diff --git a/charts/kubezero-argo/values.yaml b/charts/kubezero-argo/values.yaml
index 2c953c61..53d3069d 100644
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@@ -152,7 +152,14 @@ argo-cd:
         - mountPath: /home/argocd/.kube
           name: kubeconfigs
         securityContext:
-          '{{- toYaml .Values.repoServer.containerSecurityContext | nindent 4 }}'
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
 
   server:
     # Rename former https port to grpc, works with istio + insecure