diff --git a/.gitattributes b/.gitattributes
index 867879420..c7d74c7a6 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 pkg/generated/** linguist-generated
-**/zz_generated.deepcopy.go linguist-generated
\ No newline at end of file
+**/zz_generated.deepcopy.go linguist-generated
+pkg/api/** linguist-generated
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c8d9258e..babd5d39a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 - (Feature) Backup lifetime - remove Backup once its lifetime has been reached
 - (Feature) Add Feature dependency
 - (Feature) Run secured containers as a feature
+- (Feature) Expose core.PodSecurityContext Sysctl options
 
 ## [1.2.31](https://github.com/arangodb/kube-arangodb/tree/1.2.31) (2023-07-14)
 - (Improvement) Block traffic on the services if there is more than 1 active leader in ActiveFailover mode
diff --git a/docs/api/ArangoDeployment.V1.md b/docs/api/ArangoDeployment.V1.md
index 8d5927299..c21b45ae6 100644
--- a/docs/api/ArangoDeployment.V1.md
+++ b/docs/api/ArangoDeployment.V1.md
@@ -327,11 +327,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
 
 AddCapabilities add new capabilities to containers
 
-Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42)
+Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
 
 ### .spec.agents.securityContext.allowPrivilegeEscalation: bool
 
-Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
+Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
 
 ### .spec.agents.securityContext.dropAllCapabilities: bool
 
@@ -339,31 +339,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
 
 Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
 
-Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40)
+Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 
 ### .spec.agents.securityContext.fsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 
 ### .spec.agents.securityContext.privileged: bool
 
-Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
+Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
 
 ### .spec.agents.securityContext.readOnlyRootFilesystem: bool
 
-Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 
 ### .spec.agents.securityContext.runAsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
 
 ### .spec.agents.securityContext.runAsNonRoot: bool
 
-Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
+Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
 
 ### .spec.agents.securityContext.runAsUser: int64
 
-Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
+Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 
 ### .spec.agents.securityContext.seccompProfile: core.SeccompProfile
 
@@ -372,7 +372,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
 Links:
 * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57)
+Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
 
 ### .spec.agents.securityContext.seLinuxOptions: core.SELinuxOptions
 
@@ -381,11 +381,32 @@ SELinuxOptions are the labels to be applied to the container
 Links:
 * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62)
+Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
 
 ### .spec.agents.securityContext.supplementalGroups: []int64
 
-Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
+Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+
+### .spec.agents.securityContext.sysctls: map[string]intstr.IntOrString
+
+Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+
+sysctls (by the container runtime) might fail to launch.
+
+Map Value can be String or Int
+
+Links:
+* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+
+Example:
+```yaml
+sysctls:
+  "kernel.shm_rmid_forced": "0"
+  "net.core.somaxconn": 1024
+  "kernel.msgmax": "65536"
+```
+
+Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
 
 ### .spec.agents.serviceAccountName: string
 
@@ -917,11 +938,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
 
 AddCapabilities add new capabilities to containers
 
-Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42)
+Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
 
 ### .spec.coordinators.securityContext.allowPrivilegeEscalation: bool
 
-Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
+Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
 
 ### .spec.coordinators.securityContext.dropAllCapabilities: bool
 
@@ -929,31 +950,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
 
 Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
 
-Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40)
+Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 
 ### .spec.coordinators.securityContext.fsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 
 ### .spec.coordinators.securityContext.privileged: bool
 
-Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
+Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
 
 ### .spec.coordinators.securityContext.readOnlyRootFilesystem: bool
 
-Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 
 ### .spec.coordinators.securityContext.runAsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
 
 ### .spec.coordinators.securityContext.runAsNonRoot: bool
 
-Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
+Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
 
 ### .spec.coordinators.securityContext.runAsUser: int64
 
-Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
+Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 
 ### .spec.coordinators.securityContext.seccompProfile: core.SeccompProfile
 
@@ -962,7 +983,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
 Links:
 * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57)
+Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
 
 ### .spec.coordinators.securityContext.seLinuxOptions: core.SELinuxOptions
 
@@ -971,11 +992,32 @@ SELinuxOptions are the labels to be applied to the container
 Links:
 * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62)
+Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
 
 ### .spec.coordinators.securityContext.supplementalGroups: []int64
 
-Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
+Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+
+### .spec.coordinators.securityContext.sysctls: map[string]intstr.IntOrString
+
+Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+
+sysctls (by the container runtime) might fail to launch.
+
+Map Value can be String or Int
+
+Links:
+* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+
+Example:
+```yaml
+sysctls:
+  "kernel.shm_rmid_forced": "0"
+  "net.core.somaxconn": 1024
+  "kernel.msgmax": "65536"
+```
+
+Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
 
