diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
index de460ed55cb3..eeb6a54d486e 100644
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@@ -540,6 +540,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 nodeConfig.AgentConfig.Rootless = envInfo.Rootless
 nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, "agent", DefaultPodManifestPath)
 nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
+ nodeConfig.AgentConfig.DisableServiceLB = envInfo.DisableServiceLB
 
 if err := validateNetworkConfig(nodeConfig); err != nil {
 return nil, err
diff --git a/pkg/agent/run.go b/pkg/agent/run.go
index 05179dbd373a..4af679dfc512 100644
--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@@ -96,6 +96,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
 }
 syssetup.Configure(enableIPv6, conntrackConfig)
+ nodeConfig.AgentConfig.EnableIPv6 = enableIPv6
 
 if err := setupCriCtlConfig(cfg, nodeConfig); err != nil {
 return err
diff --git a/pkg/cli/cmds/agent.go b/pkg/cli/cmds/agent.go
index 2158b0b9a428..dc843fb8787f 100644
--- a/pkg/cli/cmds/agent.go
+++ b/pkg/cli/cmds/agent.go
@@ -16,6 +16,7 @@ type Agent struct {
 ServerURL string
 APIAddressCh chan string
 DisableLoadBalancer bool
+ DisableServiceLB bool
 ETCDAgent bool
 LBServerPort int
 ResolvConf string
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index a9e30d0bcbd7..681495f8f008 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
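Review bot: `DisableServiceLB` is added to `cmds.Agent` in the pkg/cli/cmds/agent.go hunk with no flag or doc comment, so unless it is wired up outside this diff a standalone `k3s agent` leaves the field false; the pkg/agent/config/config.go hunk copies that value into `nodeConfig.AgentConfig.DisableServiceLB`, and the `startKubelet` hunk in pkg/daemons/agent/agent.go keys `allowed-unsafe-sysctls` on it, so agent-only nodes would receive the kubelet allowance even when the server runs with servicelb disabled. If that is the intended split, say so on the field, e.g. `// DisableServiceLB is only populated by the agent embedded in a server (pkg/cli/server); a standalone agent leaves it false.`. The `Agent` struct and the `get` and `run` bodies continue outside their hunks.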
@@ -451,6 +451,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 agentConfig.ServerURL = url
 agentConfig.Token = token
 agentConfig.DisableLoadBalancer = !serverConfig.ControlConfig.DisableAPIServer
+ agentConfig.DisableServiceLB = serverConfig.DisableServiceLB
 agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer
 agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset
 
diff --git a/pkg/daemons/agent/agent.go b/pkg/daemons/agent/agent.go
index 3e0a8575d08c..131772a6a6bb 100644
--- a/pkg/daemons/agent/agent.go
+++ b/pkg/daemons/agent/agent.go
@@ -190,6 +190,10 @@ func startKubelet(cfg *config.Agent) error {
 argsMap["protect-kernel-defaults"] = "true"
 }
 
+ if !cfg.DisableServiceLB && cfg.EnableIPv6 {
+ argsMap["allowed-unsafe-sysctls"] = "net.ipv6.conf.all.forwarding"
+ }
+
 args := config.GetArgsList(argsMap, cfg.ExtraKubeletArgs)
 logrus.Infof("Running kubelet %s", config.ArgString(args))
 
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index f9546e137edd..fdfe37816efc 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -100,6 +100,8 @@ type Agent struct {
 DisableKubeProxy bool
 Rootless bool
 ProtectKernelDefaults bool
+ DisableServiceLB bool
+ EnableIPv6 bool
 }
 
 type Control struct {
@@ -122,6 +124,7 @@ type Control struct {
 ClusterDNS net.IP
 ClusterDNSs []net.IP
 ClusterDomain string
+ DisableServiceLB bool
 NoCoreDNS bool
 KubeConfigOutput string
 KubeConfigMode string
diff --git a/pkg/servicelb/controller.go b/pkg/servicelb/controller.go
index a232b129e868..65cfb70dbc1c 100644
--- a/pkg/servicelb/controller.go
+++ b/pkg/servicelb/controller.go
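Review bot: `argsMap["allowed-unsafe-sysctls"]` in the pkg/daemons/agent/agent.go hunk widens kubelet policy for the whole node, not only for svclb pods: once the kubelet accepts `net.ipv6.conf.all.forwarding`, any pod scheduled onto that node may request it through `securityContext.sysctls`, and the `!cfg.DisableServiceLB && cfg.EnableIPv6` condition only decides whether the allowance is granted, not who may use it. That deserves a comment at the assignment, e.g. `// Node-wide allowance: any pod on this node may now request this sysctl, not just the svclb DaemonSet that needs it for IPv6 forwarding.`. Also worth confirming how `config.GetArgsList` (not visible here) merges this entry with an `allowed-unsafe-sysctls` value an operator already passes via `ExtraKubeletArgs`; if the operator's list wins and lacks this entry, the DaemonSet pods built in pkg/servicelb/controller.go are rejected by the kubelet. `startKubelet` and both struct types continue outside their hunks.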
@@ -350,6 +350,14 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 name := fmt.Sprintf("svclb-%s", svc.Name)
 oneInt := intstr.FromInt(1)
 
+ // If ipv6 is present, we must enable ipv6 forwarding in the manifest
+ var ipv6Switch bool
+ for _, ipFamily := range svc.Spec.IPFamilies {
+ if ipFamily == core.IPv6Protocol {
+ ipv6Switch = true
+ }
+ }
+
 ds := &apps.DaemonSet{
 ObjectMeta: meta.ObjectMeta{
 Name: name,
@@ -394,6 +402,19 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 },
 }
 
+ if ipv6Switch {
+ // Add security context to enable ipv6 forwarding
+ securityContext := &core.PodSecurityContext{
+ Sysctls: []core.Sysctl{
+ {
+ Name: "net.ipv6.conf.all.forwarding",
+ Value: "1",
+ },
+ },
+ }
+ ds.Spec.Template.Spec.SecurityContext = securityContext
+ }
+
 for _, port := range svc.Spec.Ports {
 portName := fmt.Sprintf("lb-port-%d", port.Port)
 container := core.Container{
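Review bot: The `IPFamilies` loop in the first pkg/servicelb/controller.go hunk keeps iterating after it has already found `core.IPv6Protocol`; adding `break` right after `ipv6Switch = true` (or lifting the loop into a small `hasIPv6Family(svc)` helper that returns on the first match) makes the intent obvious. The leading comment could also say what the flag drives and what it depends on, e.g. `// ipv6Switch selects the pod sysctl added below; the kubelet must allow that sysctl (see startKubelet) or the pods are rejected.`. `newDaemonSet` continues outside the hunk.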
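Review bot: In the second pkg/servicelb/controller.go hunk the `ds.Spec.Template.Spec.SecurityContext = securityContext` assignment replaces whatever the DaemonSet literal above (cut from the hunk) may already have put there, and it requests a sysctl the kubelet only admits when `allowed-unsafe-sysctls` lists it — which pkg/daemons/agent/agent.go sets per node from `cfg.EnableIPv6`, so a Service with an IPv6 family whose svclb pod lands on a node where IPv6 was not detected is rejected by that node's kubelet rather than failing in a way the controller reports. If Pod Security admission is enforced at the baseline level in the Service's namespace, that policy also refuses sysctls outside its allowed set, so these pods would not be created there at all. Document the coupling at the block, e.g. `// Requires the node kubelet to list net.ipv6.conf.all.forwarding in allowed-unsafe-sysctls (see startKubelet); PSA baseline enforcement also rejects this sysctl.`, and prefer appending to an existing `SecurityContext.Sysctls` when one is present instead of overwriting the whole context. `newDaemonSet` continues outside the hunk.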