diff --git a/metropolis/node/BUILD.bazel b/metropolis/node/BUILD.bazel
index f75dd2a..1ace829 100644
--- a/metropolis/node/BUILD.bazel
+++ b/metropolis/node/BUILD.bazel
@@ -14,7 +14,10 @@
         "ports.go",
     ],
     importpath = "source.monogon.dev/metropolis/node",
-    visibility = ["//metropolis:__subpackages__"],
+    visibility = [
+        "//metropolis:__subpackages__",
+        "@io_k8s_kubernetes//pkg/registry:__subpackages__",
+    ],
     deps = ["@com_github_vishvananda_netlink//:netlink"],
 )
 
diff --git a/metropolis/node/kubernetes/apiserver.go b/metropolis/node/kubernetes/apiserver.go
index aeaa80e..9c4132d 100644
--- a/metropolis/node/kubernetes/apiserver.go
+++ b/metropolis/node/kubernetes/apiserver.go
@@ -120,6 +120,8 @@
 			pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.serviceAccountPrivKey})),
 		"--service-account-issuer", "https://metropolis.internal", // TODO: Figure out federation
 		fmt.Sprintf("--service-cluster-ip-range=%v", s.ServiceIPRange.String()),
+		// We use a patch for the allocator that prevents usage of system ports.
+		fmt.Sprintf("--service-node-port-range=1-65535"),
 		args.FileOpt("--tls-cert-file", "server-cert.pem",
 			pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.serverCert})),
 		args.FileOpt("--tls-private-key-file", "server-key.pem",
diff --git a/metropolis/node/ports.go b/metropolis/node/ports.go
index 50e9e9a..afa4b1a 100644
--- a/metropolis/node/ports.go
+++ b/metropolis/node/ports.go
@@ -16,7 +16,9 @@
 
 package node
 
-import "strconv"
+import (
+	"strconv"
+)
 
 // Port is a TCP and/or UDP port number reserved for and used by Metropolis
 // node code.
@@ -60,6 +62,20 @@
 	DebuggerPort Port = 2345
 )
 
+var SystemPorts = []Port{
+	CuratorServicePort,
+	ConsensusPort,
+	DebugServicePort,
+	WireGuardPort,
+	NodeManagement,
+	MetricsPort,
+	MetricsNodeListenerPort,
+	KubernetesAPIPort,
+	KubernetesAPIWrappedPort,
+	KubernetesWorkerLocalAPIPort,
+	DebuggerPort,
+}
+
 func (p Port) String() string {
 	switch p {
 	case CuratorServicePort:
diff --git a/third_party/go/patches/k8s-reserve-metropolis-ports.patch b/third_party/go/patches/k8s-reserve-metropolis-ports.patch
new file mode 100644
index 0000000..7586b10
--- /dev/null
+++ b/third_party/go/patches/k8s-reserve-metropolis-ports.patch
@@ -0,0 +1,24 @@
+diff --git a/pkg/registry/core/service/portallocator/allocator.go b/pkg/registry/core/service/portallocator/allocator.go
+--- a/pkg/registry/core/service/portallocator/allocator.go	(revision f66044f4361b9f1f96f0053dd46cb7dce5e990a8)
++++ b/pkg/registry/core/service/portallocator/allocator.go	(revision f42349f2a3ed203fc06462b9f28e90c0b857cb42)
+@@ -25,6 +25,7 @@
+ 	"k8s.io/kubernetes/pkg/registry/core/service/allocator"
+
+ 	"k8s.io/klog/v2"
++	"source.monogon.dev/metropolis/node"
+ )
+
+ // Interface manages the allocation of ports out of a range. Interface
+@@ -70,6 +71,12 @@
+ 	}
+ 	var err error
+ 	a.alloc, err = allocatorFactory(max, rangeSpec)
++
++	for _, p := range node.SystemPorts {
++		// We ignore errors as these could only happen if the port we try to
++		// allocate is out of range, which we dont really care about.
++		_, _ = a.alloc.Allocate(int(p))
++	}
+ 	return a, err
+ }
+
diff --git a/third_party/go/repositories.bzl b/third_party/go/repositories.bzl
index f9c52c6..8b55efe 100644
--- a/third_party/go/repositories.bzl
+++ b/third_party/go/repositories.bzl
@@ -6525,6 +6525,7 @@
             "//third_party/go/patches:k8s-fix-logs-path.patch",
             "//third_party/go/patches:k8s-drop-legacy-log-path.patch",
             "//third_party/go/patches:k8s-jose-semver-fix.patch",
+            "//third_party/go/patches:k8s-reserve-metropolis-ports.patch",
         ],
         sum = "h1:AyjtHzSysliKR04Km91njmk2yaKmOa3ZISQZCIGUnVI=",
         version = "v1.24.2",