diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
index 6c0347347ac0f..26613a71f1908 100644
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@@ -304,6 +304,20 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 		}
 	}
 
+	// @fixup: the admission controller migrated from --admission-control to --enable-admission-plugins, but
+	// most people will still have c.Spec.KubeAPIServer.AdmissionControl references into their configuration we need
+	// to fix up. A PR https://github.com/kubernetes/kops/pull/5221/ introduced the issue and since the command line
+	// flags are mutually exclusive the API refuses to come up.
+	if b.IsKubernetesGTE("1.10") {
+		// @note: note sure if this is the best place to put it, I could place into the validation.go which has the benefit of
+		// fixing up the manifests itself, but that feels VERY hacky
+		// @note: it's fine to use AdmissionControl here and it's not populated by the model, thus the only data could have come from the cluster spec
+		if len(c.Spec.KubeAPIServer.AdmissionControl) > 0 {
+			c.Spec.KubeAPIServer.EnableAdmissionPlugins = append(c.Spec.KubeAPIServer.EnableAdmissionPlugins, c.Spec.KubeAPIServer.AdmissionControl...)
+			c.Spec.KubeAPIServer.AdmissionControl = []string{}
+		}
+	}
+
 	// build the kube-apiserver flags for the service
 	flags, err := flagbuilder.BuildFlagsList(b.Cluster.Spec.KubeAPIServer)
 	if err != nil {