diff --git a/cluster/common.sh b/cluster/common.sh
index ac9b2ac364..a0eca5fe2c 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -59,6 +59,7 @@ KUBE_CI_VERSION_REGEX="^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-(be
 # KUBE_KEY
 # CA_CERT
 function create-kubeconfig() {
+ KUBECONFIG=${KUBECONFIG:-$DEFAULT_KUBECONFIG}
 local kubectl="${KUBE_ROOT}/cluster/kubectl.sh"
 SECONDARY_KUBECONFIG=${SECONDARY_KUBECONFIG:-}
 OVERRIDE_CONTEXT=${OVERRIDE_CONTEXT:-}
@@ -67,7 +68,6 @@ function create-kubeconfig() {
 CONTEXT=$OVERRIDE_CONTEXT
 fi
- export KUBECONFIG=${KUBECONFIG:-$DEFAULT_KUBECONFIG}
 # KUBECONFIG determines the file we write to, but it may not exist yet
 if [[ ! -e "${KUBECONFIG}" ]]; then
 mkdir -p $(dirname "${KUBECONFIG}")
@@ -104,21 +104,21 @@ function create-kubeconfig() {
 )
 fi
- "${kubectl}" config set-cluster "${CONTEXT}" "${cluster_args[@]}"
+ KUBECONFIG="${KUBECONFIG}" "${kubectl}" config set-cluster "${CONTEXT}" "${cluster_args[@]}"
 if [[ -n "${user_args[@]:-}" ]]; then
- "${kubectl}" config set-credentials "${CONTEXT}" "${user_args[@]}"
+ KUBECONFIG="${KUBECONFIG}" "${kubectl}" config set-credentials "${CONTEXT}" "${user_args[@]}"
 fi
- "${kubectl}" config set-context "${CONTEXT}" --cluster="${CONTEXT}" --user="${CONTEXT}"
+ KUBECONFIG="${KUBECONFIG}" "${kubectl}" config set-context "${CONTEXT}" --cluster="${CONTEXT}" --user="${CONTEXT}"
 if [[ "${SECONDARY_KUBECONFIG}" != "true" ]];then
- "${kubectl}" config use-context "${CONTEXT}" --cluster="${CONTEXT}"
+ KUBECONFIG="${KUBECONFIG}" "${kubectl}" config use-context "${CONTEXT}" --cluster="${CONTEXT}"
 fi
 # If we have a bearer token, also create a credential entry with basic auth
 # so that it is easy to discover the basic auth password for your cluster
 # to use in a web browser.
 if [[ ! -z "${KUBE_BEARER_TOKEN:-}" && ! -z "${KUBE_USER:-}" && ! -z "${KUBE_PASSWORD:-}" ]]; then
- "${kubectl}" config set-credentials "${CONTEXT}-basic-auth" "--username=${KUBE_USER}" "--password=${KUBE_PASSWORD}"
+ KUBECONFIG="${KUBECONFIG}" "${kubectl}" config set-credentials "${CONTEXT}-basic-auth" "--username=${KUBE_USER}" "--password=${KUBE_PASSWORD}"
 fi
 echo "Wrote config for ${CONTEXT} to ${KUBECONFIG}"
@@ -128,8 +128,16 @@ function create-kubeconfig() {
 # Assumed vars:
 # KUBECONFIG
 # CONTEXT
+#
+# To explicitly name the context being removed, use OVERRIDE_CONTEXT
 function clear-kubeconfig() {
 export KUBECONFIG=${KUBECONFIG:-$DEFAULT_KUBECONFIG}
+ OVERRIDE_CONTEXT=${OVERRIDE_CONTEXT:-}
+
+ if [[ "$OVERRIDE_CONTEXT" != "" ]];then
+ CONTEXT=$OVERRIDE_CONTEXT
+ fi
+
 local kubectl="${KUBE_ROOT}/cluster/kubectl.sh"
 "${kubectl}" config unset "clusters.${CONTEXT}"
 "${kubectl}" config unset "users.${CONTEXT}"
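Review bot: Because `KUBECONFIG` is no longer exported in create-kubeconfig, every `"${kubectl}" config ...` call in the `@@ -104,21 +104,21 @@` hunk depends on its own `KUBECONFIG="${KUBECONFIG}"` prefix, and a call added later without it could write cluster credentials into whatever kubeconfig the environment happens to point at. A comment above the first prefixed call would make the convention explicit, e.g. `# KUBECONFIG is intentionally not exported; pass it per call so callers can target a different file`. clear-kubeconfig in the following hunk still uses `export KUBECONFIG=...`, so the two functions now follow different conventions. create-kubeconfig starts and ends outside this hunk.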
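Review bot: clear-kubeconfig, as far as the `@@ -128,8 +128,16 @@` hunk shows, only unsets entries inside `${KUBECONFIG}`, while this commit also writes per-cluster credential files to `federation/kubernetes-apiserver/${CONTEXT}/kubeconfig` (cluster/gce/util.sh) that nothing visible removes. Those files keep cluster credentials on disk after teardown and would be picked up again by the `for dir in ${KUBECONFIG_DIR}/federation/kubernetes-apiserver/*` loop in federation/cluster/common.sh. Consider adding `rm -rf -- "$(dirname "${KUBECONFIG}")/federation/kubernetes-apiserver/${CONTEXT:?}"` here or in the teardown path. The function body continues past the end of the hunk, so such cleanup may already exist further down.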
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index d42b0bbbd8..c6bf3ca622 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -900,7 +900,18 @@ function check-cluster() {
 export CONTEXT="${PROJECT}_${INSTANCE_PREFIX}"
 (
 umask 077
+
+ # Update the user's kubeconfig to include credentials for this apiserver.
 create-kubeconfig
+
+ if [[ "${FEDERATION:-}" == "true" ]]; then
+ # Create a kubeconfig with credentials for this apiserver. We will later use
+ # this kubeconfig to create a secret which the federation control plane can
+ # use to talk to this apiserver.
+ KUBECONFIG_DIR=$(dirname ${KUBECONFIG:-$DEFAULT_KUBECONFIG})
+ KUBECONFIG="${KUBECONFIG_DIR}/federation/kubernetes-apiserver/${CONTEXT}/kubeconfig" \
+ create-kubeconfig
+ fi
 )
 # ensures KUBECONFIG is set
diff --git a/federation/cluster/common.sh b/federation/cluster/common.sh
index 730772c98c..ec1f442d4d 100644
--- a/federation/cluster/common.sh
+++ b/federation/cluster/common.sh
@@ -32,6 +32,7 @@ KUBE_ARCH=${KUBE_ARCH:-amd64}
 KUBE_BUILD_STAGE=${KUBE_BUILD_STAGE:-release-stage}
 source "${KUBE_ROOT}/cluster/common.sh"
+source "${KUBE_ROOT}/hack/lib/util.sh"
 host_kubectl="${KUBE_ROOT}/cluster/kubectl.sh --namespace=${FEDERATION_NAMESPACE}"
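Review bot: The second `create-kubeconfig` call in the `FEDERATION` branch of cluster/gce/util.sh runs with the same `KUBE_*` inputs as the first, so the file destined for the federation control plane appears to carry the same credentials as the operator's own kubeconfig. If those are admin credentials, a comment such as `# TODO: issue a dedicated, least-privilege credential for the federation control plane` would record the gap. Separately, `$(dirname ${KUBECONFIG:-$DEFAULT_KUBECONFIG})` is unquoted and breaks on paths with whitespace; `KUBECONFIG_DIR=$(dirname "${KUBECONFIG:-$DEFAULT_KUBECONFIG}")` avoids that. check-cluster starts and ends outside the hunk.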
@@ -110,6 +111,33 @@ function create-federated-api-objects {
 $template "${manifests_root}/federation-apiserver-"{deployment,secrets}".yaml" | $host_kubectl create -f -
 $template "${manifests_root}/federation-controller-manager-deployment.yaml" | $host_kubectl create -f -
+ # Create a kubeconfig with credentails for federation-apiserver. We will
+ # then use this kubeconfig to create a secret which the federation
+ # controller manager can use to talk to the federation-apiserver.
+ # Note that the file name should be "kubeconfig" so that the secret key gets the same name.
+ KUBECONFIG_DIR=$(dirname ${KUBECONFIG:-$DEFAULT_KUBECONFIG})
+ CONTEXT=federated-cluster \
+ KUBE_BEARER_TOKEN="$FEDERATION_API_TOKEN" \
+ KUBECONFIG="${KUBECONFIG_DIR}/federation/federation-apiserver/kubeconfig" \
+ create-kubeconfig
+
+ # Create secret with federation-apiserver's kubeconfig
+ $host_kubectl create secret generic federation-apiserver-secret --from-file="${KUBECONFIG_DIR}/federation/federation-apiserver/kubeconfig" --namespace="${FEDERATION_NAMESPACE}"
+
+ # Create secrets with all the kubernetes-apiserver's kubeconfigs.
+ for dir in ${KUBECONFIG_DIR}/federation/kubernetes-apiserver/*; do
+ # We create a secret with the same name as the directory name (which is
+ # same as cluster name in kubeconfig)
+ name=$(basename $dir)
+ $host_kubectl create secret generic ${name} --from-file="${dir}/kubeconfig" --namespace="${FEDERATION_NAMESPACE}"
+ done
+
+ # Update the users kubeconfig to include federation-apiserver credentials.
+ CONTEXT=federated-cluster \
+ KUBE_BEARER_TOKEN="$FEDERATION_API_TOKEN" \
+ SECONDARY_KUBECONFIG=true \
+ create-kubeconfig
+
 # Don't finish provisioning until federation-apiserver pod is running
 for i in {1..30};do
 #TODO(colhom): in the future this needs to scale out for N pods. This assumes just one pod
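Review bot: The kubeconfig written to `${KUBECONFIG_DIR}/federation/federation-apiserver/kubeconfig` embeds `FEDERATION_API_TOKEN`, but nothing in this hunk restricts its permissions, whereas check-cluster in cluster/gce/util.sh wraps its create-kubeconfig calls in `umask 077`. Unless a umask is already set earlier in create-federated-api-objects (it starts outside the hunk), add `umask 077` before the first `create-kubeconfig`. The `for dir in ${KUBECONFIG_DIR}/federation/kubernetes-apiserver/*` loop uploads every directory it finds, including kubeconfigs left over from earlier bring-ups, and with no match it iterates once over the literal `*`. Guarding with `[[ -f "${dir}/kubeconfig" ]] || continue` and quoting `"${dir}"` and `"${name}"` would tighten it. The directory name is the gce `CONTEXT` (`${PROJECT}_${INSTANCE_PREFIX}`), and an underscore is not valid in a Secret name, so `name` likely needs normalising before `create secret`.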
@@ -145,11 +173,6 @@ function create-federated-api-objects {
 sleep 4
 done
-
- CONTEXT=federated-cluster \
- KUBE_BEARER_TOKEN="$FEDERATION_API_TOKEN" \
- SECONDARY_KUBECONFIG=true \
- create-kubeconfig
 )
 }
@@ -208,5 +231,8 @@ function push-federated-images {
 done
 }
 function cleanup-federated-api-objects {
- $host_kubectl delete pods,svc,rc,deployment,secret -lapp=federated-cluster
+ # Delete all resources with the federated-cluster label.
+ $host_kubectl delete pods,svc,rc,deployment,secret -lapp=federated-cluster
+ # Delete all resources in FEDERATION_NAMESPACE.
+ $host_kubectl delete pods,svc,rc,deployment,secret --namespace=${FEDERATION_NAMESPACE} --all
 }
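Review bot: The added `delete ... --namespace=${FEDERATION_NAMESPACE} --all` in cleanup-federated-api-objects has no guard on `FEDERATION_NAMESPACE`; if the variable is empty the flag becomes `--namespace=` and kubectl presumably falls back to the current context's namespace, deleting every pod, service, rc, deployment and secret there. A guard such as `: "${FEDERATION_NAMESPACE:?must be set}"` as the first line of the function, plus quoting the expansion, closes that. `$host_kubectl` already carries `--namespace=${FEDERATION_NAMESPACE}` in its definition in this file, so the extra flag is redundant. `--all` on `secret` also removes secrets in that namespace that this script did not create, which deserves a line in the comment.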