diff --git a/cmd/kops/update_cluster.go b/cmd/kops/update_cluster.go
index 869601552b7e6..82f83a8cec97d 100644
--- a/cmd/kops/update_cluster.go
+++ b/cmd/kops/update_cluster.go
@@ -84,7 +84,10 @@ func (o *UpdateClusterOptions) InitDefaults() {
 	o.Target = "direct"
 	o.SSHPublicKey = ""
 	o.OutDir = ""
-	o.CreateKubecfg = false
+
+	// By default we export a kubecfg, but it doesn't have a static/eternal credential in it any more.
+	o.CreateKubecfg = true
+
 	o.RunTasksOptions.InitDefaults()
 }
 
@@ -149,10 +152,6 @@ func RunUpdateCluster(ctx context.Context, f *util.Factory, clusterName string,
 		return nil, fmt.Errorf("cannot use both --admin and --user")
 	}
 
-	if c.CreateKubecfg && c.admin == 0 && c.user == "" {
-		return nil, fmt.Errorf("--create-kube-config requires that either --admin or --user is set")
-	}
-
 	if c.admin != 0 && !c.CreateKubecfg {
 		klog.Info("--admin implies --create-kube-config")
 		c.CreateKubecfg = true
@@ -312,6 +311,7 @@ func RunUpdateCluster(ctx context.Context, f *util.Factory, clusterName string,
 		firstRun = !hasKubecfg
 
 		klog.Infof("Exporting kubecfg for cluster")
+
 		// TODO: Another flag?
 		useKopsAuthenticationPlugin := false
 		conf, err := kubeconfig.BuildKubecfg(
@@ -332,6 +332,10 @@ func RunUpdateCluster(ctx context.Context, f *util.Factory, clusterName string,
 		if err != nil {
 			return nil, err
 		}
+
+		if c.admin == 0 && c.user == "" {
+			klog.Warningf("Exported kubecfg with no user authentication; use --admin, --user or --auth-plugin flags with `kops export kubecfg`")
+		}
 	}
 
 	if !isDryrun {
diff --git a/docs/cli/kops_update_cluster.md b/docs/cli/kops_update_cluster.md
index 9c3f2b176a980..675943ff53c53 100644
--- a/docs/cli/kops_update_cluster.md
+++ b/docs/cli/kops_update_cluster.md
@@ -27,7 +27,7 @@ kops update cluster [flags]
 ```
       --admin duration[=18h0m0s]      Also export a cluster admin user credential with the specified lifetime and add it to the cluster context
       --allow-kops-downgrade          Allow an older version of kops to update the cluster than last used
-      --create-kube-config            Will control automatically creating the kube config file on your local filesystem
+      --create-kube-config            Will control automatically creating the kube config file on your local filesystem (default true)
   -h, --help                          help for cluster
       --internal                      Use the cluster's internal DNS name. Implies --create-kube-config
       --lifecycle-overrides strings   comma separated list of phase overrides, example: SecurityGroups=Ignore,InternetGateway=ExistsAndWarnIfChanges