 ### .spec.coordinators.serviceAccountName: string
 
@@ -1439,11 +1481,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
 
 AddCapabilities add new capabilities to containers
 
-Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42)
+Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
 
 ### .spec.dbservers.securityContext.allowPrivilegeEscalation: bool
 
-Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
+Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
 
 ### .spec.dbservers.securityContext.dropAllCapabilities: bool
 
@@ -1451,31 +1493,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
 
 Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
 
-Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40)
+Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 
 ### .spec.dbservers.securityContext.fsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 
 ### .spec.dbservers.securityContext.privileged: bool
 
-Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
+Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
 
 ### .spec.dbservers.securityContext.readOnlyRootFilesystem: bool
 
-Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 
 ### .spec.dbservers.securityContext.runAsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
 
 ### .spec.dbservers.securityContext.runAsNonRoot: bool
 
-Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
+Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
 
 ### .spec.dbservers.securityContext.runAsUser: int64
 
-Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
+Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 
 ### .spec.dbservers.securityContext.seccompProfile: core.SeccompProfile
 
@@ -1484,7 +1526,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
 Links:
 * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57)
+Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
 
 ### .spec.dbservers.securityContext.seLinuxOptions: core.SELinuxOptions
 
@@ -1493,11 +1535,32 @@ SELinuxOptions are the labels to be applied to the container
 Links:
 * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62)
+Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
 
 ### .spec.dbservers.securityContext.supplementalGroups: []int64
 
-Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
+Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+
+### .spec.dbservers.securityContext.sysctls: map[string]intstr.IntOrString
+
+Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+
+sysctls (by the container runtime) might fail to launch.
+
+Map Value can be String or Int
+
+Links:
+* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+
+Example:
+```yaml
+sysctls:
+  "kernel.shm_rmid_forced": "0"
+  "net.core.somaxconn": 1024
+  "kernel.msgmax": "65536"
+```
+
+Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
 
 ### .spec.dbservers.serviceAccountName: string
 
@@ -1748,11 +1811,11 @@ Code Reference: [server_id_group_spec.go:56](/pkg/apis/deployment/v1/server_id_g
 
 AddCapabilities add new capabilities to containers
 
-Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42)
+Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
 
 ### .spec.id.securityContext.allowPrivilegeEscalation: bool
 
-Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
+Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
 
 ### .spec.id.securityContext.dropAllCapabilities: bool
 
@@ -1760,31 +1823,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
 
 Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
 
-Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40)
+Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 
 ### .spec.id.securityContext.fsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 
 ### .spec.id.securityContext.privileged: bool
 
-Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
+Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
 
 ### .spec.id.securityContext.readOnlyRootFilesystem: bool
 
-Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 
 ### .spec.id.securityContext.runAsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
 
 ### .spec.id.securityContext.runAsNonRoot: bool
 
-Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
+Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
 
 ### .spec.id.securityContext.runAsUser: int64
 
-Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
+Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 
 ### .spec.id.securityContext.seccompProfile: core.SeccompProfile
 
@@ -1793,7 +1856,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
 Links:
 * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57)
+Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
 
 ### .spec.id.securityContext.seLinuxOptions: core.SELinuxOptions
 
@@ -1802,11 +1865,32 @@ SELinuxOptions are the labels to be applied to the container
 Links:
 * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62)
+Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
 
 ### .spec.id.securityContext.supplementalGroups: []int64
 
-Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
+Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+
+### .spec.id.securityContext.sysctls: map[string]intstr.IntOrString
+
+Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+
+sysctls (by the container runtime) might fail to launch.
+
+Map Value can be String or Int
+
+Links:
+* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+
+Example:
+```yaml
+sysctls:
+  "kernel.shm_rmid_forced": "0"
+  "net.core.somaxconn": 1024
+  "kernel.msgmax": "65536"
+```
+
+Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
 
 ### .spec.id.serviceAccountName: string
 
@@ -2290,11 +2374,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
 
 AddCapabilities add new capabilities to containers
 
-Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42)
+Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
 
 ### .spec.single.securityContext.allowPrivilegeEscalation: bool
 
-Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
+Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
 
 ### .spec.single.securityContext.dropAllCapabilities: bool
 
@@ -2302,31 +2386,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
 
 Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
 
-Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40)
+Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 
 ### .spec.single.securityContext.fsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 
 ### .spec.single.securityContext.privileged: bool
 
-Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
+Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
 
