diff --git a/oryxBuildBinary b/oryxBuildBinary
new file mode 100755
index 0000000000000000000000000000000000000000..afe277b75bed357602ffd462df7bff40c7721de6
Binary files /dev/null and b/oryxBuildBinary differ
diff --git a/pkg/apis/upgrade.cattle.io/v1/types.go b/pkg/apis/upgrade.cattle.io/v1/types.go
index 4756151e0db872cd3da990f1200b28ffb6cbd46a..cc170eafda7dd79bb914ae96542ea45d015e4576 100644
--- a/pkg/apis/upgrade.cattle.io/v1/types.go
+++ b/pkg/apis/upgrade.cattle.io/v1/types.go
@@ -62,12 +62,13 @@ type PlanStatus struct {
 
 // ContainerSpec is a simplified container template.
 type ContainerSpec struct {
-	Image   string                 `json:"image,omitempty"`
-	Command []string               `json:"command,omitempty"`
-	Args    []string               `json:"args,omitempty"`
-	Env     []corev1.EnvVar        `json:"envs,omitempty"`
-	EnvFrom []corev1.EnvFromSource `json:"envFrom,omitempty"`
-	Volumes []VolumeSpec           `json:"volumes,omitempty"`
+	Image           string                  `json:"image,omitempty"`
+	Command         []string                `json:"command,omitempty"`
+	Args            []string                `json:"args,omitempty"`
+	Env             []corev1.EnvVar         `json:"envs,omitempty"`
+	EnvFrom         []corev1.EnvFromSource  `json:"envFrom,omitempty"`
+	Volumes         []VolumeSpec            `json:"volumes,omitempty"`
+	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 }
 
 type VolumeSpec struct {
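Review bot: The new `SecurityContext` field on `ContainerSpec` has no doc comment, although it lets a Plan author set every field of `corev1.SecurityContext` (privileged, capabilities, run-as user) for the job container. Say on the field what happens when it is set and which controller setting governs it, for example `// SecurityContext, when set, replaces the controller's default security context for this container; see ALLOW_USER_DEFINED_SECURITY_CONTEXT.` The struct's other fields are undocumented too, but this is the one where the semantics matter for anyone granting Plan write access.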
diff --git a/pkg/apis/upgrade.cattle.io/v1/zz_generated_deepcopy.go b/pkg/apis/upgrade.cattle.io/v1/zz_generated_deepcopy.go
index 20df86b8d1585aa3972f2479499d22c34d1994ac..47f78c5aeabc331faa01706d754752e2ec3707fe 100644
--- a/pkg/apis/upgrade.cattle.io/v1/zz_generated_deepcopy.go
+++ b/pkg/apis/upgrade.cattle.io/v1/zz_generated_deepcopy.go
@@ -62,6 +62,11 @@ func (in *ContainerSpec) DeepCopyInto(out *ContainerSpec) {
 		*out = make([]VolumeSpec, len(*in))
 		copy(*out, *in)
 	}
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		*out = new(corev1.SecurityContext)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
diff --git a/pkg/upgrade/.DS_Store b/pkg/upgrade/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..aa07961543849dfcf0415ee08543caf602b177a9
Binary files /dev/null and b/pkg/upgrade/.DS_Store differ
diff --git a/pkg/upgrade/job/job.go b/pkg/upgrade/job/job.go
index aa6f0240d25aad278c00cf03ed1409008b61c581..1e729cc0efcd3beae1c304e8b51353f676beb538 100644
--- a/pkg/upgrade/job/job.go
+++ b/pkg/upgrade/job/job.go
@@ -29,6 +29,17 @@ const (
 	defaultTTLSecondsAfterFinished = int32(900)
 )
 
+func allowUserDefinedSecurityContext(defaultValue bool) bool {
+	if str, ok := os.LookupEnv("ALLOW_USER_DEFINED_SECURITY_CONTEXT"); ok {
+		if b, err := strconv.ParseBool(str); err != nil {
+			logrus.Errorf("failed to parse $%s: %v", "ALLOW_USER_DEFINED_SECURITY_CONTEXT", err)
+		} else {
+			return b
+		}
+	}
+	return defaultValue
+}
+
 var (
 	ActiveDeadlineSeconds = func(defaultValue int64) int64 {
 		if str, ok := os.LookupEnv("SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS"); ok {
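Review bot: In `allowUserDefinedSecurityContext`, a value that fails `strconv.ParseBool` is logged and then falls through to `defaultValue`, and the only visible caller passes `true`, so an operator who tries to turn the feature off with a malformed value ends up with it on. For a switch that gates privilege settings the error branch should fail closed, e.g. `return false` right after the `logrus.Errorf` call. The variable name is also spelled twice as a string literal and lacks the `SYSTEM_UPGRADE_JOB_` prefix used by the neighbouring settings; a single constant such as `const allowUserDefinedSecurityContextEnv = "ALLOW_USER_DEFINED_SECURITY_CONTEXT"` would keep the lookup and the log message in step.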
@@ -81,6 +92,8 @@ var (
 		return defaultValue
 	}(defaultPrivileged)
 
+	AllowUserDefinedSecurityContext = allowUserDefinedSecurityContext(true)
+
 	ImagePullPolicy = func(defaultValue corev1.PullPolicy) corev1.PullPolicy {
 		if str := os.Getenv("SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY"); str != "" {
 			return corev1.PullPolicy(str)
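Review bot: `AllowUserDefinedSecurityContext` is assigned here but none of the hunks in this diff read it: both changes in `New` pass `plan.Spec.Upgrade.SecurityContext` through unconditionally. Unless it is consulted somewhere outside the visible hunks, setting the variable to false changes nothing. The branch in the last `New` hunk should test it, `if AllowUserDefinedSecurityContext && plan.Spec.Upgrade.SecurityContext != nil {`, and the earlier `WithSecurityContext` call needs the same gate. Defaulting to `true` also makes this an opt-out; a comment on the variable should state that default and what it permits.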
@@ -263,6 +276,7 @@ func New(plan *upgradeapiv1.Plan, node *corev1.Node, controllerName string) *bat
 				upgradectr.WithPlanEnvironment(plan.Name, plan.Status),
 				upgradectr.WithImagePullPolicy(ImagePullPolicy),
 				upgradectr.WithVolumes(plan.Spec.Upgrade.Volumes),
+				upgradectr.WithSecurityContext(plan.Spec.Upgrade.SecurityContext),
 			),
 		)
 	}
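Review bot: `plan.Spec.Upgrade.SecurityContext` is nil whenever the Plan omits the field, and this call passes it straight to `upgradectr.WithSecurityContext`, whose handling of nil is not visible in the diff. If the option assigns the pointer as given, it would clear any security context the container had before this option ran, so the option should either skip nil or the call should be documented with `// nil when the Plan sets no securityContext; WithSecurityContext must leave the container unchanged in that case`. The container built here starts outside the hunk; if it is not the upgrade container itself, reusing the upgrade container's context for it deserves a comment explaining why it should get the same privileges.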
@@ -337,18 +351,26 @@ func New(plan *upgradeapiv1.Plan, node *corev1.Node, controllerName string) *bat
 		)
 	}
 
+	// Check if SecurityContext from the Plan is non-nil
+	var securityContext *corev1.SecurityContext
+	if plan.Spec.Upgrade.SecurityContext != nil {
+		securityContext = plan.Spec.Upgrade.SecurityContext
+	} else {
+		securityContext = &corev1.SecurityContext{
+			Privileged: &Privileged,
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{
+					corev1.Capability("CAP_SYS_BOOT"),
+				},
+			},
+		}
+	}
+
 	// and finally, we upgrade
 	podTemplate.Spec.Containers = []corev1.Container{
 		upgradectr.New("upgrade", *plan.Spec.Upgrade,
 			upgradectr.WithLatestTag(plan.Status.LatestVersion),
-			upgradectr.WithSecurityContext(&corev1.SecurityContext{
-				Privileged: &Privileged,
-				Capabilities: &corev1.Capabilities{
-					Add: []corev1.Capability{
-						corev1.Capability("CAP_SYS_BOOT"),
-					},
-				},
-			}),
+			upgradectr.WithSecurityContext(securityContext),
 			upgradectr.WithSecrets(plan.Spec.Secrets),
 			upgradectr.WithPlanEnvironment(plan.Name, plan.Status),
 			upgradectr.WithImagePullPolicy(ImagePullPolicy),
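Review bot: A Plan-supplied context replaces the default wholesale, so the operator-controlled `Privileged` value and the `CAP_SYS_BOOT` capability are no longer applied; a Plan can then request `privileged: true` even where the controller was configured with it off. If that is intended it should be stated in the comment, which currently only restates the nil check. Otherwise the user's context should be merged with, or validated against, the controller's `Privileged` setting. The pointer is also taken directly from the Plan object, so the pod template aliases it; `securityContext = plan.Spec.Upgrade.SecurityContext.DeepCopy()` keeps later mutation of the container from reaching the Plan. `New` begins and ends outside this hunk.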