diff --git a/controller/controllers/component_controller.go b/controller/controllers/component_controller.go
index 43c4d29c8..734a35a23 100644
--- a/controller/controllers/component_controller.go
+++ b/controller/controllers/component_controller.go
@@ -43,6 +43,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/handler"
 "sigs.k8s.io/controller-runtime/pkg/reconcile"
 "sigs.k8s.io/controller-runtime/pkg/source"
+ "strconv"
 "strings"
 corev1alpha1 "github.com/kalmhq/kalm/controller/api/v1alpha1"
@@ -280,6 +281,46 @@ func (r *ComponentReconcilerTask) GetAnnotations() map[string]string {
 return res
 }
+func GetPodSecurityContextFromAnnotation(annotations map[string]string) *coreV1.PodSecurityContext {
+ securityContext := new(coreV1.PodSecurityContext)
+ annotationFound := false
+
+ for k, v := range annotations {
+ if !strings.HasPrefix(k, "core.kalm.dev/podExt/securityContext") {
+ continue
+ }
+
+ annotationFound = true
+
+ rest := strings.TrimPrefix(k, "core.kalm.dev/podExt/securityContext")
+
+ switch rest {
+ case "runAsGroup":
+ n, err := strconv.ParseInt(v, 0, 64)
+
+ if err != nil {
+ continue
+ }
+
+ securityContext.RunAsGroup = &n
+ case "runAsUser":
+ n, err := strconv.ParseInt(v, 0, 64)
+
+ if err != nil {
+ continue
+ }
+
+ securityContext.RunAsUser = &n
+ }
+ }
+
+ if !annotationFound {
+ return nil
+ }
+
+ return securityContext
+}
+
 func (r *ComponentReconcilerTask) FixComponentDefaultValues() (err error) {
 if r.component == nil {
 return nil
@@ -981,6 +1022,7 @@ func (r *ComponentReconcilerTask) GetPodTemplateWithoutVols() (template *coreV1.
 LivenessProbe: r.FixProbe(component.Spec.LivenessProbe),
 },
 },
+ SecurityContext: GetPodSecurityContextFromAnnotation(annotations),
 },
 }
diff --git a/controller/controllers/logsystem_controller.go b/controller/controllers/logsystem_controller.go
index d484ee9d3..49c7a0f19 100644
--- a/controller/controllers/logsystem_controller.go
+++ b/controller/controllers/logsystem_controller.go
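Review bot: The `switch rest` cases in GetPodSecurityContextFromAnnotation cannot match the keys this commit writes: logsystem_controller.go uses `core.kalm.dev/podExt/securityContext/runAsUser`, so after `strings.TrimPrefix` with the slash-less prefix `rest` is `/runAsUser`, and the function returns an empty but non-nil PodSecurityContext with RunAsUser/RunAsGroup still unset (unless the keys are normalized somewhere not visible here). Hoist the prefix into one constant that carries the trailing slash and use it in both the `HasPrefix` and `TrimPrefix` calls, `const podSecurityContextAnnotationPrefix = "core.kalm.dev/podExt/securityContext/"`. Separately, `strconv.ParseInt(v, 0, 64)` treats `"010"` as octal 8 and accepts hex, which is surprising for a UID/GID, so `strconv.ParseInt(v, 10, 64)` is the safer choice, and the bare `continue` on a parse error silently drops a malformed value — log it so a typo in an annotation is diagnosable instead of the pod quietly running as the default user. The exported function also lacks a doc comment, e.g. `// GetPodSecurityContextFromAnnotation builds a pod-level SecurityContext from the core.kalm.dev/podExt/securityContext/* annotations; it returns nil when no such annotation is present.` The GetPodTemplateWithoutVols hunk below is affected by the same prefix mismatch, being the only caller shown.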
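Review bot: `SecurityContext: GetPodSecurityContextFromAnnotation(annotations)` turns any annotation carrying the prefix into the pod's runAsUser/runAsGroup with no validation of the value, so whoever can write annotations on a Component can have its pods run as UID 0 once the parser matches; `annotations` and the rest of GetPodTemplateWithoutVols sit outside the hunk, so where that map comes from is not visible here. If Component annotations are user-controlled, consider restricting this path (an allow-list of components or namespaces, or a bound on permitted UIDs) or documenting it as an intended escape hatch; also note that a container-level SecurityContext set elsewhere in the template would take precedence over this pod-level one. A short comment on the line, `// pod-level securityContext opt-in via core.kalm.dev/podExt/securityContext/* annotations`, would help readers who do not know the annotation scheme.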
@@ -409,7 +409,9 @@ func (r *LogSystemReconcilerTask) ReconcilePLGMonolithicPromtail() error {
 },
 Spec: corev1alpha1.ComponentSpec{
 Annotations: map[string]string{
- "sidecar.istio.io/inject": "false",
+ "sidecar.istio.io/inject": "false",
+ "core.kalm.dev/podExt/securityContext/runAsGroup": "0",
+ "core.kalm.dev/podExt/securityContext/runAsUser": "0",
 },
 Image: promtailImage,
 WorkloadType: corev1alpha1.WorkloadTypeDaemonSet,
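Review bot: The two new annotations make the promtail DaemonSet run as UID 0 / GID 0 with nothing saying why, and a reviewer later has no way to tell whether that privilege can be narrowed; a comment above them such as `// promtail needs root to read host log files; applied through the pod securityContext annotations` (adjusted to the actual reason) would keep the next reader from dropping or widening it. As written these keys carry a `/` after `securityContext`, so they only take effect if GetPodSecurityContextFromAnnotation in component_controller.go matches the slash-prefixed remainder, which the version in this commit does not appear to do. The enclosing ReconcilePLGMonolithicPromtail body starts and ends outside the hunk.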