diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go
index d40c4282fed..afdb9e73ff3 100644
--- a/cmd/kube-apiserver/app/options/options.go
+++ b/cmd/kube-apiserver/app/options/options.go
@@ -22,6 +22,7 @@ import (
 "strings"
 "time"
+ v1 "k8s.io/api/core/v1"
 utilnet "k8s.io/apimachinery/pkg/util/net"
 cliflag "k8s.io/component-base/cli/flag"
@@ -92,6 +93,8 @@ func NewServerRunOptions() *ServerRunOptions {
 },
 }
+ s.Options.SystemNamespaces = append(s.Options.SystemNamespaces, v1.NamespaceNodeLease)
+
 return &s
 }
diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go
index ba5bf525b44..cb3e6d9ab91 100644
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -291,6 +291,7 @@ func TestAddFlags(t *testing.T) {
 ConfigFile: "/var/run/kubernetes/tracing_config.yaml",
 },
 AggregatorRejectForwardingRedirects: true,
+ SystemNamespaces: []string{"kube-system", "kube-public", "default", "kube-node-lease"},
 },
 Extra: Extra{
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 58b893312d4..36864718d44 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -239,6 +239,7 @@ func CreateKubeAPIServerConfig(opts options.CompletedOptions) (
 EventTTL: opts.EventTTL,
 EnableLogsSupport: opts.EnableLogsHandler,
 ProxyTransport: proxyTransport,
+ SystemNamespaces: opts.SystemNamespaces,
 ServiceAccountIssuer: opts.ServiceAccountIssuer,
 ServiceAccountMaxExpiration: opts.ServiceAccountTokenMaxExpiration,
diff --git a/pkg/controlplane/apiserver/config.go b/pkg/controlplane/apiserver/config.go
index 43719818914..21109deae8c 100644
--- a/pkg/controlplane/apiserver/config.go
+++ b/pkg/controlplane/apiserver/config.go
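Review bot: The `append` of `v1.NamespaceNodeLease` in `NewServerRunOptions` (cmd/kube-apiserver/app/options/options.go) has no comment saying why `kube-node-lease` is added here rather than in the shared default list, and it relies on the embedded options already holding the three defaults. It also puts `kube-node-lease` after `default`, whereas the literal this commit removes from the controller listed it third; if the controller processes the list in order, that changes creation order and is worth confirming. I would add a comment above the line such as `// kube-node-lease is appended by kube-apiserver only; the shared defaults are kube-system, kube-public and default.` The function body starts outside the hunk.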
@@ -76,6 +76,8 @@ type Extra struct {
 ServiceAccountJWKSURI string
 ServiceAccountPublicKeys []interface{}
+ SystemNamespaces []string
+
 VersionedInformers clientgoinformers.SharedInformerFactory
 }
diff --git a/pkg/controlplane/apiserver/options/options.go b/pkg/controlplane/apiserver/options/options.go
index f4ef5be2831..cb7dd4421ef 100644
--- a/pkg/controlplane/apiserver/options/options.go
+++ b/pkg/controlplane/apiserver/options/options.go
@@ -24,6 +24,7 @@ import (
 "strings"
 "time"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 peerreconcilers "k8s.io/apiserver/pkg/reconcilers"
 genericoptions "k8s.io/apiserver/pkg/server/options"
 "k8s.io/apiserver/pkg/storage/storagebackend"
@@ -83,6 +84,8 @@ type Options struct {
 ServiceAccountTokenMaxExpiration time.Duration
 ShowHiddenMetricsForVersion string
+
+ SystemNamespaces []string
 }
 // completedServerRunOptions is a private wrapper that enforces a call of Complete() before Run can be invoked.
@@ -115,6 +118,7 @@ func NewOptions() *Options {
 EnableLogsHandler: true,
 EventTTL: 1 * time.Hour,
 AggregatorRejectForwardingRedirects: true,
+ SystemNamespaces: []string{metav1.NamespaceSystem, metav1.NamespacePublic, metav1.NamespaceDefault},
 }
 // Overwrite the default for storage data format.
diff --git a/pkg/controlplane/apiserver/options/options_test.go b/pkg/controlplane/apiserver/options/options_test.go
index fb928449f96..28c6cce137b 100644
--- a/pkg/controlplane/apiserver/options/options_test.go
+++ b/pkg/controlplane/apiserver/options/options_test.go
@@ -277,6 +277,7 @@ func TestAddFlags(t *testing.T) {
 ConfigFile: "/var/run/kubernetes/tracing_config.yaml",
 },
 AggregatorRejectForwardingRedirects: true,
+ SystemNamespaces: []string{"kube-system", "kube-public", "default"},
 }
 expected.Authentication.OIDC.UsernameClaim = "sub"
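Review bot: The new `SystemNamespaces` field is added to `Extra` (config.go) and to `Options` (options.go) without a doc comment, and no hunk in this diff validates its contents. Only `NewOptions()` populates it, so a caller that builds either struct by another path leaves the slice nil, and the post-start hook in instance.go would then presumably start a controller that ensures nothing, `kube-system` and `default` included. I would document both fields, e.g. `// SystemNamespaces lists the namespaces the system namespaces controller ensures exist; NewOptions sets the defaults.`, and consider rejecting an empty list in the options validation, which is not visible in this diff.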
diff --git a/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller.go b/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller.go
index a0bf0737156..f83eda2dd62 100644
--- a/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller.go
+++ b/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller.go
@@ -46,8 +46,7 @@ type Controller struct {
 }
 // NewController creates a new Controller to ensure system namespaces exist.
-func NewController(clientset kubernetes.Interface, namespaceInformer coreinformers.NamespaceInformer) *Controller {
- systemNamespaces := []string{metav1.NamespaceSystem, metav1.NamespacePublic, v1.NamespaceNodeLease, metav1.NamespaceDefault}
+func NewController(systemNamespaces []string, clientset kubernetes.Interface, namespaceInformer coreinformers.NamespaceInformer) *Controller {
 interval := 1 * time.Minute
 return &Controller{
diff --git a/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller_test.go b/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller_test.go
index 4bc3f051e42..477557a8149 100644
--- a/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller_test.go
+++ b/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller_test.go
@@ -30,8 +30,6 @@ import (
 // Test_Controller validates the garbage collection logic for the apiserverleasegc controller.
 func Test_Controller(t *testing.T) {
- systemNamespaces := []string{metav1.NamespaceSystem, metav1.NamespacePublic, v1.NamespaceNodeLease}
-
 tests := []struct {
 name string
 namespaces []string
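Review bot: `NewController` in system_namespaces_controller.go now takes the namespace list as a new first positional parameter, which breaks any caller not updated in this diff, and its doc comment does not mention the parameter. The `return &Controller{` literal continues outside the hunk, so how the slice is stored is not visible; if it is kept as passed, the controller shares its backing array with the server options. Copying it at the point of storage with `append([]string(nil), systemNamespaces...)` would decouple the two. Suggested comment: `// NewController creates a new Controller that ensures each namespace in systemNamespaces exists.`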
@@ -107,7 +105,8 @@ func Test_Controller(t *testing.T) {
 namespaceInformer.Informer().GetIndexer().Add(obj)
 }
- controller := NewController(clientset, namespaceInformer)
+ systemNamespaces := []string{metav1.NamespaceSystem, metav1.NamespacePublic, v1.NamespaceNodeLease, metav1.NamespaceDefault}
+ controller := NewController(systemNamespaces, clientset, namespaceInformer)
 clientset.PrependReactor("create", "namespaces", func(action k8stesting.Action) (bool, runtime.Object, error) {
 create := action.(k8stesting.CreateAction)
diff --git a/pkg/controlplane/instance.go b/pkg/controlplane/instance.go
index 4089fdcd40c..24d787b7ea5 100644
--- a/pkg/controlplane/instance.go
+++ b/pkg/controlplane/instance.go
@@ -465,7 +465,7 @@ func (c CompletedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 }
 m.GenericAPIServer.AddPostStartHookOrDie("start-system-namespaces-controller", func(hookContext genericapiserver.PostStartHookContext) error {
- go systemnamespaces.NewController(client, c.ControlPlane.Extra.VersionedInformers.Core().V1().Namespaces()).Run(hookContext.StopCh)
+ go systemnamespaces.NewController(c.ControlPlane.SystemNamespaces, client, c.ControlPlane.Extra.VersionedInformers.Core().V1().Namespaces()).Run(hookContext.StopCh)
 return nil
 })
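Review bot: In the instance.go post-start hook the new argument is spelled `c.ControlPlane.SystemNamespaces`, while the same call reaches the informers through `c.ControlPlane.Extra.VersionedInformers`. This diff's config.go hunk declares both fields in `Extra`, so the two accesses should use one spelling, e.g. `c.ControlPlane.Extra.SystemNamespaces`, so a reader does not go looking for a second field of that name. `New` begins and ends outside the hunk.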