diff --git a/plugin/pkg/client/auth/exec/exec.go b/plugin/pkg/client/auth/exec/exec.go
index e405e3dc..9747d507 100644
--- a/plugin/pkg/client/auth/exec/exec.go
+++ b/plugin/pkg/client/auth/exec/exec.go
@@ -290,8 +290,8 @@ func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
 // also configured to allow client certificates for authentication. For requests
 // like "kubectl get --token (token) pods" we should assume the intention is to
 // use the provided token for authentication. The same can be said for when the
- // user specifies basic auth.
- if c.HasTokenAuth() || c.HasBasicAuth() {
+ // user specifies basic auth or cert auth.
+ if c.HasTokenAuth() || c.HasBasicAuth() || c.HasCertAuth() {
 return nil
 }
 
@@ -299,7 +299,7 @@ func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
 return &roundTripper{a, rt}
 })
 
- if c.TLS.GetCert != nil {
+ if c.HasCertCallback() {
 return errors.New("can't add TLS certificate callback: transport.Config.TLS.GetCert already set")
 }
 c.TLS.GetCert = a.cert
diff --git a/plugin/pkg/client/auth/exec/exec_test.go b/plugin/pkg/client/auth/exec/exec_test.go
index 6698fb4e..b1fa9f4d 100644
--- a/plugin/pkg/client/auth/exec/exec_test.go
+++ b/plugin/pkg/client/auth/exec/exec_test.go
@@ -1206,6 +1206,13 @@ func TestAuthorizationHeaderPresentCancelsExecAction(t *testing.T) {
 config.Password = "zelda"
 },
 },
+ {
+ name: "cert auth",
+ setTransportConfig: func(config *transport.Config) {
+ config.TLS.CertData = []byte("some-cert-data")
+ config.TLS.KeyData = []byte("some-key-data")
+ },
+ },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
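Review bot: In the first exec.go hunk, the widened early return on `c.HasTokenAuth() || c.HasBasicAuth() || c.HasCertAuth()` makes the exec plugin lose silently to a static client certificate, and nothing at that return records the decision. A config that carries both a leftover client certificate and an exec stanza will now authenticate with the certificate and never run the plugin, which is hard to diagnose when that certificate is expired or belongs to a different identity. The comment should state the precedence outright, e.g. `// Explicitly configured token, basic or client-certificate credentials take precedence; the exec plugin is not installed.`, and a debug-level log line at the `return nil` would make the skipped plugin visible. The body of UpdateTransportConfig starts and ends outside the hunk.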
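Review bot: In the second exec.go hunk, the `c.HasCertCallback()` guard still runs after the wrapper returning `&roundTripper{a, rt}` has been registered, so the error path appears to leave the config half-updated: the exec round tripper is installed while the certificate callback belongs to another owner. The registering call begins above the hunk, so this is inferred from the closing `})`. If that reading is right, moving the guard ahead of the registration would let the function fail without mutating `c`, so a caller that ignores or retries the error cannot end up sending exec-issued tokens alongside an unrelated client certificate.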
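Review bot: The new "cert auth" case in exec_test.go covers only inline `CertData`/`KeyData`, so the file-based form and the incomplete form of the setting are untested. A sibling case setting `config.TLS.CertFile = "some-cert-file"` and `config.TLS.KeyFile = "some-key-file"` would pin the other way a static certificate is normally supplied. A negative case with a certificate but no key would document whether a partial configuration still installs the exec plugin; presumably `HasCertAuth` needs both, but that is not visible here. The test name, TestAuthorizationHeaderPresentCancelsExecAction, no longer fits either, since certificate auth sets no Authorization header, and a short comment on the table saying it lists every credential that suppresses exec would cover that. The test function continues outside the hunk.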