diff --git a/kubernetes/storage/apps/default/filebrowser/app/helmrelease.yaml b/kubernetes/storage/apps/default/filebrowser/app/helmrelease.yaml
index 3d9d4e55f8add..8d4083a729cf3 100644
--- a/kubernetes/storage/apps/default/filebrowser/app/helmrelease.yaml
+++ b/kubernetes/storage/apps/default/filebrowser/app/helmrelease.yaml
@@ -62,14 +62,15 @@ spec:
                 cpu: 10m
               limits:
                 memory: 512Mi
-        pod:
-          securityContext:
-            runAsUser: 568
-            runAsGroup: 568
-            runAsNonRoot: true
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            supplementalGroups: [10000]
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        supplementalGroups: [10000]
+        seccompProfile: { type: RuntimeDefault }
     service:
       app:
         controller: filebrowser
diff --git a/kubernetes/storage/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml b/kubernetes/storage/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml
index aa5fa3771efa4..9c28b81c7121a 100644
--- a/kubernetes/storage/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml
+++ b/kubernetes/storage/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml
@@ -106,13 +106,14 @@ spec:
                   initialDelaySeconds: 15
             securityContext: *securityContext
             resources: *resources
-        pod:
-          securityContext:
-            runAsUser: 999
-            runAsGroup: 999
-            runAsNonRoot: true
-            fsGroup: 999
-            fsGroupChangePolicy: OnRootMismatch
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile: { type: RuntimeDefault }
     service:
       app:
         controller: onepassword-connect
diff --git a/kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
index 225dfcb68038d..086e5344af813 100644
--- a/kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
+++ b/kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
@@ -54,27 +54,28 @@ spec:
               capabilities: { drop: ["ALL"] }
               seccompProfile:
                 type: RuntimeDefault
-        pod:
-          securityContext:
-            runAsUser: 65534
-            runAsGroup: 65534
-            runAsNonRoot: true
-          affinity:
-            nodeAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                nodeSelectorTerms:
-                  - matchExpressions:
-                      - key: node-role.kubernetes.io/control-plane
-                        operator: Exists
-          tolerations:
-            - key: CriticalAddonsOnly
-              operator: Exists
-            - key: node-role.kubernetes.io/control-plane
-              operator: Exists
-              effect: NoSchedule
-            - key: node-role.kubernetes.io/master
-              operator: Exists
-              effect: NoSchedule
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile: { type: RuntimeDefault }
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: Exists
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+          effect: NoSchedule
     serviceAccount:
       create: true
       name: system-upgrade