diff --git a/cmd/kubeadm/app/cmd/phases/init/waitcontrolplane.go b/cmd/kubeadm/app/cmd/phases/init/waitcontrolplane.go
index ec6a4c04420..aa687fb8669 100644
--- a/cmd/kubeadm/app/cmd/phases/init/waitcontrolplane.go
+++ b/cmd/kubeadm/app/cmd/phases/init/waitcontrolplane.go
@@ -19,6 +19,7 @@ package phases
 import (
 "fmt"
 "io"
+ "os"
 "path/filepath"
 "text/template"
 "time"
@@ -100,6 +101,13 @@ func runWaitControlPlanePhase(c workflow.RunData) error {
 return errors.New("couldn't initialize a Kubernetes cluster")
 }
+ // Deletes the kubelet boostrap kubeconfig file, so the credential used for TLS bootstrap is removed from disk
+ // This is done only on success.
+ bootstrapKubeConfigFile := kubeadmconstants.GetBootstrapKubeletKubeConfigPath()
+ if err := os.Remove(bootstrapKubeConfigFile); err != nil {
+ klog.Warningf("[wait-control-plane] could not delete the file %q: %v", bootstrapKubeConfigFile, err)
+ }
+
 return nil
 }
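Review bot: The `os.Remove` error branch in the second hunk treats every failure the same, so a file that is already absent (a re-run of this phase, or a setup that never wrote it) produces a warning, while a real failure such as a permission error leaves the TLS bootstrap credential on disk behind the same generic log line. Consider skipping the not-exist case and making the leftover-credential case explicit, e.g. `if err := os.Remove(bootstrapKubeConfigFile); err != nil && !os.IsNotExist(err) {` with a message stating that the bootstrap credential is still present at that path. The hunk does not show whether the kubelet has already finished TLS bootstrap at this point, or whether the phase also runs in dry-run mode; both are worth confirming, since the rest of runWaitControlPlanePhase lies outside the hunk. The added comment also misspells "bootstrap" as "boostrap".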