diff --git a/cmd/kubeadm/app/util/kubeconfig/kubeconfig_test.go b/cmd/kubeadm/app/util/kubeconfig/kubeconfig_test.go
index f471f763879..e12dbcac5f9 100644
--- a/cmd/kubeadm/app/util/kubeconfig/kubeconfig_test.go
+++ b/cmd/kubeadm/app/util/kubeconfig/kubeconfig_test.go
@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"fmt"
 	"os"
+	"reflect"
 	"testing"
 
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@@ -345,3 +346,184 @@ func TestHasCredentials(t *testing.T) {
 		})
 	}
 }
+
+func TestGetClusterFromKubeConfig(t *testing.T) {
+	tests := []struct {
+		name                string
+		config              *clientcmdapi.Config
+		expectedClusterName string
+		expectedCluster     *clientcmdapi.Cluster
+	}{
+		{
+			name: "cluster is empty",
+			config: &clientcmdapi.Config{
+				CurrentContext: "kubernetes",
+			},
+			expectedClusterName: "",
+			expectedCluster:     nil,
+		},
+		{
+			name: "cluster and currentContext are not empty",
+			config: &clientcmdapi.Config{
+				CurrentContext: "foo",
+				Contexts: map[string]*clientcmdapi.Context{
+					"foo": {AuthInfo: "foo", Cluster: "foo"},
+					"bar": {AuthInfo: "bar", Cluster: "bar"},
+				},
+				Clusters: map[string]*clientcmdapi.Cluster{
+					"foo": {Server: "http://foo:8080"},
+					"bar": {Server: "https://bar:16443"},
+				},
+			},
+			expectedClusterName: "foo",
+			expectedCluster: &clientcmdapi.Cluster{
+				Server: "http://foo:8080",
+			},
+		},
+		{
+			name: "cluster is not empty and currentContext is not in contexts",
+			config: &clientcmdapi.Config{
+				CurrentContext: "foo",
+				Contexts: map[string]*clientcmdapi.Context{
+					"bar": {AuthInfo: "bar", Cluster: "bar"},
+				},
+				Clusters: map[string]*clientcmdapi.Cluster{
+					"foo": {Server: "http://foo:8080"},
+					"bar": {Server: "https://bar:16443"},
+				},
+			},
+			expectedClusterName: "",
+			expectedCluster:     nil,
+		},
+	}
+	for _, rt := range tests {
+		t.Run(rt.name, func(t *testing.T) {
+			clusterName, cluster := GetClusterFromKubeConfig(rt.config)
+			if clusterName != rt.expectedClusterName {
+				t.Errorf("got cluster name = %s, expected %s", clusterName, rt.expectedClusterName)
+			}
+			if !reflect.DeepEqual(cluster, rt.expectedCluster) {
+				t.Errorf("got cluster = %+v, expected %+v", cluster, rt.expectedCluster)
+			}
+		})
+	}
+}
+
+func TestEnsureAuthenticationInfoAreEmbedded(t *testing.T) {
+	file, err := os.CreateTemp("", t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(file.Name())
+	defer file.Close()
+
+	tests := []struct {
+		name    string
+		config  *clientcmdapi.Config
+		wantErr bool
+	}{
+		{
+			name: "get data from file",
+			config: &clientcmdapi.Config{
+				CurrentContext: "kubernetes",
+				Contexts:       map[string]*clientcmdapi.Context{"kubernetes": {AuthInfo: "kubernetes"}},
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{"kubernetes": {
+					ClientCertificate: file.Name(),
+					ClientKey:         file.Name(),
+					TokenFile:         file.Name(),
+				},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "get data from config",
+			config: &clientcmdapi.Config{
+				CurrentContext: "kubernetes",
+				Contexts:       map[string]*clientcmdapi.Context{"kubernetes": {AuthInfo: "kubernetes"}},
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{"kubernetes": {
+					ClientCertificateData: []byte{'f', 'o', 'o'},
+					ClientKeyData:         []byte{'b', 'a', 'r'},
+					Token:                 "k8s",
+				},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name:    "invalid authInfo: no authInfo",
+			config:  nil,
+			wantErr: true,
+		},
+		{
+			name: "get data from file but the file doesn't exist",
+			config: &clientcmdapi.Config{
+				CurrentContext: "kubernetes",
+				Contexts:       map[string]*clientcmdapi.Context{"kubernetes": {AuthInfo: "kubernetes"}},
+				AuthInfos: map[string]*clientcmdapi.AuthInfo{"kubernetes": {
+					ClientCertificate: "unknownfile",
+					ClientKey:         "unknownfile",
+					TokenFile:         "unknownfile",
+				},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, rt := range tests {
+		t.Run(rt.name, func(t *testing.T) {
+			if err := EnsureAuthenticationInfoAreEmbedded(rt.config); (err != nil) != rt.wantErr {
+				t.Errorf("error = %v, wantErr %v", err, rt.wantErr)
+			}
+		})
+	}
+}
+
+func TestEnsureCertificateAuthorityIsEmbedded(t *testing.T) {
+	file, err := os.CreateTemp("", t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(file.Name())
+	defer file.Close()
+
+	tests := []struct {
+		name    string
+		cluster *clientcmdapi.Cluster
+		wantErr bool
+	}{
+		{
+			name: "get data from file",
+			cluster: &clientcmdapi.Cluster{
+				CertificateAuthority: file.Name(),
+			},
+			wantErr: false,
+		},
+		{
+			name: "get data from config",
+			cluster: &clientcmdapi.Cluster{
+				CertificateAuthorityData: []byte{'f', 'o', 'o'},
+			},
+			wantErr: false,
+		},
+		{
+			name:    "cluster is nil",
+			cluster: nil,
+			wantErr: true,
+		},
+		{
+			name: "get data from file but the file doesn't exist",
+			cluster: &clientcmdapi.Cluster{
+				CertificateAuthority: "unknownfile",
+			},
+			wantErr: true,
+		},
+	}
+	for _, rt := range tests {
+		t.Run(rt.name, func(t *testing.T) {
+			if err := EnsureCertificateAuthorityIsEmbedded(rt.cluster); (err != nil) != rt.wantErr {
+				t.Errorf("error = %v, wantErr %v", err, rt.wantErr)
+			}
+		})
+	}
+}