diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
index d1dac7477c..48998f2412 100644
--- a/.github/workflows/pss_test.yaml
+++ b/.github/workflows/pss_test.yaml
@@ -11,6 +11,7 @@ on:
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
+    - contrib/security/PSS/*
     - tests/gh-actions/install_istio-cni.sh
     - tests/gh-actions/install_multitenancy.sh
 
diff --git a/contrib/security/PSS/patches/cluster-jwks-proxy.yaml b/contrib/security/PSS/patches/cluster-jwks-proxy.yaml
new file mode 100644
index 0000000000..7935ec8a7a
--- /dev/null
+++ b/contrib/security/PSS/patches/cluster-jwks-proxy.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cluster-jwks-proxy
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kubectl-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL