I found intresting thing, when i run kube-apiserver without --requestheader-client-ca-file args, then kube-scheduler will failed to start and the error message is kube-system/extension-apiserver-authentication failed with : missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file;
But about requestheader-client-ca-file as doc describe is Note: front-proxy certificates are required only if you run kube-proxy to support an extension API server. in PKI certificates and requirements | Kubernetes
what makes me confused is that why schudler relied on front-proxy certificate ?
If I run apiserver with --requestheader-client-ca-file=/xxxx/kubernetes/front-ca.pem, scheduler then start successfully