diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
index f2d058252e5..cf5ed9b73da 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
@@ -21,6 +21,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"reflect"
+	"strings"
 	"sync"
 	"testing"
 
@@ -319,6 +320,19 @@ func TestImpersonationFilter(t *testing.T) {
 		}
 
 		actualUser = user
+
+		if _, ok := req.Header[authenticationapi.ImpersonateUserHeader]; ok {
+			t.Fatal("user header still present")
+		}
+		if _, ok := req.Header[authenticationapi.ImpersonateGroupHeader]; ok {
+			t.Fatal("group header still present")
+		}
+		for key := range req.Header {
+			if strings.HasPrefix(key, authenticationapi.ImpersonateUserExtraHeaderPrefix) {
+				t.Fatalf("extra header still present: %v", key)
+			}
+		}
+
 	})
 	handler := func(delegate http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
@@ -360,7 +374,9 @@ func TestImpersonationFilter(t *testing.T) {
 			t.Errorf("%s: unexpected error: %v", tc.name, err)
 			continue
 		}
-		req.Header.Add(authenticationapi.ImpersonateUserHeader, tc.impersonationUser)
+		if len(tc.impersonationUser) > 0 {
+			req.Header.Add(authenticationapi.ImpersonateUserHeader, tc.impersonationUser)
+		}
 		for _, group := range tc.impersonationGroups {
 			req.Header.Add(authenticationapi.ImpersonateGroupHeader, group)
 		}