diff --git a/changelogs/unreleased/5101-izturn-small.md b/changelogs/unreleased/5101-izturn-small.md
new file mode 100644
index 00000000000..dd813f08f35
--- /dev/null
+++ b/changelogs/unreleased/5101-izturn-small.md
@@ -0,0 +1 @@
+Gateway provisioner: add a container port to the Envoy daemonset/deployment for the metrics port.
\ No newline at end of file
diff --git a/internal/provisioner/controller/gateway_test.go b/internal/provisioner/controller/gateway_test.go
index 18a5a612592..49032c6d137 100644
--- a/internal/provisioner/controller/gateway_test.go
+++ b/internal/provisioner/controller/gateway_test.go
@@ -355,6 +355,9 @@ func TestGatewayReconcile(t *testing.T) {
 							Listener: &contourv1alpha1.EnvoyListenerConfig{
 								DisableMergeSlashes: ref.To(true),
 							},
+							Metrics: &contourv1alpha1.MetricsConfig{
+								Port: 8003,
+							},
 						},
 					},
 				},
@@ -402,6 +405,9 @@ func TestGatewayReconcile(t *testing.T) {
 							Namespace: gw.Namespace,
 							Name:      "envoy-" + gw.Name,
 						},
+						Metrics: &contourv1alpha1.MetricsConfig{
+							Port: 8003,
+						},
 					},
 				}
 
diff --git a/internal/provisioner/objects/dataplane/dataplane.go b/internal/provisioner/objects/dataplane/dataplane.go
index 84ea6dab805..78445b29181 100644
--- a/internal/provisioner/objects/dataplane/dataplane.go
+++ b/internal/provisioner/objects/dataplane/dataplane.go
@@ -136,14 +136,32 @@ func desiredContainers(contour *model.Contour, contourImage, envoyImage string)
 		ports = append(ports, p)
 	}
 
-	healthPort := 8002
+	var (
+		metricsPort = objects.EnvoyMetricsPort
+		healthPort  = objects.EnvoyHealthPort
+	)
+
 	if contour.Spec.RuntimeSettings != nil &&
-		contour.Spec.RuntimeSettings.Envoy != nil &&
-		contour.Spec.RuntimeSettings.Envoy.Health != nil &&
-		contour.Spec.RuntimeSettings.Envoy.Health.Port > 0 {
-		healthPort = contour.Spec.RuntimeSettings.Envoy.Health.Port
+		contour.Spec.RuntimeSettings.Envoy != nil {
+
+		if contour.Spec.RuntimeSettings.Envoy.Metrics != nil &&
+			contour.Spec.RuntimeSettings.Envoy.Metrics.Port > 0 {
+			metricsPort = int32(contour.Spec.RuntimeSettings.Envoy.Metrics.Port)
+
+		}
+
+		if contour.Spec.RuntimeSettings.Envoy.Health != nil &&
+			contour.Spec.RuntimeSettings.Envoy.Health.Port > 0 {
+			healthPort = contour.Spec.RuntimeSettings.Envoy.Health.Port
+		}
 	}
 
+	ports = append(ports, corev1.ContainerPort{
+		Name:          "metrics",
+		ContainerPort: metricsPort,
+		Protocol:      corev1.ProtocolTCP,
+	})
+
 	containers := []corev1.Container{
 		{
 			Name:            ShutdownContainerName,
@@ -511,12 +529,12 @@ func envoyPodAnnotations(contour *model.Contour) map[string]string {
 		annotations[k] = v
 	}
 
-	metricsPort := 8002
+	metricsPort := objects.EnvoyMetricsPort
 	if contour.Spec.RuntimeSettings != nil &&
 		contour.Spec.RuntimeSettings.Envoy != nil &&
 		contour.Spec.RuntimeSettings.Envoy.Metrics != nil &&
 		contour.Spec.RuntimeSettings.Envoy.Metrics.Port > 0 {
-		metricsPort = contour.Spec.RuntimeSettings.Envoy.Metrics.Port
+		metricsPort = int32(contour.Spec.RuntimeSettings.Envoy.Metrics.Port)
 	}
 
 	annotations["prometheus.io/scrape"] = "true"
diff --git a/internal/provisioner/objects/dataplane/dataplane_test.go b/internal/provisioner/objects/dataplane/dataplane_test.go
index 135d4ba801a..c167eb376e5 100644
--- a/internal/provisioner/objects/dataplane/dataplane_test.go
+++ b/internal/provisioner/objects/dataplane/dataplane_test.go
@@ -19,7 +19,7 @@ import (
 
