diff --git a/pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go b/pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go
index d2bb531d765..4937fd1a394 100644
--- a/pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go
@@ -29,9 +29,9 @@ type ServiceExpansion interface {
 // ProxyGet returns a response of the service by calling it through the proxy.
 func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper {
 	request := c.client.Get().
-		Prefix("proxy").
 		Namespace(c.ns).
 		Resource("services").
+		SubResource("proxy").
 		Name(net.JoinSchemeNamePort(scheme, name, port)).
 		Suffix(path)
 	for k, v := range params {
diff --git a/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go b/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go
index 85d2c7207db..247d0682bdf 100644
--- a/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go
+++ b/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go
@@ -29,9 +29,9 @@ type ServiceExpansion interface {
 // ProxyGet returns a response of the service by calling it through the proxy.
 func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper {
 	request := c.client.Get().
-		Prefix("proxy").
 		Namespace(c.ns).
 		Resource("services").
+		SubResource("proxy").
 		Name(net.JoinSchemeNamePort(scheme, name, port)).
 		Suffix(path)
 	for k, v := range params {
diff --git a/pkg/kubectl/cmd/top_test.go b/pkg/kubectl/cmd/top_test.go
index 9541a8805dc..8d27d7e2f9c 100644
--- a/pkg/kubectl/cmd/top_test.go
+++ b/pkg/kubectl/cmd/top_test.go
@@ -35,7 +35,7 @@ import (
 )
 
 const (
-	baseHeapsterServiceAddress = "/api/v1/proxy/namespaces/kube-system/services/http:heapster:"
+	baseHeapsterServiceAddress = "/api/v1/namespaces/kube-system/services/http:heapster:/proxy"
 	baseMetricsAddress         = baseHeapsterServiceAddress + "/apis/metrics"
 	metricsApiVersion          = "v1alpha1"
 )
diff --git a/pkg/metrics/generic_metrics.go b/pkg/metrics/generic_metrics.go
index f17629a0613..3a8251886a6 100644
--- a/pkg/metrics/generic_metrics.go
+++ b/pkg/metrics/generic_metrics.go
@@ -100,9 +100,9 @@ func parseMetrics(data string, output *Metrics) error {
 
 func (g *MetricsGrabber) getMetricsFromPod(podName string, namespace string, port int) (string, error) {
 	rawOutput, err := g.client.Core().RESTClient().Get().
-		Prefix("proxy").
 		Namespace(namespace).
 		Resource("pods").
+		SubResource("proxy").
 		Name(fmt.Sprintf("%v:%v", podName, port)).
 		Suffix("metrics").
 		Do().Raw()
diff --git a/pkg/metrics/kubelet_metrics.go b/pkg/metrics/kubelet_metrics.go
index 2f1b9525cb9..0e6267b513a 100644
--- a/pkg/metrics/kubelet_metrics.go
+++ b/pkg/metrics/kubelet_metrics.go
@@ -66,8 +66,8 @@ func (g *MetricsGrabber) getMetricsFromNode(nodeName string, kubeletPort int) (s
 	var rawOutput []byte
 	go func() {
 		rawOutput, err = g.client.Core().RESTClient().Get().
-			Prefix("proxy").
 			Resource("nodes").
+			SubResource("proxy").
 			Name(fmt.Sprintf("%v:%v", nodeName, kubeletPort)).
 			Suffix("metrics").
 			Do().Raw()
diff --git a/pkg/routes/ui.go b/pkg/routes/ui.go
index 0f8e3164c2b..0d4b85e06c6 100644
--- a/pkg/routes/ui.go
+++ b/pkg/routes/ui.go
@@ -22,7 +22,7 @@ import (
 	"k8s.io/apiserver/pkg/server/mux"
 )
 
-const dashboardPath = "/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard"
+const dashboardPath = "/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy"
 
