diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
index 8ac3d73e481cbcd547fb25f7049ca71edd4cf063..3524e11ac27787d4b68836abec91af2afe4b317f 100644
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -58,6 +58,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       local containerVolumeMount = container.volumeMountsType;
       local podSelector = daemonset.mixin.spec.template.spec.selectorType;
       local toleration = daemonset.mixin.spec.template.spec.tolerationsType;
+      local containerEnv = container.envType;
 
       local podLabels = { app: 'node-exporter' };
 
@@ -82,7 +83,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       local nodeExporter =
         container.new('node-exporter', $._config.imageRepos.nodeExporter + ':' + $._config.versions.nodeExporter) +
         container.withArgs([
-          '--web.listen-address=127.0.0.1:9101',
+          '--web.listen-address=127.0.0.1:9100',
           '--path.procfs=/host/proc',
           '--path.sysfs=/host/sys',
 
@@ -96,15 +97,25 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
         container.mixin.resources.withRequests({ cpu: '102m', memory: '180Mi' }) +
         container.mixin.resources.withLimits({ cpu: '102m', memory: '180Mi' });
 
+      local ip = containerEnv.fromFieldPath('IP', 'status.podIP');
       local proxy =
         container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
         container.withArgs([
-          '--secure-listen-address=:9100',
-          '--upstream=http://127.0.0.1:9101/',
+          '--secure-listen-address=$(IP):9100',
+          '--upstream=http://127.0.0.1:9100/',
         ]) +
+        // Keep `hostPort` here, rather than in the node-exporter container
+        // because Kubernetes mandates that if you define a `hostPort` then
+        // `containerPort` must match. In our case, we are splitting the
+        // host port and container port between the two containers.
+        // We'll keep the port specification here so that the named port
+        // used by the service is tied to the proxy container. We *could*
+        // forgo declaring the host port, however it is important to declare
+        // it so that the scheduler can decide if the pod is schedulable.
         container.withPorts(containerPort.new(9100) + containerPort.withHostPort(9100) + containerPort.withName('https')) +
         container.mixin.resources.withRequests({ cpu: '10m', memory: '20Mi' }) +
-        container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' });
+        container.mixin.resources.withLimits({ cpu: '20m', memory: '40Mi' }) +
+        container.withEnv([ip]);
 
       local c = [nodeExporter, proxy];