diff --git a/pkg/master/master.go b/pkg/master/master.go
index 7d0a90d9270..02c39c5143f 100644
--- a/pkg/master/master.go
+++ b/pkg/master/master.go
@@ -99,7 +99,7 @@ type Config struct {
 // Defaults to 7080 if not set.
 ReadOnlyPort int
 // The port on PublicAddress where a read-write server will be installed.
- // Defaults to 443 if not set.
+ // Defaults to 6443 if not set.
 ReadWritePort int
 // If nil, the first result from net.InterfaceAddrs will be used.
@@ -187,12 +187,12 @@ func setDefaults(c *Config) {
 if c.ReadOnlyPort == 0 {
 c.ReadOnlyPort = 7080
 }
+ if c.ReadWritePort == 0 {
+ c.ReadWritePort = 6443
+ }
 if c.CacheTimeout == 0 {
 c.CacheTimeout = 5 * time.Second
 }
- if c.ReadWritePort == 0 {
- c.ReadWritePort = 443
- }
 for c.PublicAddress == nil {
 // Find and use the first non-loopback address.
 // TODO: potentially it'd be useful to skip the docker interface if it
@@ -483,7 +483,7 @@ func (m *Master) init(c *Config) {
 func (m *Master) InstallSwaggerAPI() {
 // Enable swagger UI and discovery API
 swaggerConfig := swagger.Config{
- WebServicesUrl: net.JoinHostPort(m.publicIP.String(), strconv.Itoa(int(m.publicReadWritePort))),
+ WebServicesUrl: net.JoinHostPort(m.publicIP.String(), strconv.Itoa(m.publicReadWritePort)),
 WebServices: m.handlerContainer.RegisteredWebServices(),
 // TODO: Parameterize the path?
 ApiPath: "/swaggerapi/",
diff --git a/pkg/master/server/server.go b/pkg/master/server/server.go
index c7a0529b23c..a1d4ca3b3b3 100644
--- a/pkg/master/server/server.go
+++ b/pkg/master/server/server.go
@@ -45,7 +45,7 @@ import (
 // APIServer runs a kubernetes api server.
 type APIServer struct {
- Port int
+ WideOpenPort int
 Address util.IP
 PublicAddressOverride util.IP
 ReadOnlyPort int
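Review bot: In the setDefaults hunk a zero `ReadWritePort` is now silently replaced by 6443, and the Run hunk in pkg/master/server/server.go passes `ReadWritePort: s.SecurePort`, where 0 is the very value Run tests (`if s.SecurePort != 0`) to decide whether a secure location exists at all. With secure serving turned off the master would therefore still carry 6443 as its read-write port, and InstallSwaggerAPI builds `WebServicesUrl` from what appears to be that value, so it would name a port with no listener behind it. Either reject or log that combination in Run, or record the limitation on the Config field: `// Defaults to 6443 if not set; zero cannot be used to mean "no read-write server".` setDefaults starts and ends outside the hunk.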
@@ -78,13 +78,13 @@ type APIServer struct {
 // NewAPIServer creates a new APIServer object with default parameters
 func NewAPIServer() *APIServer {
 s := APIServer{
- Port: 8080,
+ WideOpenPort: 8080,
 Address: util.IP(net.ParseIP("127.0.0.1")),
 PublicAddressOverride: util.IP(net.ParseIP("")),
 ReadOnlyPort: 7080,
 APIRate: 10.0,
 APIBurst: 200,
- SecurePort: 8443,
+ SecurePort: 6443,
 APIPrefix: "/api",
 EventTTL: 48 * time.Hour,
 AuthorizationMode: "AlwaysAllow",
@@ -122,7 +122,7 @@ func NewHyperkubeServer() *hyperkube.Server {
 func (s *APIServer) AddFlags(fs *pflag.FlagSet) {
 // Note: the weird ""+ in below lines seems to be the only way to get gofmt to
 // arrange these text blocks sensibly. Grrr.
- fs.IntVar(&s.Port, "port", s.Port, ""+
+ fs.IntVar(&s.WideOpenPort, "port", s.WideOpenPort, ""+
 "The port to listen on. Default 8080. It is assumed that firewall rules are "+
 "set up such that this port is not reachable from outside of the cluster. It is "+
 "further assumed that port 443 on the cluster's public address is proxied to this "+
@@ -209,7 +209,7 @@ func (s *APIServer) Run(_ []string) error {
 // TODO: expose same flags as client.BindClientConfigFlags but for a server
 clientConfig := &client.Config{
- Host: net.JoinHostPort(s.Address.String(), strconv.Itoa(int(s.Port))),
+ Host: net.JoinHostPort(s.Address.String(), strconv.Itoa(s.WideOpenPort)),
 Version: s.StorageVersion,
 }
 client, err := client.New(clientConfig)
@@ -251,7 +251,7 @@ func (s *APIServer) Run(_ []string) error {
 APIPrefix: s.APIPrefix,
 CorsAllowedOriginList: s.CorsAllowedOriginList,
 ReadOnlyPort: s.ReadOnlyPort,
- ReadWritePort: s.Port,
+ ReadWritePort: s.SecurePort,
 PublicAddress: net.IP(s.PublicAddressOverride),
 Authenticator: authenticator,
 Authorizer: authorizer,
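Review bot: The help text for the `port` flag in the AddFlags hunk is left as it was and is now out of step with the rest of the commit: it still opens with `"The port to listen on."` and assumes that port 443 on the public address is proxied to this port, while the read-write port handed to the master is now `s.SecurePort`, 6443 by default. Since the field has been renamed to WideOpenPort, the flag text should say what that means, for example opening with `"The port on which to serve unsecured access. Default 8080. It is assumed that firewall rules are "+` and dropping or rewording the 443 sentence. Whether requests on this port skip authentication and authorization is not visible in the hunk and should be confirmed before the wording is final. The flag string continues past the end of the hunk.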
@@ -261,16 +261,16 @@ func (s *APIServer) Run(_ []string) error {
 }
 m := master.New(config)
- // We serve on 3 ports. See docs/reaching_the_api.md
+ // We serve on 3 ports. See docs/accessing_the_api.md
 roLocation := ""
 if s.ReadOnlyPort != 0 {
- roLocation = net.JoinHostPort(config.PublicAddress.String(), strconv.Itoa(config.ReadOnlyPort))
+ roLocation = net.JoinHostPort(config.PublicAddress.String(), strconv.Itoa(s.ReadOnlyPort))
 }
 secureLocation := ""
 if s.SecurePort != 0 {
 secureLocation = net.JoinHostPort(config.PublicAddress.String(), strconv.Itoa(s.SecurePort))
 }
- rwLocation := net.JoinHostPort(s.Address.String(), strconv.Itoa(int(s.Port)))
+ wideOpenLocation := net.JoinHostPort(s.Address.String(), strconv.Itoa(s.WideOpenPort))
 // See the flag commentary to understand our assumptions when opening the read-only and read-write ports.
@@ -333,13 +333,13 @@ func (s *APIServer) Run(_ []string) error {
 }
 http := &http.Server{
- Addr: rwLocation,
+ Addr: wideOpenLocation,
 Handler: apiserver.RecoverPanics(m.InsecureHandler),
 ReadTimeout: 5 * time.Minute,
 WriteTimeout: 5 * time.Minute,
 MaxHeaderBytes: 1 << 20,
 }
- glog.Infof("Serving insecurely on %s", rwLocation)
+ glog.Infof("Serving insecurely on %s", wideOpenLocation)
 glog.Fatal(http.ListenAndServe())
 return nil
 }
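Review bot: The last comment in the first hunk still speaks of the "read-only and read-write ports", although the variable declared just above it is now `wideOpenLocation` and the read-write port handed to the master has moved to SecurePort. Suggest `// See the flag commentary to understand our assumptions when opening the read-only and wide-open ports.` so the comment names the listeners the code below actually opens. Run starts and ends outside the hunk.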
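Review bot: The listener in the second hunk serves `m.InsecureHandler` on `s.Address`, and nothing checks that this address is loopback; the rename to WideOpenPort documents the risk, but the only safeguard visible in the diff remains the 127.0.0.1 default set in NewAPIServer. A startup warning would make a non-local bind visible in the logs: `if !net.IP(s.Address).IsLoopback() { glog.Warningf("insecure port %s is bound to a non-loopback address", wideOpenLocation) }`, placed just before the `glog.Infof` line. The conversion assumes util.IP converts to net.IP, as the `net.IP(s.PublicAddressOverride)` line elsewhere in Run suggests. Separately, the local variable `http` shadows the net/http package for the rest of the function; a name such as `srv` would avoid that.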