diff --git a/kube-client/src/client/auth/mod.rs b/kube-client/src/client/auth/mod.rs
index 58b672f4e..76cf97ef1 100644
--- a/kube-client/src/client/auth/mod.rs
+++ b/kube-client/src/client/auth/mod.rs
@@ -474,6 +474,13 @@ fn auth_exec(auth: &ExecConfig) -> Result<ExecCredential, Error> {
             });
         cmd.envs(envs);
     }
+
+    if let Some(envs) = &auth.drop_env {
+        for env in envs {
+            cmd.env_remove(env);
+        }
+    }
+
     let out = cmd.output().map_err(Error::AuthExecStart)?;
     if !out.status.success() {
         return Err(Error::AuthExecRun {
diff --git a/kube-client/src/config/file_config.rs b/kube-client/src/config/file_config.rs
index bdfec434b..21aba9f49 100644
--- a/kube-client/src/config/file_config.rs
+++ b/kube-client/src/config/file_config.rs
@@ -243,6 +243,11 @@ pub struct ExecConfig {
     /// TODO: These are unioned with the host's environment, as well as variables client-go uses to pass argument to the plugin.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub env: Option<Vec<HashMap<String, String>>>,
+    /// drop_env specifies which environment arguments of the host process shouldn't
+    /// pass to the auth plugin.
+    /// This doesn't exist upstream (yet?)
+    #[serde(skip)]
+    pub drop_env: Option<Vec<String>>,
 }
 
 /// NamedContext associates name with context.