diff --git a/pkg/agent/run.go b/pkg/agent/run.go
index 72c772ab8c..8086aa3670 100644
--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@@ -187,6 +187,32 @@ func coreClient(cfg string) (kubernetes.Interface, error) {
 	return kubernetes.NewForConfig(restConfig)
 }
 
+// RunStandalone bootstraps the executor, but does not run the kubelet or containerd.
+// This allows other bits of code that expect the executor to be set up properly to function
+// even when the agent is disabled. It will only return in case of error or context
+// cancellation.
+func RunStandalone(ctx context.Context, cfg cmds.Agent) error {
+	proxy, err := createProxyAndValidateToken(ctx, &cfg)
+	if err != nil {
+		return err
+	}
+
+	nodeConfig := config.Get(ctx, cfg, proxy)
+	if err := executor.Bootstrap(ctx, nodeConfig, cfg); err != nil {
+		return err
+	}
+
+	if cfg.AgentReady != nil {
+		close(cfg.AgentReady)
+	}
+
+	<-ctx.Done()
+	return ctx.Err()
+}
+
+// Run sets up cgroups, configures the LB proxy, and triggers startup
+// of containerd and kubelet. It will only return in case of error or context
+// cancellation.
 func Run(ctx context.Context, cfg cmds.Agent) error {
 	if err := cgroups.Validate(); err != nil {
 		return err
@@ -198,14 +224,23 @@ func Run(ctx context.Context, cfg cmds.Agent) error {
 		}
 	}
 
+	proxy, err := createProxyAndValidateToken(ctx, &cfg)
+	if err != nil {
+		return err
+	}
+
+	return run(ctx, cfg, proxy)
+}
+
+func createProxyAndValidateToken(ctx context.Context, cfg *cmds.Agent) (proxy.Proxy, error) {
 	agentDir := filepath.Join(cfg.DataDir, "agent")
 	if err := os.MkdirAll(agentDir, 0700); err != nil {
-		return err
+		return nil, err
 	}
 
 	proxy, err := proxy.NewSupervisorProxy(ctx, !cfg.DisableLoadBalancer, agentDir, cfg.ServerURL, cfg.LBServerPort)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	for {
@@ -214,7 +249,7 @@ func Run(ctx context.Context, cfg cmds.Agent) error {
 			logrus.Error(err)
 			select {
 			case <-ctx.Done():
-				return ctx.Err()
+				return nil, ctx.Err()
 			case <-time.After(2 * time.Second):
 			}
 			continue
@@ -222,8 +257,7 @@ func Run(ctx context.Context, cfg cmds.Agent) error {
 		cfg.Token = newToken.String()
 		break
 	}
-
-	return run(ctx, cfg, proxy)
+	return proxy, nil
 }
 
 func configureNode(ctx context.Context, agentConfig *daemonconfig.Agent, nodes typedcorev1.NodeInterface) error {
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index 747401dc91..f46afcca44 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@@ -80,8 +80,10 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 			return err
 		}
 		cfg.DataDir = dataDir
-		if err := rootless.Rootless(dataDir); err != nil {
-			return err
+		if !cfg.DisableAgent {
+			if err := rootless.Rootless(dataDir); err != nil {
+				return err
+			}
 		}
 	}
 
@@ -441,12 +443,6 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 		}
 	}()
 
-	if cfg.DisableAgent {
-		close(agentReady)
-		<-ctx.Done()
-		return nil
-	}
-
 	ip := serverConfig.ControlConfig.BindAddress
 	if ip == "" {
 		ip = "127.0.0.1"
@@ -468,7 +464,6 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	agentConfig.DisableServiceLB = serverConfig.DisableServiceLB
 	agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer
 	agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset
-
 	agentConfig.Rootless = cfg.Rootless
 
 	if agentConfig.Rootless {
@@ -484,6 +479,12 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 		agentConfig.APIAddressCh = make(chan []string)
 		go getAPIAddressFromEtcd(ctx, serverConfig, agentConfig)
 	}
+
+	if cfg.DisableAgent {
+		agentConfig.ContainerRuntimeEndpoint = "/dev/null"
+		return agent.RunStandalone(ctx, agentConfig)
+	}
+
 	return agent.Run(ctx, agentConfig)
 }