diff --git a/kubernetes/files/calico/network-environment.pool b/kubernetes/files/calico/network-environment.pool
index c834b3f..5607e65 100644
--- a/kubernetes/files/calico/network-environment.pool
+++ b/kubernetes/files/calico/network-environment.pool
@@ -4,7 +4,7 @@
 DEFAULT_IPV4={{ pool.address }}
 
 # The Kubernetes master IP
-KUBERNETES_MASTER={{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}
+KUBERNETES_MASTER={{ pool.apiserver.host }}:{{ pool.apiserver.secure_port }}
 
 # IP and port of etcd instance used by Calico
 ETCD_ENDPOINTS={% for member in pool.network.etcd.members %}http://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}
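Review bot: `{{ pool.apiserver.secure_port }}` on the `KUBERNETES_MASTER` line has no fallback, so a pillar that still sets only the old `port` key, or neither key, would presumably render `host:` with an empty port, where the removed line fell back to 443. The same unguarded lookup of `secure_port` or `insecure_port` recurs in the kubeconfig templates, kube-apiserver.manifest, kube-proxy.manifest.pool, controller.sls, setup.sls and collectd.yml hunks of this patch. Unless map.jinja (not visible here) now supplies these defaults, keep a fallback such as `{{ pool.apiserver.get('secure_port', pool.apiserver.get('port', '443')) }}`, or fail the render explicitly when the key is missing. An empty port in a kubeconfig or an API server flag is harder to diagnose than a render error.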
diff --git a/kubernetes/files/kube-addons/netchecker/netchecker-server.yml b/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
index 81acb95..6cfac36 100644
--- a/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
+++ b/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
@@ -1,4 +1,5 @@
-{%- from "kubernetes/map.jinja" import common with context -%}
+{%- from "kubernetes/map.jinja" import master with context %}
+{%- from "kubernetes/map.jinja" import common with context %}
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -29,5 +30,19 @@
           args:
             - "-v=5"
             - "-logtostderr"
-            - "-kubeproxyinit"
+            - "-kubeproxyinit=false"
             - "-endpoint=0.0.0.0:{{ common.addons.netchecker.port }}"
+            - "-etcd-endpoints={% for member in master.etcd.members %}https://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}"
+{%- if master.etcd.get('ssl', {}).get('enabled') %}
+            - "-etcd-key=/var/lib/etcd/etcd-client.key"
+            - "-etcd-cert=/var/lib/etcd/etcd-client.pem"
+            - "-etcd-ca=/var/lib/etcd/ca.pem"
+{%- endif %}
+          volumeMounts:
+          - mountPath: /var/lib/etcd/
+            name: etcd-certs
+            readOnly: true
+      volumes:
+      - hostPath:
+          path: /var/lib/etcd
+        name: etcd-certs
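Review bot: The `-etcd-endpoints` argument hard-codes `https://` and port 4001, while the `-etcd-key`, `-etcd-cert` and `-etcd-ca` flags are only emitted when `master.etcd.ssl.enabled` is set, so with SSL disabled the server is pointed at TLS endpoints without any client credentials. Derive the scheme from the same condition, for example `{%- set etcd_scheme = 'https' if master.etcd.get('ssl', {}).get('enabled') else 'http' %}`, and take the port from the member entry if the pillar carries one, as the Calico template does with `member.port`. The `etcd-certs` volume also mounts the whole host directory `/var/lib/etcd` into the pod unconditionally. It is read-only, but it still hands the netchecker container the etcd client key and anything else stored under that path, possibly etcd's own data if that is the data directory on these hosts. Wrap `volumeMounts` and `volumes` in the same `if`, and narrow the mount to a directory that holds only the three certificate files.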
diff --git a/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig b/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
index d65c770..9ec6761 100644
--- a/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
+++ b/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
@@ -8,7 +8,7 @@
 clusters:
 - cluster:
     certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
-    server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}
+    server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.secure_port }}
   name: {{ common.cluster_name }}
 contexts:
 - context:
diff --git a/kubernetes/files/kube-proxy/proxy.kubeconfig b/kubernetes/files/kube-proxy/proxy.kubeconfig
index 773c177..307daf8 100644
--- a/kubernetes/files/kube-proxy/proxy.kubeconfig
+++ b/kubernetes/files/kube-proxy/proxy.kubeconfig
@@ -8,7 +8,7 @@
 clusters:
 - cluster:
     certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
-    server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}
+    server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.secure_port }}
   name: {{ common.cluster_name }}
 contexts:
 - context:
diff --git a/kubernetes/files/kube-scheduler/scheduler.kubeconfig b/kubernetes/files/kube-scheduler/scheduler.kubeconfig
index 26ba1de..8a87e39 100644
--- a/kubernetes/files/kube-scheduler/scheduler.kubeconfig
+++ b/kubernetes/files/kube-scheduler/scheduler.kubeconfig
@@ -7,7 +7,7 @@
 clusters:
 - cluster:
     certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
-    server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.port|default('443') }}
+    server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.secure_port }}
   name: {{ common.cluster_name }}
 contexts:
 - context:
diff --git a/kubernetes/files/kubelet/kubelet.kubeconfig.master b/kubernetes/files/kubelet/kubelet.kubeconfig.master
index 7cd76dc..3c70ded 100644
--- a/kubernetes/files/kubelet/kubelet.kubeconfig.master
+++ b/kubernetes/files/kubelet/kubelet.kubeconfig.master
@@ -7,7 +7,7 @@
 clusters:
 - cluster:
     certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
-    server: https://{{ master.apiserver.address }}:{{ master.apiserver.get('secure_port', '443') }}
+    server: https://{{ master.apiserver.address }}:{{ master.apiserver.secure_port }}
   name: {{ common.cluster_name }}
 contexts:
 - context:
diff --git a/kubernetes/files/kubelet/kubelet.kubeconfig.pool b/kubernetes/files/kubelet/kubelet.kubeconfig.pool
index 37ce67e..3228ea6 100644
--- a/kubernetes/files/kubelet/kubelet.kubeconfig.pool
+++ b/kubernetes/files/kubelet/kubelet.kubeconfig.pool
@@ -7,7 +7,7 @@
 clusters:
 - cluster:
     certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
-    server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}
+    server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.secure_port }}
   name: {{ common.cluster_name }}
 contexts:
 - context:
diff --git a/kubernetes/files/manifest/kube-apiserver.manifest b/kubernetes/files/manifest/kube-apiserver.manifest
index 353cea1..b363766 100644
--- a/kubernetes/files/manifest/kube-apiserver.manifest
+++ b/kubernetes/files/manifest/kube-apiserver.manifest
@@ -24,7 +24,7 @@
       --basic-auth-file=/srv/kubernetes/basic_auth.csv
       --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
       --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
-      --secure-port={{ master.apiserver.get('secure_port', '443') }}
+      --secure-port={{ master.apiserver.secure_port }}
       --bind-address={{ master.apiserver.address }}
       --token-auth-file=/srv/kubernetes/known_tokens.csv
       --apiserver-count={{ master.apiserver.get('count', 1) }}
@@ -43,17 +43,17 @@
       httpGet:
         host: 127.0.0.1
         path: /healthz
-        port: {{ master.apiserver.get('insecure_port', '8080') }}
+        port: {{ master.apiserver.insecure_port }}
         scheme: HTTP
       initialDelaySeconds: 15
       timeoutSeconds: 15
     ports:
-    - containerPort: {{ master.apiserver.get('secure_port', '443') }}
-      hostPort: {{ master.apiserver.get('secure_port', '443') }}
+    - containerPort: {{ master.apiserver.secure_port }}
+      hostPort: {{ master.apiserver.secure_port }}
       name: https
       protocol: TCP
-    - containerPort: {{ master.apiserver.get('insecure_port', '8080') }}
-      hostPort: {{ master.apiserver.get('insecure_port', '8080') }}
+    - containerPort: {{ master.apiserver.insecure_port }}
+      hostPort: {{ master.apiserver.insecure_port }}
       name: local
       protocol: TCP
     resources:
diff --git a/kubernetes/files/manifest/kube-proxy.manifest.pool b/kubernetes/files/manifest/kube-proxy.manifest.pool
index 7044c7c..2fb1118 100644
--- a/kubernetes/files/manifest/kube-proxy.manifest.pool
+++ b/kubernetes/files/manifest/kube-proxy.manifest.pool
@@ -19,7 +19,8 @@
       --logtostderr=true
       --v={{ pool.get('verbosity', 2) }}
       --kubeconfig=/etc/kubernetes/proxy.kubeconfig
-      --master={%- if pool.apiserver.insecure.enabled %}http://{{ pool.apiserver.host }}:8080{%- else %}https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}{%- endif %}
+      --master={%- if pool.apiserver.insecure.enabled %}http://{{
+pool.apiserver.host }}:{{ pool.apiserver.insecure_port }}{%- else %}https://{{ pool.apiserver.host }}:{{ pool.apiserver.secure_port }}{%- endif %}
 {%- if pool.network.engine == 'calico' %}
       --proxy-mode=iptables
 {%- endif %}
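Review bot: The new `--master=` value is wrapped in the middle of a `{{ … }}` expression, with the continuation starting at column 0 on the next line. Jinja tolerates a newline inside the expression, but it reads like an accidental wrap and is easy to break on the next edit. Keep each expression's delimiters on one line, or compute the URL first with a `{%- set master_url = … %}` and emit `--master={{ master_url }}`. The `insecure.enabled` branch, which the metadata defaults in this patch leave at `True`, sends kube-proxy's API traffic over plain HTTP to `pool.apiserver.host`; that predates this change, but a comment stating when that branch is acceptable would be worth adding now that the port is configurable.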
diff --git a/kubernetes/files/opencontrail/4.0/contrail-kubernetes.conf b/kubernetes/files/opencontrail/4.0/contrail-kubernetes.conf
index 16a68d5..14aafbe 100644
--- a/kubernetes/files/opencontrail/4.0/contrail-kubernetes.conf
+++ b/kubernetes/files/opencontrail/4.0/contrail-kubernetes.conf
@@ -2,7 +2,7 @@
 [KUBERNETES]
 kubernetes_api_server={{ master.apiserver.insecure_address }}
 kubernetes_api_port={{ master.apiserver.insecure_port }}
-kubernetes_api_secure_port=443
+kubernetes_api_secure_port={{ master.apiserver.secure_port }}
 service_subnets={{ master.network.get('service_subnets', '10.96.0.0/12') }}
 pod_subnets={{ master.network.get('pod_subnets', '10.32.0.0/12') }}
 cluster_name={{ master.network.get('cluster_name', 'default') }}
@@ -56,4 +56,4 @@
 auth_token_url={{ master.network.identity.get('auth_token_url', None) }}
 auth_user={{ master.network.identity.get('auth_user', 'admin') }}
 auth_password={{ master.network.identity.get('auth_token_url', 'admin') }}
-auth_tenant={{ master.network.identity.get('auth_token_url', 'admin') }}
\ No newline at end of file
+auth_tenant={{ master.network.identity.get('auth_token_url', 'admin') }}
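Review bot: The re-added `auth_tenant` line still reads the `auth_token_url` key, and the `auth_password` line above it does the same, so both settings render the token URL (or the literal `admin`) instead of a tenant and a password. Each should read its own pillar key, presumably `auth_tenant` and `auth_password`, to be confirmed against the pillar schema. The password should also have no built-in `admin` fallback, so that a missing value fails visibly instead of deploying a default credential.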
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index d15ab32..3ecab62 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -86,8 +86,8 @@
         --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
         --etcd-quorum-read=true
         --insecure-bind-address={{ master.apiserver.insecure_address }}
-        --insecure-port={{ master.apiserver.get('insecure_port', '8080') }}
-        --secure-port={{ master.apiserver.get('secure_port', '443') }}
+        --insecure-port={{ master.apiserver.insecure_port }}
+        --secure-port={{ master.apiserver.secure_port }}
         --service-cluster-ip-range={{ master.service_addresses }}
         --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
         --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
@@ -186,7 +186,11 @@
   file.managed:
     - source: salt://{{ master.get('cert_source','_certs/kubernetes') }}/{{ filename }}
     - user: root
+    {%- if pillar.get('haproxy', {}).get('proxy', {}).get('enabled') %}
     - group: haproxy
+    {%- else %}
+    - group: root
+    {%- endif %}
     - mode: 640
     - watch_in:
       - service: master_services
diff --git a/kubernetes/master/setup.sls b/kubernetes/master/setup.sls
index 7c852ec..82af347 100644
--- a/kubernetes/master/setup.sls
+++ b/kubernetes/master/setup.sls
@@ -64,7 +64,7 @@
     - name: {{ label.key }}
     - value: {{ label.value }}
     - node: {{ label.node }}
-    - apiserver: http://{{ master.apiserver.insecure_address }}:{{ master.apiserver.get('insecure_port', '8080') }}
+    - apiserver: http://{{ master.apiserver.insecure_address }}:{{ master.apiserver.insecure_port }}
     {%- if grains.get('noservices') %}
     - onlyif: /bin/false
     {%- endif %}
@@ -75,7 +75,7 @@
   k8s.label_absent:
     - name: {{ label.key }}
     - node: {{ label.node }}
-    - apiserver: http://{{ master.apiserver.insecure_address }}:{{ master.apiserver.get('insecure_port', '8080') }}
+    - apiserver: http://{{ master.apiserver.insecure_address }}:{{ master.apiserver.insecure_port }}
     {%- if grains.get('noservices') %}
     - onlyif: /bin/false
     {%- endif %}
diff --git a/kubernetes/meta/collectd.yml b/kubernetes/meta/collectd.yml
index 38baf4f..50ebbe9 100644
--- a/kubernetes/meta/collectd.yml
+++ b/kubernetes/meta/collectd.yml
@@ -31,7 +31,7 @@
      apiserver:
        expected_code: 200
        expected_content: ok
-       url: http://{{ master.apiserver.insecure_address }}:{{ master.apiserver.get('insecure_port', '8080') }}/healthz
+       url: http://{{ master.apiserver.insecure_address }}:{{ master.apiserver.insecure_port }}/healthz
        metric_name: k8s_service_health
      scheduler:
        expected_code: 200
@@ -101,7 +101,7 @@
        verify: false
        client_cert: /etc/kubernetes/ssl/kubelet-client.crt
        client_key: /etc/kubernetes/ssl/kubelet-client.key
-       url: https://{{ pool.apiserver.host }}:{{ pool.apiserver.port|default('443') }}/healthz
+       url: https://{{ pool.apiserver.host }}:{{ pool.apiserver.secure_port }}/healthz
        metric_name: k8s_service_health_vip
   collectd_k8s_get:
    plugin: python
@@ -111,5 +111,5 @@
    verify: false
    client_cert: /etc/kubernetes/ssl/kubelet-client.crt
    client_key: /etc/kubernetes/ssl/kubelet-client.key
-   endpoint: https://{{ pool.apiserver.host }}:{{ pool.apiserver.port|default('443') }}
+   endpoint: https://{{ pool.apiserver.host }}:{{ pool.apiserver.secure_port }}
 {%- endif %}
diff --git a/kubernetes/meta/prometheus.yml b/kubernetes/meta/prometheus.yml
index a8f71cc..df0ee76 100644
--- a/kubernetes/meta/prometheus.yml
+++ b/kubernetes/meta/prometheus.yml
@@ -11,6 +11,11 @@
 server:
 {%- if network.get('engine', '') == 'calico' and network.get('prometheus', {}).get('enabled', False) %}
   target:
+    kubernetes:
+      enabled: true
+      api_ip: ${_param:kubernetes_control_address}
+      cert_name: prometheus-server.crt
+      key_name: prometheus-server.key
     static:
       calico:
         endpoint:
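Review bot: The new `kubernetes` target sits inside the `{%- if network.get('engine', '') == 'calico' and network.get('prometheus', {}).get('enabled', False) %}` block, so Kubernetes API discovery is only emitted when Calico's Prometheus endpoint is enabled. If that coupling is not intended, give the target its own condition; the block's `endif` lies outside this hunk. `api_ip: ${_param:kubernetes_control_address}` uses reclass interpolation while the surrounding file is Jinja, so confirm this file is actually passed through reclass, otherwise the literal string ends up as the address. A one-line comment saying where `prometheus-server.crt` and `prometheus-server.key` are provisioned would also help, since none of the visible hunks creates them.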
diff --git a/metadata/service/common.yml b/metadata/service/common.yml
index 02c41fe..8b1052c 100644
--- a/metadata/service/common.yml
+++ b/metadata/service/common.yml
@@ -25,14 +25,14 @@
           enabled: False
         helm:
           enabled: False
-          tiller_image: gcr.io/kubernetes-helm/tiller:v2.3.0
+          tiller_image: gcr.io/kubernetes-helm/tiller:v2.4.2
         netchecker:
           enabled: False
           interval: 60
           namespace: netchecker
           port: 80
-          agent_image: mirantis/k8s-netchecker-agent:v1.1.0
-          server_image: mirantis/k8s-netchecker-server:v1.1.0
+          agent_image: mirantis/k8s-netchecker-agent:stable
+          server_image: mirantis/k8s-netchecker-server:stable
         calico_policy:
           enabled: False
           image: calico/kube-policy-controller:v0.5.4
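Review bot: `agent_image` and `server_image` move from the pinned `v1.1.0` tag to the mutable `stable` tag, so the image a node pulls can change without any change to this repository. The server arguments added in netchecker-server.yml (`-kubeproxyinit=false`, `-etcd-endpoints`, the `-etcd-*` certificate flags) then depend on whatever `stable` points to at pull time. Pin both images to the release tag that introduced those flags, as `tiller_image` in the same hunk does with `v2.4.2`, or pin by digest in the form `image@sha256:<digest>`.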
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 5133b5d..61464f7 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -49,7 +49,7 @@
           enabled: False
         helm:
           enabled: False
-          tiller_image: gcr.io/kubernetes-helm/tiller:v2.3.0
+          tiller_image: gcr.io/kubernetes-helm/tiller:v2.4.2
         calico_policy:
           enabled: False
           image: calico/kube-policy-controller:v0.5.4
diff --git a/metadata/service/pool/cluster.yml b/metadata/service/pool/cluster.yml
index 26122f0..b529623 100644
--- a/metadata/service/pool/cluster.yml
+++ b/metadata/service/pool/cluster.yml
@@ -13,9 +13,10 @@
         name: ${linux:system:name}
       apiserver:
         host: ${_param:cluster_vip_address}
-        port: 443
+        secure_port: 443
         insecure:
           enabled: True
+        insecure_port: 8080
         members:
            - host: ${_param:cluster_vip_address}
 # Temporary disabled until kubelet HA would be fixed
diff --git a/metadata/service/pool/single.yml b/metadata/service/pool/single.yml
index 4e7a736..0d4085b 100644
--- a/metadata/service/pool/single.yml
+++ b/metadata/service/pool/single.yml
@@ -13,15 +13,16 @@
         name: ${linux:system:name}
       apiserver:
         host: ${_param:master_address}
-        port: 443
+        secure_port: 443
         insecure:
           enabled: True
+        insecure_port: 8080
         members:
           - host: ${_param:master_address}
       address: 0.0.0.0
       cluster_dns: 10.254.0.10
       allow_privileged: True
-      cluster_domain: ${param:kubernetes_cluster_domain}
+      cluster_domain: ${_param:kubernetes_cluster_domain}
       kubelet:
         config: /etc/kubernetes/manifests
         allow_privileged: True
diff --git a/tests/pillar/pool_cluster.sls b/tests/pillar/pool_cluster.sls
index 34e62d5..b9e7840 100644
--- a/tests/pillar/pool_cluster.sls
+++ b/tests/pillar/pool_cluster.sls
@@ -29,8 +29,10 @@
       name: ${linux:system:name}
     apiserver:
       host: 127.0.0.1
+      secure_port: 443
       insecure:
         enabled: True
+      insecure_port: 8080
       members:
         - host: 127.0.0.1
         - host: 127.0.0.1
diff --git a/tests/pillar/pool_contrail4_0.sls b/tests/pillar/pool_contrail4_0.sls
index 0426faf..ea4426a 100644
--- a/tests/pillar/pool_contrail4_0.sls
+++ b/tests/pillar/pool_contrail4_0.sls
@@ -29,8 +29,10 @@
       name: ${linux:system:name}
     apiserver:
       host: 127.0.0.1
+      secure_port: 443
       insecure:
         enabled: True
+      insecure_port: 8080
       members:
         - host: 127.0.0.1
         - host: 127.0.0.1