 // UIRediect redirects /ui to the kube-ui proxy path.
 type UIRedirect struct{}
diff --git a/plugin/pkg/admission/initialresources/data_source.go b/plugin/pkg/admission/initialresources/data_source.go
index 5fd6c118fb1..0d366c18c4c 100644
--- a/plugin/pkg/admission/initialresources/data_source.go
+++ b/plugin/pkg/admission/initialresources/data_source.go
@@ -25,7 +25,7 @@ import (
 )
 
 var (
-	influxdbHost = flag.String("ir-influxdb-host", "localhost:8080/api/v1/proxy/namespaces/kube-system/services/monitoring-influxdb:api", "Address of InfluxDB which contains metrics required by InitialResources")
+	influxdbHost = flag.String("ir-influxdb-host", "localhost:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:api/proxy", "Address of InfluxDB which contains metrics required by InitialResources")
 	user         = flag.String("ir-user", "root", "User used for connecting to InfluxDB")
 	// TODO: figure out how to better pass password here
 	password       = flag.String("ir-password", "root", "Password used for connecting to InfluxDB")
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index f488cb4f0a5..f214bf48e5c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -140,9 +140,10 @@ func init() {
 			rbac.NewRule("get", "update").Groups(extensionsGroup).Resources("replicationcontrollers/scale").RuleOrDie(),
 			rbac.NewRule("get", "update").Groups(extensionsGroup).Resources("deployments/scale", "replicasets/scale").RuleOrDie(),
 			rbac.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
-			// TODO: fix MetricsClient to no longer require root proxy access
-			// TODO: restrict this to the appropriate namespace
+			// TODO: Remove the root /proxy permission in 1.7; MetricsClient no longer requires root proxy access as of 1.6 (fixed in https://github.com/kubernetes/kubernetes/pull/39636)
 			rbac.NewRule("proxy").Groups(legacyGroup).Resources("services").Names("https:heapster:", "http:heapster:").RuleOrDie(),
+			// TODO: restrict this to the appropriate namespace
+			rbac.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
 			eventsRule(),
 		},
 	})
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 901ea67108a..ed720ca59b2 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -419,6 +419,15 @@ items:
     - services
     verbs:
     - proxy
+  - apiGroups:
+    - ""
+    resourceNames:
+    - 'http:heapster:'
+    - 'https:heapster:'
+    resources:
+    - services/proxy
+    verbs:
+    - get
   - apiGroups:
     - ""
     resources:
diff --git a/test/e2e/framework/kubelet_stats.go b/test/e2e/framework/kubelet_stats.go
index 04571ef8072..ba5810b9231 100644
--- a/test/e2e/framework/kubelet_stats.go
+++ b/test/e2e/framework/kubelet_stats.go
@@ -284,7 +284,7 @@ func getContainerInfo(c clientset.Interface, nodeName string, req *kubeletstats.
 	if err != nil {
 		return nil, err
 	}
-	subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery())
+	subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
 	if err != nil {
 		return nil, err
 	}
@@ -407,7 +407,7 @@ func getOneTimeResourceUsageOnNode(
 }
 
 func getNodeStatsSummary(c clientset.Interface, nodeName string) (*stats.Summary, error) {
-	subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery())
+	subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
 	if err != nil {
 		return nil, err
 	}
diff --git a/test/e2e/framework/metrics_util.go b/test/e2e/framework/metrics_util.go
index 9b94bdcb663..35ac6164315 100644
--- a/test/e2e/framework/metrics_util.go
+++ b/test/e2e/framework/metrics_util.go
@@ -327,6 +327,11 @@ func getSchedulingLatency(c clientset.Interface) (SchedulingLatency, error) {
 	nodes, err := c.Core().Nodes().List(metav1.ListOptions{})
 	ExpectNoError(err)
 
+	subResourceProxyAvailable, err := ServerVersionGTE(SubResourcePodProxyVersion, c.Discovery())
+	if err != nil {
+		return result, err
+	}
+
 	var data string
 	var masterRegistered = false
 	for _, node := range nodes.Items {
@@ -338,14 +343,26 @@ func getSchedulingLatency(c clientset.Interface) (SchedulingLatency, error) {
 		ctx, cancel := context.WithTimeout(context.Background(), SingleCallTimeout)
 		defer cancel()
 
