diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index ccc3850e6..214026fe6 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -131,3 +131,6 @@ bin_dir: /usr/local/bin
 
 ## Set level of detail for etcd exported metrics, specify 'extensive' to include histogram metrics.
 #etcd_metrics: basic
+
+# The read-only port for the Kubelet to serve on with no authentication/authorization. Uncomment to enable.
+# kube_read_only_port: 10255
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 8540aa159..c58fb0f93 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -89,3 +89,6 @@ kube_override_hostname: >-
 
 # cAdvisor port
 kube_cadvisor_port: 0
+
+# The read-only port for the Kubelet to serve on with no authentication/authorization.
+kube_read_only_port: 0
diff --git a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2 b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
index 0846cdb82..68c14c0ce 100644
--- a/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
@@ -31,6 +31,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --cgroup-driver={{ kubelet_cgroup_driver|default(kubelet_cgroup_driver_detected) }} \
 --docker-disable-shared-pid={{ kubelet_disable_shared_pid }} \
 --anonymous-auth=false \
+--read-only-port={{ kube_read_only_port }} \
 {% if kube_version | version_compare('v1.8', '<') %}
 --experimental-fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
 {% else %}
diff --git a/roles/kubernetes/node/templates/kubelet.standard.env.j2 b/roles/kubernetes/node/templates/kubelet.standard.env.j2
index 959769b3a..43dcb9451 100644
--- a/roles/kubernetes/node/templates/kubelet.standard.env.j2
+++ b/roles/kubernetes/node/templates/kubelet.standard.env.j2
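Review bot: The sample comment added at the end of the all.yml hunk invites operators to uncomment `kube_read_only_port: 10255` without saying who can then reach the port. The comment itself states that the port has no authentication or authorization, so I would add a second comment line such as `# Anything that can reach the node on this port can read pod and node information; leave disabled unless a consumer needs it, and firewall it if enabled.`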
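Review bot: The new default `kube_read_only_port: 0` in roles/kubernetes/node/defaults/main.yml does not say that 0 turns the port off. Because both templates now always pass the flag, this value replaces the kubelet's built-in default, which as far as I know was 10255 at the time. Existing clusters would therefore lose the endpoint on the next run. That is the safer posture, but anything still scraping the port will stop working, so it deserves an upgrade note. Suggested comment: `# 0 disables the read-only port (recommended); set a port number only if an unauthenticated consumer still needs it.`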
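Review bot: The added `--read-only-port={{ kube_read_only_port }} \` line in kubelet.kubeadm.env.j2 renders the inventory value unchecked. It sits directly after `--anonymous-auth=false`, which, going by the comment in the role defaults, does not cover this port. An empty or non-numeric override would produce a flag the kubelet presumably rejects at start-up, whereas `--read-only-port={{ kube_read_only_port | int }} \` would fall back to 0 and leave the port off. The same line is added in kubelet.standard.env.j2 and the same applies there. The enclosing argument list starts and ends outside the hunk.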
@@ -20,6 +20,7 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
 --tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
 --tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
 --anonymous-auth=false \
+--read-only-port={{ kube_read_only_port }} \
 {% if kube_version | version_compare('v1.6', '>=') %}
 {# flag got removed with 1.7.0 #}
 {% if kube_version | version_compare('v1.7', '<') %}