diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index e2fe061494282b62add4d42345be8b6d5cb89b34..8f79f3297653c0ebdb5d843f393208aaed8d1a8e 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -192,14 +192,3 @@ persistent_volumes_enabled: false
 ## See https://github.com/kubernetes-incubator/kubespray/issues/2141
 ## Set this variable to true to get rid of this issue
 volume_cross_zone_attachment: false
-
-## Add options for metrics-server
-#apiserver_custom_flags:
-#  - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
-#  - --requestheader-allowed-names=aggregator
-#  - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
-#  - --requestheader-group-headers=X-Remote-Group
-#  - --requestheader-username-headers=X-Remote-User
-#  - --enable-aggregator-routing=true
-#  - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
-#  - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 39974846d543df3c2bd5336b29f9512d7d008708..751ce93921998874c2a187bf7ffed3164e7aea15 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -100,6 +100,16 @@ spec:
 {% if kube_feature_gates %}
     - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
+{% if kube_version | version_compare('1.9', '>=') %}
+    - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+    - --requestheader-allowed-names=system:aggregator-proxy-client
+    - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+    - --requestheader-group-headers=X-Remote-Group
+    - --requestheader-username-headers=X-Remote-User
+    - --enable-aggregator-routing=true
+    - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
+    - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
+{% endif %}
 {% if apiserver_custom_flags is string %}
     - {{ apiserver_custom_flags }}
 {% else %}
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 61668992d798bbdbec7a88d18487ecff4614b2ae..8cfc0728acc15e48596b4ec1dc2a823ad71c0000 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -94,7 +94,7 @@ if [ -n "$MASTERS" ]; then
     # kube-controller-manager
     gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
     # metrics aggregator
-    gen_key_and_cert "aggregator-proxy-client" "/CN=aggregator"
+    gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
 
     for host in $MASTERS; do
         cn="${host%%.*}"