diff --git a/pkg/assets/builder.go b/pkg/assets/builder.go
index 89f998fe34..d04ebaeb5c 100644
--- a/pkg/assets/builder.go
+++ b/pkg/assets/builder.go
@@ -148,6 +148,17 @@ func (a *AssetBuilder) RemapImage(image string) (string, error) {
 }
 }
+ if strings.HasPrefix(image, "kope/kops-controller:") {
+ // To use user-defined DNS Controller:
+ // 1. DOCKER_REGISTRY=[your docker hub repo] make kops-controller-push
+ // 2. export KOPSCONTROLLER_IMAGE=[your docker hub repo]
+ // 3. make kops and create/apply cluster
+ override := os.Getenv("KOPSCONTROLLER_IMAGE")
+ if override != "" {
+ image = override
+ }
+ }
+
 if a.AssetsLocation != nil && a.AssetsLocation.ContainerProxy != nil {
 containerProxy := strings.TrimRight(*a.AssetsLocation.ContainerProxy, "/")
 normalized := image
diff --git a/upup/models/cloudup/resources/addons/kops-controller.addons.k8s.io/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/kops-controller.addons.k8s.io/k8s-1.16.yaml.template
new file mode 100644
index 0000000000..c15f3df0a7
--- /dev/null
+++ b/upup/models/cloudup/resources/addons/kops-controller.addons.k8s.io/k8s-1.16.yaml.template
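Review bot: The comment inside the new `kope/kops-controller:` branch of RemapImage describes a "user-defined DNS Controller" and tells the user to export a "docker hub repo", but the code substitutes `KOPSCONTROLLER_IMAGE` for the whole image reference, so a bare repository name would silently drop the tag. I would reword it to `// To use a user-defined kops-controller image:` and `// 2. export KOPSCONTROLLER_IMAGE=[full image reference, including tag or digest]`. The manifest added in this commit schedules this image on masters with host networking, so the substitution should also be logged, with both the original and the replacement reference, through whatever logger this file already uses. That makes a stray environment variable on the operator's machine visible in the kops output. RemapImage starts and ends outside the hunk.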
@@ -0,0 +1,95 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: kops-controller
+ namespace: kube-system
+ labels:
+ k8s-addon: kops-controller.addons.k8s.io
+ k8s-app: kops-controller
+ version: v1.14.0-alpha.1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ k8s-app: kops-controller
+ template:
+ metadata:
+ labels:
+ k8s-addon: kops-controller.addons.k8s.io
+ k8s-app: kops-controller
+ version: v1.14.0-alpha.1
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ effect: NoSchedule
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ dnsPolicy: Default # Don't use cluster DNS (we are likely running before kube-dns)
+ hostNetwork: true
+ serviceAccount: kops-controller
+ containers:
+ - name: kops-controller
+ image: kope/kops-controller:1.14.0-alpha.1
+ command:
+{{ range $arg := KopsControllerArgv }}
+ - "{{ $arg }}"
+{{ end }}
+{{- if .EgressProxy }}
+ env:
+{{ range $name, $value := ProxyEnv }}
+ - name: {{ $name }}
+ value: {{ $value }}
+{{ end }}
+{{- end }}
+ resources:
+ requests:
+ cpu: 50m
+ memory: 50Mi
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kops-controller
+ namespace: kube-system
+ labels:
+ k8s-addon: kops-controller.addons.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ k8s-addon: kops-controller.addons.k8s.io
+ name: kops-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ k8s-addon: kops-controller.addons.k8s.io
+ name: kops-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kops-controller
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:serviceaccount:kube-system:kops-controller
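Review bot: The ProxyEnv loop in the Deployment emits `value: {{ $value }}` unquoted, while the argv loop just above it quotes each item; a proxy setting that is empty or contains YAML-significant characters would change how the manifest parses, so `value: "{{ $value }}"` is the safer form (assuming values never contain a double quote). The container also runs with `hostNetwork: true` on a master and declares no `securityContext` and no resource `limits`; if kops-controller does not need root or a writable root filesystem, that is worth stating and enforcing here. In the ClusterRoleBinding the subject is written as `kind: User` with the `system:serviceaccount:kube-system:kops-controller` name; `kind: ServiceAccount` with `name: kops-controller` and `namespace: kube-system` binds the same account without relying on the username convention. `serviceAccount:` in the pod spec is the deprecated alias of `serviceAccountName:`.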
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index a51af6ff5f..4a739e44eb 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -113,6 +113,26 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 addons.Kind = "Addons"
 addons.ObjectMeta.Name = "bootstrap"
+ {
+ key := "kops-controller.addons.k8s.io"
+ version := "1.14.0-alpha.1"
+
+ {
+ location := key + "/k8s-1.16.yaml"
+ id := "k8s-1.16"
+
+ addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+ Name: fi.String(key),
+ Version: fi.String(version),
+ Selector: map[string]string{"k8s-addon": key},
+ Manifest: fi.String(location),
+ KubernetesVersion: ">=1.16.0-alpha.0",
+ Id: id,
+ })
+ manifests[key+"-"+id] = "addons/" + location
+ }
+ }
+
 {
 key := "core.addons.k8s.io"
 version := "1.4.0"
diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go
index 99158460fa..ef3fcc5d72 100644
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@@ -89,6 +89,7 @@ func (tf *TemplateFunctions) AddTo(dest template.FuncMap, secretStore fi.SecretS
 return tf.cluster.Spec.KubeDNS
 }
+ dest["KopsControllerArgv"] = tf.KopsControllerArgv
 dest["DnsControllerArgv"] = tf.DnsControllerArgv
 dest["ExternalDnsArgv"] = tf.ExternalDnsArgv
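Review bot: In the buildAddons hunk of bootstrapchannelbuilder.go, `version := "1.14.0-alpha.1"` repeats the value that the new k8s-1.16.yaml.template hard-codes in its `version:` labels and in the image tag, and nothing ties the three together. A comment such as `// Keep in sync with the version labels and image tag in k8s-1.16.yaml.template` next to the assignment would make the coupling visible, so a later bump does not leave the channel version and the deployed image disagreeing. The addon is registered only for `>=1.16.0-alpha.0`; if older clusters are meant to run without kops-controller, a one-line comment saying so would help the next reader. buildAddons continues outside the hunk.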
@@ -247,6 +248,24 @@ func (tf *TemplateFunctions) DnsControllerArgv() ([]string, error) {
 return argv, nil
 }
+// KopsControllerArgv returns the args to kops-controller
+func (tf *TemplateFunctions) KopsControllerArgv() ([]string, error) {
+ var argv []string
+
+ argv = append(argv, "/usr/bin/kops-controller")
+
+ argv = append(argv, "--cloud="+tf.cluster.Spec.CloudProvider)
+ argv = append(argv, "--config="+tf.cluster.Spec.ConfigBase)
+
+ // Disable metrics (avoid port conflicts, also risky because we are host network)
+ argv = append(argv, "--metrics-addr=0")
+
+ // Verbose, but not crazy logging
+ argv = append(argv, "--v=2")
+
+ return argv, nil
+}
+
 func (tf *TemplateFunctions) ExternalDnsArgv() ([]string, error) {
 var argv []string
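Review bot: KopsControllerArgv concatenates `tf.cluster.Spec.CloudProvider` and `tf.cluster.Spec.ConfigBase` into flags without checking either, and the manifest template renders each item as `- "{{ $arg }}"`. An empty value therefore produces a bare `--config=`, and a value containing a double quote or backslash alters the rendered YAML. The function already returns an error that is always nil, so an early check such as `if tf.cluster.Spec.ConfigBase == "" { return nil, fmt.Errorf("ConfigBase is required for kops-controller") }` (provided `fmt` is already imported in this file) would fail at render time rather than in a crash-looping pod on the master. The doc comment could also note that the result is interpolated into a double-quoted YAML scalar, so callers know the values must be quote-safe.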