diff --git a/pkg/kubeapiserver/options/admission.go b/pkg/kubeapiserver/options/admission.go
index a994686732..77f42c3a6f 100644
--- a/pkg/kubeapiserver/options/admission.go
+++ b/pkg/kubeapiserver/options/admission.go
@@ -116,8 +116,13 @@ func (a *AdmissionOptions) ApplyTo(
 if a.PluginNames != nil {
 // pass PluginNames to generic AdmissionOptions
- a.GenericAdmission.EnablePlugins = a.PluginNames
+ a.GenericAdmission.EnablePlugins, a.GenericAdmission.DisablePlugins = computePluginNames(a.PluginNames, a.GenericAdmission.RecommendedPluginOrder)
 }
 return a.GenericAdmission.ApplyTo(c, informers, kubeAPIServerClientConfig, scheme, pluginInitializers...)
 }
+
+// explicitly disable all plugins that are not in the enabled list
+func computePluginNames(explicitlyEnabled []string, all []string) (enabled []string, disabled []string) {
+ return explicitlyEnabled, sets.NewString(all...).Difference(sets.NewString(explicitlyEnabled...)).List()
+}
diff --git a/pkg/kubeapiserver/options/admission_test.go b/pkg/kubeapiserver/options/admission_test.go
index f5a93da7a2..63e41725a4 100644
--- a/pkg/kubeapiserver/options/admission_test.go
+++ b/pkg/kubeapiserver/options/admission_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package options
 import (
+ "reflect"
 "testing"
 )
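Review bot: The comment on `computePluginNames` does not say that the explicit list is treated as exhaustive, which is the part an operator needs to know. Every name in `RecommendedPluginOrder` that is missing from `PluginNames` now lands in `DisablePlugins`, so a short or empty (but non-nil) list switches off admission plugins that may be enforcing policy. I would document that on the helper, e.g. `// computePluginNames returns explicitlyEnabled unchanged and, as disabled, the sorted names in all that are absent from explicitlyEnabled.` The assignment in `ApplyTo` also overwrites any value already in `GenericAdmission.DisablePlugins`; presumably validation elsewhere rejects that combination, but nothing in this hunk shows it, so a one-line comment at the call site would help. `ApplyTo` begins outside the hunk.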
@@ -51,3 +52,37 @@ func TestValidate(t *testing.T) {
 t.Errorf("Unexpected err: %v", errs)
 }
 }
+
+func TestComputeEnabledAdmission(t *testing.T) {
+ tests := []struct {
+ name string
+ all []string
+ enabled []string
+ expectedDisabled []string
+ }{
+ {
+ name: "matches",
+ all: []string{"one", "two"},
+ enabled: []string{"one", "two"},
+ expectedDisabled: []string{},
+ },
+ {
+ name: "choose one",
+ all: []string{"one", "two"},
+ enabled: []string{"one"},
+ expectedDisabled: []string{"two"},
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ actualEnabled, actualDisabled := computePluginNames(tc.enabled, tc.all)
+ if e, a := tc.enabled, actualEnabled; !reflect.DeepEqual(e, a) {
+ t.Errorf("expected %v, got %v", e, a)
+ }
+ if e, a := tc.expectedDisabled, actualDisabled; !reflect.DeepEqual(e, a) {
+ t.Errorf("expected %v, got %v", e, a)
+ }
+ })
+ }
+}
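Review bot: The table in `TestComputeEnabledAdmission` leaves out the inputs where this helper disables the most, so a regression there would go unnoticed. I would add an empty enabled list, `{name: "none enabled", all: []string{"one", "two"}, enabled: []string{}, expectedDisabled: []string{"one", "two"}},`, plus a case where `enabled` names something absent from `all`. A case with several disabled entries given out of alphabetical order in `all` would also pin the sorted output of `List()`. The "matches" case expects `[]string{}` under `reflect.DeepEqual`, which passes only while the helper returns a non-nil empty slice; a short comment there would keep a later refactor from tripping on nil versus empty. The two `t.Errorf` messages are identical, so prefixing them with `enabled:` and `disabled:` would show which comparison failed.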