Clarify front-proxy certificate dependency on aggregation layer

singhvishalkr · singhvishalkr · commit 96d03b0887b3 · 2026-05-01T17:32:46.000Z
The note in the kubelet certificates section described the front-proxy CA as something you only need `if you run kube-proxy to support an extension API server`. kube-proxy is the node-level Service networking component and is not involved in extension API server delivery; the actual mechanism is the apiserver aggregation layer. Reword the note to point at the aggregation layer with a link to the matching task page, while keeping the existing extension API server reference. Closes #55622.
diff --git a/content/en/docs/setup/best-practices/certificates.md b/content/en/docs/setup/best-practices/certificates.md
@@ -57,8 +57,9 @@ In this scenario, there are two approaches for certificate usage:
   `kubelet-client.key` are created.
 
 {{< note >}}
-`front-proxy` certificates are required only if you run kube-proxy to support
-[an extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/).
+`front-proxy` certificates are required only when using the
+[aggregation layer](/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
+to enable an [extension (aggregated) API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/).
 {{< /note >}}
 
 etcd also implements mutual TLS to authenticate clients and peers.
