diff --git a/test/integration/concierge_whoami_test.go b/test/integration/concierge_whoami_test.go
index 7a986d855..a9e18d8c9 100644
--- a/test/integration/concierge_whoami_test.go
+++ b/test/integration/concierge_whoami_test.go
@@ -39,10 +39,21 @@ func TestWhoAmI_Kubeadm_Parallel(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
 
+ adminClient := testlib.NewKubernetesClientset(t)
+
 whoAmI, err := testlib.NewConciergeClientset(t).IdentityV1alpha1().WhoAmIRequests().
 Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 require.NoError(t, err, testlib.Sdump(err))
 
+ var wantGroups []string
+ if testutil.KubeServerMinorVersionInBetweenInclusive(t, adminClient.Discovery(), 0, 28) {
+ wantGroups = []string{"system:masters", "system:authenticated"}
+ } else {
+ // See https://github.com/kubernetes/enhancements/issues/4214. Admin kubeconfigs from kubeadm
+ // which previously had system:masters now have kubeadm:cluster-admins instead.
+ wantGroups = []string{"kubeadm:cluster-admins", "system:authenticated"}
+ }
+
 // this user info is based off of the bootstrap cert user created by kubeadm
 require.Equal(t,
 &identityv1alpha1.WhoAmIRequest{
@@ -50,10 +61,7 @@ func TestWhoAmI_Kubeadm_Parallel(t *testing.T) {
 KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
 User: identityv1alpha1.UserInfo{
 Username: "kubernetes-admin",
- Groups: []string{
- "system:masters",
- "system:authenticated",
- },
+ Groups: wantGroups,
 },
 },
 },
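Review bot: The bounds `0, 28` passed to `KubeServerMinorVersionInBetweenInclusive` in the first hunk are unexplained, and the comment that names the cut-over sits in the `else` branch, where it only links to the enhancement issue. A comment above the `if`, such as `// kubeadm admin kubeconfigs carry system:masters through 1.28 and kubeadm:cluster-admins after that`, would let a reader check the threshold without following the link. The branch also keys the expected groups off the API server's minor version, while the comment in the hunk attributes the groups to the admin kubeconfig that kubeadm generated. If the test can run against a cluster whose kubeconfig came from a different kubeadm release than the running server (not visible from this hunk), the expectation would be wrong, so that assumption is worth stating in the comment. The body of `TestWhoAmI_Kubeadm_Parallel` starts and ends outside the hunk.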