diff --git a/pkg/controller/migration/convert/network.go b/pkg/controller/migration/convert/network.go
index e98e498c69..441f6dd482 100644
--- a/pkg/controller/migration/convert/network.go
+++ b/pkg/controller/migration/convert/network.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2023, 2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -201,8 +201,8 @@ func handleCalicoCNI(c *components, install *operatorv1.Installation) error {
 	}
 
 	type TuningSpec struct {
-		Sysctl []operatorv1.Sysctl `json:"sysctl,omitempty"`
-		Type   string              `json:"type"`
+		Sysctl *map[string]string `json:"sysctl,omitempty"`
+		Type   string             `json:"type"`
 	}
 
 	// CNI tuning plugin
@@ -219,10 +219,10 @@ func handleCalicoCNI(c *components, install *operatorv1.Installation) error {
 		}
 
 		sysctlTuning := []operatorv1.Sysctl{}
-		for _, setting := range tuningSpecData.Sysctl {
+		for k, v := range *tuningSpecData.Sysctl {
 			sysctl := operatorv1.Sysctl{
-				Key:   setting.Key,
-				Value: setting.Value,
+				Key:   k,
+				Value: v,
 			}
 			sysctlTuning = append(sysctlTuning, sysctl)
 		}
diff --git a/pkg/controller/migration/convert/network_test.go b/pkg/controller/migration/convert/network_test.go
index a7cfba5507..b72212393d 100644
--- a/pkg/controller/migration/convert/network_test.go
+++ b/pkg/controller/migration/convert/network_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2023, 2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -782,20 +782,11 @@ var _ = Describe("Convert network tests", func() {
   },
   {
 	"type": "tuning",
-	"sysctl": [
-		  {
-			"key": "net.ipv4.tcp_keepalive_intvl",
-			"value": "15"
-		  },
-		  {
-			"key": "net.ipv4.tcp_keepalive_probes",
-			"value": "6"
-		  },
-		  {
-			"key": "net.ipv4.tcp_keepalive_time",
-			"value": "40"
-		  }
-		]
+	"sysctl": {
+		"net.ipv4.tcp_keepalive_intvl": "15",
+		"net.ipv4.tcp_keepalive_probes": "6",
+		"net.ipv4.tcp_keepalive_time": "40"
+	}
   }
   ]
 }`,
@@ -846,13 +837,10 @@ var _ = Describe("Convert network tests", func() {
 },
 {
 	"type": "tuning",
-	"sysctl": [
-		{
-		  "key": "net.ipv4.not_allowed",
-		  "value": "40"
-		}
-	]
-  }
+	"sysctl": {
+		"net.ipv4.not_allowed": "40"
+	}
+}
 ]
 }`,
 					}}
diff --git a/pkg/render/node.go b/pkg/render/node.go
index ee44a58c3f..a02f5546bf 100644
--- a/pkg/render/node.go
+++ b/pkg/render/node.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019-2024 Tigera, Inc. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -708,12 +708,18 @@ func (c *nodeComponent) createPortmapPlugin() map[string]interface{} {
 
 func (c *nodeComponent) createTuningPlugin() map[string]interface{} {
 	// tuning plugin (sysctl)
+	sysctl := map[string]string{}
 	tuningPlugin := map[string]interface{}{
 		"type":   "tuning",
-		"sysctl": []operatorv1.Sysctl{},
+		"sysctl": sysctl,
 	}
-	tuningPlugin["sysctl"] = c.cfg.Installation.CalicoNetwork.Sysctl
 
+	// convert []operatorv1.Sysctl{} to map[string]string for CNI definition
+	// details: https://www.cni.dev/plugins/current/meta/tuning/#system-controls-operation
+	for _, v := range c.cfg.Installation.CalicoNetwork.Sysctl {
+		sysctl[v.Key] = v.Value
+	}
+	tuningPlugin["sysctl"] = sysctl
 	return tuningPlugin
 }
 
diff --git a/pkg/render/node_test.go b/pkg/render/node_test.go
index 0bf4fe107d..ca54d62217 100644
--- a/pkg/render/node_test.go
+++ b/pkg/render/node_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019-2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -2748,20 +2748,12 @@ var _ = Describe("Node rendering tests", func() {
       "type": "portmap"
     },
     {
-      "sysctl": [
+      "sysctl":
 		  {
-			"key": "net.ipv4.tcp_keepalive_intvl",
-			"value": "15"
+			"net.ipv4.tcp_keepalive_intvl": "15",
+			"net.ipv4.tcp_keepalive_probes": "6",
+			"net.ipv4.tcp_keepalive_time": "40"
 		  },
-		  {
-			"key": "net.ipv4.tcp_keepalive_probes",
-			"value": "6"
-		  },
-		  {
-			"key": "net.ipv4.tcp_keepalive_time",
-		    "value": "40"
-		  }
-		],
       "type": "tuning"
 	}
   ]