diff --git a/pkg/daemons/agent/agent.go b/pkg/daemons/agent/agent.go
index f7f5870f20e..6f4d1101d8b 100644
--- a/pkg/daemons/agent/agent.go
+++ b/pkg/daemons/agent/agent.go
@@ -56,7 +56,6 @@ func kubelet(cfg *config.Agent) {
 	argsMap := map[string]string{
 		"healthz-bind-address":     "127.0.0.1",
 		"read-only-port":           "0",
-		"allow-privileged":         "true",
 		"cluster-domain":           cfg.ClusterDomain,
 		"kubeconfig":               cfg.KubeConfigKubelet,
 		"eviction-hard":            "imagefs.available<5%,nodefs.available<5%",
@@ -65,6 +64,7 @@ func kubelet(cfg *config.Agent) {
 		//"cgroup-root": "/k3s",
 		"cgroup-driver":                "cgroupfs",
 		"authentication-token-webhook": "true",
+		"anonymous-auth":               "false",
 		"authorization-mode":           modes.ModeWebhook,
 	}
 	if cfg.RootDir != "" {
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index eacef8b72d3..150ccd67e23 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -182,7 +182,7 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
 	argsMap["requestheader-group-headers"] = "X-Remote-Group"
 	argsMap["requestheader-username-headers"] = "X-Remote-User"
 	argsMap["client-ca-file"] = runtime.ClientCA
-	argsMap["enable-admission-plugins"] = "NodeRestriction"
+	argsMap["anonymous-auth"] = "false"
 
 	args := config.GetArgsList(argsMap, cfg.ExtraAPIArgs)