diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml
index 4c5e5b850..16c7e12ca 100644
--- a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml
+++ b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml
@@ -103,6 +103,9 @@ spec: kubeletExtraArgs: cloud-provider: external name: '{{ ds.meta_data.local_hostname }}'
+ postKubeadmCommands:
+ - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+ - chmod 600 /var/lib/kubelet/config.yaml
--- apiVersion: infrastructure.cluster.x-k8s.io/v1beta2 kind: AWSMachineTemplate
@@ -142,3 +145,6 @@ spec: kubeletExtraArgs: cloud-provider: external name: '{{ ds.meta_data.local_hostname }}'
+ postKubeadmCommands:
+ - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+ - chmod 600 /var/lib/kubelet/config.yaml
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml
index d924b1017..d3cbec1a7 100644
--- a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml
+++ b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml
@@ -94,6 +94,9 @@ spec: nodeRegistration: {} joinConfiguration: nodeRegistration: {}
+ postKubeadmCommands:
+ - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+ - chmod 600 /var/lib/kubelet/config.yaml
--- apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 kind: DockerMachineTemplate
@@ -132,3 +135,6 @@ spec: spec: joinConfiguration: nodeRegistration: {}
+ postKubeadmCommands:
+ - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+ - chmod 600 /var/lib/kubelet/config.yaml
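Review bot: The added `chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"` fails open on hosts whose systemd predates the `-P` shorthand (introduced in v246 as far as I recall, so a 245-based image such as Ubuntu 20.04 is affected): the substitution expands to an empty string, `chmod 600 ""` errors, and because postKubeadmCommands run after the kubeadm step that writes the bootstrap-success sentinel, the node still joins with the unit file at its package default and nothing surfaces the missed control. The long form `systemctl show --value --property=FragmentPath kubelet.service` is supported much further back (v230 if memory serves) at no cost, and an explicit emptiness check makes the failure visible: `- 'f="$(systemctl show --value --property=FragmentPath kubelet.service)"; test -n "$f" && chmod 600 "$f"'`. Whether a non-zero exit from a postKubeadmCommand is fatal depends on how the bootstrap provider wires these into cloud-init's runcmd (no `set -e` in my reading), so that is worth confirming rather than assuming. The same three-line stanza appears in all six chart hunks; these files are generated from hack/examples, so the fix belongs in the kustomize patch rather than here. The enclosing template spec starts outside the hunk.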
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
index e81b4e74c..2702abc3b 100644
--- a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
+++ b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
@@ -15,6 +15,8 @@ spec: tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 postKubeadmCommands: - echo "after kubeadm call" > /var/log/postkubeadm.log
+ - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+ - chmod 600 /var/lib/kubelet/config.yaml
preKubeadmCommands: - echo "before kubeadm call" > /var/log/prekubeadm.log - hostnamectl set-hostname "{{ ds.meta_data.hostname }}"
@@ -223,6 +225,9 @@ spec: - echo "127.0.0.1 {{ ds.meta_data.hostname }}" >> /etc/hosts useExperimentalRetryJoin: true verbosity: 10
+ postKubeadmCommands:
+ - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+ - chmod 600 /var/lib/kubelet/config.yaml
--- apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 kind: NutanixClusterTemplate
diff --git a/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl
index 682bc2c53..6a7efb134 100644
--- a/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl
+++ b/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl
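Review bot: Both nutanix hunks only set the mode on the kubelet unit file and `/var/lib/kubelet/config.yaml`, while the CIS controls these map to (4.1.1 and 4.1.9 for permissions) have paired ownership controls (4.1.2 and 4.1.10, `root:root`) that the change does not touch; if the goal is a clean CIS run, a `chown root:root` on the same two paths belongs next to the `chmod`s. Also, kube-bench's 4.1.1 audit walks a list of candidate service files and, on a kubeadm node, as far as I recall picks `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` before the unit's `FragmentPath`, so that drop-in may need the same treatment for the scanner to report a pass. A one-line comment naming the controls above the new entries would keep later edits honest, e.g. `# CIS 4.1.1 / 4.1.9: kubelet service file and kubelet config must be 600 or stricter`. The surrounding template specs begin and end outside these hunks.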
@@ -69,4 +69,16 @@ patches: - target: kind: KubeadmControlPlaneTemplate path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/initialize-postkubeadmcommands.yaml
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/kubelet-file-permissions.yaml
+ - target:
+ kind: KubeadmConfigTemplate
+ path: ../../../patches/initialize-postkubeadmcommands.yaml
+ - target:
+ kind: KubeadmConfigTemplate
+ path: ../../../patches/kubelet-file-permissions.yaml
# END CIS patches
diff --git a/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl
index d2706f020..3f4b42de9 100644
--- a/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl
+++ b/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl
@@ -30,4 +30,16 @@ patches: - target: kind: KubeadmControlPlaneTemplate path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/initialize-postkubeadmcommands.yaml
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/kubelet-file-permissions.yaml
+ - target:
+ kind: KubeadmConfigTemplate
+ path: ../../../patches/initialize-postkubeadmcommands.yaml
+ - target:
+ kind: KubeadmConfigTemplate
+ path: ../../../patches/kubelet-file-permissions.yaml
# END CIS patches
diff --git a/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl
index 90c13c876..91d95f88a 100644
--- a/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl
+++ b/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl
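Review bot: The four new patch entries are order-sensitive and nothing in the file says so: `kubelet-file-permissions.yaml` appends via `/spec/template/spec/postKubeadmCommands/-`, which RFC 6902 rejects when the array does not exist, so `initialize-postkubeadmcommands.yaml` must precede it for each kind — and because a JSON-patch `add` on an existing member replaces it, the initializer must never target a template that already carries postKubeadmCommands, or those entries vanish without any error. Kustomize applies the list in order, so this works today, but a reorder or a new base entry breaks it silently. A comment above the group would pin the invariant, e.g. `# initialize-postkubeadmcommands must come before kubelet-file-permissions ("/-" needs the list to exist) and must only target templates with no existing postKubeadmCommands (add replaces)`. The docker hunk on this line has the identical structure, so the same comment applies there.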
@@ -30,4 +30,13 @@ patches: - target: kind: KubeadmControlPlaneTemplate path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/initialize-postkubeadmcommands.yaml
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/kubelet-file-permissions.yaml
+ - target:
+ kind: KubeadmConfigTemplate
+ path: ../../../patches/kubelet-file-permissions.yaml
# END CIS patches
diff --git a/hack/examples/patches/initialize-postkubeadmcommands.yaml b/hack/examples/patches/initialize-postkubeadmcommands.yaml
new file mode 100644
index 000000000..9da1fd703
--- /dev/null
+++ b/hack/examples/patches/initialize-postkubeadmcommands.yaml
@@ -0,0 +1,6 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+- op: add
+ path: /spec/template/spec/postKubeadmCommands
+ value: []
diff --git a/hack/examples/patches/kubelet-file-permissions.yaml b/hack/examples/patches/kubelet-file-permissions.yaml
new file mode 100644
index 000000000..af2d957e4
--- /dev/null
+++ b/hack/examples/patches/kubelet-file-permissions.yaml
@@ -0,0 +1,9 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+- op: add
+ path: /spec/template/spec/postKubeadmCommands/-
+ value: chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+- op: add
+ path: /spec/template/spec/postKubeadmCommands/-
+ value: chmod 600 /var/lib/kubelet/config.yaml
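Review bot: Unlike the aws and docker overlays, this hunk applies `initialize-postkubeadmcommands.yaml` to `KubeadmControlPlaneTemplate` only and appends to `KubeadmConfigTemplate` without initializing it; that is correct only if the nutanix base already defines `postKubeadmCommands` on the worker template (the `echo "after kubeadm call"` context in the nutanix chart diff suggests one of the two templates does), and adding the initializer there would replace that list under JSON-patch `add` semantics. The asymmetry reads like an omission to anyone comparing the three overlays, so the KubeadmConfigTemplate entry deserves a comment, e.g. `# no initializer here: the base KubeadmConfigTemplate already defines postKubeadmCommands; "add" would replace it`. A missing list should make kustomize fail loudly on the `/-` append, but a present one renders silently either way, so it is worth eyeballing the generated chart for the worker template's two chmod lines.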
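Review bot: The new `initialize-postkubeadmcommands.yaml` carries only a license header, and its one operation has a non-obvious side effect that the file should state: per RFC 6902, `add` on a path that already exists replaces the member, so targeting a template that has postKubeadmCommands throws those entries away rather than leaving them alone. A header comment above the operation would prevent the next overlay author from tripping on this, e.g. `# Creates an empty postKubeadmCommands list so later patches can append with "/-". WARNING: "add" REPLACES an existing list — only target templates that do not define postKubeadmCommands.`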
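Review bot: The new `kubelet-file-permissions.yaml` does not say which controls it implements or what it assumes about the node, which matters because it is shared by the aws, docker and nutanix overlays: the first operation assumes a systemd host with a `kubelet.service` unit whose `FragmentPath` resolves (the CAPD docker nodes are included in the overlays, so that assumption is being made for kind-style images too), and the second assumes kubeadm's default kubelet config path. A short header would make both explicit, e.g. `# CIS 4.1.1 and 4.1.9: kubelet service file and /var/lib/kubelet/config.yaml must be 600 or stricter. Assumes a systemd host; appended to postKubeadmCommands so it runs after kubeadm has written config.yaml.` The ownership controls that usually accompany these (4.1.2 / 4.1.10, `root:root`) are not covered here, and the header should say so if that is deliberate.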