diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index 575fad0db84..b63b648d18a 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -117,6 +117,7 @@ contain-pod-resources
 contention-profiling
 controllermanager-arg-overrides
 controller-start-interval
+core-kubeconfig
 cors-allowed-origins
 cpu-cfs-quota
 cpu-percent
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/cmd/server/start.go b/staging/src/k8s.io/kube-aggregator/pkg/cmd/server/start.go
index 0f006d61917..a0a2ded4fc9 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/cmd/server/start.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/cmd/server/start.go
@@ -30,7 +30,8 @@ import (
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	kubeclientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/pkg/api"
-	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/kube-aggregator/pkg/apiserver"
 
 	"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1alpha1"
@@ -46,6 +47,10 @@ type AggregatorOptions struct {
 	ProxyClientCertFile string
 	ProxyClientKeyFile  string
 
+	// CoreAPIKubeconfig is a filename for a kubeconfig file to contact the core API server wtih
+	// If it is not set, the in cluster config is used
+	CoreAPIKubeconfig string
+
 	StdOut io.Writer
 	StdErr io.Writer
 }
@@ -81,7 +86,9 @@ func NewCommandStartAggregator(out, err io.Writer) *cobra.Command {
 	o.RecommendedOptions.AddFlags(flags)
 	flags.StringVar(&o.ProxyClientCertFile, "proxy-client-cert-file", o.ProxyClientCertFile, "client certificate used identify the proxy to the API server")
 	flags.StringVar(&o.ProxyClientKeyFile, "proxy-client-key-file", o.ProxyClientKeyFile, "client certificate key used identify the proxy to the API server")
-
+	flags.StringVar(&o.CoreAPIKubeconfig, "core-kubeconfig", o.CoreAPIKubeconfig, ""+
+		"kubeconfig file pointing at the 'core' kubernetes server with enough rights to get,list,watch "+
+		" services,endpoints.  If not set, the in-cluster config is used")
 	return cmd
 }
 
@@ -110,10 +117,21 @@ func (o AggregatorOptions) RunAggregator() error {
 		sets.NewString("attach", "exec", "proxy", "log", "portforward"),
 	)
 
-	kubeconfig, err := restclient.InClusterConfig()
+	var kubeconfig *rest.Config
+	var err error
+	if len(o.CoreAPIKubeconfig) > 0 {
+		loadingRules := &clientcmd.ClientConfigLoadingRules{ExplicitPath: o.CoreAPIKubeconfig}
+		loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
+
+		kubeconfig, err = loader.ClientConfig()
+
+	} else {
+		kubeconfig, err = rest.InClusterConfig()
+	}
 	if err != nil {
 		return err
 	}
+
 	coreAPIServerClient, err := kubeclientset.NewForConfig(kubeconfig)
 	if err != nil {
 		return err
diff --git a/vendor/BUILD b/vendor/BUILD
index 87a3b14870a..efb39ec3755 100644
--- a/vendor/BUILD
+++ b/vendor/BUILD
@@ -16810,6 +16810,7 @@ go_library(
         "//vendor:k8s.io/client-go/kubernetes",
         "//vendor:k8s.io/client-go/pkg/api",
         "//vendor:k8s.io/client-go/rest",
+        "//vendor:k8s.io/client-go/tools/clientcmd",
         "//vendor:k8s.io/kube-aggregator/pkg/apis/apiregistration/v1alpha1",
         "//vendor:k8s.io/kube-aggregator/pkg/apiserver",
     ],