diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index 07a76428..628e56bd 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -130,6 +130,7 @@ spec:
         - name: apiserver
           image: {{ .Values.images.tags.apiserver }}
 {{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: POD_IP
               valueFrom:
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index 5c49b64b..d3b89e64 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -202,6 +202,14 @@ network_policy:
     - {}
 
 pod:
+  security_context:
+    apiserver_webhook:
+      pod:
+        runAsUser: 65534
+      container:
+        apiserver:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
   mounts:
     kubernetes_apiserver:
       init_container: null
@@ -272,10 +280,6 @@ pod:
     kubernetes_keystone_webhook_tests:
       init_container: null
       kubernetes_keystone_webhook_tests: null
-  security_context:
-    apiserver_webhook:
-      pod:
-        runAsUser: 65534
 conf:
   paths:
     base: '/etc/webhook_apiserver/'
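Review bot: The container security context include is wired only for the `apiserver` container; any init containers or sidecars this Deployment defines (not visible in the hunk) still run with the pod-level context alone, so confirm they are covered or add a matching include per container, `{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "<container-name>" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}`, with a corresponding `container.<container-name>` entry in values.yaml. The `indent 10` has to match the container's sibling keys (`image:`, `env:`), since the snippet's `securityContext:` line is placed by indentation only; the container spec starts and ends outside the hunk. It is also worth checking that the template already renders `helm-toolkit.snippets.kubernetes_pod_security_context` for the pod, otherwise the moved `pod.runAsUser: 65534` value has no effect.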
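Review bot: `readOnlyRootFilesystem: true` on the `apiserver` container is only safe if every path the process writes at runtime is backed by a volume (an emptyDir or similar); this hunk shows no such mount, so confirm the template provides one or record the assumption with a comment above the key, `# assumes all runtime-written paths are volume-backed; see deployment.yaml`. The new container entry would also benefit from the rest of the usual baseline for this snippet — drop all capabilities (`capabilities:` / `  drop:` / `    - ALL`) on the container and `runAsNonRoot: true` next to `runAsUser: 65534` at the pod level — since `allowPrivilegeEscalation: false` alone leaves inherited capabilities in place. The removed copy in the later hunk is the same block relocated, so only this hunk needs the change.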