The problem is with your kube-apiserver version.

Version 1.6.7 was not supporting the flag --enable-admission-plugins=. The --admission-control flag has been deprecated in version 1.10 (pull request: https://github.com/kubernetes/kubernetes/pull/58123 )

I'm not sure how you managed to have this version on a cluster with kubernetes version 1.13.0, the image which kubeapi should use is: k8s.gcr.io/kube-apiserver:v1.13.0

Seems it could be renamed to:

--admission-control string                                Ordered list of plug-ins to do admission control of resources into cluster. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, ImagePolicyWebhook, InitialResources, LimitPodHardAntiAffinityTopology, LimitRanger, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, OwnerReferencesPermissionEnforcement, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, ResourceQuota, SecurityContextDeny, ServiceAccount. (default "AlwaysAdmit")

So the docs seem outdated... https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-controller

But I still don't know why kops is using this possibly deprecated flag..

Probably because I'm using an older version of the api-server... And it's probably not deprecated, it just a flag that was changed in a future version.