diff --git a/pkg/daemons/control/auth.go b/pkg/daemons/control/auth.go
new file mode 100644
index 0000000000..b7364c419e
--- /dev/null
+++ b/pkg/daemons/control/auth.go
@@ -0,0 +1,30 @@
+package control
+
+import (
+ "github.com/rancher/k3s/pkg/authenticator/basicauth"
+ "github.com/rancher/k3s/pkg/authenticator/passwordfile"
+ "k8s.io/apiserver/pkg/authentication/authenticator"
+ "k8s.io/apiserver/pkg/authentication/group"
+ "k8s.io/apiserver/pkg/authentication/request/union"
+)
+
+func basicAuthenticator(basicAuthFile string) (authenticator.Request, error) {
+ if basicAuthFile == "" {
+ return nil, nil
+ }
+ basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)
+ if err != nil {
+ return nil, err
+ }
+ return basicauth.New(basicAuthenticator), nil
+}
+
+func combineAuthenticators(auths ...authenticator.Request) authenticator.Request {
+ var authenticators []authenticator.Request
+ for _, auth := range auths {
+ if auth != nil {
+ authenticators = append(authenticators, auth)
+ }
+ }
+ return group.NewAuthenticatedGroupAdder(union.New(authenticators...))
+}
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index 20d2fabf6f..e5932b5b41 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -102,8 +102,13 @@ func Server(ctx context.Context, cfg *config.Control) error {
 return err
 }
+ basicAuth, err := basicAuthenticator(runtime.PasswdFile)
+ if err != nil {
+ return err
+ }
+
+ runtime.Authenticator = combineAuthenticators(basicAuth, auth)
 runtime.Handler = handler
- runtime.Authenticator = auth
 if !cfg.NoScheduler {
 if err := scheduler(cfg, runtime); err != nil {
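Review bot: In the new auth.go, neither `basicAuthenticator` nor `combineAuthenticators` documents its nil contract, and that contract is what keeps this path fail-closed. I would add `// basicAuthenticator returns (nil, nil) when basicAuthFile is empty, meaning basic auth is disabled; callers must tolerate a nil result.` and `// combineAuthenticators drops nil entries; if none remain the result wraps an empty union, which should authenticate nothing (confirm against union.New).` The local `basicAuthenticator` also shadows the function's own name inside its body; renaming it to something like `passwords` avoids the double meaning. Since the same commit stops passing `basic-auth-file` to the apiserver, this file appears to be where the static-password check now lives, so a unit test covering an empty path, an unreadable file and a wrong password would be worth adding with it.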
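Review bot: In the `Server` hunk of server.go, the error from `basicAuthenticator(runtime.PasswdFile)` is returned bare, so a startup failure caused by an unreadable or malformed password file does not say which step failed; wrapping it, e.g. `return fmt.Errorf("loading basic auth password file: %w", err)`, would fix that (assuming `fmt` is imported in server.go, which is not visible here). Aborting startup on this error is the right fail-closed behaviour and should stay. The file looks to be loaded once at this call, so a comment such as `// password file is read at startup; credential changes require a restart` would help whoever rotates these passwords, but that is inferred from the call site since `passwordfile.NewCSV` is not shown. `Server`'s body starts and ends outside the hunk.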
@@ -195,7 +200,6 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
 argsMap["service-account-key-file"] = runtime.ServiceKey
 argsMap["service-account-issuer"] = version.Program
 argsMap["api-audiences"] = "unknown"
- argsMap["basic-auth-file"] = runtime.PasswdFile
 argsMap["kubelet-certificate-authority"] = runtime.ServerCA
 argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
 argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey