diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go index 81131242c5..0a001b18c4 100644 --- a/pkg/agent/config/config.go +++ b/pkg/agent/config/config.go @@ -348,6 +348,9 @@ func get(envInfo *cmds.Agent) (*config.Node, error) { nodeConfig.AgentConfig.KubeConfigNode = kubeconfigNode nodeConfig.AgentConfig.KubeConfigKubelet = kubeconfigKubelet nodeConfig.AgentConfig.KubeConfigKubeProxy = kubeconfigKubeproxy + if envInfo.Rootless { + nodeConfig.AgentConfig.RootDir = filepath.Join(envInfo.DataDir, "kubelet") + } nodeConfig.AgentConfig.PauseImage = envInfo.PauseImage nodeConfig.AgentConfig.IPSECPSK = controlConfig.IPSECPSK nodeConfig.AgentConfig.StrongSwanDir = filepath.Join(envInfo.DataDir, "strongswan") @@ -400,6 +403,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) { nodeConfig.AgentConfig.PrivateRegistry = envInfo.PrivateRegistry nodeConfig.AgentConfig.DisableCCM = controlConfig.DisableCCM nodeConfig.AgentConfig.DisableNPC = controlConfig.DisableNPC + nodeConfig.AgentConfig.Rootless = envInfo.Rootless return nodeConfig, nil } diff --git a/pkg/agent/run.go b/pkg/agent/run.go index 8c96d89b0e..aaf24976c7 100644 --- a/pkg/agent/run.go +++ b/pkg/agent/run.go @@ -91,7 +91,7 @@ func Run(ctx context.Context, cfg cmds.Agent) error { return err } - if cfg.Rootless { + if cfg.Rootless && !cfg.RootlessAlreadyUnshared { if err := rootless.Rootless(cfg.DataDir); err != nil { return err } diff --git a/pkg/cli/cmds/agent.go b/pkg/cli/cmds/agent.go index 3492622819..b376009c2a 100644 --- a/pkg/cli/cmds/agent.go +++ b/pkg/cli/cmds/agent.go @@ -26,6 +26,7 @@ type Agent struct { FlannelConf string Debug bool Rootless bool + RootlessAlreadyUnshared bool AgentShared ExtraKubeletArgs cli.StringSlice ExtraKubeProxyArgs cli.StringSlice diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go index 674d33eccd..d58277ff3b 100644 --- a/pkg/cli/server/server.go +++ b/pkg/cli/server/server.go 
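Review bot: In the first config.go hunk, the rootless branch points the kubelet root directory at `filepath.Join(envInfo.DataDir, "kubelet")`, but nothing visible here creates that directory or restricts its mode. It will hold pod volume data, which can include mounted secrets and service-account tokens, and in rootless mode DataDir presumably sits under an unprivileged user's home. I would create it up front with `os.MkdirAll(nodeConfig.AgentConfig.RootDir, 0700)` and return the error, or add a comment naming where the mode is enforced. get() starts and ends outside the hunk, so this may already be handled elsewhere.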
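Review bot: `RootlessAlreadyUnshared` in the run.go hunk makes Run skip `rootless.Rootless(cfg.DataDir)` purely on the caller's say-so, and the field is added to the exported `cmds.Agent` struct (pkg/cli/cmds/agent.go hunk) without a comment. The only writer visible is the server.go hunk, which sets it whenever `cfg.Rootless` is true; whether the server has actually entered the user namespace by then is not visible in this diff. If the field is ever true without the unshare having happened, the agent would apply the rootless kubelet flags while running outside the namespace. I would document the contract on the field, e.g. `// RootlessAlreadyUnshared is set only by the embedded server after it has unshared; never bind it to a CLI flag or env var`. Deriving it from process state rather than a caller-supplied bool would be stronger still.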
@@ -187,6 +187,11 @@ func run(app *cli.Context, cfg *cmds.Server) error { agentConfig.ServerURL = url agentConfig.Token = token agentConfig.DisableLoadBalancer = true + agentConfig.Rootless = cfg.Rootless + if agentConfig.Rootless { + // let agent specify Rootless kubelet flags, but not unshare twice + agentConfig.RootlessAlreadyUnshared = true + } return agent.Run(ctx, agentConfig) } diff --git a/pkg/daemons/agent/agent.go b/pkg/daemons/agent/agent.go index b7d5709c94..d4b38aa4cb 100644 --- a/pkg/daemons/agent/agent.go +++ b/pkg/daemons/agent/agent.go @@ -137,6 +137,14 @@ func kubelet(cfg *config.Agent) { argsMap["cloud-provider"] = "external" } + if cfg.Rootless { + // flags are from https://github.com/rootless-containers/usernetes/blob/v20190826.0/boot/kubelet.sh + argsMap["cgroup-driver"] = "none" + argsMap["feature-gates=SupportNoneCgroupDriver"] = "true" + argsMap["cgroups-per-qos"] = "false" + argsMap["enforce-node-allocatable"] = "" + } + args := config.GetArgsList(argsMap, cfg.ExtraKubeletArgs) command.SetArgs(args) diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go index d84f433643..655dc816cd 100644 --- a/pkg/daemons/config/types.go +++ b/pkg/daemons/config/types.go @@ -80,6 +80,7 @@ type Agent struct { PrivateRegistry string DisableCCM bool DisableNPC bool + Rootless bool } type Control struct {
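Review bot: The rootless branch in kubelet() (pkg/daemons/agent/agent.go hunk) switches cgroup management off entirely with `cgroup-driver=none`, `cgroups-per-qos=false` and an empty `enforce-node-allocatable`, so pod CPU and memory limits are presumably not enforced on such a node, and the comment only cites where the flags came from. I would say so in the comment, e.g. `// rootless: no cgroup driver, so pod resource limits and node-allocatable are NOT enforced`, and consider logging a warning at startup so operators know one pod can starve the others. Separately, `argsMap["feature-gates=SupportNoneCgroupDriver"] = "true"` puts part of the value into the map key. A `feature-gates` entry in `cfg.ExtraKubeletArgs` would then not share a key with it, and GetArgsList is not shown here, so confirm how the two end up on the command line. kubelet() starts and ends outside the hunk.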