diff --git a/cmd/kube-aggregator/pkg/cmd/server/start.go b/cmd/kube-aggregator/pkg/cmd/server/start.go
index 74e01e6a0f..2377c7bfe4 100644
--- a/cmd/kube-aggregator/pkg/cmd/server/start.go
+++ b/cmd/kube-aggregator/pkg/cmd/server/start.go
@@ -45,10 +45,7 @@ import (
 const defaultEtcdPathPrefix = "/registry/kube-aggregator.kubernetes.io/"
 
 type AggregatorOptions struct {
-	Etcd           *genericoptions.EtcdOptions
-	SecureServing  *genericoptions.SecureServingOptions
-	Authentication *genericoptions.DelegatingAuthenticationOptions
-	Authorization  *genericoptions.DelegatingAuthorizationOptions
+	RecommendedOptions *genericoptions.RecommendedOptions
 
 	// ProxyClientCert/Key are the client cert used to identify this proxy. Backing APIServices use
 	// this to confirm the proxy's identity
@@ -62,18 +59,15 @@ type AggregatorOptions struct {
 // NewCommandStartMaster provides a CLI handler for 'start master' command
 func NewCommandStartAggregator(out, err io.Writer) *cobra.Command {
 	o := &AggregatorOptions{
-		Etcd:           genericoptions.NewEtcdOptions(api.Scheme),
-		SecureServing:  genericoptions.NewSecureServingOptions(),
-		Authentication: genericoptions.NewDelegatingAuthenticationOptions(),
-		Authorization:  genericoptions.NewDelegatingAuthorizationOptions(),
+		RecommendedOptions: genericoptions.NewRecommendedOptions(api.Scheme),
 
 		StdOut: out,
 		StdErr: err,
 	}
-	o.Etcd.StorageConfig.Type = storagebackend.StorageTypeETCD3
-	o.Etcd.StorageConfig.Prefix = defaultEtcdPathPrefix
-	o.Etcd.StorageConfig.Codec = api.Codecs.LegacyCodec(v1alpha1.SchemeGroupVersion)
-	o.SecureServing.ServingOptions.BindPort = 443
+	o.RecommendedOptions.Etcd.StorageConfig.Type = storagebackend.StorageTypeETCD3
+	o.RecommendedOptions.Etcd.StorageConfig.Prefix = defaultEtcdPathPrefix
+	o.RecommendedOptions.Etcd.StorageConfig.Codec = api.Codecs.LegacyCodec(v1alpha1.SchemeGroupVersion)
+	o.RecommendedOptions.SecureServing.ServingOptions.BindPort = 443
 
 	cmd := &cobra.Command{
 		Short: "Launch a API aggregator and proxy server",
@@ -86,10 +80,7 @@ func NewCommandStartAggregator(out, err io.Writer) *cobra.Command {
 	}
 
 	flags := cmd.Flags()
-	o.Etcd.AddFlags(flags)
-	o.SecureServing.AddFlags(flags)
-	o.Authentication.AddFlags(flags)
-	o.Authorization.AddFlags(flags)
+	o.RecommendedOptions.AddFlags(flags)
 	flags.StringVar(&o.ProxyClientCertFile, "proxy-client-cert-file", o.ProxyClientCertFile, "client certificate used identify the proxy to the API server")
 	flags.StringVar(&o.ProxyClientKeyFile, "proxy-client-key-file", o.ProxyClientKeyFile, "client certificate key used identify the proxy to the API server")
 
@@ -106,30 +97,24 @@ func (o *AggregatorOptions) Complete() error {
 
 func (o AggregatorOptions) RunAggregator() error {
 	// TODO have a "real" external address
-	if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost"); err != nil {
+	if err := o.RecommendedOptions.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost"); err != nil {
 		return fmt.Errorf("error creating self-signed certificates: %v", err)
 	}
 
-	genericAPIServerConfig := genericapiserver.NewConfig().
+	serverConfig := genericapiserver.NewConfig().
 		WithSerializer(api.Codecs)
 
