diff --git a/installer/roles/kubernetes/defaults/main.yml b/installer/roles/kubernetes/defaults/main.yml
index 5a15a8929a..0e7a9d55f9 100644
--- a/installer/roles/kubernetes/defaults/main.yml
+++ b/installer/roles/kubernetes/defaults/main.yml
@@ -14,14 +14,25 @@ kubernetes_awx_image: "{{ tower_package_name | default('ansible/awx') }}"
 kubernetes_web_image: "{{ kubernetes_awx_image }}"
 kubernetes_task_image: "{{ kubernetes_awx_image }}"
+awx_psp_create: false
+awx_psp_name: 'awx'
+awx_psp_privileged: true
+
 web_mem_request: 1
 web_cpu_request: 500
+web_security_context_enabled: true
+web_security_context_privileged: false
 task_mem_request: 2
 task_cpu_request: 1500
+task_security_context_enabled: true
+task_security_context_privileged: true
 redis_mem_request: 2
 redis_cpu_request: 500
+redis_security_context_enabled: true
+redis_security_context_privileged: false
+redis_security_context_user: 1001
 kubernetes_redis_image: "redis"
 kubernetes_redis_image_tag: "latest"
diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2
index 22ce12153a..7e3d16f859 100644
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
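Review bot: `awx_psp_privileged: true` and `task_security_context_privileged: true` are introduced as two independent defaults, yet the PSP rendered from the first must permit what the task container requests through the second; a user who sets `awx_psp_privileged: false` but leaves the task default alone will have the pod rejected at admission as soon as `awx_psp_create` is true. A comment above the `awx_psp_*` group would make that coupling visible, e.g. `# Only used when awx_psp_create is true; keep awx_psp_privileged true while any *_security_context_privileged below is true`. Quoting is also mixed in the new lines — `awx_psp_name: 'awx'` sits next to the file's existing double-quoted strings, so `awx_psp_name: "awx"` would match. `redis_security_context_user: 1001` is correctly left as an unquoted integer, which is what runAsUser expects.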
@@ -15,6 +15,70 @@ imagePullSecrets:
       - name: "{{ kubernetes_image_pull_secrets }}"
 {% endif %}
+{% if awx_psp_create is defined and awx_psp_create | bool %}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ awx_psp_name }}-psp
+spec:
+{% if awx_psp_privileged is defined %}
+  privileged: {{ awx_psp_privileged }}
+  allowPrivilegeEscalation: {{ awx_psp_privileged }}
+{% endif %}
+  requiredDropCapabilities:
+  - ALL
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ kubernetes_namespace }}
+  name: {{ awx_psp_name }}-role
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - {{ awx_psp_name }}-psp
+  verbs:
+  - use
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ awx_psp_name }}-role-binding
+  namespace: {{ kubernetes_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ awx_psp_name }}-role
+subjects:
+- kind: ServiceAccount
+  name: awx
+  namespace: {{ kubernetes_namespace }}
+{% endif %}
+
 ---
 apiVersion: {{ kubernetes_deployment_api_version }}
 kind: Deployment
@@ -89,6 +153,12 @@ spec:
 {% endif %}
       containers:
       - name: {{ kubernetes_deployment_name }}-web
+{% if web_security_context_enabled is defined and web_security_context_enabled | bool %}
+        securityContext:
+{% if web_security_context_privileged is defined %}
+          privileged: {{ web_security_context_privileged }}
+{% endif %}
+{% endif %}
         image: "{{ kubernetes_awx_image }}:{{ kubernetes_web_version }}"
         imagePullPolicy: Always
         ports:
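Review bot: The PodSecurityPolicy at the top of the hunk is a cluster-scoped object named only `{{ awx_psp_name }}-psp`, while the Role and RoleBinding below it are namespaced; two installs into different namespaces that keep the default `awx_psp_name` will share one PSP, and the second apply silently overwrites the first's `privileged`/`allowPrivilegeEscalation` values. Folding the namespace into the name, `name: {{ awx_psp_name }}-{{ kubernetes_namespace }}-psp` (and the same value under `resourceNames`), keeps each install's policy separate. The PSP also requires `rule: 'MustRunAsNonRoot'` under `runAsUser`, but only the redis container further down receives a `runAsUser`; if the web or task image runs as root by default, those containers will fail the non-root check once the PSP is in force, so confirm the image user or expose a `runAsUser` for them as well. The RoleBinding subject is the hard-coded ServiceAccount `awx`; if the Deployment's serviceAccountName is templated elsewhere in this file, the two should come from the same variable.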
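Review bot: In the web container hunk the inner `{% if web_security_context_privileged is defined %}` guard can leave `securityContext:` with no children, which YAML reads as `securityContext: null` rather than an empty mapping; since defaults/main.yml now defines both variables, that `is defined` check (and the outer one) is dead code that only creates this edge case. Rendering `privileged: {{ web_security_context_privileged | bool | lower }}` unconditionally inside the enabled block removes the null case and emits a canonical lowercase boolean instead of Jinja's `True`/`False`. The same pattern appears in the task and redis container hunks of this file and should be changed together.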
@@ -175,8 +245,12 @@ spec:
           cpu: "{{ web_cpu_limit }}m"
 {% endif %}
       - name: {{ kubernetes_deployment_name }}-task
+{% if task_security_context_enabled is defined and task_security_context_enabled | bool %}
         securityContext:
-          privileged: true
+{% if task_security_context_privileged is defined %}
+          privileged: {{ task_security_context_privileged }}
+{% endif %}
+{% endif %}
         image: "{{ kubernetes_task_image }}:{{ kubernetes_task_version }}"
         command:
         - /usr/bin/launch_awx_task.sh
@@ -264,6 +338,15 @@ spec:
           cpu: "{{ task_cpu_limit }}m"
 {% endif %}
       - name: {{ kubernetes_deployment_name }}-redis
+{% if redis_security_context_enabled is defined and redis_security_context_enabled | bool %}
+        securityContext:
+{% if redis_security_context_privileged is defined %}
+          privileged: {{ redis_security_context_privileged }}
+{% endif %}
+{% if redis_security_context_user is defined %}
+          runAsUser: {{ redis_security_context_user }}
+{% endif %}
+{% endif %}
         image: {{ kubernetes_redis_image }}:{{ kubernetes_redis_image_tag }}
         imagePullPolicy: Always
         args: ["redis-server", "{{ kubernetes_redis_config_mount_path }}"]
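Review bot: The task container hunk turns the previously unconditional `privileged: true` into something a user can drop via `task_security_context_enabled`, but nothing in the hunk records why the task container was privileged, so a reader switching it off cannot tell what will stop working. A Jinja comment on the `{% if task_security_context_enabled ... %}` line, e.g. `{# task container is privileged by default (see defaults/main.yml); check what relies on it before disabling #}`, would keep that context next to the switch. The task container's definition continues past the end of the hunk.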