diff --git a/pkg/apis/etcd/v1beta2/cluster.go b/pkg/apis/etcd/v1beta2/cluster.go
index 8d88bf8d3..32878c375 100644
--- a/pkg/apis/etcd/v1beta2/cluster.go
+++ b/pkg/apis/etcd/v1beta2/cluster.go
@@ -148,6 +148,10 @@ type PodPolicy struct {
 // busybox:latest uses uclibc which contains a bug that sometimes prevents name resolution
 // More info: https://github.com/docker-library/busybox/issues/27
 BusyboxImage string `json:"busyboxImage,omitempty"`
+
+ // SecurityContext specifies the security context for the entire pod
+ // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+ SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // TODO: move this to initializer
diff --git a/pkg/apis/etcd/v1beta2/zz_generated.deepcopy.go b/pkg/apis/etcd/v1beta2/zz_generated.deepcopy.go
index 305396e7d..ed88cb67b 100644
--- a/pkg/apis/etcd/v1beta2/zz_generated.deepcopy.go
+++ b/pkg/apis/etcd/v1beta2/zz_generated.deepcopy.go
@@ -524,6 +524,15 @@ func (in *PodPolicy) DeepCopyInto(out *PodPolicy) {
 (*out)[key] = val
 }
 }
+ if in.SecurityContext != nil {
+ in, out := &in.SecurityContext, &out.SecurityContext
+ if *in == nil {
+ *out = nil
+ } else {
+ *out = new(v1.PodSecurityContext)
+ (*in).DeepCopyInto(*out)
+ }
+ }
 return
 }
 
diff --git a/pkg/util/k8sutil/k8sutil.go b/pkg/util/k8sutil/k8sutil.go
index 84dba2577..72508e790 100644
--- a/pkg/util/k8sutil/k8sutil.go
+++ b/pkg/util/k8sutil/k8sutil.go
@@ -350,9 +350,6 @@ func newEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state,
 }})
 }
 
- runAsNonRoot := true
- podUID := int64(9000)
- fsGroup := podUID
 pod := &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: m.Name,
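Review bot: The doc comment on the new `SecurityContext` field of PodPolicy does not say what the operator does when the field is omitted, which is the state every existing cluster spec is in. The k8sutil hunks in this same diff delete the fixed `RunAsUser: 9000` / `RunAsNonRoot: true` / `FSGroup: 9000` context and substitute whatever this field holds, so an unset field now means no pod-level security context rather than the earlier non-root defaults. I would make that explicit in the API doc so users know they must set it to keep the pods non-root, e.g. `// If unset, no pod-level SecurityContext is applied to the etcd pods; set RunAsNonRoot/RunAsUser/FSGroup here to retain the previous non-root defaults.` The PodPolicy struct starts and ends outside this hunk.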
@@ -383,17 +380,20 @@ func newEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state, Hostname: m.Name, Subdomain: clusterName, AutomountServiceAccountToken: func(b bool) *bool { return &b }(false), - SecurityContext: &v1.PodSecurityContext{ - RunAsUser: &podUID, - RunAsNonRoot: &runAsNonRoot, - FSGroup: &fsGroup, - }, + SecurityContext: podSecurityContext(cs.Pod), }, } SetEtcdVersion(pod, cs.Version) return pod } +func podSecurityContext(podPolicy *api.PodPolicy) *v1.PodSecurityContext { + if podPolicy == nil { + return nil + } + return podPolicy.SecurityContext +} + func NewEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state, token string, cs api.ClusterSpec, owner metav1.OwnerReference) *v1.Pod { pod := newEtcdPod(m, initialCluster, clusterName, state, token, cs) applyPodPolicy(clusterName, pod, cs.Pod)
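Review bot: `podSecurityContext` returns nil whenever the spec has no `pod.securityContext`, so the `RunAsUser: 9000` / `RunAsNonRoot: true` / `FSGroup: 9000` context that this hunk removes is no longer applied to any cluster that does not opt in, and the etcd pods of every existing CR are created with no pod-level security context at all — a fail-open change rather than a purely additive one. If the intent is only to make the context configurable, keep the hardened values as the fallback and let an explicitly set policy override them, as below. The new helper also has no doc comment; a one-line header recording that fallback would stop the next reader from "simplifying" it back to the nil return. newEtcdPod's body begins outside this hunk, and applyPodPolicy (called from NewEtcdPod, not shown) may touch the pod after this runs, so the override order should be checked there too.
```go
// podSecurityContext returns the pod-level security context for an etcd pod.
// A context given in the pod policy wins; otherwise the previous hardened
// default (non-root, UID/FSGroup 9000) is kept so unset specs do not fail open.
func podSecurityContext(podPolicy *api.PodPolicy) *v1.PodSecurityContext {
	if podPolicy != nil && podPolicy.SecurityContext != nil {
		return podPolicy.SecurityContext
	}
	runAsNonRoot := true
	podUID := int64(9000)
	fsGroup := podUID
	return &v1.PodSecurityContext{
		RunAsUser:    &podUID,
		RunAsNonRoot: &runAsNonRoot,
		FSGroup:      &fsGroup,
	}
}
```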