diff --git a/Dockerfile b/Dockerfile
index 8857a8fe..46626d53 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -50,5 +50,10 @@ COPY --from=cfg /etc/passwd /etc/passwd
 COPY --from=cfg /etc/group /etc/group
 COPY ./Cargo.lock /Cargo.lock
 USER 65533:65533
+# Default port, should be used when tls is not enabled
 EXPOSE 3000
+# Readiness probe port, always http
+EXPOSE 8081
+# To be used when tls is enabled
+EXPOSE 8443
 ENTRYPOINT ["/policy-server"]
diff --git a/cli-docs.md b/cli-docs.md
index fe44c467..341f8c64 100644
--- a/cli-docs.md
+++ b/cli-docs.md
@@ -64,7 +64,7 @@ This document contains the help content for the `policy-server` command-line pro
   Default value: `3000`
 * `--readiness-probe-port <READINESS_PROBE_PORT>` — Expose readiness endpoint on READINESS_PROBE_PORT
 
-  Default value: `3000`
+  Default value: `8081`
 * `--sigstore-cache-dir <SIGSTORE_CACHE_DIR>` — Directory used to cache sigstore data
 
   Default value: `sigstore-data`
diff --git a/src/cli.rs b/src/cli.rs
index 10af68ab..8df6cb52 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -71,7 +71,7 @@ pub(crate) fn build_cli() -> Command {
         Arg::new("readiness-probe-port")
             .long("readiness-probe-port")
             .value_name("READINESS_PROBE_PORT")
-            .default_value("3000")
+            .default_value("8081")
             .env("KUBEWARDEN_READINESS_PROBE_PORT")
             .help("Expose readiness endpoint on READINESS_PROBE_PORT"),