 ### .spec.single.securityContext.readOnlyRootFilesystem: bool
 
-Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 
 ### .spec.single.securityContext.runAsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
 
 ### .spec.single.securityContext.runAsNonRoot: bool
 
-Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
+Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
 
 ### .spec.single.securityContext.runAsUser: int64
 
-Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
+Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 
 ### .spec.single.securityContext.seccompProfile: core.SeccompProfile
 
@@ -2335,7 +2419,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
 Links:
 * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57)
+Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
 
 ### .spec.single.securityContext.seLinuxOptions: core.SELinuxOptions
 
@@ -2344,11 +2428,32 @@ SELinuxOptions are the labels to be applied to the container
 Links:
 * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62)
+Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
 
 ### .spec.single.securityContext.supplementalGroups: []int64
 
-Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
+Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+
+### .spec.single.securityContext.sysctls: map[string]intstr.IntOrString
+
+Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+
+sysctls (by the container runtime) might fail to launch.
+
+Map Value can be String or Int
+
+Links:
+* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+
+Example:
+```yaml
+sysctls:
+  "kernel.shm_rmid_forced": "0"
+  "net.core.somaxconn": 1024
+  "kernel.msgmax": "65536"
+```
+
+Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
 
 ### .spec.single.serviceAccountName: string
 
@@ -2902,11 +3007,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
 
 AddCapabilities add new capabilities to containers
 
-Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42)
+Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
 
 ### .spec.syncmasters.securityContext.allowPrivilegeEscalation: bool
 
-Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
+Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
 
 ### .spec.syncmasters.securityContext.dropAllCapabilities: bool
 
@@ -2914,31 +3019,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
 
 Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
 
-Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40)
+Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 
 ### .spec.syncmasters.securityContext.fsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 
 ### .spec.syncmasters.securityContext.privileged: bool
 
-Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
+Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
 
 ### .spec.syncmasters.securityContext.readOnlyRootFilesystem: bool
 
-Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 
 ### .spec.syncmasters.securityContext.runAsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
 
 ### .spec.syncmasters.securityContext.runAsNonRoot: bool
 
-Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
+Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
 
 ### .spec.syncmasters.securityContext.runAsUser: int64
 
-Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
+Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 
 ### .spec.syncmasters.securityContext.seccompProfile: core.SeccompProfile
 
@@ -2947,7 +3052,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
 Links:
 * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57)
+Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
 
 ### .spec.syncmasters.securityContext.seLinuxOptions: core.SELinuxOptions
 
@@ -2956,11 +3061,32 @@ SELinuxOptions are the labels to be applied to the container
 Links:
 * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62)
+Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
 
 ### .spec.syncmasters.securityContext.supplementalGroups: []int64
 
-Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
+Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+
+### .spec.syncmasters.securityContext.sysctls: map[string]intstr.IntOrString
+
+Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+
+sysctls (by the container runtime) might fail to launch.
+
+Map Value can be String or Int
+
+Links:
+* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+
+Example:
+```yaml
+sysctls:
+  "kernel.shm_rmid_forced": "0"
+  "net.core.somaxconn": 1024
+  "kernel.msgmax": "65536"
+```
+
+Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
 
 ### .spec.syncmasters.serviceAccountName: string
 
@@ -3418,11 +3544,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
 
 AddCapabilities add new capabilities to containers
 
-Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42)
+Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
 
 ### .spec.syncworkers.securityContext.allowPrivilegeEscalation: bool
 
-Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44)
+Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
 
 ### .spec.syncworkers.securityContext.dropAllCapabilities: bool
 
@@ -3430,31 +3556,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
 
 Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
 
-Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40)
+Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
 
 ### .spec.syncworkers.securityContext.fsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
 
 ### .spec.syncworkers.securityContext.privileged: bool
 
-Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
+Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
 
 ### .spec.syncworkers.securityContext.readOnlyRootFilesystem: bool
 
-Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
+Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
 
 ### .spec.syncworkers.securityContext.runAsGroup: int64
 
-Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
+Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
 
 ### .spec.syncworkers.securityContext.runAsNonRoot: bool
 
-Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
+Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
 
 ### .spec.syncworkers.securityContext.runAsUser: int64
 
-Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
+Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
 
 ### .spec.syncworkers.securityContext.seccompProfile: core.SeccompProfile
 
@@ -3463,7 +3589,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
 Links:
 * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57)
+Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
 
 ### .spec.syncworkers.securityContext.seLinuxOptions: core.SELinuxOptions
 
@@ -3472,11 +3598,32 @@ SELinuxOptions are the labels to be applied to the container
 Links:
 * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
 
-Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62)
+Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
 
