diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
index b07775d56613226fc6e21ebb3ef17c1d4c6108d8..f6e62b58011d5faa54b6cfb1b946b75373f528f8 100644
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -31,6 +31,9 @@ healthzPort: {{ kubelet_healthz_port }}
 healthzBindAddress: {{ kubelet_healthz_bind_address }}
 kubeletCgroups: {{ kubelet_kubelet_cgroups }}
 clusterDomain: {{ dns_domain }}
+{% if kubelet_protect_kernel_defaults|bool %}
+protectKernelDefaults: true
+{% endif %}
 {% if kubelet_rotate_certificates|bool %}
 rotateCertificates: true
 {% endif %}
diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
index 03716c38aa041c2e63360c229f93ce272b98c94a..35cc0b0d5dc8a7c91221f6ce7772ba91d1e64822 100644
--- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
+++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
@@ -61,3 +61,16 @@
     value: 1
     state: present
     reload: yes
+
+- name: Ensure kube-bench parameters are set
+  sysctl:
+    sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: yes
+  with_items:
+    - { name: vm.overcommit_memory, value: 1 }
+    - { name: kernel.panic, value: 10 }
+    - { name: kernel.panic_on_oops, value: 1 }
+  when: kubelet_protect_kernel_defaults|bool
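Review bot: The `with_items` list sets three tunables, but as far as I know the kubelet also compares `vm.panic_on_oom`, `kernel.keys.root_maxkeys` and `kernel.keys.root_maxbytes` against its expected values when `protectKernelDefaults` is on. A host where one of those differs would still fail kubelet start-up, so confirm against the kubelet version deployed and extend the list, e.g. `- { name: vm.panic_on_oom, value: 0 }`. The entries are written to `/etc/sysctl.d/bridge-nf-call.conf`, a name that describes the bridge netfilter setting only, so a dedicated file would make the hardening easier to audit. `kernel.panic: 10` and `kernel.panic_on_oops: 1` make the host reboot after a panic or oops, which deserves a comment on the task, something like `# values the kubelet expects when protectKernelDefaults is true; the node reboots 10s after a kernel panic/oops`.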
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 9bc38e4aebc7950bca83d1717035ff9e547bb671..9a0cfe50bf6db9dfcfcea40a83a5fccc95f1b449 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -397,6 +397,9 @@ kubelet_rotate_certificates: true
 # kubelet can also request a new server certificate from the Kubernetes API
 kubelet_rotate_server_certificates: false
 
+# If set to true, kubelet errors if any of kernel tunables is different than kubelet defaults
+kubelet_protect_kernel_defaults: true
+
 ## List of key=value pairs that describe feature gates for
 ## the k8s cluster.
 kube_feature_gates: []
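Review bot: Defaulting `kubelet_protect_kernel_defaults` to `true` turns the strict check on for every existing inventory that picks up this change, and the comment does not say that the kubelet depends on the sysctls written by the preinstall task. If a node gets the new kubelet config without that task having run (a partial or tag-limited run, presumably), the kubelet will refuse to start there. I would spell the dependency out in the comment, e.g. `# If true, kubelet refuses to start when kernel tunables differ from the values it expects;` followed by `# the preinstall role sets the matching sysctls on the host (reboot on panic/oops included)`. An upgrade note for operators who manage sysctls outside this playbook would also help.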