diff --git a/federation/cmd/federation-controller-manager/app/controllermanager.go b/federation/cmd/federation-controller-manager/app/controllermanager.go
index abc1db454da..b1227bd55f8 100644
--- a/federation/cmd/federation-controller-manager/app/controllermanager.go
+++ b/federation/cmd/federation-controller-manager/app/controllermanager.go
@@ -44,6 +44,11 @@ import (
 "github.com/spf13/pflag"
 )
 
+const (
+ // "federation-apiserver-secret" is a reserved secret name which stores the kubeconfig for federation-apiserver.
+ FederationAPIServerSecretName = "federation-apiserver-secret"
+)
+
 // NewControllerManagerCommand creates a *cobra.Command object with default parameters
 func NewControllerManagerCommand() *cobra.Command {
 s := options.NewCMServer()
@@ -71,7 +76,9 @@ func Run(s *options.CMServer) error {
 } else {
 glog.Errorf("unable to register configz: %s", err)
 }
- restClientCfg, err := clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig)
+ // Create the config to talk to federation-apiserver.
+ kubeconfigGetter := clustercontroller.KubeconfigGetterForSecret(FederationAPIServerSecretName)
+ restClientCfg, err := clientcmd.BuildConfigFromKubeconfigGetter(s.Master, kubeconfigGetter)
 if err != nil {
 return err
 }
diff --git a/federation/pkg/federation-controller/cluster/cluster_client.go b/federation/pkg/federation-controller/cluster/cluster_client.go
index 785d459d4e1..7f9157878d8 100644
--- a/federation/pkg/federation-controller/cluster/cluster_client.go
+++ b/federation/pkg/federation-controller/cluster/cluster_client.go
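Review bot: The comment on the new exported constant opens with the quoted value instead of the identifier, so it does not read as a doc comment for `FederationAPIServerSecretName`; `// FederationAPIServerSecretName is the reserved name of the secret that stores the kubeconfig for federation-apiserver.` follows the usual form. Because the name is fixed in code, whoever can create or replace a secret with this name in the controller manager's namespace decides which endpoint and credentials the controller manager uses. The comment is a good place to say that write access to that secret should be restricted.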
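Review bot: `s.Kubeconfig` is no longer read on the visible lines of Run, so a kubeconfig path supplied by an operator appears to be ignored without any message, and the controller manager now needs an in-cluster client and read access to secrets just to start. Keeping the option as the first choice and using the secret only when it is empty would preserve existing deployments: `if s.Kubeconfig != "" { restClientCfg, err = clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig) }`, with the secret getter in the `else` branch. If the option is meant to go away, a `glog.Warningf` when it is set would make that explicit. Run's body starts and ends outside the hunk.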
@@ -47,6 +47,19 @@ const (
 // This is to inject a different kubeconfigGetter in tests.
 // We dont use the standard one which calls NewInCluster in tests to avoid having to setup service accounts and mount files with secret tokens.
 var KubeconfigGetterForCluster = func(c *federation_v1alpha1.Cluster) clientcmd.KubeconfigGetter {
+ return func() (*clientcmdapi.Config, error) {
+ secretRefName := ""
+ if c.Spec.SecretRef != nil {
+ secretRefName = c.Spec.SecretRef.Name
+ } else {
+ glog.Infof("didnt find secretRef for cluster %s. Trying insecure access", c.Name)
+ }
+ return KubeconfigGetterForSecret(secretRefName)()
+ }
+}
+
+// KubeconfigGettterForSecret is used to get the kubeconfig from the given secret.
+var KubeconfigGetterForSecret = func(secretName string) clientcmd.KubeconfigGetter {
 return func() (*clientcmdapi.Config, error) {
 // Get the namespace this is running in from the env variable.
 namespace := os.Getenv("POD_NAMESPACE")
@@ -59,8 +72,8 @@ var KubeconfigGetterForCluster = func(c *federation_v1alpha1.Cluster) clientcmd.
 return nil, fmt.Errorf("error in creating in-cluster client: %s", err)
 }
 data := []byte{}
- if c.Spec.SecretRef != nil {
- secret, err := client.Secrets(namespace).Get(c.Spec.SecretRef.Name)
+ if secretName != "" {
+ secret, err := client.Secrets(namespace).Get(secretName)
 if err != nil {
 return nil, fmt.Errorf("error in fetching secret: %s", err)
 }
@@ -69,8 +82,6 @@ var KubeconfigGetterForCluster = func(c *federation_v1alpha1.Cluster) clientcmd.
 if !ok {
 return nil, fmt.Errorf("secret does not have data with key: %s", KubeconfigSecretDataKey)
 }
- } else {
- glog.Infof("didnt find secretRef for cluster %s. Trying insecure access", c.Name)
 }
 return clientcmd.Load(data)
 }
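Review bot: The doc comment for the new exported getter misspells the identifier (`KubeconfigGettterForSecret`) and omits the behaviour callers most need to know: with an empty `secretName` the lookup is skipped and `clientcmd.Load` receives an empty byte slice, so the resulting config carries no credentials. The "Trying insecure access" log now lives only in KubeconfigGetterForCluster, so any other caller that passes an empty name gets that fallback silently. I would write `// KubeconfigGetterForSecret returns a getter that loads the kubeconfig stored in the named secret in the POD_NAMESPACE namespace; an empty secretName loads an empty kubeconfig with no credentials.` and raise the fallback message from `glog.Infof` to `glog.Warningf`. The getter's body continues past this hunk.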
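Review bot: The fetch error in this hunk no longer tells the reader which secret failed, now that the same getter serves both the per-cluster secrets and the federation-apiserver one. `return nil, fmt.Errorf("error in fetching secret %s/%s: %v", namespace, secretName, err)` would make a permission denial or a missing secret attributable from the log alone. The enclosing closure starts and ends outside the hunk.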