diff --git a/pkg/master/controller.go b/pkg/master/controller.go
index c98adc89b6f..4751deb8859 100644
--- a/pkg/master/controller.go
+++ b/pkg/master/controller.go
@@ -41,9 +41,10 @@ import (
 
 const kubernetesServiceName = "kubernetes"
 
-// Controller is the controller manager for the core bootstrap Kubernetes controller
-// loops, which manage creating the "kubernetes" service, the "default" and "kube-system"
-// namespace, and provide the IP repair check on service IPs
+// Controller is the controller manager for the core bootstrap Kubernetes
+// controller loops, which manage creating the "kubernetes" service, the
+// "default", "kube-system" and "kube-public" namespaces, and provide the IP
+// repair check on service IPs
 type Controller struct {
 	ServiceClient   coreclient.ServicesGetter
 	NamespaceClient coreclient.NamespacesGetter
@@ -84,7 +85,7 @@ func (c *Config) NewBootstrapController(legacyRESTStorage corerest.LegacyRESTSto
 		EndpointReconciler: c.EndpointReconcilerConfig.Reconciler,
 		EndpointInterval:   c.EndpointReconcilerConfig.Interval,
 
-		SystemNamespaces:         []string{metav1.NamespaceSystem},
+		SystemNamespaces:         []string{metav1.NamespaceSystem, metav1.NamespacePublic},
 		SystemNamespacesInterval: 1 * time.Minute,
 
 		ServiceClusterIPRegistry: legacyRESTStorage.ServiceClusterIPAllocator,
diff --git a/plugin/pkg/admission/namespace/lifecycle/admission.go b/plugin/pkg/admission/namespace/lifecycle/admission.go
index a7f86352a80..52a56bd2e4c 100644
--- a/plugin/pkg/admission/namespace/lifecycle/admission.go
+++ b/plugin/pkg/admission/namespace/lifecycle/admission.go
@@ -51,7 +51,7 @@ const (
 
 func init() {
 	admission.RegisterPlugin(PluginName, func(config io.Reader) (admission.Interface, error) {
-		return NewLifecycle(sets.NewString(metav1.NamespaceDefault, metav1.NamespaceSystem))
+		return NewLifecycle(sets.NewString(metav1.NamespaceDefault, metav1.NamespaceSystem, metav1.NamespacePublic))
 	})
 }