diff --git a/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py b/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py index 76a97aa0d63..b982dc65ec3 100644 --- a/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py +++ b/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py @@ -22,8 +22,9 @@ from charms.reactive import is_state from charms.reactive import set_state from charms.reactive import when from charms.reactive import when_not +from charms.reactive.helpers import data_changed -from charmhelpers.core import hookenv +from charmhelpers.core import hookenv, unitdata from shlex import split @@ -31,6 +32,9 @@ from subprocess import check_call from subprocess import check_output +db = unitdata.kv() + + @hook('upgrade-charm') def reset_delivery_states(): ''' Remove the state set when resources are unpacked. ''' @@ -87,15 +91,16 @@ def install_snaps(): @when('tls_client.ca.saved', 'tls_client.client.certificate.saved', 'tls_client.client.key.saved', 'kubernetes-master.available', - 'kubernetes-e2e.installed', 'kube-control.auth.available') + 'kubernetes-e2e.installed', 'e2e.auth.bootstrapped') @when_not('kubeconfig.ready') -def prepare_kubeconfig_certificates(master, kube_control): +def prepare_kubeconfig_certificates(master): ''' Prepare the data to feed to create the kubeconfig file. ''' layer_options = layer.options('tls-client') # Get all the paths to the tls information required for kubeconfig. ca = layer_options.get('ca_certificate_path') - creds = kube_control.get_auth_credentials() + creds = db.get('credentials') + data_changed('kube-control.creds', creds) servers = get_kube_api_servers(master) 
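Review bot: The bare `data_changed('kube-control.creds', creds)` call added to `prepare_kubeconfig_certificates` discards its return value, so it is evidently there only for its side effect of recording the current hash, and that deserves a comment. Something like `# record the hash of the creds being written so catch_change_in_creds only fires on a real change` would do. `creds` now comes from `db.get('credentials')`, so the credentials (and, judging by the comment in `request_credentials`, a client token) are held in the unit's local key/value store. It is worth confirming that store is readable only by the charm's own user, and that a `None` result is handled before `creds` is dereferenced. The function body continues past the end of this hunk, so how `creds` is consumed is not visible here.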
@@ -118,13 +123,23 @@ def prepare_kubeconfig_certificates(master, kube_control): def request_credentials(kube_control): """ Request authorization creds.""" - # The kube-cotrol interface is created to support RBAC. - # At this point we might as well do the right thing and return the hostname - # even if it will only be used when we enable RBAC - user = 'system:masters' + # Ask for a user, although we will be using the 'client_token' + user = 'system:e2e' kube_control.set_auth_request(user) +@when('kube-control.auth.available') +def catch_change_in_creds(kube_control): + """Request a service restart in case credential updates were detected.""" + user = 'system:e2e' + creds = kube_control.get_auth_credentials(user) + if creds \ + and data_changed('kube-control.creds', creds) \ + and creds['user'] == user: + db.set('credentials', creds) + set_state('e2e.auth.bootstrapped') + + @when('kubernetes-e2e.installed', 'kubeconfig.ready') def set_app_version(): ''' Declare the application version to juju '''
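Review bot: `catch_change_in_creds` stores the new credentials and sets `e2e.auth.bootstrapped`, but nothing in this hunk clears `kubeconfig.ready`, so `prepare_kubeconfig_certificates` (guarded by `@when_not('kubeconfig.ready')`) will not run again after the first kubeconfig is written. Unless a handler outside the diff resets that state, a rotated or revoked token stays in the kubeconfig, and the docstring's "service restart" does not describe what the code does. After `db.set('credentials', creds)` I would add `remove_state('kubeconfig.ready')` (assuming `remove_state` is imported in this module) and reword the docstring to say the kubeconfig is regenerated. The condition also calls `data_changed`, which records the new hash, before it checks `creds['user'] == user`. Putting the user check first, as in `if creds and creds['user'] == user and data_changed('kube-control.creds', creds):`, keeps credentials for an unexpected user from being marked as already seen.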