diff --git a/cli/server.go b/cli/server.go
index e0d17838cde25..95fca7caa84d5 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -1991,6 +1991,13 @@ func redirectToAccessURL(handler http.Handler, accessURL *url.URL, tunnel bool,
 http.Redirect(w, r, accessURL.String(), http.StatusTemporaryRedirect)
 }
 
+ // Exception: /healthz
+ // Kubernetes doesn't like it if you redirect your healthcheck or liveness check endpoint.
+ if r.URL.Path == "/healthz" {
+ handler.ServeHTTP(w, r)
+ return
+ }
+
 // Exception: DERP
 // We use this endpoint when creating a DERP-mesh in the enterprise version to directly
 // dial other Coderd derpers. Redirecting to the access URL breaks direct dial since the
diff --git a/cli/server_test.go b/cli/server_test.go
index d596c39ad1bd1..57040a8d411e6 100644
--- a/cli/server_test.go
+++ b/cli/server_test.go
@@ -685,11 +685,17 @@ func TestServer(t *testing.T) {
 require.Equal(t, c.expectRedirect, resp.Header.Get("Location"))
 }
 
+ // We should never readirect /healthz
+ respHealthz, err := client.Request(ctx, http.MethodGet, "/healthz", nil)
+ require.NoError(t, err)
+ defer respHealthz.Body.Close()
+ require.Equal(t, http.StatusOK, respHealthz.StatusCode, "/healthz should never redirect")
+
 // We should never redirect DERP
 respDERP, err := client.Request(ctx, http.MethodGet, "/derp", nil)
 require.NoError(t, err)
 defer respDERP.Body.Close()
- require.Equal(t, http.StatusUpgradeRequired, respDERP.StatusCode)
+ require.Equal(t, http.StatusUpgradeRequired, respDERP.StatusCode, "/derp should never redirect")
 }
 
 // Verify TLS
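Review bot: The new `/healthz` exception in `redirectToAccessURL` passes the request to `handler` on whatever host and scheme it arrived on, and the comment does not record the constraint that makes this acceptable. I would extend it with `// /healthz must stay unauthenticated and free of sensitive data, since it is served without the access-URL redirect.` The match is an exact `r.URL.Path == "/healthz"` comparison, which keeps the bypass narrow; it should stay exact rather than become a prefix match. The enclosing function starts and ends outside the hunk, so how the redirect above is triggered is not visible here.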
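Review bot: The added comment in `TestServer` has a typo, `readirect`; it should read `// We should never redirect /healthz`. The new assertion also covers only the positive case. If the surrounding test cases allow it, a companion check that a near-miss path such as `/healthz/x` still receives the expected redirect would pin the exception to the exact path. `TestServer` starts and ends outside the hunk, so the loop or subtest these lines run in cannot be confirmed from here.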