diff --git a/charts/kueue/templates/manager/manager.yaml b/charts/kueue/templates/manager/manager.yaml
index 4eaa06c8bc..7e05c8604e 100644
--- a/charts/kueue/templates/manager/manager.yaml
+++ b/charts/kueue/templates/manager/manager.yaml
@@ -79,6 +79,8 @@ spec:
 name: https
 protocol: TCP
 resources: {}
+ securityContext:
+ {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext | nindent 10 }}
 securityContext:
 {{- toYaml .Values.controllerManager.manager.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "kueue.fullname" . }}-controller-manager
diff --git a/charts/kueue/values.yaml b/charts/kueue/values.yaml
index a382870214..74258c6e85 100644
--- a/charts/kueue/values.yaml
+++ b/charts/kueue/values.yaml
@@ -19,6 +19,11 @@ controllerManager:
 tag: v0.8.0
 # This should be set to 'IfNotPresent' for released version
 pullPolicy: IfNotPresent
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: ["ALL"]
 manager:
 image:
 repository: gcr.io/k8s-staging-kueue/kueue
@@ -34,8 +39,13 @@ controllerManager:
 memory: 512Mi
 podSecurityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
 containerSecurityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: ["ALL"]
 replicas: 1
 imagePullSecrets: []
 readinessProbe:
diff --git a/config/components/manager/manager.yaml b/config/components/manager/manager.yaml
index b5e7f92812..5499d078f2 100644
--- a/config/components/manager/manager.yaml
+++ b/config/components/manager/manager.yaml
@@ -17,6 +17,8 @@ spec:
 spec:
 securityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
 containers:
 - command:
 - /manager
@@ -27,6 +29,9 @@ spec:
 name: manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: ["ALL"]
 livenessProbe:
 httpGet:
 path: /healthz
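Review bot: `readOnlyRootFilesystem: false` under the new `kubeRbacProxy.containerSecurityContext` spells out the Kubernetes default, so it reads as a deliberate opt-out of a read-only root filesystem without saying why; the same explicit `false` is added for the manager container in the next hunk of values.yaml, in the `securityContext` hunk of config/components/manager/manager.yaml, and in config/default/manager_auth_proxy_patch.yaml. A read-only root filesystem denies a compromised container the ability to write into its own image layers, and both containers are Go binaries that presumably need nothing beyond mounted volumes to be writable, though that cannot be confirmed from this diff. If `true` was tried and something broke, a comment next to the value such as `# readOnlyRootFilesystem stays false because <reason>; revisit once <blocker> is resolved` would keep the next reader from re-raising it; otherwise consider flipping it to `true` in all four places and letting the e2e tests decide.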
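Review bot: The `seccompProfile` added under `manager.podSecurityContext` is rendered at pod level by the chart (the `{{- toYaml .Values.controllerManager.manager.podSecurityContext | nindent 8 }}` line in charts/kueue/templates/manager/manager.yaml), so it governs the kube-rbac-proxy container as well, which the `manager.` prefix of the key does not suggest. Now that `kubeRbacProxy` has its own `containerSecurityContext` block, a reader may look there for seccomp and conclude it is missing. A one-line comment above the key, `# podSecurityContext applies to every container in the pod, including kube-rbac-proxy`, would make the scope explicit.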
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index d4f6481707..2e999badbb 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -20,3 +20,8 @@ spec:
 - containerPort: 8443
 protocol: TCP
 name: https
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: ["ALL"]