Why would kubectl inadvertently send basic auth credentials, when token is already sent?

In our clusters, probably when load is high, we quite often see kubectl rollouts failing with errors like “more than one authentication method found”. All we can see is that kubectl is somehow sending basic auth credentials, but we don’t know why. We’re not specifying basic auth credentials.

What can we examine to see why this might be happening?