServer/auditDynamicConfiguration/cluster.yaml
index 04e13ff66c..185a800322 100644
--- a/nodeup/pkg/model/tests/apiServer/auditDynamicConfiguration/cluster.yaml
+++ b/nodeup/pkg/model/tests/apiServer/auditDynamicConfiguration/cluster.yaml
@@ -25,7 +25,7 @@ spec:
 ExperimentalCriticalPodAnnotation: "true"
 AllowExtTrafficLocalEndpoints: "false"
 podManifestPath: "/etc/kubernetes/manifests"
- kubernetesVersion: v1.6.0
+ kubernetesVersion: v1.12.0
 masterInternalName: api.internal.minimal.example.com
 masterPublicName: api.minimal.example.com
 networkCIDR: 172.20.0.0/16