diff --git a/pkg/cli/agent/agent.go b/pkg/cli/agent/agent.go
index a4520ac5dd..8e7e6de09d 100644
--- a/pkg/cli/agent/agent.go
+++ b/pkg/cli/agent/agent.go
@@ -56,6 +56,7 @@ func Run(ctx *cli.Context) error {
 	cfg := cmds.AgentConfig
 	cfg.Debug = ctx.Bool("debug")
 	cfg.DataDir = dataDir
+	cfg.ProtectKernelDefaults = true
 
 	contextCtx := signals.SetupSignalHandler(context.Background())
 
diff --git a/pkg/cli/cmds/agent.go b/pkg/cli/cmds/agent.go
index a234d6ea2f..2ffcfaf860 100644
--- a/pkg/cli/cmds/agent.go
+++ b/pkg/cli/cmds/agent.go
@@ -36,6 +36,7 @@ type Agent struct {
 	Labels                   []string
 	Taints                   []string
 	PrivateRegistry          string
+	ProtectKernelDefaults    bool
 	AgentShared
 }
 
@@ -136,6 +137,11 @@ var (
 		Hidden:      true,
 		Destination: &AgentConfig.DisableSELinux,
 	}
+	ProtectKernelDefaultsFlag = cli.BoolFlag{
+		Name:        "protect-kernel-defaults",
+		Usage:       "(agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.",
+		Destination: &AgentConfig.ProtectKernelDefaults,
+	}
 )
 
 func NewAgentCommand(action func(ctx *cli.Context) error) *cli.Command {
@@ -192,6 +198,7 @@ func NewAgentCommand(action func(ctx *cli.Context) error) *cli.Command {
 			&FlannelConfFlag,
 			&ExtraKubeletArgs,
 			&ExtraKubeProxyArgs,
+			&ProtectKernelDefaultsFlag,
 			&cli.BoolFlag{
 				Name:        "rootless",
 				Usage:       "(experimental) Run rootless",