diff --git a/docs/canonicalk8s/_parts/control_plane_join_config.md b/docs/canonicalk8s/_parts/control_plane_join_config.md
index 6e5d50e33..a79068748 100644
--- a/docs/canonicalk8s/_parts/control_plane_join_config.md
+++ b/docs/canonicalk8s/_parts/control_plane_join_config.md
@@ -15,6 +15,18 @@ If omitted defaults to an auto generated certificate.
 The client key to be used for the front proxy.
 If omitted defaults to an auto generated key.
 
+### admin-client-crt
+**Type:** `string`<br>
+
+The admin client certificate to be used for Kubernetes services.
+If omitted defaults to an auto generated certificate.
+
+### admin-client-key
+**Type:** `string`<br>
+
+The admin client key to be used for Kubernetes services.
+If omitted defaults to an auto generated key.
+
 ### kube-proxy-client-crt
 **Type:** `string`<br>
 
diff --git a/src/k8s/go.mod b/src/k8s/go.mod
index 3dadeaa46..e63a52e6a 100644
--- a/src/k8s/go.mod
+++ b/src/k8s/go.mod
@@ -7,7 +7,7 @@ toolchain go1.23.4
 require (
 	dario.cat/mergo v1.0.0
 	github.com/canonical/go-dqlite/v2 v2.0.0
-	github.com/canonical/k8s-snap-api v1.0.16
+	github.com/canonical/k8s-snap-api v1.0.17
 	github.com/canonical/lxd v0.0.0-20250113143058-52441d41dab7
 	github.com/canonical/microcluster/v2 v2.1.1-0.20250127104725-631889214b18
 	github.com/go-logr/logr v1.4.2
diff --git a/src/k8s/go.sum b/src/k8s/go.sum
index 7b2d3bfc1..a90e0ce2c 100644
--- a/src/k8s/go.sum
+++ b/src/k8s/go.sum
@@ -53,8 +53,8 @@ github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXe
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/canonical/go-dqlite/v2 v2.0.0 h1:RNFcFVhHMh70muKKErbW35rSzqmAFswheHdAgxW0Ddw=
 github.com/canonical/go-dqlite/v2 v2.0.0/go.mod h1:IaIC8u4Z1UmPjuAqPzA2r83YMaMHRLoKZdHKI5uHCJI=
-github.com/canonical/k8s-snap-api v1.0.16 h1:j1VPvWimgRt3P5uRtD2ZCPGalSFvU5AJ/Jbz60QMoBs=
-github.com/canonical/k8s-snap-api v1.0.16/go.mod h1:LDPoIYCeYnfgOFrwVPJ/4edGU264w7BB7g0GsVi36AY=
+github.com/canonical/k8s-snap-api v1.0.17 h1:r+xr+eQflaP+fadIH2RfBcAyF3Q4UFV9FtJ6TnBFm/k=
+github.com/canonical/k8s-snap-api v1.0.17/go.mod h1:LDPoIYCeYnfgOFrwVPJ/4edGU264w7BB7g0GsVi36AY=
 github.com/canonical/lxd v0.0.0-20250113143058-52441d41dab7 h1:lZCOt9/1KowNdnWXjfA1/51Uj7+R0fKtByos9EVrYn4=
 github.com/canonical/lxd v0.0.0-20250113143058-52441d41dab7/go.mod h1:4Ssm3YxIz8wyazciTLDR9V0aR2GPlGIHb+S0182T5pA=
 github.com/canonical/microcluster/v2 v2.1.1-0.20250127104725-631889214b18 h1:h5VJaUnE4gAKPolBTJ11HMRTEN5JyA+oR4gHkoK//6o=
diff --git a/src/k8s/pkg/k8sd/app/hooks_join.go b/src/k8s/pkg/k8sd/app/hooks_join.go
index 95cbd12b3..6a9715d30 100644
--- a/src/k8s/pkg/k8sd/app/hooks_join.go
+++ b/src/k8s/pkg/k8sd/app/hooks_join.go
@@ -132,6 +132,16 @@ func (a *App) onPostJoin(ctx context.Context, s state.State, initConfig map[stri
 	certificates.FrontProxyClientKey = joinConfig.GetFrontProxyClientKey()
 	certificates.KubeletCert = joinConfig.GetKubeletCert()
 	certificates.KubeletKey = joinConfig.GetKubeletKey()
+	certificates.AdminClientCert = joinConfig.GetAdminClientCert()
+	certificates.AdminClientKey = joinConfig.GetAdminClientKey()
+	certificates.KubeControllerManagerClientCert = joinConfig.GetKubeControllerManagerClientCert()
+	certificates.KubeControllerManagerClientKey = joinConfig.GetKubeControllerManagerClientKey()
+	certificates.KubeSchedulerClientCert = joinConfig.GetKubeSchedulerClientCert()
+	certificates.KubeSchedulerClientKey = joinConfig.GetKubeSchedulerClientKey()
+	certificates.KubeProxyClientCert = joinConfig.GetKubeProxyClientCert()
+	certificates.KubeProxyClientKey = joinConfig.GetKubeProxyClientKey()
+	certificates.KubeletClientCert = joinConfig.GetKubeletClientCert()
+	certificates.KubeletClientKey = joinConfig.GetKubeletClientKey()
 
 	// generate missing certificates
 	if err := certificates.CompleteCertificates(); err != nil {