diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 450e2c0a4b2..0f6e6bf5fd3 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -227,6 +227,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Update ECS to 1.12.0. {pull}27770[27770]
 - Fields mapped as `match_only_text` will automatically fallback to a `text` mapping when using Elasticsearch versions that do not support `match_only_text`. {pull}27770[27770]
 - Do not load ML jobs to Elasticsearch 8.x from new Beats 7.x releases. {pull}27771[27771]
+- Update kubernetes scheduler and controllermanager endpoints in elastic-agent-standalone-kubernetes.yaml with secure ports {pull}28675[28675]
 
 *Auditbeat*
 
diff --git a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml
index 819ab0accee..7af94fa0f3d 100644
--- a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml
+++ b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml
@@ -341,19 +341,23 @@ data:
               type: metrics
             metricsets:
               - controllermanager
+            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
             hosts:
-              - '${kubernetes.pod.ip}:10252'
+              - 'https://${kubernetes.pod.ip}:10257'
             period: 10s
-            condition: ${kubernetes.pod.labels.component} == 'kube-controller-manager'
+            ssl.verification_mode: none
+            condition: ${kubernetes.labels.component} == 'kube-controller-manager'
           - data_stream:
               dataset: kubernetes.scheduler
               type: metrics
             metricsets:
               - scheduler
+            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
             hosts:
-              - '${kubernetes.pod.ip}:10251'
+              - 'https://${kubernetes.pod.ip}:10259'
             period: 10s
-            condition: ${kubernetes.pod.labels.component} == 'kube-scheduler'
+            ssl.verification_mode: none
+            condition: ${kubernetes.labels.component} == 'kube-scheduler'
           - data_stream:
               dataset: kubernetes.proxy
               type: metrics
diff --git a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml
index 2688bbfc61c..d3f290b2aab 100644
--- a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml
+++ b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml
@@ -341,19 +341,23 @@ data:
               type: metrics
             metricsets:
               - controllermanager
+            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
             hosts:
-              - '${kubernetes.pod.ip}:10252'
+              - 'https://${kubernetes.pod.ip}:10257'
             period: 10s
-            condition: ${kubernetes.pod.labels.component} == 'kube-controller-manager'
+            ssl.verification_mode: none
+            condition: ${kubernetes.labels.component} == 'kube-controller-manager'
           - data_stream:
               dataset: kubernetes.scheduler
               type: metrics
             metricsets:
               - scheduler
+            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
             hosts:
-              - '${kubernetes.pod.ip}:10251'
+              - 'https://${kubernetes.pod.ip}:10259'
             period: 10s
-            condition: ${kubernetes.pod.labels.component} == 'kube-scheduler'
+            ssl.verification_mode: none
+            condition: ${kubernetes.labels.component} == 'kube-scheduler'
           - data_stream:
               dataset: kubernetes.proxy
               type: metrics