diff --git a/helm/kanister-operator/templates/deployment.yaml b/helm/kanister-operator/templates/deployment.yaml
index a560e5d0a69..2955fde8b31 100644
--- a/helm/kanister-operator/templates/deployment.yaml
+++ b/helm/kanister-operator/templates/deployment.yaml
@@ -14,6 +14,10 @@ spec:
 labels:
 {{ include "kanister-operator.helmLabels" . | indent 8}}
 spec:
+{{- if .Values.podSecurityContext }}
+ securityContext:
+ {{ toYaml .Values.podSecurityContext | indent 6 }}
+{{- end }}
 serviceAccountName: {{ template "kanister-operator.serviceAccountName" . }}
 {{- if or .Values.bpValidatingWebhook.enabled .Values.validatingWebhook.repositoryserver.enabled }}
 volumes:
@@ -29,6 +33,10 @@ spec:
 - name: {{ template "kanister-operator.fullname" . }}
 image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- if .Values.containerSecurityContext }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | indent 8 }}
+{{- end }}
 {{- if .Values.bpValidatingWebhook.enabled }}
 volumeMounts:
 - name: webhook-certs
@@ -53,6 +61,10 @@ spec:
 - name: {{ template "repository-server-controller.name" . }}
 image: {{ .Values.repositoryServerControllerImage.registry }}/{{ .Values.repositoryServerControllerImage.name }}:{{ .Values.repositoryServerControllerImage.tag }}
 imagePullPolicy: {{ .Values.repositoryServerControllerImage.pullPolicy }}
+{{- if .Values.containerSecurityContext }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | indent 8 }}
+{{- end }}
 {{- if .Values.validatingWebhook.repositoryserver.enabled }}
 volumeMounts:
 - name: webhook-certs
diff --git a/helm/kanister-operator/values.yaml b/helm/kanister-operator/values.yaml
index 6de036f300d..991e078fb28 100644
--- a/helm/kanister-operator/values.yaml
+++ b/helm/kanister-operator/values.yaml
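Review bot: `{{ toYaml .Values.podSecurityContext | indent 6 }}` in the first hunk places the pod securityContext children at column 6, which is the column of the `securityContext:` key itself when the action sits at column 0 (the `labels:` include two lines above uses `indent 8` for a key at the same depth), so the rendered pod spec would carry an empty `securityContext` followed by `runAsUser`/`fsGroup` as stray pod-spec fields; if the action is itself indented, `indent` prefixes only the first line with that extra whitespace and the block is mis-indented either way. The collapsed diff hides the original columns, so confirm with `helm template`, but `{{- toYaml .Values.podSecurityContext | nindent 8 }}` on the line after `securityContext:` renders correctly wherever the action is placed. The second and third hunks raise the same question for the container-level `securityContext:` with `indent 8`, whose children must sit two columns deeper than the `image:`/`imagePullPolicy:` keys it joins; `nindent` with the matching width avoids it there too. Because a wrong indent silently drops the hardening this change intends, rendering the chart and running `kubectl apply --dry-run=server` in CI would catch a regression.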
@@ -89,3 +89,23 @@ tolerations: []
 #
 # node labels for pod assignment. Evaluated as template
 nodeSelector: {}
+
+# Pod-level security context settings
+podSecurityContext:
+ runAsUser: 1000
+ fsGroup: 2000
+ runAsNonRoot: true
+ # SELinux options can be specified here if required
+ # seLinuxOptions:
+ # level: "s0:c123,c456"
+
+# Container-level security context settings
+containerSecurityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ # AllowPrivilegeEscalation should be disabled for security
+ allowPrivilegeEscalation: false
+
\ No newline at end of file
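Review bot: `podSecurityContext` is missing `seccompProfile`, which the Pod Security Standards "restricted" profile requires alongside the `runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` settings the hunk already sets, so the pod would still be refused in a namespace labelled `pod-security.kubernetes.io/enforce: restricted`; adding `seccompProfile:` / `  type: RuntimeDefault` under `podSecurityContext` closes that gap. `readOnlyRootFilesystem: true` is applied to both controller containers, and if either writes under `/tmp` at runtime an `emptyDir` mount is needed that this change does not add, so verify that against the controllers before defaulting it on. The hunk also ends with a trailing empty `+` line and `\ No newline at end of file`; drop the blank line and end the file with a single newline.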