diff --git a/README.md b/README.md
index 804dc942c8624494df02adf1a2b1d356face5f73..4ada050d3407663a4c160f752ac296a02cd70f95 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,18 @@ CoreOS' Tectonic technology. Otherwise, you can simply make use of
 repository are adapted to work with a [multi-node setup](https://github.com/kubernetes-incubator/bootkube/tree/master/hack/multi-node)
 using [bootkube](https://github.com/kubernetes-incubator/bootkube).
 
+
+> We assume that the kubelet uses token authN and authZ, as otherwise
+> Prometheus needs a client certificate, which gives it full access to the
+> kubelet, rather than just the metrics. Token authN and authZ allows more fine
+> grained and easier access control. Simply start minikube with the following
+> command (you can of course adapt the version and memory to your needs):
+>
+> $ minikube delete && minikube start --kubernetes-version=v1.9.1 --memory=4096 --bootstrapper=kubeadm --extra-config=kubelet.authentication-token-webhook=true --extra-config=kubelet.authorization-mode=Webhook --extra-config=scheduler.address=0.0.0.0 --extra-config=controller-manager.address=0.0.0.0
+>
+> In future versions of minikube and kubeadm this will be the default, but for
+> the time being, we will have to configure it ourselves.
+
 ## Monitoring Kubernetes
 
 The manifests here use the [Prometheus Operator](https://github.com/coreos/prometheus-operator),
diff --git a/hack/cluster-monitoring/minikube-deploy b/hack/cluster-monitoring/minikube-deploy
index ab7e72e4172ac5dc4477db4549e9d4261b5db631..64cb86be7e2ab34634741d5943d43a077ee9bc0d 100755
--- a/hack/cluster-monitoring/minikube-deploy
+++ b/hack/cluster-monitoring/minikube-deploy
@@ -1,6 +1,17 @@
 #!/usr/bin/env bash
 
+# We assume that the kubelet uses token authN and authZ, as otherwise
+# Prometheus needs a client certificate, which gives it full access to the
+# kubelet, rather than just the metrics. Token authN and authZ allows more fine
+# grained and easier access control. Simply start minikube with the following
+# command (you can of course adapt the version and memory to your needs):
+#
+# $ minikube delete && minikube start --kubernetes-version=v1.9.1 --memory=4096 --bootstrapper=kubeadm --extra-config=kubelet.authentication-token-webhook=true --extra-config=kubelet.authorization-mode=Webhook --extra-config=scheduler.address=0.0.0.0 --extra-config=controller-manager.address=0.0.0.0
+#
+# In future versions of minikube and kubeadm this will be the default, but for
+# the time being, we will have to configure it ourselves.
+
 hack/cluster-monitoring/deploy
 
-awk 'FNR==1{print "---"}1' manifests/k8s/minikube/*.yaml | sed s/MINIKUBE_IP/`minikube ip`/g | kubectl --namespace=kube-system apply -f - 
+kubectl --namespace=kube-system apply -f manifests/k8s/kubeadm/
 
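Review bot: The setup command in the new header comment binds the scheduler and controller-manager to all interfaces (`--extra-config=scheduler.address=0.0.0.0`, `--extra-config=controller-manager.address=0.0.0.0`) with no caveat, even though the surrounding text is about restricting what Prometheus can reach on the kubelet. With this Kubernetes version those flags appear to govern the plain-HTTP ports (10251/10252 in the manifests this commit deletes), which serve metrics without authentication, so the comment should state the intended scope, e.g. `# NOTE: binding scheduler/controller-manager to 0.0.0.0 exposes their unauthenticated HTTP ports; only do this on a local, non-routable minikube VM.` The same paragraph is added to README.md and deserves the same caveat. Separately, the script has no `set -euo pipefail` after the shebang, so `kubectl --namespace=kube-system apply -f manifests/k8s/kubeadm/` still runs when `hack/cluster-monitoring/deploy` fails.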
diff --git a/manifests/k8s/minikube/kube-controller-manager.yaml b/manifests/k8s/minikube/kube-controller-manager.yaml
deleted file mode 100644
index d33015aabcbee46ac0932f3523739f8bfe663aea..0000000000000000000000000000000000000000
--- a/manifests/k8s/minikube/kube-controller-manager.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  namespace: kube-system
-  name: kube-controller-manager-prometheus-discovery
-  labels:
-    k8s-app: kube-controller-manager
-spec:
-  type: ClusterIP
-  clusterIP: None
-  ports:
-  - name: http-metrics
-    port: 10252
-    targetPort: 10252
-    protocol: TCP
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  namespace: kube-system
-  name: kube-controller-manager-prometheus-discovery
-  labels:
-    k8s-app: kube-controller-manager
-subsets:
-- addresses:
-  - ip: MINIKUBE_IP
-  ports:
-  - name: http-metrics
-    port: 10252
-    protocol: TCP
diff --git a/manifests/k8s/minikube/kube-scheduler.yaml b/manifests/k8s/minikube/kube-scheduler.yaml
deleted file mode 100644
index 8599575c06cf74ac3c0df01e65c0a280d9bb812b..0000000000000000000000000000000000000000
--- a/manifests/k8s/minikube/kube-scheduler.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  namespace: kube-system
-  name: kube-scheduler-prometheus-discovery
-  labels:
-    k8s-app: kube-scheduler
-spec:
-  type: ClusterIP
-  clusterIP: None
-  ports:
-  - name: http-metrics
-    port: 10251
-    targetPort: 10251
-    protocol: TCP
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  namespace: kube-system
-  name: kube-scheduler-prometheus-discovery
-  labels:
-    k8s-app: kube-scheduler
-subsets:
-- addresses:
-  - ip: MINIKUBE_IP
-  ports:
-  - name: http-metrics
-    port: 10251
-    protocol: TCP