diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml
index f4e759a0ab..29a80464a7 100644
--- a/neutron/templates/daemonset-dhcp-agent.yaml
+++ b/neutron/templates/daemonset-dhcp-agent.yaml
@@ -64,8 +64,7 @@ spec:
 - name: neutron-dhcp-agent
 {{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 readinessProbe:
 exec:
 command:
@@ -100,6 +99,8 @@ spec:
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: /var/lib/neutron
 - name: neutron-bin
 mountPath: /tmp/neutron-dhcp-agent.sh
 subPath: neutron-dhcp-agent.sh
@@ -172,6 +173,8 @@ spec:
 volumes:
 - name: pod-tmp
 emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
 - name: neutron-bin
 configMap:
 name: neutron-bin
diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml
index fb79a94a88..4f1763485b 100644
--- a/neutron/templates/daemonset-l3-agent.yaml
+++ b/neutron/templates/daemonset-l3-agent.yaml
@@ -64,8 +64,7 @@ spec:
 - name: neutron-l3-agent
 {{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 readinessProbe:
 exec:
 command:
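Review bot: The securityContext of neutron-dhcp-agent is now whatever the `kubernetes_container_security_context` snippet finds under `pod.security_context.neutron.container.neutron_dhcp_agent`, so an operator override that replaces the `container` map without that key may silently drop `privileged: true` and leave the agent without the access it had before, with no render-time error; the same dependency applies to the neutron-l3-agent hunk below and to the lb, sriov and server hunks on the following lines. A template comment naming the values path the include reads, e.g. `{{/* securityContext is read from .Values.pod.security_context.neutron.container.neutron_dhcp_agent */}}` above the include, would make that coupling visible to whoever edits either file. Whether a missing key renders nothing or aborts the render depends on the helm-toolkit snippet, which is outside this diff. The container spec continues outside the hunk.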
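Review bot: The `pod-var-neutron` emptyDir for `/var/lib/neutron` is added with nothing explaining why that path now needs its own mount; the reason is presumably the `readOnlyRootFilesystem: true` that the values.yaml hunk enables for this container, and the same undocumented mount appears in the volumes hunk at -172 and in the two l3-agent hunks on the next line. A one-line comment above the volume, `# writable scratch for the agent; required because the container root filesystem is read-only`, would record that coupling so the mount is not removed as unused later. As an emptyDir it is per-pod scratch, so confirm the dhcp agent keeps nothing under that path that is expected to outlive the pod.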
@@ -100,6 +99,8 @@ spec:
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
+ - name: pod-var-neutron
+ mountPath: /var/lib/neutron
 - name: neutron-bin
 mountPath: /tmp/neutron-l3-agent.sh
 subPath: neutron-l3-agent.sh
@@ -171,6 +172,8 @@ spec:
 volumes:
 - name: pod-tmp
 emptyDir: {}
+ - name: pod-var-neutron
+ emptyDir: {}
 - name: neutron-bin
 configMap:
 name: neutron-bin
diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml
index 8f6889f6a8..37d35d0bb2 100644
--- a/neutron/templates/daemonset-lb-agent.yaml
+++ b/neutron/templates/daemonset-lb-agent.yaml
@@ -62,11 +62,7 @@ spec:
 {{ tuple $envAll "pod_dependency" $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 - name: neutron-lb-agent-kernel-modules
 {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- capabilities:
- add:
- - SYS_MODULE
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/neutron-linuxbridge-agent-init-modules.sh
 volumeMounts:
@@ -80,9 +76,7 @@ spec:
 - name: neutron-lb-agent-init
 {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/neutron-linuxbridge-agent-init.sh
 volumeMounts:
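Review bot: neutron-lb-agent-kernel-modules and neutron-lb-agent-init now receive `readOnlyRootFilesystem: true` from values.yaml, as do neutron-lb-agent and both sriov containers on the next line, but unlike the dhcp and l3 daemonsets no writable mount for `/var/lib/neutron` is added to these templates; if any of these containers writes under that path it will fail at runtime with a read-only filesystem error rather than at render time. Either add the same `pod-var-neutron` emptyDir and mount to this template and the sriov one, or state in a comment above the include that these containers only write to `/tmp`. The kernel-modules container keeps `SYS_MODULE` and uid 0, now as overridable data; a comment at the include such as `# SYS_MODULE and uid 0 are needed only by this module-loading step, see values.yaml` would stop them being copied to the long-running agent by a later edit. Both container specs continue outside their hunks.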
@@ -138,8 +132,7 @@ spec:
 - name: neutron-lb-agent
 {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/neutron-linuxbridge-agent.sh
 readinessProbe:
diff --git a/neutron/templates/daemonset-sriov-agent.yaml b/neutron/templates/daemonset-sriov-agent.yaml
index 1730990245..33ba8f6102 100644
--- a/neutron/templates/daemonset-sriov-agent.yaml
+++ b/neutron/templates/daemonset-sriov-agent.yaml
@@ -63,9 +63,7 @@ spec:
 - name: neutron-sriov-agent-init
 {{ tuple $envAll "neutron_sriov_agent_init" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_sriov_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/neutron-sriov-agent-init.sh
 volumeMounts:
@@ -127,8 +125,7 @@ spec:
 - name: neutron-sriov-agent
 {{ tuple $envAll "neutron_sriov_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/neutron-sriov-agent.sh
 readinessProbe:
diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml
index 2f16842597..33ce76636d 100644
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@@ -62,8 +62,7 @@ spec:
 - name: neutron-server
 {{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/neutron-server.sh
 - start
diff --git a/neutron/values.yaml b/neutron/values.yaml
index abd3c19dd7..b14fea78f2 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -304,6 +304,40 @@ pod:
 user:
 neutron:
 uid: 42424
+ security_context:
+ neutron:
+ pod:
+ runAsUser: 42424
+ container:
+ neutron_dhcp_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_l3_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_lb_agent_kernel_modules:
+ capabilities:
+ add:
+ - SYS_MODULE
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ neutron_lb_agent_init:
+ privileged: true
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ neutron_lb_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_sriov_agent_init:
+ privileged: true
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ neutron_sriov_agent:
+ readOnlyRootFilesystem: true
+ privileged: true
+ neutron_server:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 affinity:
 anti:
 type:
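Review bot: `readOnlyRootFilesystem: true` is paired with `privileged: true` for every agent container in this block, and a privileged container keeps host-level access that a read-only root filesystem does not constrain, so the flag protects only the image layer; a comment above `container:` stating why the agents need `privileged` and that `readOnlyRootFilesystem` is not isolation on its own would stop the block reading as a full lockdown. The pod-level `runAsUser: 42424` is declared here, but none of the template hunks in this change include a pod security-context snippet, so either it is unused or it is applied by templates outside the diff, in which case the privileged agents that set no container-level `runAsUser` move from the image's default user to uid 42424 — worth confirming, since the dhcp and l3 agents previously carried only `privileged: true`. For `neutron_server`, adding `runAsNonRoot: true` beside `allowPrivilegeEscalation: false` would enforce the non-root intent rather than relying on the uid alone. The neutron-server hunk above depends on the `neutron_server` key in this same block.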