diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/BUILD b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/BUILD
index c042514ca3a..76c2fd3dcad 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/BUILD
@@ -16,6 +16,7 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/errors:go_default_library",
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/kubeconfig.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/kubeconfig.go
index 3eef6f7e561..7cf0d319345 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/kubeconfig.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/kubeconfig.go
@@ -17,13 +17,14 @@ limitations under the License.
 package config
 
 import (
+	"fmt"
 	"io"
 	"io/ioutil"
-
-	"fmt"
+	"path"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/config/apis/webhookadmission/v1alpha1"
 )
@@ -57,6 +58,10 @@ func LoadConfig(configFile io.Reader) (string, error) {
 			return "", fmt.Errorf("unexpected type: %T", decodedObj)
 		}
 
+		if !path.IsAbs(config.KubeConfigFile) {
+			return "", field.Invalid(field.NewPath("kubeConfigFile"), config.KubeConfigFile, "must be an absolute file path")
+		}
+
 		kubeconfigFile = config.KubeConfigFile
 	}
 	return kubeconfigFile, nil