 	"github.com/projectcontour/contour/apis/projectcontour/v1alpha1"
 	"github.com/projectcontour/contour/internal/provisioner/model"
-	"github.com/stretchr/testify/assert"
+	"github.com/projectcontour/contour/internal/provisioner/objects"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -294,13 +294,19 @@ func TestDesiredDaemonSet(t *testing.T) {
 
 	// Change the Envoy log level to test --log-level debug.
 	cntr.Spec.EnvoyLogLevel = v1alpha1.DebugLog
+	cntr.Spec.RuntimeSettings = &v1alpha1.ContourConfigurationSpec{
+		Envoy: &v1alpha1.EnvoyConfig{
+			Metrics: &v1alpha1.MetricsConfig{
+				Port: int(objects.EnvoyMetricsPort),
+			},
+		},
+	}
 
 	ds := DesiredDaemonSet(cntr, testContourImage, testEnvoyImage)
 	container := checkDaemonSetHasContainer(t, ds, EnvoyContainerName, true)
 	checkContainerHasArg(t, container, testLogLevelArg)
 	checkContainerHasImage(t, container, testEnvoyImage)
 	checkContainerHasReadinessPort(t, container, 8002)
-	assert.Len(t, container.Ports, 2)
 
 	container = checkDaemonSetHasContainer(t, ds, ShutdownContainerName, true)
 	checkContainerHasImage(t, container, testContourImage)
@@ -313,12 +319,14 @@ func TestDesiredDaemonSet(t *testing.T) {
 	for _, port := range cntr.Spec.NetworkPublishing.Envoy.Ports {
 		checkContainerHasPort(t, ds, port.ContainerPort)
 	}
+	checkContainerHasPort(t, ds, int32(cntr.Spec.RuntimeSettings.Envoy.Metrics.Port))
+
 	checkDaemonSetHasNodeSelector(t, ds, nil)
 	checkDaemonSetHasTolerations(t, ds, nil)
 	checkDaemonSecurityContext(t, ds)
 	checkDaemonSetHasVolume(t, ds, volTest, volTestMount)
 	checkDaemonSetHasPodAnnotations(t, ds, envoyPodAnnotations(cntr))
-	checkDaemonSetHasMetricsPort(t, ds, 8002)
+	checkDaemonSetHasMetricsPort(t, ds, objects.EnvoyMetricsPort)
 
 	checkDaemonSetHasResourceRequirements(t, ds, resQutoa)
 	checkDaemonSetHasUpdateStrategy(t, ds, cntr.Spec.EnvoyDaemonSetUpdateStrategy)
@@ -365,6 +373,7 @@ func TestNodePlacementDaemonSet(t *testing.T) {
 
 func TestEnvoyCustomPorts(t *testing.T) {
 	name := "envoy-runtime-ports"
+	metricPort := 9090
 	cntr := model.Default(fmt.Sprintf("%s-ns", name), name)
 	cntr.Spec.RuntimeSettings = &v1alpha1.ContourConfigurationSpec{
 		Envoy: &v1alpha1.EnvoyConfig{
@@ -372,7 +381,7 @@ func TestEnvoyCustomPorts(t *testing.T) {
 				Port: 8020,
 			},
 			Metrics: &v1alpha1.MetricsConfig{
-				Port: 9090,
+				Port: metricPort,
 			},
 		},
 	}
@@ -380,7 +389,8 @@ func TestEnvoyCustomPorts(t *testing.T) {
 	testContourImage := "ghcr.io/projectcontour/contour:test"
 	testEnvoyImage := "docker.io/envoyproxy/envoy:test"
 	ds := DesiredDaemonSet(cntr, testContourImage, testEnvoyImage)
-	checkDaemonSetHasMetricsPort(t, ds, 9090)
+	checkDaemonSetHasMetricsPort(t, ds, int32(metricPort))
+	checkContainerHasPort(t, ds, int32(metricPort))
 
 	container := checkDaemonSetHasContainer(t, ds, EnvoyContainerName, true)
 	checkContainerHasReadinessPort(t, container, 8020)
diff --git a/internal/provisioner/objects/object.go b/internal/provisioner/objects/object.go
index f1146a92f01..bce42f4e4c6 100644
--- a/internal/provisioner/objects/object.go
+++ b/internal/provisioner/objects/object.go
@@ -32,6 +32,12 @@ const (
 	EnvoyInsecureContainerPort = int32(8080)
 	// EnvoySecureContainerPort is the network port number of Envoy's secure listener.
 	EnvoySecureContainerPort = int32(8443)
+
+	// EnvoyMetricsPort is the network port number of Envoy's metrics listener.
+	EnvoyMetricsPort = int32(8002)
+
+	// EnvoyHealthPort is the network port number of Envoy's health listener.
+	EnvoyHealthPort = 8002
 )
 
 // NewUnprivilegedPodSecurity makes a a non-root PodSecurityContext object