diff --git a/gitopsaddon/addonTemplates/addonTemplates.yaml b/gitopsaddon/addonTemplates/addonTemplates.yaml
index a1ec765..1835883 100644
--- a/gitopsaddon/addonTemplates/addonTemplates.yaml
+++ b/gitopsaddon/addonTemplates/addonTemplates.yaml
@@ -29,6 +29,15 @@ spec:
 - name: gitops-addon
 image: quay.io/xiangjingli/multicloud-integrations:gitopsaddon-8
 imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
 command:
 - /usr/local/bin/gitopsaddon
 - --leader-election-lease-duration=137s
diff --git a/gitopsaddon/charts/openshift-gitops-operator/templates/argocd-aggreate-admin.clusterrole.yaml b/gitopsaddon/charts/openshift-gitops-operator/templates/argocd-aggreate-admin.clusterrole.yaml
new file mode 100644
index 0000000..83280e7
--- /dev/null
+++ b/gitopsaddon/charts/openshift-gitops-operator/templates/argocd-aggreate-admin.clusterrole.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: argocd-aggregate-admin
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - argocds
+ - appprojects
+ - applications
+ verbs:
+ - '*'
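Review bot: `runAsUser: 1000` is hard-coded in the new securityContext, which on OpenShift (the chart next to this file targets openshift-gitops-operator) conflicts with the restricted SCC that assigns UIDs from the namespace's allocated range, so the pod would be rejected at admission unless its ServiceAccount is known to be bound to a less restrictive SCC. Prefer dropping the `runAsUser` line and keeping `runAsNonRoot: true`, letting the platform assign the UID, or make the value configurable if a fixed UID is really required. The context also lacks a seccomp profile, which the Pod Security "restricted" standard requires; add `seccompProfile:` / `  type: RuntimeDefault` next to `allowPrivilegeEscalation`. With `readOnlyRootFilesystem: true` now set, confirm the gitopsaddon binary writes nothing to the root filesystem at runtime, since any such write now fails and would need an emptyDir volume for the scratch path. The container list and pod spec start outside the hunk.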
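Review bot: `verbs: ['*']` on the new aggregated ClusterRole gives every subject bound to the built-in `admin` role full control, including delete and deletecollection and any verb added to the API later, over argocds, appprojects and applications in their namespaces; enumerate what is actually needed instead, e.g. `verbs: [get, list, watch, create, update, patch, delete]`. Because the `aggregate-to-admin` label folds this into the cluster-wide `admin` role, every namespace admin gains these rights at once, and the operator then presumably acts on the created objects with its own broader permissions, so a comment above `rules:` such as `# Exposes Argo CD CRDs to namespace admins; keep the verb list minimal` would record the intent for future reviewers. The template file name spells `aggreate` while the resource is `argocd-aggregate-admin`; rename the file to match.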