diff --git a/metrics-server/.gitignore b/metrics-server/.gitignore
new file mode 100644
index 0000000..87607e0
--- /dev/null
+++ b/metrics-server/.gitignore
@@ -0,0 +1 @@
+metrics-server
diff --git a/metrics-server/deployment.yaml b/metrics-server/deployment.yaml
new file mode 100644
index 0000000..fd8723a
--- /dev/null
+++ b/metrics-server/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: metrics-server
+spec:
+  template:
+    spec:
+      containers:
+      - name: metrics-server
+        command:
+          - /metrics-server
+          - --cert-dir=/tmp
+          - --logtostderr
+          - --secure-port=8443
+          - --kubelet-preferred-address-types=InternalIP
+          - --kubelet-insecure-tls
+        ports:
+          - containerPort: 8443
+            name: https
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+          initialDelaySeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: https
+            scheme: HTTPS
+          initialDelaySeconds: 20
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["all"]
+          readOnlyRootFilesystem: true
+          runAsGroup: 10001
+          runAsNonRoot: true
+          runAsUser: 10001
diff --git a/metrics-server/kustomization.yaml b/metrics-server/kustomization.yaml
new file mode 100644
index 0000000..a3360a5
--- /dev/null
+++ b/metrics-server/kustomization.yaml
@@ -0,0 +1,13 @@
+commonLabels:
+  variant: test
+resources:
+  - metrics-server/deploy/1.8+/aggregated-metrics-reader.yaml
+  - metrics-server/deploy/1.8+/metrics-apiservice.yaml
+  - metrics-server/deploy/1.8+/metrics-server-deployment.yaml
+  - metrics-server/deploy/1.8+/metrics-server-service.yaml
+
+  - metrics-server/deploy/1.8+/auth-delegator.yaml
+  - metrics-server/deploy/1.8+/auth-reader.yaml
+  - metrics-server/deploy/1.8+/resource-reader.yaml
+patches:
+  - deployment.yaml
diff --git a/metrics-server/script/up b/metrics-server/script/up
index 103c344..376dbb3 100755
--- a/metrics-server/script/up
+++ b/metrics-server/script/up
@@ -15,16 +15,18 @@ CLUSTER_NAME=${1:-metrics-demo}
 # Grab the cluster kubeconfig.
 export KUBECONFIG="tmp/${CLUSTER_NAME}-kubeconfig.yaml"
 
-# Install Helm/tiller and wait for it to be Ready.
-(
-    cd ../helm
-    script/up ${CLUSTER_NAME}
-)
+git clone https://github.com/kubernetes-incubator/metrics-server \
+  || true
+
+# update to metrics-server upstream master at the time this script was updated
+git -C metrics-server \
+  reset --hard ad1de3e56d98f25dc436ba08a6097d44375c8bc6
 
 # Install metrics-server
-NAMESPACE="metrics"
-echo "Install metrics-server via Helm"
-helm upgrade metrics-server --install --namespace ${NAMESPACE} -f ../metrics-server/values.yaml stable/metrics-server
+NAMESPACE=kube-system
+echo "Install metrics-server via kustomize + kubectl"
+kubectl kustomize . | kubectl apply -f -
+
 echo "Waiting for pods to be Ready"
-kubectl wait --for=condition=Ready pods -l "release=metrics-server" -n ${NAMESPACE} --timeout=120s
+kubectl wait --for=condition=Ready pods -l "k8s-app=metrics-server" -n ${NAMESPACE} --timeout=120s
 echo "🎉"
diff --git a/metrics-server/values.yaml b/metrics-server/values.yaml
deleted file mode 100644
index 5c282d2..0000000
--- a/metrics-server/values.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-args:
-  # DOKS currently doesn't resolve node names from within cluster workloads.
-  - --kubelet-preferred-address-types=InternalIP
-  # DOKS currently has self-signed kubelet internal serving certificates.
-  - --kubelet-insecure-tls