diff --git a/docs/authentication.md b/docs/authentication.md
new file mode 100644
index 0000000000000..f8905f9588b61
--- /dev/null
+++ b/docs/authentication.md
@@ -0,0 +1,34 @@
+# Authentication
+
+Kops has support for configuring authentication systems. This support is
+currently highly experimental, and should not be used with kubernetes versions
+before 1.8.5 because of a serious bug with apimachinery (#55022)[https://github.com/kubernetes/kubernetes/issues/55022].
+
+## kopeio authentication
+
+If you want to experiment with kopeio authentication, you can use
+`--authentication kopeio`. However please be aware that kopeio authentication
+has not yet been formally released, and thus there is not a lot of upstream
+documentation.
+
+Alternatively, you can add this block to your cluster:
+
+```
+authentication:
+ kopeio: {}
+```
+
+For example:
+
+```
+apiVersion: kops/v1alpha2
+kind: Cluster
+metadata:
+ name: cluster.example.com
+spec:
+ authentication:
+ kopeio: {}
+ authorization:
+ rbac: {}
+```
+
diff --git a/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.6.yaml b/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.6.yaml
deleted file mode 100644
index 63ad45f259b5d..0000000000000
--- a/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.6.yaml
+++ /dev/null
@@ -1,132 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: kopeio-auth - labels: - k8s-addon: authentication.kope.io - role.kubernetes.io/authentication: "1" - ---- - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: auth-portal - namespace: kopeio-auth - labels: - k8s-addon: authentication.kope.io - role.kubernetes.io/authentication: "1" -spec: - template: - metadata: - labels: - app: auth-portal - spec: - containers: - - name: auth-portal - image: kopeio/auth-portal:1.0.20170619 - ports: - - containerPort: 8080 - command: - - /auth-portal - ---- - -apiVersion: v1 -kind: Service -metadata: - name: auth-portal - namespace: kopeio-auth - labels: - k8s-addon: authentication.kope.io - role.kubernetes.io/authentication: "1" -spec: - selector: - app: auth-portal - ports: - - port: 80 - targetPort: 8080 - ---- - -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - name: auth-api - namespace: kopeio-auth - labels: - k8s-addon: authentication.kope.io - role.kubernetes.io/authentication: "1" -spec: - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: auth-api - spec: - hostNetwork: true - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - containers: - - name: auth-api - image: kopeio/auth-api:1.0.20170619 - imagePullPolicy: Always - ports: - - containerPort: 9001 - command: - - /auth-api - - --listen=127.0.0.1:9001 - - --secure-port=9002 - - --server=https://127.0.0.1:9002 - - --insecure-skip-tls-verify - - --etcd-servers=http://127.0.0.1:4001 - - --v=8 - - --storage-backend=etcd2 - ---- - -apiVersion: v1 -kind: Service -metadata: - name: auth-api - namespace: kopeio-auth -spec: - selector: - app: auth-api - ports: - - port: 443 - targetPort: 9002 - ---- - -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1alpha1.auth.kope.io -spec: - insecureSkipTLSVerify: true - group: auth.kope.io - priority: 150 
- service: - name: auth-api - namespace: kopeio-auth - version: v1alpha1 - ---- - -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1alpha1.config.auth.kope.io -spec: - insecureSkipTLSVerify: true - group: config.auth.kope.io - priority: 150 - service: - name: auth-api - namespace: kopeio-auth - version: v1alpha1 diff --git a/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.8.yaml b/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.8.yaml new file mode 100644 index 0000000000000..62f4cdfcae450 --- /dev/null +++ b/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.8.yaml 
@@ -0,0 +1,185 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" + +--- + +apiVersion: v1 +kind: Service +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +spec: + selector: + app: auth-api + ports: + - port: 443 + targetPort: 9002 + +--- + +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +spec: + template: + metadata: + labels: + app: auth-api + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + serviceAccountName: auth-api + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - key: "CriticalAddonsOnly" + operator: "Exists" + containers: + - name: auth-api + image: kopeio/auth-api:1.0.20171125 + imagePullPolicy: Always + ports: + - containerPort: 9001 + command: + - /auth-api + - --listen=127.0.0.1:9001 + - --secure-port=9002 + - --etcd-servers=http://127.0.0.1:4001 + - --v=8 + - --storage-backend=etcd2 + +--- + +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1alpha1.auth.kope.io + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +spec: + insecureSkipTLSVerify: true + group: auth.kope.io + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: auth-api + namespace: kopeio-auth + version: v1alpha1 + +--- + +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1alpha1.config.auth.kope.io + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +spec: + insecureSkipTLSVerify: true + group: config.auth.kope.io + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: 
auth-api + namespace: kopeio-auth + version: v1alpha1 + +--- + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kopeio-auth:auth-api:auth-reader + namespace: kube-system + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: auth-api + namespace: kopeio-auth + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kopeio-auth:system:auth-delegator + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: auth-api + namespace: kopeio-auth + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +rules: +- apiGroups: ["auth.kope.io"] + resources: ["users"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: auth-api +subjects: +- kind: ServiceAccount + name: auth-api + namespace: kopeio-auth diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index 7afd35fda1a8a..15884d8eb4abe 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go 
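Review bot: Both APIService objects (`v1alpha1.auth.kope.io` and `v1alpha1.config.auth.kope.io`) still set `insecureSkipTLSVerify: true`, so the kube-apiserver accepts any certificate from whatever answers on the `auth-api` Service even though the DaemonSet side dropped `--insecure-skip-tls-verify` and `--server` compared with the deleted k8s-1.6 manifest; the aggregation path for an authentication backend is the one place a spoofed server is most damaging, so this should be a `caBundle` for the auth-api serving cert, or at minimum carry a comment such as `# TODO: replace insecureSkipTLSVerify with caBundle once auth-api serves a cert from a cluster-known CA`. The auth-api container also runs with `--v=8`, which at that verbosity is likely to log request and response bodies of an authentication service into node logs; `--v=2` is the usual shipping value unless the high level is intentional for the experimental phase. `--etcd-servers=http://127.0.0.1:4001` is plaintext etcd2, presumably acceptable only because the pod is `hostNetwork: true` on masters and the address is loopback — a comment stating that assumption would help the next maintainer. Separately, the `ClusterRole` and `ClusterRoleBinding` named `auth-api` carry `namespace: kopeio-auth` in their metadata, which is meaningless for cluster-scoped kinds and should be dropped for consistency with the other ClusterRoleBinding in the same file.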
@@ -625,18 +625,18 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri if b.cluster.Spec.Authentication != nil && b.cluster.Spec.Authentication.Kopeio != nil { key := "authentication.kope.io" - version := "1.0.20170619" + version := "1.0.20171125" { - location := key + "/k8s-1.6.yaml" - id := "k8s-1.6" + location := key + "/k8s-1.8.yaml" + id := "k8s-1.8" addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{ Name: fi.String(key), Version: fi.String(version), Selector: authenticationSelector, Manifest: fi.String(location), - KubernetesVersion: ">=1.6.0", + KubernetesVersion: ">=1.8.0", Id: id, }) manifests[key+"-"+id] = "addons/" + location
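Review bot: The new selector `KubernetesVersion: ">=1.8.0"` still installs the kopeio addon on 1.8.0–1.8.4, while docs/authentication.md in this same commit says it should not be used before 1.8.5 because of the apimachinery bug; if that warning is accurate the constraint should be `KubernetesVersion: ">=1.8.5",` (or the doc should explain why 1.8.0 is acceptable here). Because the k8s-1.6 manifest is deleted and no entry covers `<1.8.0`, clusters on 1.6/1.7 that already had `authentication.kope.io` applied will presumably see the addon silently vanish from the channel rather than get a clear "unsupported" signal — worth a comment or a release note. The `version` string `"1.0.20171125"` duplicates the image tag inside the YAML manifest with nothing tying the two together; a short comment like `// version must match the auth-api image tag in k8s-1.8.yaml` would prevent the next bump from updating only one side. buildManifest starts before this hunk and continues after it.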