-		rawData, err := c.Core().RESTClient().Get().
-			Context(ctx).
-			Prefix("proxy").
-			Namespace(metav1.NamespaceSystem).
-			Resource("pods").
-			Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
-			Suffix("metrics").
-			Do().Raw()
+		var rawData []byte
+		if subResourceProxyAvailable {
+			rawData, err = c.Core().RESTClient().Get().
+				Context(ctx).
+				Namespace(metav1.NamespaceSystem).
+				Resource("pods").
+				Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
+				SubResource("proxy").
+				Suffix("metrics").
+				Do().Raw()
+		} else {
+			rawData, err = c.Core().RESTClient().Get().
+				Context(ctx).
+				Prefix("proxy").
+				Namespace(metav1.NamespaceSystem).
+				SubResource("pods").
+				Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
+				Suffix("metrics").
+				Do().Raw()
+		}
 
 		ExpectNoError(err)
 		data = string(rawData)
diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index fd9f5237b81..a390be8d167 100644
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@@ -234,10 +234,10 @@ func GetPauseImageNameForHostArch() string {
 // TODO(ihmccreery): remove once we don't care about v1.0 anymore, (tentatively
 // in v1.3).
 var SubResourcePodProxyVersion = utilversion.MustParseSemantic("v1.1.0")
-var subResourceServiceAndNodeProxyVersion = utilversion.MustParseSemantic("v1.2.0")
+var SubResourceServiceAndNodeProxyVersion = utilversion.MustParseSemantic("v1.2.0")
 
 func GetServicesProxyRequest(c clientset.Interface, request *restclient.Request) (*restclient.Request, error) {
-	subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery())
+	subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
 	if err != nil {
 		return nil, err
 	}
@@ -4809,7 +4809,7 @@ const proxyTimeout = 2 * time.Minute
 func NodeProxyRequest(c clientset.Interface, node, endpoint string) (restclient.Result, error) {
 	// proxy tends to hang in some cases when Node is not ready. Add an artificial timeout for this call.
 	// This will leak a goroutine if proxy hangs. #22165
-	subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery())
+	subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
 	if err != nil {
 		return restclient.Result{}, err
 	}
diff --git a/test/e2e/monitoring.go b/test/e2e/monitoring.go
index 0d0f2c9710d..d3d7426df0b 100644
--- a/test/e2e/monitoring.go
+++ b/test/e2e/monitoring.go
@@ -63,21 +63,42 @@ var (
 
 // Query sends a command to the server and returns the Response
 func Query(c clientset.Interface, query string) (*influxdb.Response, error) {
+	subResourceProxyAvailable, err := framework.ServerVersionGTE(framework.SubResourceServiceAndNodeProxyVersion, c.Discovery())
+	if err != nil {
+		return nil, err
+	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), framework.SingleCallTimeout)
 	defer cancel()
 
-	result, err := c.Core().RESTClient().Get().
-		Prefix("proxy").
-		Namespace("kube-system").
-		Resource("services").
-		Name(influxdbService+":api").
-		Suffix("query").
-		Param("q", query).
-		Param("db", influxdbDatabaseName).
-		Param("epoch", "s").
-		Do().
-		Raw()
+	var result []byte
+	if subResourceProxyAvailable {
+		result, err = c.Core().RESTClient().Get().
+			Context(ctx).
+			Namespace("kube-system").
+			Resource("services").
+			Name(influxdbService+":api").
+			SubResource("proxy").
+			Suffix("query").
+			Param("q", query).
+			Param("db", influxdbDatabaseName).
+			Param("epoch", "s").
+			Do().
+			Raw()
+	} else {
+		result, err = c.Core().RESTClient().Get().
+			Context(ctx).
+			Prefix("proxy").
+			Namespace("kube-system").
+			Resource("services").
+			Name(influxdbService+":api").
+			Suffix("query").
+			Param("q", query).
+			Param("db", influxdbDatabaseName).
+			Param("epoch", "s").
+			Do().
+			Raw()
+	}
 
 	if err != nil {
 		if ctx.Err() != nil {