diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go
index 55b3cb10623..f99d0ce2b30 100644
--- a/internal/infrastructure/kubernetes/proxy/resource.go
+++ b/internal/infrastructure/kubernetes/proxy/resource.go
@@ -227,7 +227,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra,
 },
 },
 },
- SecurityContext: expectedShutdownManagerSecurityContext(),
+ SecurityContext: expectedShutdownManagerSecurityContext(containerSpec),
 },
 }
 
@@ -384,7 +384,11 @@ func expectedEnvoySecurityContext(containerSpec *egv1a1.KubernetesContainerSpec)
 return sc
 }
 
-func expectedShutdownManagerSecurityContext() *corev1.SecurityContext {
+func expectedShutdownManagerSecurityContext(containerSpec *egv1a1.KubernetesContainerSpec) *corev1.SecurityContext {
+ if containerSpec != nil && containerSpec.SecurityContext != nil {
+ return containerSpec.SecurityContext
+ }
+
 sc := resource.DefaultSecurityContext()
 
 // run as non-root user
diff --git a/internal/infrastructure/kubernetes/proxy/resource_test.go b/internal/infrastructure/kubernetes/proxy/resource_test.go
index 31054b1ef1d..46592c85164 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_test.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_test.go
@@ -8,7 +8,12 @@ package proxy
 import (
 "testing"
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+ "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/resource"
+ "github.com/stretchr/testify/require"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/utils/ptr"
 )
 
 func TestEnvoyPodSelector(t *testing.T) {
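Review bot: The new early return in `expectedShutdownManagerSecurityContext` hands back the caller's `containerSpec.SecurityContext` pointer itself, so the shutdown-manager container now shares one `*corev1.SecurityContext` with anything else built from the same spec (the sibling `expectedEnvoySecurityContext` takes the same argument), and an in-place mutation on either side leaks into the other; returning `containerSpec.SecurityContext.DeepCopy()` keeps the two containers independent. The override also replaces the hardened default wholesale rather than merging, so a user spec that sets `ReadOnlyRootFilesystem: true` or leaves `RunAsUser` unset is applied verbatim to the shutdown manager, which the test in resource_test.go notes needs file write permission to signal drain completion — that precedence should at least be stated. A doc comment such as `// expectedShutdownManagerSecurityContext returns the user-supplied SecurityContext unchanged when one is set, otherwise the non-root default with a writable root filesystem.` would make the contract explicit. The function body continues past the end of this hunk.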
@@ -36,3 +41,49 @@ func TestEnvoyPodSelector(t *testing.T) {
 })
 }
 }
+
+func TestExpectedShutdownManagerSecurityContext(t *testing.T) {
+ defaultSecurityContext := func() *corev1.SecurityContext {
+ sc := resource.DefaultSecurityContext()
+
+ // run as non-root user
+ sc.RunAsGroup = ptr.To(int64(65532))
+ sc.RunAsUser = ptr.To(int64(65532))
+
+ // ShutdownManger creates a file to indicate the connection drain process is completed,
+ // so it needs file write permission.
+ sc.ReadOnlyRootFilesystem = nil
+ return sc
+ }
+
+ customSc := &corev1.SecurityContext{
+ Privileged: ptr.To(true),
+ RunAsUser: ptr.To(int64(21)),
+ RunAsGroup: ptr.To(int64(2100)),
+ }
+
+ tests := []struct {
+ name string
+ in *egv1a1.KubernetesContainerSpec
+ expected *corev1.SecurityContext
+ }{
+ {
+ name: "default",
+ in: nil,
+ expected: defaultSecurityContext(),
+ },
+ {
+ name: "default",
+ in: &egv1a1.KubernetesContainerSpec{
+ SecurityContext: customSc,
+ },
+ expected: customSc,
+ },
+ }
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ got := expectedShutdownManagerSecurityContext(tc.in)
+ require.Equal(t, tc.expected, got)
+ })
+ }
+}
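Review bot: Both table entries carry `name: "default"`, so the subtest exercising the user-supplied context is mislabelled and a failure in either is reported under the same name; the second entry should read `name: "custom",`. The second case compares against the very `customSc` pointer it passed in with `require.Equal`, which only does a deep comparison and therefore cannot tell whether the function returned the caller's pointer or a copy — if pointer pass-through is the intended contract, add `require.Same(t, tc.expected, got)` for that case so a later change to `DeepCopy` is caught deliberately rather than silently. The `defaultSecurityContext` helper restates the production defaults line by line, so any change to the hardened defaults in resource.go must be mirrored here by hand; a comment saying so would help the next maintainer. `ShutdownManger` in the helper's comment is a typo for `ShutdownManager`.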