Update of k3s metrics port to 4443

NOTE: This has already been done, so no further action is needed, and the information below is only to show what has been done.

Due to port collision, port 10250 could not be used anymore for k3s metrics server, and had to be changed to port 4443. This could be changed in the file /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml with commands

sudo sed -i 's/10250/4443/g' /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml
kubectl -n kube-system rollout status deployment metrics-server

but then the system would change this file back to using port 10250 again after k3s restart.

We have therefore applied a the following solution that allows for using a customized deployment file, while the original deployment file is skipped.

  1. Disable only the stock Deployment

sudo mv /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml \
        /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml.skip

  1. Drop your 4443 Deployment at top level

sudo cp /var/lib/rancher/k3s/server/manifests/metrics-server/metrics-server-deployment.yaml.skip \
        /var/lib/rancher/k3s/server/manifests/metrics-server-deployment-4443.yaml

No need for "sed" since current deployment file (before k3s restart) uses port 4443 and is working well.

  1. Restart (or wait) so the new manifest is applied

sudo systemctl restart k3s

kubectl get svc,deployment -n kube-system | grep metrics-server
kubectl top nodes

Further checks

Deployment container args & ports

kubectl -n kube-system get deploy metrics-server \
  -o jsonpath='{.spec.template.spec.containers[0].args}' | tr ' ' '\n' | grep secure-port
# → --secure-port=4443

kubectl -n kube-system get deploy metrics-server \
  -o jsonpath='{.spec.template.spec.containers[0].ports[0]}' ; echo
# → map shows: "name":"https","containerPort":4443

Both outputs must say 4443.

Service forwards to 4443

kubectl -n kube-system get svc metrics-server \
  -o jsonpath='{.spec.ports[0].port}→{.spec.ports[0].targetPort}{"\n"}'
# Expected: 443→https   (or 443→4443 if you hard-coded it)

# Resolve the named targetPort:
kubectl -n kube-system get ep metrics-server \
  -o jsonpath='{.subsets[0].ports[0].port}{"\n"}'
# → 4443

If endpoints reports 4443, the Service is wired correctly.

End-to-end scrape check

kubectl top nodes   # must return CPU / memory numbers

If this returns data, the API Aggregator → Service → Pod chain is functioning on 4443.

Look for 4443 in logs (extra)

kubectl -n kube-system logs deploy/metrics-server | grep -m1 4443
# Typical line: "Serving securely on 0.0.0.0:4443"
PreviousDuring Resource EnrollmentNextIssues with Raspberry Pi

Last updated