Update of k3s metrics port to 4443
NOTE: This has already been done, so no further action is needed. The information below only documents what was done.
Due to a port collision, port 10250 could no longer be used for the k3s metrics server and had to be changed to port 4443. This could be changed in the file /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml with the commands
sudo sed -i 's/10250/4443/g' /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml
kubectl -n kube-system rollout status deployment metrics-server
but the system would then change this file back to port 10250 after a k3s restart.
We have therefore applied the following solution, which uses a customized deployment file while the original deployment file is skipped.
Disable only the stock Deployment
sudo mv /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml \
/var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml.skip
Drop your 4443 Deployment at top level
sudo cp /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml.skip \
/var/lib/rancher/k3s/server/manifests/metrics-server-deployment-4443.yaml
No "sed" is needed, since the current deployment file (before the k3s restart) already uses port 4443 and is working well.
Restart (or wait) so the new manifest is applied
sudo systemctl restart k3s
kubectl get svc,deployment -n kube-system | grep metrics-server
kubectl top nodes
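The copied manifest can also be checked offline, before k3s is restarted. The script below is an added example, not part of the original procedure: check_metrics_port and write_sample are hypothetical helper names, and the manifest it writes is a constructed fragment, not the real k3s file. On the server, the file to check would be /var/lib/rancher/k3s/server/manifests/metrics-server-deployment-4443.yaml.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# check_metrics_port FILE PORT (hypothetical helper): returns 0 only if the
# --secure-port argument and the containerPort in FILE both equal PORT and
# the old port 10250 no longer appears anywhere in the file.
check_metrics_port() {
    file=$1
    want=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # First --secure-port=N container argument.
    arg=$(sed -n 's/.*--secure-port=\([0-9][0-9]*\).*/\1/p' "$file" | head -n 1)
    # First containerPort: N field.
    cport=$(sed -n 's/.*containerPort:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$file" | head -n 1)
    rc=0
    [ "$arg" = "$want" ] || { echo "secure-port is '$arg', want $want" >&2; rc=1; }
    [ "$cport" = "$want" ] || { echo "containerPort is '$cport', want $want" >&2; rc=1; }
    # The page's sed replaces every 10250, so a leftover means a stale copy.
    if grep -q '10250' "$file"; then
        echo "old port 10250 still present in $file" >&2
        rc=1
    fi
    return "$rc"
}

# write_sample FILE SECURE_PORT CONTAINER_PORT (hypothetical helper): writes a
# constructed manifest fragment for the demo; it is not the real k3s file.
write_sample() {
    cat > "$1" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
spec:
  template:
    spec:
      containers:
      - name: metrics-server
        args:
        - --cert-dir=/tmp
        - --secure-port=$2
        ports:
        - containerPort: $3
          name: https
EOF
}

demo=$(mktemp)
write_sample "$demo" 4443 4443
check_metrics_port "$demo" 4443 && echo "manifest is consistent on 4443"
rm -f "$demo"
```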
Further checks
Deployment container args & ports
# args[*] prints the arguments space-separated, so tr can put one on each line
kubectl -n kube-system get deploy metrics-server \
-o jsonpath='{.spec.template.spec.containers[0].args[*]}' | tr ' ' '\n' | grep secure-port
# → --secure-port=4443
kubectl -n kube-system get deploy metrics-server \
-o jsonpath='{.spec.template.spec.containers[0].ports[0]}' ; echo
# → map shows: "name":"https","containerPort":4443
Both outputs must say 4443.
Service forwards to 4443
kubectl -n kube-system get svc metrics-server \
-o jsonpath='{.spec.ports[0].port}→{.spec.ports[0].targetPort}{"\n"}'
# Expected: 443→https (or 443→4443 if you hard-coded it)
# Resolve the named targetPort:
kubectl -n kube-system get ep metrics-server \
-o jsonpath='{.subsets[0].ports[0].port}{"\n"}'
# → 4443
If endpoints reports 4443, the Service is wired correctly.
End-to-end scrape check
kubectl top nodes # must return CPU / memory numbers
If this returns data, the API Aggregator → Service → Pod chain is functioning on 4443.
Look for 4443 in logs (extra)
kubectl -n kube-system logs deploy/metrics-server | grep -m1 4443
# Typical line: "Serving securely on 0.0.0.0:4443"