diff --git a/cmd/milo/apiserver/server.go b/cmd/milo/apiserver/server.go
index 224b1ff8..e76211cf 100644
--- a/cmd/milo/apiserver/server.go
+++ b/cmd/milo/apiserver/server.go
@@ -140,7 +140,23 @@ func NewCommand() *cobra.Command {
 s.Metrics.AddFlags(namedFlagSets.FlagSet("metrics"))
 logsapi.AddFlags(s.Logs, namedFlagSets.FlagSet("logs"))
 s.Traces.AddFlags(namedFlagSets.FlagSet("traces"))
- // Add misc flags for event ttl
+
+ // Add misc flags for event ttl, proxy client certs, etc.
+ miscfs := namedFlagSets.FlagSet("misc")
+ miscfs.DurationVar(&s.EventTTL, "event-ttl", s.EventTTL,
+ "Amount of time to retain events.")
+ miscfs.StringVar(&s.ProxyClientCertFile, "proxy-client-cert-file", s.ProxyClientCertFile,
+ "Client certificate used to prove the identity of the aggregator or kube-apiserver "+
+ "when it must call out during a request. This includes proxying requests to a user "+
+ "api-server and calling out to webhook admission plugins. It is expected that this "+
+ "cert includes a signature from the CA in the --requestheader-client-ca-file flag. "+
+ "That CA is published in the 'extension-apiserver-authentication' configmap in "+
+ "the kube-system namespace. Components receiving calls from kube-aggregator should "+
+ "use that CA to perform their half of the mutual TLS verification.")
+ miscfs.StringVar(&s.ProxyClientKeyFile, "proxy-client-key-file", s.ProxyClientKeyFile,
+ "Private key for the client certificate used to prove the identity of the aggregator or kube-apiserver "+
+ "when it must call out during a request. This includes proxying requests to a user "+
+ "api-server and calling out to webhook admission plugins.")
 verflag.AddFlags(namedFlagSets.FlagSet("global"))
 globalflag.AddGlobalFlags(namedFlagSets.FlagSet("global"), cmd.Name(), logs.SkipLoggingConfigurationFlags())
diff --git a/config/apiserver/deployment.yaml b/config/apiserver/deployment.yaml
index 04f919eb..02e0668a 100644
--- a/config/apiserver/deployment.yaml
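Review bot: The two new flags are only meaningful as a pair, but nothing in this hunk ties them together — setting `proxy-client-cert-file` without `proxy-client-key-file` (or the reverse) would presumably surface only when the aggregator first tries to present the client certificate, not at startup. If the options type has a Validate step (not visible here), a check such as `if (s.ProxyClientCertFile == "") != (s.ProxyClientKeyFile == "") { errs = append(errs, fmt.Errorf("--proxy-client-cert-file and --proxy-client-key-file must be set together")) }` would turn that into a clear startup failure. The help text is also worth extending with one sentence stating what happens when both are left empty, since in that case the calls to extension apiservers and webhooks described here carry no client identity and the receiving side cannot complete the mutual TLS check the description promises. NewCommand continues outside the hunk.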
+++ b/config/apiserver/deployment.yaml
@@ -51,6 +51,8 @@ spec:
 - --audit-webhook-config-file=$(AUDIT_WEBHOOK_CONFIG_FILE)
 - --audit-webhook-mode=$(AUDIT_WEBHOOK_MODE)
 - --audit-webhook-initial-backoff=$(AUDIT_WEBHOOK_INITIAL_BACKOFF)
+ - --proxy-client-cert-file=$(PROXY_CLIENT_CERT_FILE)
+ - --proxy-client-key-file=$(PROXY_CLIENT_KEY_FILE)
 - --feature-sessions=true
 - --sessions-provider-url=$(SESSIONS_PROVIDER_URL)
 - --sessions-provider-ca-file=$(SESSIONS_PROVIDER_CA_FILE)
@@ -112,6 +114,10 @@ spec:
 value: ""
 - name: AUDIT_WEBHOOK_INITIAL_BACKOFF
 value: ""
+ - name: PROXY_CLIENT_CERT_FILE
+ value: ""
+ - name: PROXY_CLIENT_KEY_FILE
+ value: ""
 - name: SESSIONS_PROVIDER_URL
 value: ""
 - name: SESSIONS_PROVIDER_CA_FILE
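Review bot: Both new args are passed unconditionally while PROXY_CLIENT_CERT_FILE and PROXY_CLIENT_KEY_FILE default to "" in the env block added by the second hunk, so every deployment now sends `--proxy-client-cert-file=` and `--proxy-client-key-file=` with empty values; whether the server treats an empty path as "unset" or as a file to open cannot be told from this diff and should be confirmed against the options code before merging. The hunk also adds no volume mount for the certificate and key, so whichever overlay fills these two variables must mount the Secret holding them as well. A comment on the new env entries, e.g. `# container path of the aggregator client cert/key; mount from a Secret and set both or neither`, would make that dependency visible to the next person editing this manifest.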