-	if err := o.SecureServing.ApplyTo(genericAPIServerConfig); err != nil {
-		return fmt.Errorf("failed to configure https: %s", err)
-	}
-	if err := o.Authentication.ApplyTo(genericAPIServerConfig); err != nil {
+	if err := o.RecommendedOptions.ApplyTo(serverConfig); err != nil {
 		return err
 	}
-	if err := o.Authorization.ApplyTo(genericAPIServerConfig); err != nil {
-		return err
-	}
-	genericAPIServerConfig.LongRunningFunc = filters.BasicLongRunningRequestCheck(
+	serverConfig.LongRunningFunc = filters.BasicLongRunningRequestCheck(
 		sets.NewString("watch", "proxy"),
 		sets.NewString("attach", "exec", "proxy", "log", "portforward"),
 	)
 
 	var err error
 	privilegedLoopbackToken := uuid.NewRandom().String()
-	if genericAPIServerConfig.LoopbackClientConfig, err = genericAPIServerConfig.SecureServingInfo.NewSelfClientConfig(privilegedLoopbackToken); err != nil {
+	if serverConfig.LoopbackClientConfig, err = serverConfig.SecureServingInfo.NewSelfClientConfig(privilegedLoopbackToken); err != nil {
 		return err
 	}
 
@@ -143,8 +128,8 @@ func (o AggregatorOptions) RunAggregator() error {
 	}
 
 	config := apiserver.Config{
-		GenericConfig:       genericAPIServerConfig,
-		RESTOptionsGetter:   &restOptionsFactory{storageConfig: &o.Etcd.StorageConfig},
+		GenericConfig:       serverConfig,
+		RESTOptionsGetter:   &restOptionsFactory{storageConfig: &o.RecommendedOptions.Etcd.StorageConfig},
 		CoreAPIServerClient: coreAPIServerClient,
 	}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
new file mode 100644
index 0000000000..d713450182
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"github.com/spf13/pflag"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/server"
+)
+
+// RecommendedOptions contains the recommended options for running an API server
+// If you add something to this list, it should be in a logical grouping
+type RecommendedOptions struct {
+	Etcd           *EtcdOptions
+	SecureServing  *SecureServingOptions
+	Authentication *DelegatingAuthenticationOptions
+	Authorization  *DelegatingAuthorizationOptions
+}
+
+func NewRecommendedOptions(scheme *runtime.Scheme) *RecommendedOptions {
+	return &RecommendedOptions{
+		Etcd:           NewEtcdOptions(scheme),
+		SecureServing:  NewSecureServingOptions(),
+		Authentication: NewDelegatingAuthenticationOptions(),
+		Authorization:  NewDelegatingAuthorizationOptions(),
+	}
+}
+
+func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet) {
+	o.Etcd.AddFlags(fs)
+	o.SecureServing.AddFlags(fs)
+	o.Authentication.AddFlags(fs)
+	o.Authorization.AddFlags(fs)
+}
+
+func (o *RecommendedOptions) ApplyTo(config *server.Config) error {
+	if err := o.SecureServing.ApplyTo(config); err != nil {
+		return err
+	}
+	if err := o.Authentication.ApplyTo(config); err != nil {
+		return err
+	}
+	if err := o.Authorization.ApplyTo(config); err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/vendor/BUILD b/vendor/BUILD
index 076bf29415..423594fc35 100644
--- a/vendor/BUILD
+++ b/vendor/BUILD
@@ -14093,6 +14093,7 @@ go_library(
         "k8s.io/apiserver/pkg/server/options/authorization.go",
         "k8s.io/apiserver/pkg/server/options/doc.go",
         "k8s.io/apiserver/pkg/server/options/etcd.go",
+        "k8s.io/apiserver/pkg/server/options/recommended.go",
         "k8s.io/apiserver/pkg/server/options/server_run_options.go",
         "k8s.io/apiserver/pkg/server/options/serving.go",
     ],