diff --git a/charts/karpenter/README.md b/charts/karpenter/README.md
index bab7f9dd2236..4f08c8b7799a 100644
--- a/charts/karpenter/README.md
+++ b/charts/karpenter/README.md
@@ -44,15 +44,18 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
 | additionalClusterRoleRules | list | `[]` | Specifies additional rules for the core ClusterRole. |
 | additionalLabels | object | `{}` | Additional labels to add into metadata. |
 | affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"karpenter.sh/nodepool","operator":"DoesNotExist"}]}]}},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity rules for scheduling the pod. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
-| controller.env | list | `[]` | Additional environment variables for the controller pod. |
+| controller.env | list | `[]` | Additional environment variables for the controller container. |
 | controller.envFrom | list | `[]` | |
-| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller pod. |
+| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller container. |
 | controller.healthProbe.port | int | `8081` | The container port to use for http health probe. |
 | controller.image.digest | string | `"sha256:1eb1073b9f4ed804634aabf320e4d6e822bb61c0f5ecfd9c3a88f05f1ca4c5c5"` | SHA256 digest of the controller image. |
 | controller.image.repository | string | `"public.ecr.aws/karpenter/controller"` | Repository path to the controller image. |
 | controller.image.tag | string | `"1.0.0"` | Tag of the controller image. |
 | controller.metrics.port | int | `8080` | The container port to use for metrics. |
-| controller.resources | object | `{}` | Resources for the controller pod. |
+| controller.resources | object | `{}` | Resources for the controller container. |
+| controller.securityContext.appArmorProfile | object | `nil` | The AppArmor options to use by the controller container. |
+| controller.securityContext.seLinuxOptions | object | `nil` | The SELinux context to be applied to the controller container. |
+| controller.securityContext.seccompProfile | object | `{"type":"RuntimeDefault"}` | The seccomp options to use by the controller container. |
 | controller.sidecarContainer | list | `[]` | Additional sidecarContainer config |
 | controller.sidecarVolumeMounts | list | `[]` | Additional volumeMounts for the sidecar - this will be added to the volume mounts on top of extraVolumeMounts |
 | dnsConfig | object | `{}` | Configure DNS Config for the pod |
@@ -71,10 +74,11 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
 | podDisruptionBudget.maxUnavailable | int | `1` | |
 | podDisruptionBudget.name | string | `"karpenter"` | |
 | podLabels | object | `{}` | Additional labels for the pod. |
-| podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
+| podSecurityContext | object | `{"fsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext for the pod. |
 | priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. |
 | replicas | int | `2` | Number of replicas. |
 | revisionHistoryLimit | int | `10` | The number of old ReplicaSets to retain to allow rollback. |
+| service.annotations | object | `{}` | Additional annotations for the Service. |
 | serviceAccount.annotations | object | `{}` | Additional annotations for the ServiceAccount. |
 | serviceAccount.create | bool | `true` | Specifies if a ServiceAccount should be created. |
 | serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
diff --git a/charts/karpenter/templates/deployment.yaml b/charts/karpenter/templates/deployment.yaml
index 952976cab027..b1b93ad49518 100644
--- a/charts/karpenter/templates/deployment.yaml
+++ b/charts/karpenter/templates/deployment.yaml
@@ -59,16 +59,29 @@ spec:
 containers:
 - name: controller
 securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 runAsUser: 65532
 runAsGroup: 65532
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- allowPrivilegeEscalation: false
 capabilities:
 drop:
 - ALL
- readOnlyRootFilesystem: true
+ {{- with .Values.controller.securityContext }}
+ {{- with .appArmorProfile }}
+ appArmorProfile:
+ {{- toYaml . | nindent 14}}
+ {{- end }}
+ {{- with .seLinuxOptions }}
+ seLinuxOptions:
+ {{- toYaml . | nindent 14}}
+ {{- end }}
+ {{- with .seccompProfile }}
+ seccompProfile:
+ {{- toYaml . | nindent 14}}
+ {{- end }}
+ {{- end }}
 image: {{ include "karpenter.controller.image" . }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
 env:
diff --git a/charts/karpenter/values.yaml b/charts/karpenter/values.yaml
index c865a2e9bf13..b000d2293e4f 100644
--- a/charts/karpenter/values.yaml
+++ b/charts/karpenter/values.yaml
@@ -51,7 +51,10 @@ podDisruptionBudget:
 maxUnavailable: 1
 # -- SecurityContext for the pod.
 podSecurityContext:
+ runAsNonRoot: true
 fsGroup: 65532
+ seccompProfile:
+ type: RuntimeDefault
 # -- PriorityClass name for the pod.
 priorityClassName: system-cluster-critical
 # -- Override the default termination grace period for the pod.
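Review bot: Moving `seccompProfile` from a fixed template value into `.Values.controller.securityContext` means the container-level profile disappears whenever a user sets `controller.securityContext.seccompProfile` to null or `{}`, because the `with .seccompProfile` block is then skipped and the container inherits whatever `podSecurityContext.seccompProfile` holds, which is also user-controlled. If the intent is to let users pick a profile rather than remove one, keep a floor in the template, e.g. `{{- with (.seccompProfile | default (dict "type" "RuntimeDefault")) }}`, or at least state the fallback in the values.yaml comment for `controller.securityContext.seccompProfile` (the values hunk at `@@ -107,12 +110,20 @@`). The new container-level `appArmorProfile` field is only understood by Kubernetes 1.30 and later; on older API servers the field is likely to be dropped rather than rejected for a built-in type, so a profile can appear configured yet never be applied, and a note on the minimum cluster version or a `.Capabilities.KubeVersion` guard around that block would make the failure visible. The surrounding `containers:` entry continues beyond this hunk.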
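Review bot: `runAsNonRoot: true` at pod level now applies to every container in the pod, including anything added through `controller.sidecarContainer`, and the kubelet refuses to start a container whose image resolves to UID 0 or whose `USER` is non-numeric when this is set. That is a sound default, but the `# -- SecurityContext for the pod.` comment gives no hint, so a user adding a sidecar meets a `CreateContainerConfigError` with no pointer back to this value; consider extending it to `# -- SecurityContext for the pod. runAsNonRoot applies to all containers, including sidecars, which must run as a numeric non-root UID or set their own runAsUser.` The pod-level `seccompProfile` is also what the controller container falls back to if `controller.securityContext.seccompProfile` is cleared, which is worth stating in the same comment.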
@@ -107,12 +110,20 @@ controller:
 tag: 1.0.0
 # -- SHA256 digest of the controller image.
 digest: sha256:1eb1073b9f4ed804634aabf320e4d6e822bb61c0f5ecfd9c3a88f05f1ca4c5c5
- # -- Additional environment variables for the controller pod.
+ securityContext:
+ # -- (object) The AppArmor options to use by the controller container.
+ appArmorProfile:
+ # -- (object) The SELinux context to be applied to the controller container.
+ seLinuxOptions:
+ # -- The seccomp options to use by the controller container.
+ seccompProfile:
+ type: RuntimeDefault
+ # -- Additional environment variables for the controller container.
 env: []
 # - name: AWS_REGION
 # value: eu-west-1
 envFrom: []
- # -- Resources for the controller pod.
+ # -- Resources for the controller container.
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -124,8 +135,7 @@ controller:
 # limits:
 # cpu: 1
 # memory: 1Gi
-
- # -- Additional volumeMounts for the controller pod.
+ # -- Additional volumeMounts for the controller container.
 extraVolumeMounts: []
 # - name: aws-iam-token
 # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
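Review bot: `appArmorProfile:` and `seLinuxOptions:` are left as bare keys, which YAML reads as null; that is what the template's `with` guards expect, but the intent is invisible to a reader and yamllint's `empty-values` rule flags it. Writing `appArmorProfile: null` and `seLinuxOptions: null` makes the default explicit, and the `# --` comments could say what null does, e.g. `# -- (object) The AppArmor options to use by the controller container. Leave null to omit the field.` The `(object)` hint keeps helm-docs rendering the default as `nil`, which matches the README table in this commit, so the change is documentation only.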