diff --git a/pkg/operator/ceph/cluster/osd/spec.go b/pkg/operator/ceph/cluster/osd/spec.go
index 7dd339f7a807..635a80f11c4b 100644
--- a/pkg/operator/ceph/cluster/osd/spec.go
+++ b/pkg/operator/ceph/cluster/osd/spec.go
@@ -777,12 +777,15 @@ func (c *Cluster) getActivateOSDInitContainer(configDir, namespace, osdID string
 // To be able to perform this action, the CAP_MKNOD capability is required.
 // Provide a securityContext which requests the MKNOD capability for the container to function properly.
 func getBlockDevMapperContext() *v1.SecurityContext {
+ privileged := controller.HostPathRequiresPrivileged()
+
 return &v1.SecurityContext{
 Capabilities: &v1.Capabilities{
 Add: []v1.Capability{
 "MKNOD",
 },
 },
+ Privileged: &privileged,
 }
 }
diff --git a/pkg/operator/ceph/controller/spec.go b/pkg/operator/ceph/controller/spec.go
index e8410bfb2676..29e101170d06 100644
--- a/pkg/operator/ceph/controller/spec.go
+++ b/pkg/operator/ceph/controller/spec.go
@@ -604,12 +604,13 @@ func (c *daemonConfig) buildAdminSocketCommand() string {
 return command
 }
+func HostPathRequiresPrivileged() bool {
+ return os.Getenv("ROOK_HOSTPATH_REQUIRES_PRIVILEGED") == "true"
+}
+
 // PodSecurityContext detects if the pod needs privileges to run
 func PodSecurityContext() *v1.SecurityContext {
- privileged := false
- if os.Getenv("ROOK_HOSTPATH_REQUIRES_PRIVILEGED") == "true" {
- privileged = true
- }
+ privileged := HostPathRequiresPrivileged()
 return &v1.SecurityContext{
 Privileged: &privileged,
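Review bot: The comment above `getBlockDevMapperContext` still describes a context that only requests MKNOD, but with the added `Privileged: &privileged` the container runs fully privileged whenever `ROOK_HOSTPATH_REQUIRES_PRIVILEGED` is "true". That is a much wider grant than the single capability the comment justifies, and it makes the `MKNOD` entry redundant in that mode. I would add a line to the comment stating when and why the escalation happens, for example `// If ROOK_HOSTPATH_REQUIRES_PRIVILEGED is "true" the container is additionally run privileged (reason: <to be filled in by the author>).`, so that anyone auditing the pod security settings can tell it is deliberate. It would also be worth confirming that emitting an explicit `privileged: false` instead of leaving the field unset is intended for clusters where the variable is not set.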
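Review bot: The new exported helper `HostPathRequiresPrivileged` has no doc comment, although it now decides whether containers in two packages run privileged. I would add `// HostPathRequiresPrivileged reports whether ROOK_HOSTPATH_REQUIRES_PRIVILEGED is set to exactly "true".` above it. The comparison is case-sensitive, so a value such as "True" or "1" silently leaves containers unprivileged; saying so in the comment keeps the operator setting from being misread. The body of `PodSecurityContext` continues past the end of this hunk.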