diff --git a/.gitignore b/.gitignore
index c571c0e56..a00663b5c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,10 +20,6 @@ bin/
 # Vscode files
 .vscode/
 
-tmp/
-
-apiserver.local.config
-
 # OSX trash
 .DS_Store
 api.json
@@ -32,3 +28,6 @@ cover.out
 coverage.txt
 
 kustomize/network/etcd
+apiserver.local.config
+tmp/
+
diff --git a/build/ks-apiserver/Dockerfile b/build/ks-apiserver/Dockerfile
index fad579137..7dff71086 100644
--- a/build/ks-apiserver/Dockerfile
+++ b/build/ks-apiserver/Dockerfile
@@ -10,5 +10,7 @@ RUN apk add --update ca-certificates && \
     adduser -D -g kubesphere -u 1002 kubesphere && \
     chown -R kubesphere:kubesphere /usr/local/bin/ks-apiserver
 
+EXPOSE 9090
+
 USER kubesphere
 CMD ["sh"]
diff --git a/build/ks-controller-manager/Dockerfile b/build/ks-controller-manager/Dockerfile
index 9195238d3..a008492ee 100644
--- a/build/ks-controller-manager/Dockerfile
+++ b/build/ks-controller-manager/Dockerfile
@@ -11,4 +11,7 @@ RUN apk add --update ca-certificates && \
     chown -R kubesphere:kubesphere /usr/local/bin/controller-manager
 
 USER kubesphere
+
+EXPOSE 8443 8080
+
 CMD controller-manager
diff --git a/cmd/controller-manager/app/server.go b/cmd/controller-manager/app/server.go
index b5d706dad..035dde02f 100644
--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
@@ -156,7 +156,8 @@ func Run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 
 	run := func(ctx context.Context) {
 		klog.V(0).Info("setting up manager")
-		mgr, err := manager.New(kubernetesClient.Config(), manager.Options{CertDir: s.WebhookCertDir})
+		// Use 8443 instead of 443 cause we need root permission to bind port 443
+		mgr, err := manager.New(kubernetesClient.Config(), manager.Options{CertDir: s.WebhookCertDir, Port: 8443})
 		if err != nil {
 			klog.Fatalf("unable to set up overall controller manager: %v", err)
 		}