diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
index a9d32a6e6..e6dd7d1a1 100644
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -43,6 +43,10 @@ spec:
 - min: 1
 max: 65535
 readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+ forbiddenSysctls:
+ - '*'
+{% endif %}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -75,3 +79,8 @@ spec:
 fsGroup:
 rule: 'RunAsAny'
 readOnlyRootFilesystem: false
+{% if kube_version is version('v1.12.1', '>=') %}
+ # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+ allowedUnsafeSysctls:
+ - '*'
+{% endif %}
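Review bot: `forbiddenSysctls: - '*'` in the first hunk blocks not only unsafe sysctls but also the namespaced "safe" ones that PSP admission allows by default when neither sysctl field is set, so any pod under this policy that sets e.g. `net.ipv4.ip_local_port_range` in securityContext.sysctls will now be rejected, and the hunk gives no rationale for that stricter-than-default choice. That is a defensible default for a restricted profile, but it should be stated so the next maintainer does not "fix" it by deleting the field; I would add above it `# Reject every sysctl, safe ones included; replace '*' with explicit patterns if workloads need namespaced sysctls`. The version guard is worth keeping as is, since the sysctl fields only exist on PodSecurityPolicy from v1.12 and an older API server would presumably drop the field silently rather than enforce it. The enclosing PodSecurityPolicy spec starts outside the hunk.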
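Review bot: The comment `# This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags` in the second hunk does not say what fails: the PodSecurityPolicy object itself is accepted with a wildcard, and it is the pod that passes admission and is then refused by the kubelet when its `--allowed-unsafe-sysctls` list does not cover the requested name (as far as I recall it surfaces as a SysctlForbidden pod status), which is exactly the place an operator will not look first. Suggest `# '*' lets pods under this policy request any unsafe (non-namespaced, node-wide) sysctl; the kubelet still rejects such pods unless --allowed-unsafe-sysctls lists the same names`. Because the wildcard only does something when both sides agree, it would be safer to render this list and the kubelet flag from one shared variable instead of hard-coding `'*'` here, so that drift between the two cannot produce pods that clear admission and then never start. Note also that unsafe sysctls are not namespaced, so a wildcard here means any workload admitted under this policy can change kernel parameters for the whole node, which is consistent with a privileged profile but should be said explicitly. The enclosing spec begins outside the hunk.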