diff --git a/pkg/kubelet/eviction/threshold_notifier_linux.go b/pkg/kubelet/eviction/threshold_notifier_linux.go
index 1d097fd293f..8ac1ac6cf25 100644
--- a/pkg/kubelet/eviction/threshold_notifier_linux.go
+++ b/pkg/kubelet/eviction/threshold_notifier_linux.go
@@ -48,12 +48,12 @@ var _ CgroupNotifier = &linuxCgroupNotifier{}
 func NewCgroupNotifier(path, attribute string, threshold int64) (CgroupNotifier, error) {
 	var watchfd, eventfd, epfd, controlfd int
 	var err error
-	watchfd, err = unix.Open(fmt.Sprintf("%s/%s", path, attribute), unix.O_RDONLY, 0)
+	watchfd, err = unix.Open(fmt.Sprintf("%s/%s", path, attribute), unix.O_RDONLY|unix.O_CLOEXEC, 0)
 	if err != nil {
 		return nil, err
 	}
 	defer unix.Close(watchfd)
-	controlfd, err = unix.Open(fmt.Sprintf("%s/cgroup.event_control", path), unix.O_WRONLY, 0)
+	controlfd, err = unix.Open(fmt.Sprintf("%s/cgroup.event_control", path), unix.O_WRONLY|unix.O_CLOEXEC, 0)
 	if err != nil {
 		return nil, err
 	}
@@ -72,7 +72,7 @@ func NewCgroupNotifier(path, attribute string, threshold int64) (CgroupNotifier,
 			unix.Close(eventfd)
 		}
 	}()
-	epfd, err = unix.EpollCreate1(0)
+	epfd, err = unix.EpollCreate1(unix.EPOLL_CLOEXEC)
 	if err != nil {
 		return nil, err
 	}