Kubernetes aggregation certificates – apiserver client authentication allowed names

Definitions I’m using in this question:

  • Main apiserver: the core kube-apiserver
  • Extension apiserver: an addon like metrics-server

I am reading through the configure aggregation layer guide and I don’t understand the main apiserver’s use of --requestheader-allowed-names. In section Kubernetes Apiserver Client Authentication it says:

The connection must be made using a client certificate whose CN is one of those listed in --requestheader-allowed-names. Note: You can set this option to blank as --requestheader-allowed-names="". This will indicate to an extension apiserver that any CN is acceptable.

It makes it sound like the main apiserver is responsible for setting this. Surely the extension apiserver would be in control of this and determine what is acceptable? Why configure this on the main apiserver at all? I.e., the client certificate common names are what they are and it's up to the extension apiserver to accept/reject these?

Or is that doc section mixing options that are passed to both the main and extension apiservers?
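An added illustration of the check the quoted doc section describes, not part of the question above and not Kubernetes' own code: a standalone Go program that stands in for the extension-apiserver side. It generates a throwaway request-header CA and client certificates with the standard library (the CA name "front-proxy-ca", the CN "front-proxy-client" and the "other" CN are assumed values chosen for the example), then applies the two conditions from the quote: the client certificate must be issued by the request-header CA, and its CN must be in the allowed-names list unless that list is blank, in which case any CN is acceptable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// frontProxyCheck models what the quoted doc says an extension apiserver does
// with the request-header settings: the client cert must chain to the
// request-header CA and, unless allowedNames is empty, its CN must be listed.
// Illustrative only; this is not the Kubernetes authenticator.
type frontProxyCheck struct {
	roots        *x509.CertPool
	allowedNames []string // empty == --requestheader-allowed-names="" (any CN)
}

func (c frontProxyCheck) accept(leaf *x509.Certificate) error {
	opts := x509.VerifyOptions{
		Roots:     c.roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("not issued by the request-header CA: %w", err)
	}
	if len(c.allowedNames) == 0 {
		return nil // blank allowed-names: any CN the CA signed is acceptable
	}
	for _, n := range c.allowedNames {
		if leaf.Subject.CommonName == n {
			return nil
		}
	}
	return fmt.Errorf("CN %q not in allowed names %v", leaf.Subject.CommonName, c.allowedNames)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert signs a certificate for cn; with parent == nil it is a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Assumed CA names: one request-header CA and one unrelated CA for contrast.
var requestHeaderCA, requestHeaderKey = newCert("front-proxy-ca", nil, nil)
var otherCA, otherKey = newCert("some-other-ca", nil, nil)

// Accepts reports whether a client cert with CN cn passes the check under the
// given allowed-names list. signedByRequestHeaderCA=false issues it from the
// unrelated CA instead, which must always be rejected.
func Accepts(cn string, allowedNames []string, signedByRequestHeaderCA bool) bool {
	ca, key := requestHeaderCA, requestHeaderKey
	if !signedByRequestHeaderCA {
		ca, key = otherCA, otherKey
	}
	leaf, _ := newCert(cn, ca, key)
	pool := x509.NewCertPool()
	pool.AddCert(requestHeaderCA)
	return frontProxyCheck{roots: pool, allowedNames: allowedNames}.accept(leaf) == nil
}

func main() {
	for _, tc := range []struct {
		cn      string
		allowed []string
		ourCA   bool
	}{
		{"front-proxy-client", []string{"front-proxy-client"}, true},
		{"other", []string{"front-proxy-client"}, true},
		{"other", nil, true},
		{"front-proxy-client", nil, false},
	} {
		fmt.Printf("cn=%-18s allowed=%-22v requestHeaderCA=%-5v accepted=%v\n",
			tc.cn, tc.allowed, tc.ourCA, Accepts(tc.cn, tc.allowed, tc.ourCA))
	}
}
```

The last scenario is the one worth keeping in mind when reading the "any CN is acceptable" sentence: a blank allowed-names list relaxes only the CN comparison, not the CA check, so a certificate with the right CN from the wrong CA is still rejected.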