diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index df212452688..2668f420d82 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -507,6 +507,13 @@ func BuildGenericConfig(
 			versionedInformers.Core().V1().Services().Lister(),
 		)
 	}
+	// resolve kubernetes.default.svc locally
+	localHost, err := url.Parse(genericConfig.LoopbackClientConfig.Host)
+	if err != nil {
+		lastErr = err
+		return
+	}
+	serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)
 
 	genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, sharedInformers)
 	if err != nil {
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/resolvers.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/resolvers.go
index adeb1f4ee5b..532bc7f6157 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/resolvers.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/resolvers.go
@@ -61,3 +61,23 @@ type aggregatorClusterRouting struct {
 func (r *aggregatorClusterRouting) ResolveEndpoint(namespace, name string) (*url.URL, error) {
 	return proxy.ResolveCluster(r.services, namespace, name)
 }
+
+// NewLoopbackServiceResolver returns a ServiceResolver that routes the kubernetes/default service to loopback.
+func NewLoopbackServiceResolver(delegate ServiceResolver, host *url.URL) ServiceResolver {
+	return &loopbackResolver{
+		delegate: delegate,
+		host:     host,
+	}
+}
+
+type loopbackResolver struct {
+	delegate ServiceResolver
+	host     *url.URL
+}
+
+func (r *loopbackResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) {
+	if namespace == "default" && name == "kubernetes" {
+		return r.host, nil
+	}
+	return r.delegate.ResolveEndpoint(namespace, name)
+}