diff --git a/packages/kubernetes-1.15/kubelet-config b/packages/kubernetes-1.15/kubelet-config index 0a4c6364b95..b3734c75e06 100644 --- a/packages/kubernetes-1.15/kubelet-config +++ b/packages/kubernetes-1.15/kubelet-config @@ -50,11 +50,13 @@ kubeReserved: ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}" resolvConf: "/etc/resolv.conf" hairpinMode: hairpin-veth +readOnlyPort: 0 cgroupDriver: systemd cgroupRoot: "/" runtimeRequestTimeout: 15m featureGates: RotateKubeletServerCertificate: true +protectKernelDefaults: true serializeImagePulls: false serverTLSBootstrap: true configMapAndSecretChangeDetectionStrategy: Cache diff --git a/packages/kubernetes-1.15/kubelet-sysctl.conf b/packages/kubernetes-1.15/kubelet-sysctl.conf new file mode 100644 index 00000000000..ed68c7e197f --- /dev/null +++ b/packages/kubernetes-1.15/kubelet-sysctl.conf @@ -0,0 +1,2 @@ +# Overcommit handling mode - 1: Always overcommit +vm.overcommit_memory = 1 diff --git a/packages/kubernetes-1.15/kubernetes-1.15.spec b/packages/kubernetes-1.15/kubernetes-1.15.spec index cbd58ba8e90..f9e555bc591 100644 --- a/packages/kubernetes-1.15/kubernetes-1.15.spec +++ b/packages/kubernetes-1.15/kubernetes-1.15.spec @@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt Source6: kubelet-exec-start-conf Source7: kubelet-bootstrap-kubeconfig Source8: kubernetes-tmpfiles.conf +Source9: kubelet-sysctl.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch @@ -92,6 +93,9 @@ ln -rs \ %{buildroot}%{_sharedstatedir}/kubelet/plugins \ %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins +mkdir -p %{buildroot}%{_cross_sysctldir} +install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf + %cross_scan_attribution --clarify %{S:1000} go-vendor vendor %files -n %{_cross_os}kubelet-1.15 
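Review bot: `protectKernelDefaults: true` makes kubelet refuse to start when a kernel tunable differs from the value it expects, rather than correcting it, and nothing in this file says which sysctl files now have to stay in step with it. I would add a comment above the key, e.g. `# kubelet exits at startup on a sysctl mismatch; values are pinned in 90-kubelet.conf and release-sysctl.conf`, and one above `readOnlyPort: 0` such as `# 0 disables the unauthenticated read-only kubelet port`. As far as I know kubelet's check also covers vm.panic_on_oom and the kernel.keys.root_maxkeys / root_maxbytes limits, which this commit does not pin, so it is worth confirming that the shipped kernel's defaults match. The new key sits directly after the `featureGates:` entries, so a blank line before it would make clear it is a top-level setting. The same applies to the kubelet-config hunks for 1.16 through 1.19.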
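Review bot: The comment on `vm.overcommit_memory = 1` describes the value but not why the image sets it: with `protectKernelDefaults: true` in kubelet-config, kubelet checks this tunable and fails to start if it differs. A comment such as `# Must stay 1: kubelet (protectKernelDefaults) refuses to start on any other value` would keep a later tuning change from breaking node startup. With always-overcommit the host relies on cgroup memory limits and the OOM killer to contain memory-hungry workloads, which deserves a line here too. The identical new file in 1.16 through 1.19 wants the same comment.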
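Review bot: The added `install` line ships `90-kubelet.conf` from a per-version copy of kubelet-sysctl.conf, and the commit adds five byte-identical copies (each index line shows ed68c7e197f), so a change made in one version can drift from the others. Because kubelet now fails to start on a mismatch, I would keep a single shared source if the packaging allows it, or at least add a comment above the `mkdir` line such as `# sysctls kubelet requires when protectKernelDefaults is set; keep identical across kubelet versions`. sysctl.d applies drop-ins in lexical order with later files winning, and the installed name of release-sysctl.conf is not visible here, so confirm nothing sorting after `90-` resets vm.overcommit_memory. The %install section starts and ends outside this hunk; the matching hunks in the 1.16 through 1.19 spec files are the same.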
@@ -110,5 +114,6 @@ ln -rs \ %{_cross_tmpfilesdir}/kubernetes.conf %dir %{_cross_libexecdir}/kubernetes %{_cross_libexecdir}/kubernetes/kubelet-plugins +%{_cross_sysctldir}/90-kubelet.conf %changelog diff --git a/packages/kubernetes-1.16/kubelet-config b/packages/kubernetes-1.16/kubelet-config index 0a4c6364b95..b3734c75e06 100644 --- a/packages/kubernetes-1.16/kubelet-config +++ b/packages/kubernetes-1.16/kubelet-config @@ -50,11 +50,13 @@ kubeReserved: ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}" resolvConf: "/etc/resolv.conf" hairpinMode: hairpin-veth +readOnlyPort: 0 cgroupDriver: systemd cgroupRoot: "/" runtimeRequestTimeout: 15m featureGates: RotateKubeletServerCertificate: true +protectKernelDefaults: true serializeImagePulls: false serverTLSBootstrap: true configMapAndSecretChangeDetectionStrategy: Cache diff --git a/packages/kubernetes-1.16/kubelet-sysctl.conf b/packages/kubernetes-1.16/kubelet-sysctl.conf new file mode 100644 index 00000000000..ed68c7e197f --- /dev/null +++ b/packages/kubernetes-1.16/kubelet-sysctl.conf @@ -0,0 +1,2 @@ +# Overcommit handling mode - 1: Always overcommit +vm.overcommit_memory = 1 diff --git a/packages/kubernetes-1.16/kubernetes-1.16.spec b/packages/kubernetes-1.16/kubernetes-1.16.spec index 6b54d9ee509..c560933ca4c 100644 --- a/packages/kubernetes-1.16/kubernetes-1.16.spec +++ b/packages/kubernetes-1.16/kubernetes-1.16.spec @@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt Source6: kubelet-exec-start-conf Source7: kubelet-bootstrap-kubeconfig Source8: kubernetes-tmpfiles.conf +Source9: kubelet-sysctl.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch 
@@ -88,6 +89,9 @@ ln -rs \ %{buildroot}%{_sharedstatedir}/kubelet/plugins \ %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins +mkdir -p %{buildroot}%{_cross_sysctldir} +install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf + %cross_scan_attribution --clarify %{S:1000} go-vendor vendor %files -n %{_cross_os}kubelet-1.16 @@ -106,5 +110,6 @@ ln -rs \ %{_cross_tmpfilesdir}/kubernetes.conf %dir %{_cross_libexecdir}/kubernetes %{_cross_libexecdir}/kubernetes/kubelet-plugins +%{_cross_sysctldir}/90-kubelet.conf %changelog diff --git a/packages/kubernetes-1.17/kubelet-config b/packages/kubernetes-1.17/kubelet-config index 380b91e582b..23bf7e90aef 100644 --- a/packages/kubernetes-1.17/kubelet-config +++ b/packages/kubernetes-1.17/kubelet-config @@ -50,12 +50,14 @@ kubeReserved: ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}" resolvConf: "/etc/resolv.conf" hairpinMode: hairpin-veth +readOnlyPort: 0 cgroupDriver: systemd cgroupRoot: "/" runtimeRequestTimeout: 15m featureGates: RotateKubeletServerCertificate: true CSIMigration: false +protectKernelDefaults: true serializeImagePulls: false serverTLSBootstrap: true configMapAndSecretChangeDetectionStrategy: Cache diff --git a/packages/kubernetes-1.17/kubelet-sysctl.conf b/packages/kubernetes-1.17/kubelet-sysctl.conf new file mode 100644 index 00000000000..ed68c7e197f --- /dev/null +++ b/packages/kubernetes-1.17/kubelet-sysctl.conf @@ -0,0 +1,2 @@ +# Overcommit handling mode - 1: Always overcommit +vm.overcommit_memory = 1 diff --git a/packages/kubernetes-1.17/kubernetes-1.17.spec b/packages/kubernetes-1.17/kubernetes-1.17.spec index 037c0e88106..65583f0a389 100644 --- a/packages/kubernetes-1.17/kubernetes-1.17.spec +++ b/packages/kubernetes-1.17/kubernetes-1.17.spec 
@@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt Source6: kubelet-exec-start-conf Source7: kubelet-bootstrap-kubeconfig Source8: kubernetes-tmpfiles.conf +Source9: kubelet-sysctl.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch @@ -88,6 +89,9 @@ ln -rs \ %{buildroot}%{_sharedstatedir}/kubelet/plugins \ %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins +mkdir -p %{buildroot}%{_cross_sysctldir} +install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf + %cross_scan_attribution --clarify %{S:1000} go-vendor vendor %files -n %{_cross_os}kubelet-1.17 @@ -106,5 +110,6 @@ ln -rs \ %{_cross_tmpfilesdir}/kubernetes.conf %dir %{_cross_libexecdir}/kubernetes %{_cross_libexecdir}/kubernetes/kubelet-plugins +%{_cross_sysctldir}/90-kubelet.conf %changelog diff --git a/packages/kubernetes-1.18/kubelet-config b/packages/kubernetes-1.18/kubelet-config index 380b91e582b..23bf7e90aef 100644 --- a/packages/kubernetes-1.18/kubelet-config +++ b/packages/kubernetes-1.18/kubelet-config @@ -50,12 +50,14 @@ kubeReserved: ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}" resolvConf: "/etc/resolv.conf" hairpinMode: hairpin-veth +readOnlyPort: 0 cgroupDriver: systemd cgroupRoot: "/" runtimeRequestTimeout: 15m featureGates: RotateKubeletServerCertificate: true CSIMigration: false +protectKernelDefaults: true serializeImagePulls: false serverTLSBootstrap: true configMapAndSecretChangeDetectionStrategy: Cache diff --git a/packages/kubernetes-1.18/kubelet-sysctl.conf b/packages/kubernetes-1.18/kubelet-sysctl.conf new file mode 100644 index 00000000000..ed68c7e197f --- /dev/null +++ b/packages/kubernetes-1.18/kubelet-sysctl.conf @@ -0,0 +1,2 @@ +# Overcommit handling mode - 1: Always overcommit +vm.overcommit_memory = 1 diff --git a/packages/kubernetes-1.18/kubernetes-1.18.spec b/packages/kubernetes-1.18/kubernetes-1.18.spec index 574fc848336..a3001b7cb8a 100644 
--- a/packages/kubernetes-1.18/kubernetes-1.18.spec +++ b/packages/kubernetes-1.18/kubernetes-1.18.spec @@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt Source6: kubelet-exec-start-conf Source7: kubelet-bootstrap-kubeconfig Source8: kubernetes-tmpfiles.conf +Source9: kubelet-sysctl.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch @@ -85,6 +86,9 @@ ln -rs \ %{buildroot}%{_sharedstatedir}/kubelet/plugins \ %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins +mkdir -p %{buildroot}%{_cross_sysctldir} +install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf + %cross_scan_attribution --clarify %{S:1000} go-vendor vendor %files -n %{_cross_os}kubelet-1.18 @@ -103,5 +107,6 @@ ln -rs \ %{_cross_tmpfilesdir}/kubernetes.conf %dir %{_cross_libexecdir}/kubernetes %{_cross_libexecdir}/kubernetes/kubelet-plugins +%{_cross_sysctldir}/90-kubelet.conf %changelog diff --git a/packages/kubernetes-1.19/kubelet-config b/packages/kubernetes-1.19/kubelet-config index abb2728384c..793dfc0290c 100644 --- a/packages/kubernetes-1.19/kubelet-config +++ b/packages/kubernetes-1.19/kubelet-config @@ -50,12 +50,14 @@ kubeReserved: ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}" resolvConf: "/etc/resolv.conf" hairpinMode: hairpin-veth +readOnlyPort: 0 cgroupDriver: systemd cgroupRoot: "/" runtimeRequestTimeout: 15m featureGates: RotateKubeletServerCertificate: true CSIMigration: false +protectKernelDefaults: true serializeImagePulls: false serverTLSBootstrap: true configMapAndSecretChangeDetectionStrategy: Cache diff --git a/packages/kubernetes-1.19/kubelet-sysctl.conf b/packages/kubernetes-1.19/kubelet-sysctl.conf new file mode 100644 index 00000000000..ed68c7e197f --- /dev/null +++ b/packages/kubernetes-1.19/kubelet-sysctl.conf @@ -0,0 +1,2 @@ +# Overcommit handling mode - 1: Always overcommit +vm.overcommit_memory = 1 
diff --git a/packages/kubernetes-1.19/kubernetes-1.19.spec b/packages/kubernetes-1.19/kubernetes-1.19.spec index 13561621ea6..65797fa8841 100644 --- a/packages/kubernetes-1.19/kubernetes-1.19.spec +++ b/packages/kubernetes-1.19/kubernetes-1.19.spec @@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt Source6: kubelet-exec-start-conf Source7: kubelet-bootstrap-kubeconfig Source8: kubernetes-tmpfiles.conf +Source9: kubelet-sysctl.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch @@ -82,6 +83,9 @@ ln -rs \ %{buildroot}%{_sharedstatedir}/kubelet/plugins \ %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins +mkdir -p %{buildroot}%{_cross_sysctldir} +install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf + %cross_scan_attribution --clarify %{S:1000} go-vendor vendor %files -n %{_cross_os}kubelet-1.19 @@ -100,5 +104,6 @@ ln -rs \ %{_cross_tmpfilesdir}/kubernetes.conf %dir %{_cross_libexecdir}/kubernetes %{_cross_libexecdir}/kubernetes/kubelet-plugins +%{_cross_sysctldir}/90-kubelet.conf %changelog diff --git a/packages/release/release-sysctl.conf b/packages/release/release-sysctl.conf index a76a372cd89..cdaa7d9a56c 100644 --- a/packages/release/release-sysctl.conf +++ b/packages/release/release-sysctl.conf @@ -2,8 +2,11 @@ # Maximize console logging level for kernel printk messages kernel.printk = 8 4 1 7 -# Wait 30 seconds and then reboot -kernel.panic = 30 +# Wait 10 seconds and then reboot +kernel.panic = 10 + +# Controls the kernel's behaviour when an oops or BUG is encountered +kernel.panic_on_oops = 1 # Allow neighbor cache entries to expire even when the cache is not full net.ipv4.neigh.default.gc_thresh1 = 0
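Review bot: `kernel.panic = 10` and `kernel.panic_on_oops = 1` are now values kubelet verifies at startup (the kubelet-config hunks in this commit set `protectKernelDefaults: true`), but the comments here give no hint of that, so a later edit to either line would stop kubelet from starting. I would reword the comments to say so, e.g. `# Reboot 10 seconds after a panic; kubelet's protectKernelDefaults requires 10` and `# Panic on an oops or BUG instead of continuing; kubelet's protectKernelDefaults requires 1`. The added "Controls the kernel's behaviour" wording also does not say what the value 1 selects. Since this file belongs to the release package, the change presumably reaches every variant, so any oops now reboots the node within 10 seconds; check that console or persistent logging captures the oops text before the reboot.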