diff --git a/pkg/kubelet/sysctl/safe_sysctls.go b/pkg/kubelet/sysctl/safe_sysctls.go
index 601b88de75e..c182cb96cc2 100644
--- a/pkg/kubelet/sysctl/safe_sysctls.go
+++ b/pkg/kubelet/sysctl/safe_sysctls.go
@@ -16,12 +16,43 @@ limitations under the License.
 
 package sysctl
 
+import (
+	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/proxy/ipvs"
+)
+
+const ipLocalReservedPortsMinNamespacedKernelVersion = "3.16"
+
+var safeSysctls = []string{
+	"kernel.shm_rmid_forced",
+	"net.ipv4.ip_local_port_range",
+	"net.ipv4.tcp_syncookies",
+	"net.ipv4.ping_group_range",
+	"net.ipv4.ip_unprivileged_port_start",
+}
+
 // SafeSysctlAllowlist returns the allowlist of safe sysctls and safe sysctl patterns (ending in *).
 //
 // A sysctl is called safe iff
 // - it is namespaced in the container or the pod
 // - it is isolated, i.e. has no influence on any other pod on the same node.
 func SafeSysctlAllowlist() []string {
+	kernelVersionStr, err := ipvs.NewLinuxKernelHandler().GetKernelVersion()
+	if err != nil {
+		klog.ErrorS(err, "Failed to get kernel version.")
+		return safeSysctls
+	}
+	kernelVersion, err := version.ParseGeneric(kernelVersionStr)
+	if err != nil {
+		klog.ErrorS(err, "Failed to parse kernel version.")
+		return safeSysctls
+	}
+	// ip_local_reserved_ports has been changed to namesapced since kernel v3.16.
+	// refer to https://github.com/torvalds/linux/commit/122ff243f5f104194750ecbc76d5946dd1eec934.
+	if kernelVersion.LessThan(version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)) {
+		return safeSysctls
+	}
 	return []string{
 		"kernel.shm_rmid_forced",
 		"net.ipv4.ip_local_port_range",