diff --git a/contrib/util/check-config.sh b/contrib/util/check-config.sh
index c5f9dd3cd7..9c48deebc1 100755
--- a/contrib/util/check-config.sh
+++ b/contrib/util/check-config.sh
@@ -410,11 +410,12 @@ flags="
 NET_CLS_CGROUP $netprio CFS_BANDWIDTH FAIR_GROUP_SCHED RT_GROUP_SCHED IP_NF_TARGET_REDIRECT
+ IP_SET
 IP_VS IP_VS_NFCT IP_VS_PROTO_TCP IP_VS_PROTO_UDP
- IP_VS_RR
+ IP_VS_RR
 "
 check_flags $flags
diff --git a/pkg/agent/netpol/network_policy.go b/pkg/agent/netpol/network_policy.go
index 65e93c6abe..497c96adca 100644
--- a/pkg/agent/netpol/network_policy.go
+++ b/pkg/agent/netpol/network_policy.go
@@ -5,11 +5,17 @@ import (
 "time"
 "github.com/rancher/k3s/pkg/daemons/config"
+ "github.com/sirupsen/logrus"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/tools/clientcmd"
 )
 func Run(ctx context.Context, nodeConfig *config.Node) error {
+ if _, err := NewSavedIPSet(false); err != nil {
+ logrus.Warnf("Skipping network policy controller start, ipset unavailable: %v", err)
+ return nil
+ }
+
 restConfig, err := clientcmd.BuildConfigFromFlags("", nodeConfig.AgentConfig.KubeConfigK3sController)
 if err != nil {
 return err
diff --git a/pkg/agent/netpol/network_policy_controller.go b/pkg/agent/netpol/network_policy_controller.go
index ade765529b..de65599575 100644
--- a/pkg/agent/netpol/network_policy_controller.go
+++ b/pkg/agent/netpol/network_policy_controller.go
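Review bot: IP_SET on its own only covers the ipset core, so a kernel can pass this check and still be unable to create the set types the controller needs or to match them from iptables. If the netpol code creates hash:ip / hash:net sets and matches them with `-m set` (I cannot see the set types from this diff), `IP_SET_HASH_IP`, `IP_SET_HASH_NET` and `NETFILTER_XT_SET` belong in the same flags list; confirm against the set types actually used before adding them. The `- IP_VS_RR` / `+ IP_VS_RR` pair reads as a whitespace-only fix and needs nothing further.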
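Review bot: The new guard in Run turns a missing or broken ipset into a nil return, so the agent keeps running with NetworkPolicy objects silently unenforced on that node, and a single Warnf is the only trace of it. Because this is a security control being switched off rather than an optional feature, it should at least be logged at error level and say so plainly, e.g. `logrus.Errorf("Network policy controller disabled, NetworkPolicy will not be enforced on this node: ipset unavailable: %v", err)`; returning the error, or making the skip an explicit opt-in, would be safer than a silent skip. The probe also discards the *IPSet it obtained, so NewNetworkPolicyController (which calls NewSavedIPSet again in the next file) will run `ipset save` a second time; if the constructor can take an instance, pass this one through. Run's body continues outside the hunk.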
@@ -934,13 +934,9 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
 if err != nil {
 log.Fatalf("failed to initialize iptables command executor due to %s", err.Error())
 }
- ipsets, err := NewIPSet(false)
+ ipset, err := NewSavedIPSet(false)
 if err != nil {
- log.Fatalf("failed to create ipsets command executor due to %s", err.Error())
- }
- err = ipsets.Save()
- if err != nil {
- log.Fatalf("failed to initialize ipsets command executor due to %s", err.Error())
+ log.Fatalf("failed to create ipset command executor due to %s", err.Error())
 }
 // get the list of chains created for pod firewall and network policies
@@ -957,7 +953,7 @@ func cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIPSets
 }
 }
 }
- for _, set := range ipsets.Sets {
+ for _, set := range ipset.Sets {
 if strings.HasPrefix(set.Name, kubeSourceIPSetPrefix) ||
 strings.HasPrefix(set.Name, kubeDestinationIPSetPrefix) {
 if _, ok := activePolicyIPSets[set.Name]; !ok {
@@ -1605,11 +1601,7 @@ func (npc *NetworkPolicyController) Cleanup() {
 }
 // delete all ipsets
- ipset, err := NewIPSet(false)
- if err != nil {
- log.Errorf("Failed to clean up ipsets: " + err.Error())
- }
- err = ipset.Save()
+ ipset, err := NewSavedIPSet(false)
 if err != nil {
 log.Errorf("Failed to clean up ipsets: " + err.Error())
 }
@@ -1719,11 +1711,7 @@ func NewNetworkPolicyController(
 }
 npc.nodeIP = nodeIP
- ipset, err := NewIPSet(false)
- if err != nil {
- return nil, err
- }
- err = ipset.Save()
+ ipset, err := NewSavedIPSet(false)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/agent/netpol/utils.go b/pkg/agent/netpol/utils.go
index c4c7a48950..ba7729e5dd 100644
--- a/pkg/agent/netpol/utils.go
+++ b/pkg/agent/netpol/utils.go
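Review bot: In the Cleanup hunk (@@ -1605) the error from NewSavedIPSet is logged but execution falls through with a nil `ipset`, so any use of it after the hunk (Cleanup's body continues outside it) would dereference nil; the old code had the same shape, but now that the constructor also runs `ipset save` the failure path is reachable on any node without a working ipset, which is exactly the case the Run guard in network_policy.go was added for. Add a return after the log call: `log.Errorf("Failed to clean up ipsets: " + err.Error()); return`. The cleanupStaleRules and NewNetworkPolicyController hunks already terminate on error (Fatalf and `return nil, err`) and need no change.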
@@ -152,8 +152,8 @@ func (ipset *IPSet) runWithStdin(stdin *bytes.Buffer, args ...string) (string, e
 return stdout.String(), nil
 }
-// NewIPSet create a new IPSet with ipSetPath initialized.
-func NewIPSet(isIpv6 bool) (*IPSet, error) {
+// NewSavedIPSet create a new IPSet with ipSetPath initialized.
+func NewSavedIPSet(isIpv6 bool) (*IPSet, error) {
 ipSetPath, err := getIPSetPath()
 if err != nil {
 return nil, err
@@ -163,6 +163,9 @@ func NewIPSet(isIpv6 bool) (*IPSet, error) {
 Sets: make(map[string]*Set),
 isIpv6: isIpv6,
 }
+ if err := ipSet.Save(); err != nil {
+ return nil, err
+ }
 return ipSet, nil
 }
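Review bot: The renamed doc comment on NewSavedIPSet still describes the old contract ("create a new IPSet with ipSetPath initialized") and does not mention that the constructor now also calls Save (second hunk, @@ -163) and fails when that fails, which is precisely the behaviour the callers in network_policy.go and network_policy_controller.go now rely on to detect an unusable ipset. Suggest `// NewSavedIPSet creates an IPSet with ipSetPath initialized and then calls Save, so it also returns an error when the ipset binary cannot be run; callers can range over Sets immediately.` — the last clause assumes Save fills Sets from the current ipset state, which cleanupStaleRules' use of `ipset.Sets` suggests but this file does not show, so confirm it before committing to that wording. "create" should also read "creates" to follow the Go doc-comment convention.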