Is api server serviceIP iptable rule coded by kube-proxy?

[sfc-gh-hyu]

I am trying to understand in the cluster, who is responsible for setting the serviceIP, is it calico or kube-proxy? I am using kubeadm to start a k8s cluster, and deploy the calico by canal.yaml with bpf dataplane disabled.

We have some serviceIP like 10.96.0.13, and apparently I can see from felix logs that it's trying to code the iptable rule. However, I can also see that when cluster is initially provisioned, kube-flannel is trying to talk to API server with ip 10.96.0.1, and it failed with following logs

I1031 04:09:56.318400       1 main.go:211] CLI flags config: {etcdEndpoints:http://127.0.0.1:4001,http://127.0.0.1:2379 etcdPrefix:/coreos.com/network etcdKeyfile: etcdCertfile: etcdCAFile: etcdUsername: etcdPassword: version:false kubeSubnetMgr:true kubeApiUrl: kubeAnnotationPrefix:flannel.alpha.coreos.com kubeConfigFile: iface:[] ifaceRegex:[] ipMasq:true ifaceCanReach: subnetFile:/run/flannel/subnet.env publicIP: publicIPv6: subnetLeaseRenewMargin:60 healthzIP:0.0.0.0 healthzPort:0 iptablesResyncSeconds:5 iptablesForwardRules:true netConfPath:/etc/kube-flannel/net-conf.json setNodeNetworkUnavailable:true}
W1031 04:09:56.321037       1 client_config.go:618] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
E1031 04:10:26.321756       1 main.go:228] Failed to create SubnetManager: error retrieving pod spec for 'kube-system/canal-f99407f9-fg22x': Get "https://10.96.0.1:443/api/v1/namespaces/kube-system/pods/canal-f99407f9-fg22x": dial tcp 10.96.0.1:443: i/o timeout

And then kube-flannel pod is restarted, and then it is able to connect to API server. So it looks to me that in this case, kube-proxy is apparently setting up the iptable rule for api server and 10.96.0.1, and I think calico-node container also needs to talk to API server, but for another cluster serviceIP, like 10.96.0.13, apparently calico-node is setting up the iptable rule. So my question is: is my understanding correct that kube-proxy will only be responsible for setting up 10.96.0.1? If yes, how does calico tell kube-proxy that calico should setup the iptable rule for other services?