diff --git a/.local/debug-driver.yaml b/.local/debug-driver.yaml
index a542da584..4b2710296 100644
--- a/.local/debug-driver.yaml
+++ b/.local/debug-driver.yaml
@@ -41,6 +41,14 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
         - name: liveness-probe
           image: registry.k8s.io/sig-storage/livenessprobe:v2.3.0
           imagePullPolicy: IfNotPresent
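Review bot: `runAsNonRoot: true` is added here without a `runAsUser`, so whether this container starts depends on the image declaring a numeric non-root user; the kubelet refuses to start a container whose image would run as UID 0 or names a non-numeric user. The chart's values.yaml in this same commit sets `runAsUser: 1000`, while the static manifests (all three hunks in this file and the hunks in deploy/secrets-store-csi-driver.yaml) do not, so the two install paths can behave differently. Either add `runAsUser: 1000` here to match the chart default or confirm each image's default user. The container this block belongs to starts above the hunk, so its image is not visible here.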
@@ -59,6 +67,14 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
       volumes:
         - name: mountpoint-dir
           hostPath:
@@ -118,6 +134,14 @@ spec:
             requests:
               cpu: 250m
               memory: 512Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
       volumes:
         - name: driver-volume
           persistentVolumeClaim:
diff --git a/deploy/secrets-store-csi-driver-windows.yaml b/deploy/secrets-store-csi-driver-windows.yaml
index caa752aba..8b159041a 100644
--- a/deploy/secrets-store-csi-driver-windows.yaml
+++ b/deploy/secrets-store-csi-driver-windows.yaml
@@ -35,6 +35,14 @@ spec:
             requests:
               cpu: 100m
               memory: 100Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
         - name: secrets-store
           image: registry.k8s.io/csi-secrets-store/driver:v1.4.7
           args:
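Review bot: `allowPrivilegeEscalation`, `capabilities`, `privileged` and `readOnlyRootFilesystem` are Linux-only securityContext fields, and this file is the Windows manifest; Kubernetes does not apply them to Windows containers and rejects them when the pod sets `spec.os.name: windows` (not visible in the hunk, so confirm). The same block is repeated in the other two hunks of this file. If the goal is a non-administrator container on Windows, the field for that is `securityContext.windowsOptions.runAsUserName`; `runAsNonRoot: true` alone is only safe after checking that the images do not default to ContainerAdministrator. The container's definition begins above the hunk.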
@@ -84,6 +92,14 @@ spec:
               mountPath: "C:\\var\\lib\\kubelet\\pods"
             - name: providers-dir
               mountPath: C:\k\secrets-store-csi-providers
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
         - name: liveness-probe
           image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1
           imagePullPolicy: IfNotPresent
@@ -102,6 +118,14 @@ spec:
             requests:
               cpu: 100m
               memory: 100Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
       volumes:
         - name: mountpoint-dir
           hostPath:
diff --git a/deploy/secrets-store-csi-driver.yaml b/deploy/secrets-store-csi-driver.yaml
index 7375762a1..c91316c68 100644
--- a/deploy/secrets-store-csi-driver.yaml
+++ b/deploy/secrets-store-csi-driver.yaml
@@ -35,6 +35,14 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
         - name: secrets-store
           image: registry.k8s.io/csi-secrets-store/driver:v1.4.7
           args:
@@ -90,6 +98,14 @@ spec:
             requests:
               cpu: 50m
               memory: 100Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
         - name: liveness-probe
           image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1
           imagePullPolicy: IfNotPresent
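Review bot: This block sets `privileged: false`, drops all capabilities and requires a non-root user on what appears to be the `secrets-store` driver container (it sits between `- name: secrets-store` in the previous hunk and `- name: liveness-probe` here), the container that performs the secret volume mounts under the kubelet pods directory. A CSI node plugin usually needs a privileged context for that, and if its volume mount uses `mountPropagation: Bidirectional` (outside the hunk) the API server rejects the pod for a non-privileged container. The start of the container is outside the hunk, so also check that it does not already carry a `securityContext:` key, which would make this one a duplicate that most parsers resolve silently as last-wins. The same concern applies to the second hunk of templates/secrets-store-csi-driver.yaml, where the shared `.Values.securityContext` default carries `privileged: false` into the driver container.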
@@ -108,6 +124,14 @@ spec:
             requests:
               cpu: 10m
               memory: 20Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
       volumes:
         - name: mountpoint-dir
           hostPath:
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
index b7e4f0623..d69b42314 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
@@ -53,6 +53,10 @@ spec:
               mountPath: C:\csi
             - name: registration-dir
               mountPath: C:\registration
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
 {{- with .Values.windows.registrar.resources }}
           resources:
 {{ toYaml . | indent 12 }}
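Review bot: The same `.Values.securityContext` is rendered into every container of both the Windows and the Linux template, so one value has to fit the registrar, the driver and the liveness probe on two operating systems. With the default added in values.yaml, that puts `runAsUser: 1000`, `capabilities` and `privileged` into Windows containers, where those fields do not apply. Consider a separate value per OS or per container (for example a new `windows.securityContext` key, alongside the existing `windows.registrar.resources`), and render it with `{{- with ... }}` as the neighbouring `resources` blocks do. The other two container hunks in this file and the three in templates/secrets-store-csi-driver.yaml follow the same pattern; the container blocks themselves start above each hunk.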
@@ -134,6 +138,10 @@ spec:
             {{- if .Values.windows.volumeMounts }}
               {{- toYaml .Values.windows.volumeMounts | nindent 12 }}
             {{- end }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
 {{- with .Values.windows.driver.resources }}
           resources:
 {{ toYaml . | indent 12 }}
@@ -153,6 +161,10 @@ spec:
           volumeMounts:
             - name: plugin-dir
               mountPath: C:\csi
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
 {{- with .Values.windows.livenessProbe.resources }}
           resources:
 {{ toYaml . | indent 12 }}
@@ -160,6 +172,10 @@ spec:
       {{- if .Values.windows.priorityClassName }}
       priorityClassName: {{ .Values.windows.priorityClassName | quote }}
       {{- end }}
+      {{- if .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
       volumes:
         - name: mountpoint-dir
           hostPath:
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
index 60566d941..3d249bc35 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
@@ -53,6 +53,10 @@ spec:
               mountPath: /csi
             - name: registration-dir
               mountPath: /registration
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
 {{- with .Values.linux.registrar.resources }}
           resources:
 {{ toYaml . | indent 12 }}
@@ -137,6 +141,10 @@ spec:
             {{- if .Values.linux.volumeMounts }}
               {{- toYaml .Values.linux.volumeMounts | nindent 12 }}
             {{- end }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
 {{- with .Values.linux.driver.resources }}
           resources:
 {{ toYaml . | indent 12 }}
@@ -156,6 +164,10 @@ spec:
           volumeMounts:
             - name: plugin-dir
               mountPath: /csi
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
 {{- with .Values.linux.livenessProbe.resources }}
           resources:
 {{ toYaml . | indent 12 }}
@@ -163,6 +175,10 @@ spec:
       {{- if .Values.linux.priorityClassName }}
       priorityClassName: {{ .Values.linux.priorityClassName | quote }}
       {{- end }}
+      {{- if .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
       volumes:
         - name: mountpoint-dir
           hostPath:
diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
index e734e6764..3fe886593 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/values.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
@@ -13,7 +13,8 @@ linux:
       tag: v1.4.7
       pullPolicy: IfNotPresent
     ## Optionally override resource limits for crd hooks(jobs)
-    resources: {}
+    resources:
+      {}
       # requests:
       #   cpu: "100m"
       #   memory: "128Mi"
@@ -242,3 +243,17 @@ tokenRequests: []
 # -- Labels to apply to all resources
 commonLabels: {}
 # team_name: dev
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+
+# podSecurityContext -- [Security context for Pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+podSecurityContext:
+  # fsGroup: 1000
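Review bot: `securityContext` is added without a `# --` description, and its defaults switch hardening on for every container at upgrade time, including `privileged: false` and `runAsUser: 1000` on the driver container; existing installs pick that up without any values change. Add a comment such as `# -- Security context applied to every container in the driver pods` and call out the new default in the chart's upgrade notes. `podSecurityContext:` with only a commented child parses as null; `podSecurityContext: {}` states the intent and matches `commonLabels: {}` just above.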