diff --git a/autoscaler/controllers/gateway/deployment.go b/autoscaler/controllers/gateway/deployment.go
index 2351a5730..b0501631d 100644
--- a/autoscaler/controllers/gateway/deployment.go
+++ b/autoscaler/controllers/gateway/deployment.go
@@ -140,6 +140,9 @@ func getDesiredDeployment(dests *odigosv1.DestinationList, configData string,
 					Image: utils.GetContainerImage(containerImage),
 					Command: []string{containerCommand, fmt.Sprintf("--config=%s/%s.yaml", confDir, configKey)},
 					EnvFrom: getSecretsFromDests(dests),
+					SecurityContext: &corev1.SecurityContext{
+						RunAsUser: int64Ptr(10000),
+					},
 					VolumeMounts: []corev1.VolumeMount{
 						{
 							Name: configKey,
@@ -204,3 +207,7 @@ func getSecretsFromDests(destList *odigosv1.DestinationList) []corev1.EnvFromSou
 func intPtr(n int32) *int32 {
 	return &n
 }
+
+func int64Ptr(n int64) *int64 {
+	return &n
+}
diff --git a/cli/cmd/install.go b/cli/cmd/install.go
index 6929abfa2..751154182 100644
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@@ -29,6 +29,7 @@ var (
 	skipWait bool
 	telemetryEnabled bool
 	sidecarInstrumentation bool
+	psp bool
 	ignoredNamespaces []string
 	DefaultIgnoredNamespaces = []string{"odigos-system", "kube-system", "local-path-storage", "istio-system", "linkerd"}
 )
@@ -130,7 +131,7 @@ func createDataCollectionRBAC(ctx context.Context, cmd *cobra.Command, client *k
 		return err
 	}
 
-	_, err = client.RbacV1().ClusterRoles().Create(ctx, resources.NewDataCollectionClusterRole(), metav1.CreateOptions{})
+	_, err = client.RbacV1().ClusterRoles().Create(ctx, resources.NewDataCollectionClusterRole(psp), metav1.CreateOptions{})
 	if err != nil {
 		return err
 	}
@@ -230,7 +231,7 @@ func createOdiglet(ctx context.Context, cmd *cobra.Command, client *kube.Client,
 		return err
 	}
 
-	_, err = client.RbacV1().ClusterRoles().Create(ctx, resources.NewOdigletClusterRole(), metav1.CreateOptions{})
+	_, err = client.RbacV1().ClusterRoles().Create(ctx, resources.NewOdigletClusterRole(psp), metav1.CreateOptions{})
 	if err != nil {
 		return err
 	}
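Review bot: The new SecurityContext on the gateway container sets only `RunAsUser: int64Ptr(10000)`, which leaves privilege escalation through setuid binaries and the runtime's default capability set untouched, and gives the kubelet nothing to verify at start if the UID is ever changed to 0; the usual pairing is `RunAsNonRoot: boolPtr(true),` and `AllowPrivilegeEscalation: boolPtr(false),` next to `RunAsUser`, with a `boolPtr` helper added beside `int64Ptr`. The literal 10000 also wants a named constant with a comment on why a fixed UID is chosen here rather than the image's own user, and it is worth confirming that the collector image's config directory and writable paths are readable by that UID, since that is not visible in this hunk. getDesiredDeployment starts and ends outside the hunk.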
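Review bot: `int64Ptr` is a copy of `intPtr` one type over, and a `*bool` helper is the next one this file will need for the SecurityContext; if the module's go.mod is at Go 1.18 or later (not visible here), a single generic `func ptr[T any](v T) *T { return &v }` replaces all of them. If the module is older, a one-line doc comment would still help, e.g. `// int64Ptr returns a pointer to n, for the optional int64 fields of the Kubernetes API types.`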
@@ -301,4 +302,5 @@ func init() {
 	installCmd.Flags().StringVar(&resources.OdigletImage, "odiglet-image", "keyval/odigos-odiglet", "odiglet container image")
 	installCmd.Flags().StringVar(&resources.InstrumentorImage, "instrumentor-image", "keyval/odigos-instrumentor", "instrumentor container image")
 	installCmd.Flags().StringVar(&containers.ImagePrefix, "image-prefix", "", "Prefix for all container images")
+	installCmd.Flags().BoolVar(&psp, "psp", false, "Enable pod security policy")
 }
diff --git a/cli/cmd/resources/datacollection.go b/cli/cmd/resources/datacollection.go
index 03f8adfd3..cf877fbca 100644
--- a/cli/cmd/resources/datacollection.go
+++ b/cli/cmd/resources/datacollection.go
@@ -20,8 +20,8 @@ func NewDataCollectionServiceAccount() *corev1.ServiceAccount {
 	}
 }
 
-func NewDataCollectionClusterRole() *rbacv1.ClusterRole {
-	return &rbacv1.ClusterRole{
+func NewDataCollectionClusterRole(psp bool) *rbacv1.ClusterRole {
+	clusterrole := &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{
 			Kind: "ClusterRole",
 			APIVersion: "rbac.authorization.k8s.io/v1",
@@ -60,6 +60,25 @@ func NewDataCollectionClusterRole() *rbacv1.ClusterRole {
 			},
 		},
 	}
+
+	if psp {
+		clusterrole.Rules = append(clusterrole.Rules, rbacv1.PolicyRule{
+			Verbs: []string{
+				"use",
+			},
+			APIGroups: []string{
+				"policy",
+			},
+			Resources: []string{
+				"podsecuritypolicies",
+			},
+			ResourceNames: []string{
+				"privileged",
+			},
+		})
+	}
+
+	return clusterrole
 }
 
 func NewDataCollectionClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go
index f0cb98e2a..4ac9221e3 100644
--- a/cli/cmd/resources/odiglet.go
+++ b/cli/cmd/resources/odiglet.go
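Review bot: The help text `"Enable pod security policy"` overstates what the flag does: it does not enable PSP admission, it only adds a `use` rule for the PodSecurityPolicy named `privileged` to the odiglet and data-collection cluster roles (the resources/*.go hunks), and it only matters on clusters that still run the PSP admission controller, which Kubernetes removed in 1.25. Suggest `installCmd.Flags().BoolVar(&psp, "psp", false, "Grant the odiglet and data-collection cluster roles 'use' on the 'privileged' PodSecurityPolicy (needed only where PSP admission is enabled)")`. Since RBAC does not validate that the referenced policy exists, the install could also check via discovery that the policy API is served when the flag is set, so a typo or an upgraded cluster does not turn the flag into a silent no-op.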
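Review bot: `NewDataCollectionClusterRole` is exported and its result now depends on an argument, yet it carries no doc comment; the same applies to `NewOdigletClusterRole` in odiglet.go. Suggest `// NewDataCollectionClusterRole returns the ClusterRole bound to the data-collection service account.` followed by `// When psp is true it also grants "use" on the "privileged" PodSecurityPolicy, which PSP admission requires before admitting the pods.` The new local `clusterrole` would read better as `clusterRole` per Go's MixedCaps convention. The function body continues past the end of the hunk.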
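Review bot: The PolicyRule appended under `if psp` is an 18-line literal repeated verbatim in odiglet.go's `NewOdigletClusterRole`, and both copies hard-code the policy name `privileged`, which is a cluster-specific object rather than anything Kubernetes ships by default; a shared helper taking the policy name keeps the two roles in step and lets the CLI accept a policy name later without touching either file. Granting `use` on a privileged PSP allows every pod under the bound service account to be admitted with a fully privileged spec, so if the data-collection pods need less than that (not visible here) binding them to a narrower policy would be the least-privilege choice, and the helper makes that a one-argument change. The call site then shrinks to `clusterrole.Rules = append(clusterrole.Rules, pspUseRule("privileged"))`; helper below.
```go
// pspUseRule builds the RBAC rule that PodSecurityPolicy admission checks:
// "use" on the named policy in the "policy" API group.
func pspUseRule(name string) rbacv1.PolicyRule {
	return rbacv1.PolicyRule{
		Verbs:         []string{"use"},
		APIGroups:     []string{"policy"},
		Resources:     []string{"podsecuritypolicies"},
		ResourceNames: []string{name},
	}
}

	// … unchanged: ClusterRole literal …
	if psp {
		clusterrole.Rules = append(clusterrole.Rules, pspUseRule("privileged"))
	}

	return clusterrole
```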
@@ -27,8 +27,8 @@ func NewOdigletServiceAccount() *corev1.ServiceAccount {
 	}
 }
 
-func NewOdigletClusterRole() *rbacv1.ClusterRole {
-	return &rbacv1.ClusterRole{
+func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
+	clusterrole := &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{
 			Kind: "ClusterRole",
 			APIVersion: "rbac.authorization.k8s.io/v1",
@@ -161,6 +161,25 @@ func NewOdigletClusterRole() *rbacv1.ClusterRole {
 			},
 		},
 	}
+
+	if psp {
+		clusterrole.Rules = append(clusterrole.Rules, rbacv1.PolicyRule{
+			Verbs: []string{
+				"use",
+			},
+			APIGroups: []string{
+				"policy",
+			},
+			Resources: []string{
+				"podsecuritypolicies",
+			},
+			ResourceNames: []string{
+				"privileged",
+			},
+		})
+	}
+
+	return clusterrole
 }
 
 func NewOdigletClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
diff --git a/frontend/kube/client.go b/frontend/kube/client.go
index 354962c64..255812c78 100644
--- a/frontend/kube/client.go
+++ b/frontend/kube/client.go
@@ -3,6 +3,8 @@ package kube
 
 import (
 	"github.com/keyval-dev/odigos/frontend/generated/clientset/versioned/typed/odigos/v1alpha1"
 	"k8s.io/client-go/kubernetes"
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
 	"k8s.io/client-go/tools/clientcmd"
 )
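Review bot: The blank import of `k8s.io/client-go/plugin/pkg/client/auth/oidc` looks redundant next to the line above it: as far as I recall the umbrella package `k8s.io/client-go/plugin/pkg/client/auth` itself blank-imports the oidc provider along with the cloud ones, so only one of the two lines is needed — keep the umbrella if the frontend should honour any kubeconfig auth provider, or keep only `.../auth/oidc` if the intent is to link in OIDC and nothing else, which is also the smaller dependency footprint for a shipped binary. Either way the blank imports read as accidental without a comment, e.g. `// Register kubeconfig auth-provider plugins so kubeconfigs that use them (e.g. OIDC) can authenticate.`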