diff --git a/test/e2e/apimachinery/BUILD b/test/e2e/apimachinery/BUILD
index 21a93f45c6c..96bb4738f9b 100644
--- a/test/e2e/apimachinery/BUILD
+++ b/test/e2e/apimachinery/BUILD
@@ -51,7 +51,7 @@ go_library(
 "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
- "//vendor/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
+ "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library",
 "//vendor/k8s.io/client-go/discovery:go_default_library",
 "//vendor/k8s.io/client-go/kubernetes:go_default_library",
diff --git a/test/e2e/apimachinery/aggregator.go b/test/e2e/apimachinery/aggregator.go
index bbf9bfb2e00..26a98fdf2a7 100644
--- a/test/e2e/apimachinery/aggregator.go
+++ b/test/e2e/apimachinery/aggregator.go
@@ -33,11 +33,12 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/intstr"
 "k8s.io/apimachinery/pkg/util/wait"
- "k8s.io/apiserver/pkg/authentication/serviceaccount"
+ "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/client-go/discovery"
 "k8s.io/client-go/util/cert"
 apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
 rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
+ utilversion "k8s.io/kubernetes/pkg/util/version"
 "k8s.io/kubernetes/test/e2e/framework"
 samplev1alpha1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1"
@@ -50,6 +51,8 @@ type aggregatorContext struct {
 apiserverSigningCert []byte
 }
+var serverAggregatorVersion = utilversion.MustParseSemantic("v1.7.0")
+
 var _ = SIGDescribe("Aggregator", func() {
 f := framework.NewDefaultFramework("aggregator")
 framework.AddCleanupAction(func() {
@@ -58,6 +61,7 @@ var _ = SIGDescribe("Aggregator", func() {
 It("Should be able to support the 1.7 Sample API Server using the current Aggregator", func() {
 // Make sure the relevant provider supports Agggregator
+ framework.SkipUnlessServerVersionGTE(serverAggregatorVersion, f.ClientSet.Discovery())
 framework.SkipUnlessProviderIs("gce", "gke")
 // Testing a 1.7 version of the sample-apiserver
@@ -161,12 +165,8 @@ func TestSampleAPIServer(f *framework.Framework, image, namespaceName string) {
 ns := f.Namespace.Name
 if framework.ProviderIs("gke") {
 // kubectl create clusterrolebinding user-cluster-admin-binding --clusterrole=cluster-admin --user=user@domain.com
- framework.BindClusterRole(client.RbacV1beta1(), "cluster-admin", ns,
- rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"})
- err := framework.WaitForAuthorizationUpdate(client.AuthorizationV1beta1(),
- serviceaccount.MakeUsername(ns, "default"),
- "", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
- framework.ExpectNoError(err, "Failed to update authorization: %v", err)
+ authenticated := rbacv1beta1.Subject{Kind: rbacv1beta1.GroupKind, Name: user.AllAuthenticated}
+ framework.BindClusterRole(client.RbacV1beta1(), "cluster-admin", ns, authenticated)
 }
 // kubectl create -f namespace.yaml
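Review bot: In the `framework.ProviderIs("gke")` branch of the `-161` hunk, the new subject binds `cluster-admin` to the group `user.AllAuthenticated`, so every authenticated identity on the cluster holds cluster-admin while the binding exists, where the removed code granted it only to the namespace's `default` service account. The kubectl comment above it still describes a single-user binding (`--user=user@domain.com`) and no longer matches what is created. If the broad grant is intended for throwaway e2e clusters, state that at the binding, e.g. `// NOTE: grants cluster-admin to every authenticated identity; acceptable only on disposable e2e clusters`, and narrow the subject to the identity that issues the later calls where it is known. Whether the binding is deleted on cleanup is not visible here, and with `WaitForAuthorizationUpdate` removed nothing in this hunk waits for the grant to take effect; TestSampleAPIServer continues outside the hunk.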
@@ -319,16 +319,22 @@ func TestSampleAPIServer(f *framework.Framework, image, namespaceName string) {
 framework.ExpectNoError(err, "creating cluster resource rule")
 urlRule, err := rbacapi.NewRule("get").URLs("*").Rule()
 framework.ExpectNoError(err, "creating cluster url rule")
- roleLabels := map[string]string{"kubernetes.io/bootstrapping": "wardle-default"}
- role := rbacapi.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: "wardler",
- Labels: roleLabels,
- },
- Rules: []rbacapi.PolicyRule{resourceRule, urlRule},
- }
- _, err = iclient.Rbac().ClusterRoles().Create(&role)
- framework.ExpectNoError(err, "creating cluster role %s", "wardler")
+ err = wait.Poll(100*time.Millisecond, 30*time.Second, func() (bool, error) {
+ roleLabels := map[string]string{"kubernetes.io/bootstrapping": "wardle-default"}
+ role := rbacapi.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "wardler",
+ Labels: roleLabels,
+ },
+ Rules: []rbacapi.PolicyRule{resourceRule, urlRule},
+ }
+ _, err = iclient.Rbac().ClusterRoles().Create(&role)
+ if err != nil {
+ return false, nil
+ }
+ return true, nil
+ })
+ framework.ExpectNoError(err, "creating cluster role wardler - may not have permissions")
 // kubectl create -f auth-reader.yaml
 _, err = client.RbacV1beta1().RoleBindings("kube-system").Create(&rbacv1beta1.RoleBinding{
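Review bot: The closure passed to `wait.Poll` turns every `Create` error into `return false, nil`, so a permanent failure (an invalid object, a name conflict, a permission that is never granted) is retried for the full 30 seconds and then surfaces only as a poll timeout. The API error that would show whether authorization was really the cause is discarded. Retry only the condition the poll exists for, presumably a Forbidden response while the earlier cluster-admin binding propagates, return any other error at once, and put the last create error into the `ExpectNoError` message. The sketch uses `apierrors.IsForbidden` from `k8s.io/apimachinery/pkg/api/errors`; whether this file already imports that package is not visible in the hunk. TestSampleAPIServer starts and ends outside the hunk.

```go
var createErr error
err = wait.Poll(100*time.Millisecond, 30*time.Second, func() (bool, error) {
	// … unchanged: roleLabels and role construction …
	_, createErr = iclient.Rbac().ClusterRoles().Create(&role)
	if apierrors.IsForbidden(createErr) {
		// The RBAC grant made earlier in the test may not be effective yet; keep polling.
		return false, nil
	}
	// Success ends the poll; any other error is permanent and is reported as-is.
	return createErr == nil, createErr
})
framework.ExpectNoError(err, "creating cluster role wardler - may not have permissions (last error: %v)", createErr)
```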