diff --git a/cluster/addons/rbac/kube-apiserver-kubelet-api-admin-binding.yaml b/cluster/addons/rbac/kubelet-api-auth/kube-apiserver-kubelet-api-admin-binding.yaml
similarity index 100%
rename from cluster/addons/rbac/kube-apiserver-kubelet-api-admin-binding.yaml
rename to cluster/addons/rbac/kubelet-api-auth/kube-apiserver-kubelet-api-admin-binding.yaml
diff --git a/cluster/addons/rbac/kubelet-api-admin-role.yaml b/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
similarity index 100%
rename from cluster/addons/rbac/kubelet-api-admin-role.yaml
rename to cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
diff --git a/cluster/addons/rbac/kubelet-certificate-management.yaml b/cluster/addons/rbac/kubelet-cert-rotation/kubelet-certificate-management.yaml
similarity index 100%
rename from cluster/addons/rbac/kubelet-certificate-management.yaml
rename to cluster/addons/rbac/kubelet-cert-rotation/kubelet-certificate-management.yaml
diff --git a/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml b/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml
new file mode 100644
index 0000000000..8cb0dbea05
--- /dev/null
+++ b/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml
@@ -0,0 +1,14 @@
+# This is required so that old clusters don't remove required bindings for 1.5
+# kubelets to function.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubelet-cluster-admin
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:node
+subjects:
diff --git a/cluster/addons/rbac/kubelet-binding.yaml b/cluster/addons/rbac/legacy-kubelet-user/kubelet-binding.yaml
similarity index 100%
rename from cluster/addons/rbac/kubelet-binding.yaml
rename to cluster/addons/rbac/legacy-kubelet-user/kubelet-binding.yaml
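Review bot: The new file lives under `legacy-kubelet-user-disable/`, but the `else` branch added to `start-kube-addons` in cluster/gce/gci/configure-helper.sh in this same commit passes `"rbac/legacy-kubelet-user-disabled"` to `setup-addon-manifests`, so this manifest is presumably never picked up when `REGISTER_MASTER_KUBELET` is not `true`; the two names should agree, e.g. `setup-addon-manifests "addons" "rbac/legacy-kubelet-user-disable"`. The two-line header comment reads as if copied from the legacy binding and does not describe a binding whose `subjects:` is empty; something like `# kubelet-cluster-admin binding with no subjects: grants system:node to nobody.` would state what this variant is for. Because the label is `addonmanager.kubernetes.io/mode: EnsureExists`, a `kubelet-cluster-admin` binding that already exists on an upgraded cluster would likely keep whatever subjects it has, so it is worth confirming that the legacy grant is actually removed there and not only on fresh clusters.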
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index c96c918f6b..63d5b8c2f3 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -1768,7 +1768,13 @@ function start-kube-addons { local -r dst_dir="/etc/kubernetes/addons" # prep addition kube-up specific rbac objects - setup-addon-manifests "addons" "rbac" + setup-addon-manifests "addons" "rbac/kubelet-api-auth" + setup-addon-manifests "addons" "rbac/kubelet-cert-rotation" + if [[ "${REGISTER_MASTER_KUBELET:-false}" == "true" ]]; then + setup-addon-manifests "addons" "rbac/legacy-kubelet-user" + else + setup-addon-manifests "addons" "rbac/legacy-kubelet-user-disabled" + fi if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then setup-addon-manifests "addons" "podsecuritypolicies"