diff --git a/podsecuritypolicy/templates/podsecuritypolicy.yaml b/podsecuritypolicy/templates/podsecuritypolicy.yaml
index 46d1cd24f..741c9a8f0 100644
--- a/podsecuritypolicy/templates/podsecuritypolicy.yaml
+++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml
@@ -26,8 +26,12 @@ metadata:
   name: {{ $pspName }}
   labels:
 {{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $pspDetails.annotations }}
+  annotations:
+{{ toYaml $pspDetails.annotations | indent 4 }}
+{{- end }}
 spec:
-{{ toYaml $pspDetails | indent 2 }}
+{{ toYaml $pspDetails.spec | indent 2 }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/podsecuritypolicy/values.yaml b/podsecuritypolicy/values.yaml
index 355000f5f..807e12893 100644
--- a/podsecuritypolicy/values.yaml
+++ b/podsecuritypolicy/values.yaml
@@ -33,25 +33,27 @@ data:
   # Note: you can define as many PSPs here as you need.
   #
   psp-default:  # This will be the `metadata.name` of the PodSecurityPolicy
-    privileged: true
-    allowPrivilegeEscalation: true
-    hostNetwork: true
-    hostPID: true
-    hostIPC: true
-    seLinux:
-      rule: RunAsAny
-    supplementalGroups:
-      rule: RunAsAny
-    runAsUser:
-      rule: RunAsAny
-    fsGroup:
-      rule: RunAsAny
-    volumes:
-    - '*'
-    allowedCapabilities:
-    - '*'
-    hostPorts:
-    - min: 1
-      max: 65536
+    annotations: {} # Placeholder to add seccomp/apparmor default annotations
+    spec:
+      privileged: true
+      allowPrivilegeEscalation: true
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      seLinux:
+        rule: RunAsAny
+      supplementalGroups:
+        rule: RunAsAny
+      runAsUser:
+        rule: RunAsAny
+      fsGroup:
+        rule: RunAsAny
+      volumes:
+      - '*'
+      allowedCapabilities:
+      - '*'
+      hostPorts:
+      - min: 1
+        max: 65536
 manifests:
   podsecuritypolicy: true
diff --git a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
index 1aed98a62..6b977e781 100755
--- a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
+++ b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
@@ -35,7 +35,7 @@ EOF
 #NOTE: Deploy with host networking off, and test for failure
 helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
   --namespace=kube-system \
-  --set data.psp-default.hostNetwork=false \
+  --set data.psp-default.spec.hostNetwork=false \
   ${OSH_INFRA_EXTRA_HELM_ARGS} \
   ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
 
@@ -50,12 +50,14 @@ if kubectl apply -f /tmp/psp-test-pod.yaml; then
   echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
   kubectl delete pod psp-test
   exit 1
+else
+  echo "Failure above is expected. Continuing."
 fi
 
 #NOTE: Deploy with host networking on, and test for success
 helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
   --namespace=kube-system \
-  --set data.psp-default.hostNetwork=true \
+  --set data.psp-default.spec.hostNetwork=true \
   ${OSH_INFRA_EXTRA_HELM_ARGS} \
   ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}