diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index 8f79f3297653c0ebdb5d843f393208aaed8d1a8e..e2fe061494282b62add4d42345be8b6d5cb89b34 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -192,3 +192,14 @@ persistent_volumes_enabled: false
 ## See https://github.com/kubernetes-incubator/kubespray/issues/2141
 ## Set this variable to true to get rid of this issue
 volume_cross_zone_attachment: false
+
+## Add options for metrics-server
+#apiserver_custom_flags:
+#  - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+#  - --requestheader-allowed-names=aggregator
+#  - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+#  - --requestheader-group-headers=X-Remote-Group
+#  - --requestheader-username-headers=X-Remote-User
+#  - --enable-aggregator-routing=true
+#  - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
+#  - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
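Review bot: The sample `--requestheader-allowed-names=aggregator` does not match the subject of the client certificate this commit generates in make-ssl.sh, which is `/CN=system:aggregator-proxy-client`. The request-header check accepts the proxy client certificate only when its CN is in that allowed list, so uncommenting the block as written would likely make aggregated API servers such as metrics-server reject the apiserver's proxied requests. The flag should read `--requestheader-allowed-names=system:aggregator-proxy-client`, or the CN should change to match. The header comment would also be more useful if it said what the flags control, e.g. `## Aggregation-layer flags for metrics-server; the requestheader CA and allowed names decide who may assert identities via X-Remote-* headers`.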
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 9139ce98f07f91b710375ec3a2124fdc301fcd75..8cfc0728acc15e48596b4ec1dc2a823ad71c0000 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -93,6 +93,8 @@ if [ -n "$MASTERS" ]; then
     gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
     # kube-controller-manager
     gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
+    # metrics aggregator
+    gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
 
     for host in $MASTERS; do
         cn="${host%%.*}"
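Review bot: The new `aggregator-proxy-client` certificate appears to be issued by the same CA as every other client certificate in this script, and the sample flags in k8s-cluster.yml point `--requestheader-client-ca-file` at `/etc/kubernetes/ssl/ca.pem`. This is inferred, because gen_key_and_cert is defined outside the hunk. If that CA is also the apiserver's client CA, any certificate it issues whose CN is listed in `--requestheader-allowed-names` is trusted to assert arbitrary users and groups through the `X-Remote-*` headers, which is why the Kubernetes aggregation-layer documentation advises a separate CA for the request-header proxy. Consider issuing this certificate from a dedicated front-proxy CA, or at least record the trade-off above the call with `# signed by the cluster CA; requestheader trust then rests only on --requestheader-allowed-names`. The enclosing `if [ -n "$MASTERS" ]` block continues outside the hunk.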
diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml
index 3870a3e9616bd74836dac28a8abace3bf7948d33..782da6863fafc79133dc45843e13d145cc4c4b04 100644
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -26,6 +26,8 @@
     - kube-scheduler-key.pem
     - kube-controller-manager.pem
     - kube-controller-manager-key.pem
+    - aggregator-proxy-client.pem
+    - aggregator-proxy-client-key.pem
     - admin-{{ inventory_hostname }}.pem
     - admin-{{ inventory_hostname }}-key.pem
     - node-{{ inventory_hostname }}.pem
@@ -46,6 +48,8 @@
        '{{ kube_cert_dir }}/kube-scheduler-key.pem',
        '{{ kube_cert_dir }}/kube-controller-manager.pem',
        '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
+       '{{ kube_cert_dir }}/aggregator-proxy-client.pem',
+       '{{ kube_cert_dir }}/aggregator-proxy-client-key.pem',
        {% for host in groups['kube-master'] %}
        '{{ kube_cert_dir }}/admin-{{ host }}.pem'
        '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
@@ -66,7 +70,7 @@
       {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
       {% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem',
                       'kube-scheduler-key.pem', 'kube-controller-manager.pem',
-                      'kube-controller-manager-key.pem'] -%}
+                      'kube-controller-manager-key.pem','aggregator-proxy-client.pem','aggregator-proxy-client-key.pem'] -%}
         {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
         {% if not cert_file in existing_certs -%}
         {%- set gen = True -%}
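Review bot: The two new list entries inherit a double suffix, because every item already ends in `.pem` and the next line builds `cert_file` with `"%s/%s.pem"|format(kube_cert_dir, cert)`. The lookup is therefore for `aggregator-proxy-client.pem.pem`, which would not appear in `existing_certs`. The pattern predates this commit and the rest of the template is outside the hunk, so the effect on `gen` is inferred, but the presence check for the aggregator files cannot be relied on as written; `{% set cert_file = "%s/%s"|format(kube_cert_dir, cert) %}` would compare real paths. The added items also drop the space after each comma and make the line far longer than its neighbours; moving `'aggregator-proxy-client.pem',` and `'aggregator-proxy-client-key.pem'] -%}` onto their own continuation line would keep the existing layout.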
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 619bbe44595762cb39a097d14a897432e83c74b3..9be59fb7b759c6054e5022cf59a418302bf97c6d 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -73,6 +73,8 @@
                        'kube-scheduler-key.pem',
                        'kube-controller-manager.pem',
                        'kube-controller-manager-key.pem',
+                       'aggregator-proxy-client.pem',
+                       'aggregator-proxy-client-key.pem',
                        {% for node in groups['kube-master'] %}
                        'admin-{{ node }}.pem',
                        'admin-{{ node }}-key.pem',
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
index d54bf2b671b22bb8113f4a7fd7c94db2dfe711a8..f488cc61bff9d3f56ae151842a9065c6fc844408 100644
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -32,7 +32,7 @@
     sync_file_hosts: "{{ groups['kube-master'] }}"
     sync_file_is_cert: true
     sync_file_owner: kube
-  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem"]
+  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "aggregator-proxy-client.pem"]
 
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
   set_fact: