diff --git a/puppet-manifests/src/manifests/ansible_bootstrap.pp b/puppet-manifests/src/manifests/ansible_bootstrap.pp index fc282b558..77de095b4 100644 --- a/puppet-manifests/src/manifests/ansible_bootstrap.pp +++ b/puppet-manifests/src/manifests/ansible_bootstrap.pp @@ -9,6 +9,7 @@ Exec { include ::platform::config::bootstrap include ::platform::users::bootstrap +include ::platform::sysctl::bootstrap include ::platform::ldap::bootstrap include ::platform::drbd::bootstrap include ::platform::postgresql::bootstrap diff --git a/puppet-manifests/src/manifests/bootstrap.pp b/puppet-manifests/src/manifests/bootstrap.pp index 566a3c9e5..e4339ff55 100644 --- a/puppet-manifests/src/manifests/bootstrap.pp +++ b/puppet-manifests/src/manifests/bootstrap.pp @@ -9,6 +9,7 @@ Exec { include ::platform::config::bootstrap include ::platform::users::bootstrap +include ::platform::sysctl::bootstrap include ::platform::ldap::bootstrap include ::platform::drbd::bootstrap include ::platform::postgresql::bootstrap diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp index beeb11220..60b13f8e0 100644 --- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp +++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp @@ -368,6 +368,7 @@ class platform::kubernetes::master contain ::platform::kubernetes::coredns contain ::platform::kubernetes::firewall + Class['::platform::sysctl::controller::reserve_ports'] -> Class[$name] Class['::platform::etcd'] -> Class[$name] Class['::platform::docker::config'] -> Class[$name] # Ensure DNS is configured as name resolution is required when diff --git a/puppet-manifests/src/modules/platform/manifests/sysctl.pp b/puppet-manifests/src/modules/platform/manifests/sysctl.pp index 3926e9199..79a7106b2 100644 --- a/puppet-manifests/src/modules/platform/manifests/sysctl.pp +++ b/puppet-manifests/src/modules/platform/manifests/sysctl.pp 
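Review bot: The added `include ::platform::sysctl::bootstrap` only declares the class; nothing in the hunk orders the port reservation before the classes further down this manifest that start daemons which could be handed an ephemeral port. `ip_local_reserved_ports` only affects allocations made after the sysctl is set, so a socket that already grabbed 44134 before this class was applied keeps it. Unless the bootstrap manifest deliberately relies on manifest ordering, add an explicit relationship such as `Class['::platform::sysctl::bootstrap'] -> Class['::platform::kubernetes::bootstrap']` (or whichever class brings up kubernetes/tiller here) in this file and in the identical bootstrap.pp hunk. The rest of the bootstrap manifest is outside the hunk, so the actual ordering cannot be confirmed from here.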
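Review bot: The new arrow `Class['::platform::sysctl::controller::reserve_ports'] -> Class[$name]` references a class that `platform::kubernetes::master` never declares itself, so catalog compilation fails with a "Could not find resource" error on any node manifest that reaches this class without also including `platform::sysctl::controller` or `platform::sysctl::bootstrap`. The bootstrap manifests and the controller runtime class do include it in this change, but the dependency is implicit and will break the first time the master class is used elsewhere. Add `include ::platform::sysctl::controller::reserve_ports` on the line directly above the arrow so the ordering is self-contained. The class body continues outside the hunk.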
@@ -84,10 +84,30 @@ class platform::sysctl } +class platform::sysctl::controller::reserve_ports + inherits ::platform::sysctl::params { + + # Reserve ports in the ephemeral port range: + # + # Incorporate the reserved keystone port (35357) from + # /usr/lib/sysctl.d/openstack-keystone.conf + # + # Helm v2.13.1 hardcodes the following Tiller ports when installed in the + # k8s cluster: 44134 (server), 44135 (probe), 44136 (trace). Reserve them + # from the ephemeral port range. This will avoid potential port conflicts + # that will cause the tiller pod to crash when the port is assigned to + # another client/server + sysctl::value { 'net.ipv4.ip_local_reserved_ports': + value => '35357,44134-44136' + } +} + + class platform::sysctl::controller inherits ::platform::sysctl::params { include ::platform::sysctl + include ::platform::sysctl::controller::reserve_ports # Engineer VM page cache tunables to prevent significant IO delays that may # occur if we flush a buildup of dirty pages. Engineer VM settings to make @@ -129,20 +149,6 @@ class platform::sysctl::controller sysctl::value { 'kernel.shmmax': value => '167772160' } - - # Reserve ports in the ephemeral port range: - # - # Incorporate the reserved keystone port (35357) from - # /usr/lib/sysctl.d/openstack-keystone.conf - # - # Helm v2.13.1 hardcodes the following Tiller ports when installed in the - # k8s cluster: 44134 (server), 44135 (probe), 44136 (trace). Reserve them - # from the ephemeral port range. This will avoid potential port conflicts - # that will cause the tiller pod to crash when the port is assigned to - # another client/server - sysctl::value { 'net.ipv4.ip_local_reserved_ports': - value => '35357,44134-44136' - } } @@ -159,3 +165,8 @@ class platform::sysctl::storage { class platform::sysctl::controller::runtime { include ::platform::sysctl::controller } + + +class platform::sysctl::bootstrap { + include ::platform::sysctl::controller::reserve_ports +}
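Review bot: The comment block on the new `reserve_ports` class should state what the reservation does not do: `net.ipv4.ip_local_reserved_ports` only removes these ports from the kernel's automatic ephemeral allocation, an explicit bind() to 35357 or 44134-44136 by any local process is still permitted, so this is conflict avoidance, not an access control, and the firewall rules stay the protection for Tiller's gRPC port. The `sysctl::value` also writes the whole list, so it replaces rather than merges with whatever `/usr/lib/sysctl.d/openstack-keystone.conf` sets for the same key; if that drop-in is still shipped, whichever file systemd-sysctl reads last wins at boot, which is worth confirming. Suggested comment above the `sysctl::value`: `# NOTE: this only stops the kernel choosing these ports for ephemeral use; an explicit bind() is still allowed, and this value replaces (does not merge with) any other sysctl.d setting for the key.`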
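Review bot: `platform::sysctl::bootstrap` carries no comment explaining why it pulls in only `reserve_ports` rather than the full `platform::sysctl::controller` set that `platform::sysctl::controller::runtime` applies, so a reader cannot tell whether the omission is deliberate. Add above the class: `# Bootstrap-time subset of the controller sysctls: only the port reservation must be in place before kubernetes/tiller start; the remaining controller tunables are applied later by platform::sysctl::controller.` (adjust the wording if the reason differs).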