diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
index 6c0347347a..d1dd8b5807 100644
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@@ -36,6 +36,7 @@ import (
 "k8s.io/kops/pkg/kubemanifest"
 )
+// PathAuthnConfig is the path to the custom webhook authentication config
 const PathAuthnConfig = "/etc/kubernetes/authn.config"
 // KubeAPIServerBuilder install kube-apiserver (just the manifest at the moment)
@@ -304,6 +305,21 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 }
 }
+ // @fixup: the admission controller migrated from --admission-control to --enable-admission-plugins, but
+ // most people will still have c.Spec.KubeAPIServer.AdmissionControl references into their configuration we need
+ // to fix up. A PR https://github.com/kubernetes/kops/pull/5221/ introduced the issue and since the command line
+ // flags are mutually exclusive the API refuses to come up.
+ if b.IsKubernetesGTE("1.10") {
+ // @note: note sure if this is the best place to put it, I could place into the validation.go which has the benefit of
+ // fixing up the manifests itself, but that feels VERY hacky
+ // @note: it's fine to use AdmissionControl here and it's not populated by the model, thus the only data could have come from the cluster spec
+ c := b.Cluster.Spec.KubeAPIServer
+ if len(c.AdmissionControl) > 0 {
+ copy(c.EnableAdmissionPlugins, c.AdmissionControl)
+ c.AdmissionControl = []string{}
+ }
+ }
+ // build the kube-apiserver flags for the service
 flags, err := flagbuilder.BuildFlagsList(b.Cluster.Spec.KubeAPIServer)
 if err != nil {
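Review bot: `copy(c.EnableAdmissionPlugins, c.AdmissionControl)` in the second hunk transfers only min(len(dst), len(src)) elements, so when `EnableAdmissionPlugins` is empty nothing is copied and the next line still clears `AdmissionControl`, leaving the API server without any of the admission plugins the operator configured; when the destination is non-empty, only its leading entries are overwritten. Admission plugins are a policy-enforcement control, so the migration should carry the list over intact rather than silently drop it: assign a fresh slice, `c.EnableAdmissionPlugins = append([]string(nil), c.AdmissionControl...)`, and decide explicitly what happens when both fields are set. The fix-up also only takes effect if `c` is a pointer into the cluster spec, which the hunk does not show, and it mutates the spec as a side effect of buildPod, whose body starts and ends outside the hunk. A unit test with only `AdmissionControl` populated on a 1.10 cluster, asserting the resulting flag list, would pin the intended behaviour.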