diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
index 8213ef04e4cc..eb4f4c64adf1 100644
--- a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
+++ b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
@@ -241,7 +241,10 @@ func (r *KubeadmConfigReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 }
 }
 }()
-
+ // Ensure the bootstrap secret associated with this KubeadmConfig has the correct ownerReference.
+ if err := r.ensureBootstrapSecretOwnersRef(ctx, scope); err != nil {
+ return ctrl.Result{}, err
+ }
 switch {
 // Wait for the infrastructure to be ready.
 case !cluster.Status.InfrastructureReady:
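Review bot: The new call sits ahead of the `switch`, so every reconcile now reads the Secret and any error from that read or from the patch returns before the state handling below runs. If that is intended, the comment should say which object is expected to own the secret and why, for example `// Re-assert the owner of the bootstrap data Secret so it is garbage-collected with that owner; an error here aborts this reconcile.` "The correct ownerReference" leaves the reader to find out from the helper which owner is meant. Reconcile starts and ends outside this hunk, so whether paused or deleting objects reach this line cannot be checked from here.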
@@ -1022,3 +1025,32 @@ func (r *KubeadmConfigReconciler) storeBootstrapData(ctx context.Context, scope
 conditions.MarkTrue(scope.Config, bootstrapv1.DataSecretAvailableCondition)
 return nil
 }
+
+// Ensure the bootstrap secret has the configOwner as a controller OwnerReference.
+func (r *KubeadmConfigReconciler) ensureBootstrapSecretOwnersRef(ctx context.Context, scope *Scope) error {
+ secret := &corev1.Secret{}
+ err := r.Client.Get(ctx, client.ObjectKey{Namespace: scope.Config.Namespace, Name: scope.Config.Name}, secret)
+ if err != nil {
+ // If the secret has not been created yet return early.
+ if apierrors.IsNotFound(err) {
+ return nil
+ }
+ return errors.Wrapf(err, "failed to add KubeadmConfig %s as ownerReference to bootstrap Secret %s", scope.ConfigOwner.GetName(), secret.GetName())
+ }
+ patchHelper, err := patch.NewHelper(secret, r.Client)
+ if err != nil {
+ return errors.Wrapf(err, "failed to add KubeadmConfig %s as ownerReference to bootstrap Secret %s", scope.ConfigOwner.GetName(), secret.GetName())
+ }
+ secret.OwnerReferences = util.EnsureOwnerRef(secret.OwnerReferences, metav1.OwnerReference{
+ APIVersion: scope.ConfigOwner.GetAPIVersion(),
+ Kind: scope.ConfigOwner.GetKind(),
+ UID: scope.ConfigOwner.GetUID(),
+ Name: scope.ConfigOwner.GetName(),
+ Controller: pointer.Bool(true),
+ })
+ err = patchHelper.Patch(ctx, secret)
+ if err != nil {
+ return errors.Wrapf(err, "could not add KubeadmConfig %s as ownerReference to bootstrap Secret %s", scope.ConfigOwner.GetName(), secret.GetName())
+ }
+ return nil
+}
diff --git a/bootstrap/kubeadm/internal/controllers/token.go b/bootstrap/kubeadm/internal/controllers/token.go
index f1e509f9a2b1..9c61c7f9199e 100644
--- a/bootstrap/kubeadm/internal/controllers/token.go
+++ b/bootstrap/kubeadm/internal/controllers/token.go
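Review bot: In ensureBootstrapSecretOwnersRef the owner reference is built from `scope.ConfigOwner`, yet all three error messages call that object the KubeadmConfig and the secret itself is looked up by the name of `scope.Config`. If ConfigOwner is the object that owns the config rather than the config itself, the messages are wrong and the secret gets a `Controller: true` reference to a different object than the call-site comment describes. This Secret holds bootstrap data and its owner decides when it is garbage-collected, so the intended owner should be stated; if the secret can already carry a controller reference, that case needs handling, because the API server rejects two references with `controller: true`. On the Get failure path `secret.GetName()` is still empty, so that message should use `scope.Config.Name` instead. The lookup also accepts any Secret that shares the config's name, so checking that it is this config's bootstrap data secret before patching would avoid adopting an unrelated one.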
@@ -81,7 +81,7 @@ func getToken(ctx context.Context, c client.Client, token string) (*corev1.Secre } if secret.Data == nil { - return nil, errors.Errorf("Invalid bootstrap secret %q, remove the token from the kubadm config to re-create", secretName) + return nil, errors.Errorf("Invalid bootstrap secret %q, remove the token from the kubeadm config to re-create", secretName) } return secret, nil }