diff --git a/charts/flagger/templates/deployment.yaml b/charts/flagger/templates/deployment.yaml
index 93884ace5..eaa185d7a 100644
--- a/charts/flagger/templates/deployment.yaml
+++ b/charts/flagger/templates/deployment.yaml
@@ -189,6 +189,10 @@ spec:
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext:
+{{ toYaml .Values.podSecurityContext.context | indent 8 }}
 {{- end }}
 {{- with .Values.tolerations }}
 tolerations:
diff --git a/charts/flagger/values.yaml b/charts/flagger/values.yaml
index dd264017b..9b2305695 100644
--- a/charts/flagger/values.yaml
+++ b/charts/flagger/values.yaml
@@ -52,13 +52,27 @@ ingressAnnotationsPrefix: ""
 # ingress class used for annotating HTTPProxy objects
 ingressClass: ""
-# when enabled, it will add a security context for the flagger pod. You may
-# need to disable this if you are running flagger on OpenShift
+# when enabled, it will add a container level security context for the flagger pod.
+# You may need to disable this if you are running flagger on OpenShift
 securityContext:
 enabled: true
 context:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ privileged: false
 readOnlyRootFilesystem: true
+
+# when enabled, it will add a pod level security context for the flagger pod.
+# You may need to disable this if you are running flagger on OpenShift
 podSecurityContext:
+ enabled: true
+ context:
+ runAsGroup: 10001
+ runAsNonRoot: true
 runAsUser: 10001
+ fsGroup: 10001
+ supplementalGroups: [10001]
 # when specified, flagger will publish events to the provided webhook
 eventWebhook: ""
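Review bot: `{{- if .Values.podSecurityContext.enabled }}` dereferences `.enabled` on `.Values.podSecurityContext` without first checking that the map exists, so an override that sets `podSecurityContext` to null (a common way to drop a block) would likely fail rendering with a nil-pointer template error, whereas the neighbouring `with` blocks are nil-safe; `{{- if and .Values.podSecurityContext .Values.podSecurityContext.enabled }}` renders identically for the default values. A one-line template comment above the new block would also help the next editor keep the split right: `{{- /* pod-level fields only (fsGroup, supplementalGroups, runAsNonRoot); container-only fields stay on the container's securityContext */ -}}`. The enclosing pod `spec:` begins and ends outside the hunk.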
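Review bot: Moving `runAsUser: 10001` out of `securityContext.context` into the new `podSecurityContext.context` changes what existing OpenShift overrides do: a values file that only sets `securityContext.enabled: false` (the workaround the old comment pointed to) now still receives a pod-level `runAsUser`/`runAsGroup` of 10001, which is the kind of fixed UID OpenShift's restricted SCC typically rejects. The comment on the new block should say that both blocks need disabling there, e.g. `# On OpenShift disable both securityContext and podSecurityContext: the fixed pod-level runAsUser is rejected by the restricted SCC`, and the moved key deserves a chart changelog entry. The first comment also reads oddly as `container level security context for the flagger pod`; `for the flagger container` is clearer. Where the cluster version supports it, `seccompProfile: {type: RuntimeDefault}` in the pod-level context is the remaining field the restricted Pod Security Standard expects alongside the drop-ALL and no-privilege-escalation settings added here.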