diff --git a/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml b/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml
index 8b986ab9..e7e73249 100644
--- a/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml
+++ b/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml
@@ -89,6 +89,10 @@ spec:
     {{- if .Values.starrocksFESpec.readOnlyRootFilesystem }}
     readOnlyRootFilesystem: {{ .Values.starrocksFESpec.readOnlyRootFilesystem }}
     {{- end }}
+    {{- if .Values.starrocksFESpec.capabilities }}
+    capabilities:
+      {{- toYaml .Values.starrocksFESpec.capabilities | nindent 6 }}
+    {{- end }}
     {{- if or .Values.starrocksFESpec.nodeSelector .Values.starrocksCluster.componentValues.nodeSelector }}
     nodeSelector:
       {{- include "starrockscluster.fe.nodeSelector" . | nindent 6 }}
diff --git a/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml b/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml
index 01283eec..bcb5aec9 100644
--- a/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml
+++ b/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml
@@ -165,6 +165,13 @@ starrocksFESpec:
   # Whether this container has a read-only root filesystem.
   # Note: The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6, and does not support read-only root filesystem.
   readOnlyRootFilesystem: false
+  # add/drop capabilities for FE container.
+  capabilities: {}
+  #  add:
+  #    - PERFMON
+  #    - SYS_PTRACE
+  #  drop:
+  #    - SYS_ADMIN
   # specify the service name and port config and serviceType
   # the service type refer https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
   service:
diff --git a/helm-charts/charts/kube-starrocks/values.yaml b/helm-charts/charts/kube-starrocks/values.yaml
index c699b150..99b86348 100644
--- a/helm-charts/charts/kube-starrocks/values.yaml
+++ b/helm-charts/charts/kube-starrocks/values.yaml
@@ -273,6 +273,13 @@ starrocks:
     # Whether this container has a read-only root filesystem.
     # Note: The FE/BE/CN container should support read-only root filesystem. The newest version of FE/BE/CN is 3.3.6, and does not support read-only root filesystem.
     readOnlyRootFilesystem: false
+    # add/drop capabilities for FE container.
+    capabilities: {}
+    #  add:
+    #    - PERFMON
+    #    - SYS_PTRACE
+    #  drop:
+    #    - SYS_ADMIN
     # specify the service name and port config and serviceType
     # the service type refer https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
     service: