diff --git a/internal/cmd/server.go b/internal/cmd/server.go
index 6a39bcc24c..7f6a37e2f2 100644
--- a/internal/cmd/server.go
+++ b/internal/cmd/server.go
@@ -161,10 +161,8 @@ func startRunners(ctx context.Context, cfg *config.Server) (err error) {
 
 	// Setup the Extension Manager
 	var extMgr types.Manager
-	if cfg.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes {
-		if extMgr, err = extensionregistry.NewManager(cfg); err != nil {
-			return err
-		}
+	if extMgr, err = extensionregistry.NewManager(cfg, cfg.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes); err != nil {
+		return err
 	}
 
 	runners := []struct {
diff --git a/internal/extension/registry/extension_manager.go b/internal/extension/registry/extension_manager.go
index aa041bd93b..0506e71d59 100644
--- a/internal/extension/registry/extension_manager.go
+++ b/internal/extension/registry/extension_manager.go
@@ -59,10 +59,14 @@ type Manager struct {
 }
 
 // NewManager returns a new Manager
-func NewManager(cfg *config.Server) (extTypes.Manager, error) {
-	cli, err := k8scli.New(k8sclicfg.GetConfigOrDie(), k8scli.Options{Scheme: envoygateway.GetScheme()})
-	if err != nil {
-		return nil, err
+func NewManager(cfg *config.Server, inK8s bool) (extTypes.Manager, error) {
+	var cli k8scli.Client
+	var err error
+	if inK8s {
+		cli, err = k8scli.New(k8sclicfg.GetConfigOrDie(), k8scli.Options{Scheme: envoygateway.GetScheme()})
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	var extension *egv1a1.ExtensionManager
@@ -271,6 +275,9 @@ func setupGRPCOpts(ctx context.Context, client k8scli.Client, ext *egv1a1.Extens
 	if ext.Service == nil {
 		return nil, errors.New("the registered extension doesn't have a service config")
 	}
+	if ext.Service.TLS != nil && client == nil {
+		return nil, errors.New("the registered extension's service config has TLS enabled but no k8s client was provided")
+	}
 
 	var opts []grpc.DialOption
 	if ext.Service.TLS != nil {