kube-apiserver without need-management-kas-access label could still access mgmt KAS

For HOSTEDCP-1062 , components without a label `hypershift.openshift.io/need-management-kas-access: "true"` can not access the management cluster KAS resources. 
But for `kube-apiserver` in HCP, there isn't the targe label `hypershift.openshift.io/need-management-kas-access: "true"` but it can access the mgmt KAS


jiezhao-mac:hypershift jiezhao$ oc get pods -n clusters-jie-test | grep kube-apiserver
kube-apiserver-6799b6cfd8-wk8pv                      3/3     Running   0          178m
jiezhao-mac:hypershift jiezhao$ 
jiezhao-mac:hypershift jiezhao$ oc get pods kube-apiserver-6799b6cfd8-wk8pv -n clusters-jie-test -o yaml | grep hypershift.openshift.io/need-management-kas-access
jiezhao-mac:hypershift jiezhao$ 

jiezhao-mac:hypershift jiezhao$ oc -n clusters-jie-test rsh pod/kube-apiserver-6799b6cfd8-wk8pv curl --connect-timeout 2 -Iks https://10.0.142.255:6443 -v
Defaulted container "apply-bootstrap" out of: apply-bootstrap, kube-apiserver, audit-logs, init-bootstrap (init), wait-for-etcd (init)
* Rebuilt URL to: https://10.0.142.255:6443/
..
< HTTP/2 403 
HTTP/2 403 
...
< 
* Connection #0 to host 10.0.142.255 left intact

refer test case: https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-65141

https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-65141 

router pod has the label and can access mgmt KAS. My expectation is that router pod shouldn't have the label and shouldn't access mgmt KAS.

$ oc get pods router-667cb7f844-lx8mv -n clusters-jie-test -o yaml | grep hypershift.openshift.io/need-management-kas-access
hypershift.openshift.io/need-management-kas-access: "true"
jiezhao-mac:hypershift jiezhao$ oc -n clusters-jie-test rsh pod/router-667cb7f844-lx8mv curl --connect-timeout 2 -Iks 
https://10.0.142.255:6443
-v
Rebuilt URL to: 
https://10.0.142.255:6443/
Trying 10.0.142.255...
...
< HTTP/2 403
HTTP/2 403