diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
index 5b561711d9b50..18404019ef86c 100644
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@@ -265,6 +265,8 @@ type KubeAPIServerConfig struct {
 EnableAggregatorRouting *bool `json:"enableAggregatorRouting,omitempty" flag:"enable-aggregator-routing"`
 // Deprecated: AdmissionControl is a list of admission controllers to use
 AdmissionControl []string `json:"admissionControl,omitempty" flag:"admission-control"`
+ // AppendAdmissionPlugins appends list of enabled admission plugins
+ AppendAdmissionPlugins []string `json:"appendAdmissionPlugins,omitempty" flag:"append-admission-plugins"`
 // EnableAdmissionPlugins is a list of enabled admission plugins
 EnableAdmissionPlugins []string `json:"enableAdmissionPlugins,omitempty" flag:"enable-admission-plugins"`
 // DisableAdmissionPlugins is a list of disabled admission plugins
diff --git a/pkg/apis/kops/v1alpha1/componentconfig.go b/pkg/apis/kops/v1alpha1/componentconfig.go
index 618c1f756a5fb..a53749c2d81b9 100644
--- a/pkg/apis/kops/v1alpha1/componentconfig.go
+++ b/pkg/apis/kops/v1alpha1/componentconfig.go
@@ -265,6 +265,8 @@ type KubeAPIServerConfig struct {
 EnableAggregatorRouting *bool `json:"enableAggregatorRouting,omitempty" flag:"enable-aggregator-routing"`
 // Deprecated: AdmissionControl is a list of admission controllers to use
 AdmissionControl []string `json:"admissionControl,omitempty" flag:"admission-control"`
+ // AppendAdmissionPlugins appends list of enabled admission plugins
+ AppendAdmissionPlugins []string `json:"appendAdmissionPlugins,omitempty" flag:"append-admission-plugins"`
 // EnableAdmissionPlugins is a list of enabled admission plugins
 EnableAdmissionPlugins []string `json:"enableAdmissionPlugins,omitempty" flag:"enable-admission-plugins"`
 // DisableAdmissionPlugins is a list of disabled admission plugins
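Review bot: The new AppendAdmissionPlugins field carries `flag:"append-admission-plugins"`, and kube-apiserver has no `--append-admission-plugins` option. If kops renders `flag` tags into the API server command line, as the neighbouring `enable-admission-plugins` and `admission-control` tags suggest, a cluster that sets this field would start the API server with an unknown flag. The values are already merged into EnableAdmissionPlugins in pkg/model/components/apiserver.go, so the field should keep only its `json` tag and drop the `flag` part. The same tag is repeated in the v1alpha1 and v1alpha2 componentconfig.go hunks. The comment could also say what the list is appended to, for example `// AppendAdmissionPlugins is a list of admission plugins appended to the default set of enabled admission plugins`.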
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go index 22997969f4681..666eaeef0053b 100644 --- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go @@ -2923,6 +2923,7 @@ func autoConvert_v1alpha1_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku out.EnableBootstrapAuthToken = in.EnableBootstrapAuthToken out.EnableAggregatorRouting = in.EnableAggregatorRouting out.AdmissionControl = in.AdmissionControl + out.AppendAdmissionPlugins = in.AppendAdmissionPlugins out.EnableAdmissionPlugins = in.EnableAdmissionPlugins out.DisableAdmissionPlugins = in.DisableAdmissionPlugins out.ServiceClusterIPRange = in.ServiceClusterIPRange @@ -3012,6 +3013,7 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha1_KubeAPIServerConfig(in *ko out.EnableBootstrapAuthToken = in.EnableBootstrapAuthToken out.EnableAggregatorRouting = in.EnableAggregatorRouting out.AdmissionControl = in.AdmissionControl + out.AppendAdmissionPlugins = in.AppendAdmissionPlugins out.EnableAdmissionPlugins = in.EnableAdmissionPlugins out.DisableAdmissionPlugins = in.DisableAdmissionPlugins out.ServiceClusterIPRange = in.ServiceClusterIPRange diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go index 13843d2fc861e..6d27934413a3a 100644 --- a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go @@ -1592,6 +1592,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AppendAdmissionPlugins != nil { + in, out := &in.AppendAdmissionPlugins, &out.AppendAdmissionPlugins + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.EnableAdmissionPlugins != nil { in, out := &in.EnableAdmissionPlugins, &out.EnableAdmissionPlugins *out = make([]string, len(*in)) 
diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go index 9c0ee0ddd0db7..2cf5adb7449b3 100644 --- a/pkg/apis/kops/v1alpha2/componentconfig.go +++ b/pkg/apis/kops/v1alpha2/componentconfig.go @@ -265,6 +265,8 @@ type KubeAPIServerConfig struct { EnableAggregatorRouting *bool `json:"enableAggregatorRouting,omitempty" flag:"enable-aggregator-routing"` // Deprecated: AdmissionControl is a list of admission controllers to use AdmissionControl []string `json:"admissionControl,omitempty" flag:"admission-control"` + // AppendAdmissionPlugins appends list of enabled admission plugins + AppendAdmissionPlugins []string `json:"appendAdmissionPlugins,omitempty" flag:"append-admission-plugins"` // EnableAdmissionPlugins is a list of enabled admission plugins EnableAdmissionPlugins []string `json:"enableAdmissionPlugins,omitempty" flag:"enable-admission-plugins"` // DisableAdmissionPlugins is a list of disabled admission plugins diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 932a8e96a7b7b..ea124cdcb9270 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -3193,6 +3193,7 @@ func autoConvert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku out.EnableBootstrapAuthToken = in.EnableBootstrapAuthToken out.EnableAggregatorRouting = in.EnableAggregatorRouting out.AdmissionControl = in.AdmissionControl + out.AppendAdmissionPlugins = in.AppendAdmissionPlugins out.EnableAdmissionPlugins = in.EnableAdmissionPlugins out.DisableAdmissionPlugins = in.DisableAdmissionPlugins out.ServiceClusterIPRange = in.ServiceClusterIPRange 
@@ -3282,6 +3283,7 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha2_KubeAPIServerConfig(in *ko out.EnableBootstrapAuthToken = in.EnableBootstrapAuthToken out.EnableAggregatorRouting = in.EnableAggregatorRouting out.AdmissionControl = in.AdmissionControl + out.AppendAdmissionPlugins = in.AppendAdmissionPlugins out.EnableAdmissionPlugins = in.EnableAdmissionPlugins out.DisableAdmissionPlugins = in.DisableAdmissionPlugins out.ServiceClusterIPRange = in.ServiceClusterIPRange diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go index d661f07ac5fd9..78f7605bc5970 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go @@ -1663,6 +1663,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AppendAdmissionPlugins != nil { + in, out := &in.AppendAdmissionPlugins, &out.AppendAdmissionPlugins + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.EnableAdmissionPlugins != nil { in, out := &in.EnableAdmissionPlugins, &out.EnableAdmissionPlugins *out = make([]string, len(*in)) diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index 6e87994282110..0f46defb06328 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go @@ -1845,6 +1845,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.AppendAdmissionPlugins != nil { + in, out := &in.AppendAdmissionPlugins, &out.AppendAdmissionPlugins + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.EnableAdmissionPlugins != nil { in, out := &in.EnableAdmissionPlugins, &out.EnableAdmissionPlugins *out = make([]string, len(*in)) diff --git a/pkg/model/components/apiserver.go b/pkg/model/components/apiserver.go index f8404670cf69c..7531ad7aa0d11 100644 
--- a/pkg/model/components/apiserver.go +++ b/pkg/model/components/apiserver.go @@ -271,6 +271,7 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error { "NodeRestriction", "ResourceQuota", } + c.EnableAdmissionPlugins = append(c.EnableAdmissionPlugins, c.AppendAdmissionPlugins...) } // Based on recommendations from: // https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use @@ -287,6 +288,7 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error { "NodeRestriction", "ResourceQuota", } + c.EnableAdmissionPlugins = append(c.EnableAdmissionPlugins, c.AppendAdmissionPlugins...) } // We make sure to disable AnonymousAuth from when it was introduced
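Review bot: The append in the first hunk (-271,6 +271,7) sits inside the block that assigns the default plugin list, so AppendAdmissionPlugins seems to apply only when kops supplies the defaults; the enclosing condition is outside the hunk, but if it tests for an empty EnableAdmissionPlugins, a spec that sets both fields has its appended plugins dropped without an error. For a policy-enforcing admission plugin that leaves a silent gap between what the cluster spec declares and what the running API server enforces. Consider rejecting the combination in validation, or at least stating it on the field, e.g. `// AppendAdmissionPlugins is only applied when EnableAdmissionPlugins is left unset`. The same statement is added in the second hunk (-287,6 +288,7), and neither hunk checks the appended names for duplicates of the defaults or for entries also listed in DisableAdmissionPlugins. BuildOptions starts and ends outside both hunks.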