diff --git a/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go b/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
index c7ab648cf2..71ebb95f1f 100644
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
@@ -225,6 +225,7 @@ spec:
     - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
     - --bind-address=127.0.0.1
     - --use-service-account-credentials=true
+    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
     image: k8s.gcr.io/kube-controller-manager-amd64:v1.7.4
     livenessProbe:
       failureThreshold: 8
@@ -300,6 +301,7 @@ spec:
         - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
         - --bind-address=127.0.0.1
         - --use-service-account-credentials=true
+        - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
         image: k8s.gcr.io/kube-controller-manager-amd64:v1.7.4
         livenessProbe:
           failureThreshold: 8
diff --git a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
index d685b39fc8..91ffa338ee 100644
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
@@ -202,6 +202,19 @@ func controllerManagerCertificatesVolumeSource() v1.VolumeSource {
 						},
 					},
 				},
+				{
+					Secret: &v1.SecretProjection{
+						LocalObjectReference: v1.LocalObjectReference{
+							Name: kubeadmconstants.FrontProxyCACertAndKeyBaseName,
+						},
+						Items: []v1.KeyToPath{
+							{
+								Key:  v1.TLSCertKey,
+								Path: kubeadmconstants.FrontProxyCACertName,
+							},
+						},
+					},
+				},
 			},
 		},
 	}