diff --git a/charts/maas/templates/deployment-ingress-errors.yaml b/charts/maas/templates/deployment-ingress-errors.yaml
index 360546b..b8a61dd 100644
--- a/charts/maas/templates/deployment-ingress-errors.yaml
+++ b/charts/maas/templates/deployment-ingress-errors.yaml
@@ -50,6 +50,7 @@ spec:
 image: {{ .Values.images.tags.error_pages }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 args:
 - "-port"
 - {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml
index 7f7e685..f92305e 100644
--- a/charts/maas/templates/statefulset-rack.yaml
+++ b/charts/maas/templates/statefulset-rack.yaml
@@ -65,6 +65,7 @@ spec:
 image: {{ .Values.images.tags.maas_rack }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 tty: true
+{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: MAAS_ENDPOINT
 {{- if empty .Values.conf.maas.url.maas_url }}
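Review bot: The added `{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" ... }}` line makes the error-pages container's security context depend on `pod.security_context.ingress_errors.container.maas_ingress_errors`, but the values.yaml hunks in this commit only add entries under `maas_rack` and `maas_region`. If that key is not already present in values.yaml, the helper will render an empty or failing `securityContext` for this container, so the change would be a no-op rather than a hardening; please confirm the key exists or add it in the same commit. Since this container only serves static error pages, a restrictive default such as `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` would be the natural entry. The enclosing container spec continues outside the hunk.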
@@ -83,18 +84,8 @@ spec:
 name: {{ .Values.conf.maas.credentials.secret.name }}
 key: 'token'
 {{ tuple $envAll $envAll.Values.pod.resources.maas_rack | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/start.sh
- securityContext:
- capabilities:
- add:
- - 'DAC_READ_SEARCH'
- - 'NET_ADMIN'
- - 'SYS_ADMIN'
- - 'SYS_PTRACE'
- - 'SYS_RESOURCE'
- - 'SYS_TIME'
 readinessProbe:
 initialDelaySeconds: 60
 periodSeconds: 60
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index d57de86..2662e48 100644
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -105,15 +105,6 @@ spec:
 readinessProbe:
 tcpSocket:
 port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- securityContext:
- capabilities:
- add:
- - 'SYS_ADMIN'
- - 'NET_ADMIN'
- - 'SYS_PTRACE'
- - 'SYS_TIME'
- - 'SYS_RESOURCE'
- - 'DAC_READ_SEARCH'
 command:
 - /tmp/start.sh
 volumeMounts:
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index ae72bf3..c5d9f03 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -411,6 +411,14 @@ pod:
 container:
 maas_rack:
 readOnlyRootFilesystem: false
+ capabilities:
+ add:
+ - 'DAC_READ_SEARCH'
+ - 'NET_ADMIN'
+ - 'SYS_ADMIN'
+ - 'SYS_PTRACE'
+ - 'SYS_RESOURCE'
+ - 'SYS_TIME'
 region:
 pod:
 runAsUser: 0
@@ -419,6 +427,14 @@ pod:
 readOnlyRootFilesystem: false
 maas_region:
 readOnlyRootFilesystem: false
+ capabilities:
+ add:
+ - 'SYS_ADMIN'
+ - 'NET_ADMIN'
+ - 'SYS_PTRACE'
+ - 'SYS_TIME'
+ - 'SYS_RESOURCE'
+ - 'DAC_READ_SEARCH'
 api_test:
 pod:
 runAsUser: 0
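Review bot: The region hunk (`@@ -105,15 +105,6 @@` in statefulset-region.yaml) removes the hard-coded `securityContext.capabilities` block from the `maas_region` container, but unlike statefulset-rack.yaml, where the removal at `-83` is paired with the `{{ dict ... "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" ... }}` include added at `-65`, no such include is added for the region container anywhere in this diff. If statefulset-region.yaml does not already render that helper for `maas_region` outside the visible lines, the capability list moved into values.yaml is never applied and the region container starts without the capabilities it had before this commit, which is a silent functional and security-posture change rather than a refactor. I would confirm with `helm template` that the rendered region container still carries a `securityContext` with the expected `capabilities.add` list before merging. The container spec continues outside the hunk on both sides.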
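Review bot: The two `capabilities.add` lists added to values.yaml (this hunk at `-411` for `maas_rack` and the one at `-419` for `maas_region`) are the same six capabilities in a different order, and both sit under pods whose visible context shows `runAsUser: 0`, so SYS_ADMIN and SYS_PTRACE on a root process make these containers close to node-privileged; moving the list into values is the right direction because operators can now trim it, but each entry should carry a comment naming the MAAS function that requires it so that trimming is possible without guesswork. Two smaller points: Helm does not merge lists, so any override of `capabilities.add` replaces the whole list rather than adding to it, which is worth a comment next to the list (`# Helm replaces this list on override; restate every capability you need`); and keeping both lists in the same (alphabetical) order would make the diff between rack and region readable at a glance. If the helm-toolkit helper passes the container map through unchanged, an explicit `drop: ['ALL']` alongside `add` would also make the allow-list intent unambiguous.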