diff --git a/helm/core/templates/daemonset.yaml b/helm/core/templates/daemonset.yaml
index d1acd4a2aa..908eec5203 100644
--- a/helm/core/templates/daemonset.yaml
+++ b/helm/core/templates/daemonset.yaml
@@ -1,7 +1,8 @@
 {{- if eq .Values.gateway.kind "DaemonSet" -}}
 {{- $o11y := .Values.global.o11y }}
-{{- $unprivilegedPortSupported := true }}
-{{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
+{{- if eq .Values.gateway.unprivilegedPortSupported nil -}}
+ {{- $unprivilegedPortSupported := true }}
+ {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
 {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
 {{- if $kernelVersion }}
 {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }}
@@ -9,8 +10,9 @@
 {{- $unprivilegedPortSupported = false }}
 {{- end }}
 {{- end }}
+ {{- end -}}
+ {{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}
 {{- end -}}
-{{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}
 apiVersion: apps/v1
 kind: DaemonSet
diff --git a/helm/core/templates/deployment.yaml b/helm/core/templates/deployment.yaml
index f3d2311301..60420c2abb 100644
--- a/helm/core/templates/deployment.yaml
+++ b/helm/core/templates/deployment.yaml
@@ -1,6 +1,7 @@
 {{- if eq .Values.gateway.kind "Deployment" -}}
-{{- $unprivilegedPortSupported := true }}
-{{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
+{{- if eq .Values.gateway.unprivilegedPortSupported nil -}}
+ {{- $unprivilegedPortSupported := true }}
+ {{- range $index, $node := (lookup "v1" "Node" "default" "").items }}
 {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }}
 {{- if $kernelVersion }}
 {{- $kernelVersion = regexFind "^(\\d+\\.\\d+\\.\\d+)" $kernelVersion }}
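Review bot: In daemonset.yaml the new `if eq .Values.gateway.unprivilegedPortSupported nil` guard accepts any non-nil value as an override, so a quoted or `--set-string` value such as "false" passes through as a non-empty string, which a template `if` treats as true. The README row added in this commit even documents the type as string. Where the value is consumed is outside this diff, but it presumably selects how the gateway pod is allowed to bind its ports, so a mistyped override should fail the render instead of silently picking a mode. Add an else branch such as `{{- else if not (kindIs "bool" .Values.gateway.unprivilegedPortSupported) }}` followed by `{{- fail "gateway.unprivilegedPortSupported must be true, false or unset" }}`. The `if` opened here closes in the following hunk, and the first hunk of deployment.yaml needs the same guard.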
@@ -8,8 +9,9 @@
 {{- $unprivilegedPortSupported = false }}
 {{- end }}
 {{- end }}
+ {{- end -}}
+ {{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}
 {{- end -}}
-{{- $_ := set .Values.gateway "unprivilegedPortSupported" $unprivilegedPortSupported -}}
 apiVersion: apps/v1
 kind: Deployment
diff --git a/helm/core/values.yaml b/helm/core/values.yaml
index 43695e77d4..5377d206c6 100644
--- a/helm/core/values.yaml
+++ b/helm/core/values.yaml
@@ -465,6 +465,7 @@ gateway:
 # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
 securityContext: ~
 containerSecurityContext: ~
+ unprivilegedPortSupported: ~
 service:
 # -- Type of service. Set to "None" to disable the service entirely
diff --git a/helm/higress/README.md b/helm/higress/README.md
index fd1ecc4c3d..b1283d59cc 100644
--- a/helm/higress/README.md
+++ b/helm/higress/README.md
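Review bot: The new `unprivilegedPortSupported: ~` key in values.yaml has no `# --` doc comment, which is most likely why the README row added in this commit has an empty description and a `string` type. The templates start detection at true and only flip it to false inside the node loop, so when the lookup returns no nodes (for example when rendering without cluster access) the result stays true; operators need to know this key is the way to override that. I would add above the key `# -- (bool) Override the node-kernel auto-detection of unprivileged port support. Leave unset (~) to detect from the cluster's nodes; set true or false explicitly when the chart is rendered without cluster access.` and regenerate the README.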
@@ -149,6 +149,7 @@ The command removes all the Kubernetes components associated with the chart and
 | gateway.serviceAccount.name | string | `""` | The name of the service account to use. If not set, the release name is used |
 | gateway.tag | string | `""` | |
 | gateway.tolerations | list | `[]` | |
+| gateway.unprivilegedPortSupported | string | `nil` | |
 | global.autoscalingv2API | bool | `true` | whether to use autoscaling/v2 template for HPA settings for internal usage only, not to be configured by users. |
 | global.caAddress | string | `""` | The customized CA address to retrieve certificates for the pods in the cluster. CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. If not set explicitly, default to the Istio discovery address. |
 | global.caName | string | `""` | The name of the CA for workload certificates. For example, when caName=GkeWorkloadCertificate, GKE workload certificates will be used as the certificates for workloads. The default value is "" and when caName="", the CA will be configured by other mechanisms (e.g., environmental variable CA_PROVIDER). |