 ### .spec.syncworkers.securityContext.supplementalGroups: []int64
 
-Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51)
+Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
+
+### .spec.syncworkers.securityContext.sysctls: map[string]intstr.IntOrString
+
+Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+
+sysctls (by the container runtime) might fail to launch.
+
+Map Value can be String or Int
+
+Links:
+* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+
+Example:
+```yaml
+sysctls:
+  "kernel.shm_rmid_forced": "0"
+  "net.core.somaxconn": 1024
+  "kernel.msgmax": "65536"
+```
+
+Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
 
 ### .spec.syncworkers.serviceAccountName: string
 
diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec.go b/pkg/apis/deployment/v1/server_group_security_context_spec.go
index 11dbb97ca..2b892bf58 100644
--- a/pkg/apis/deployment/v1/server_group_security_context_spec.go
+++ b/pkg/apis/deployment/v1/server_group_security_context_spec.go
@@ -21,7 +21,10 @@
 package v1
 
 import (
+	"sort"
+
 	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
@@ -51,6 +54,17 @@ type ServerGroupSpecSecurityContext struct {
 	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
 	FSGroup            *int64  `json:"fsGroup,omitempty"`
 
+	// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+	// sysctls (by the container runtime) might fail to launch.
+	// Map Value can be String or Int
+	// +doc/example: sysctls:
+	// +doc/example:   "kernel.shm_rmid_forced": "0"
+	// +doc/example:   "net.core.somaxconn": 1024
+	// +doc/example:   "kernel.msgmax": "65536"
+	// +doc/type: map[string]intstr.IntOrString
+	// +doc/link: Documentation|https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+	Sysctls map[string]intstr.IntOrString `json:"sysctls,omitempty"`
+
 	// SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
 	// +doc/type: core.SeccompProfile
 	// +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core
@@ -96,6 +110,26 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 		}
 	}
 
+	if s != nil && len(s.Sysctls) > 0 {
+		var sysctls []core.Sysctl
+		for k, v := range s.Sysctls {
+			sysctls = append(sysctls, core.Sysctl{
+				Name:  k,
+				Value: v.String(),
+			})
+		}
+
+		sort.Slice(sysctls, func(i, j int) bool {
+			return sysctls[i].Name < sysctls[j].Name
+		})
+
+		if psc == nil {
+			psc = &core.PodSecurityContext{}
+		}
+
+		psc.Sysctls = sysctls
+	}
+
 	if secured {
 		if psc == nil {
 			psc = &core.PodSecurityContext{}
diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec_test.go b/pkg/apis/deployment/v1/server_group_security_context_spec_test.go
index 80b83f5fc..b7d7a5d3f 100644
--- a/pkg/apis/deployment/v1/server_group_security_context_spec_test.go
+++ b/pkg/apis/deployment/v1/server_group_security_context_spec_test.go
@@ -21,10 +21,13 @@
 package v1
 
 import (
+	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
@@ -76,6 +79,27 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 				SupplementalGroups: []int64{1},
 			},
 		},
+		"pass sysctl opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				Sysctls: map[string]intstr.IntOrString{
+					"opt.1": intstr.FromInt(1),
+					"opt.2": intstr.FromString("2"),
+				},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				Sysctls: []core.Sysctl{
+					{
+						Name:  "opt.1",
+						Value: "1",
+					},
+					{
+						Name:  "opt.2",
+						Value: "2",
+					},
+				},
+			},
+		},
 	}
 
 	for testName, testCase := range testCases {
@@ -86,6 +110,41 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 	}
 }
 
+func TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON(t *testing.T) {
+	testCases := map[string]struct {
+		sc      string
+		secured bool
+		want    *core.PodSecurityContext
+	}{
+		"pass sysctl opts": {
+			sc:      `{"sysctls":{"opt.1":1, "opt.2":"2"}}`,
+			secured: false,
+			want: &core.PodSecurityContext{
+				Sysctls: []core.Sysctl{
+					{
+						Name:  "opt.1",
+						Value: "1",
+					},
+					{
+						Name:  "opt.2",
+						Value: "2",
+					},
+				},
+			},
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			var p ServerGroupSpecSecurityContext
+			require.NoError(t, json.Unmarshal([]byte(testCase.sc), &p))
+
+			actual := p.NewPodSecurityContext(testCase.secured)
+			assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured)
+		})
+	}
+}
+
 func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 	tests := map[string]struct {
 		sc      *ServerGroupSpecSecurityContext
diff --git a/pkg/apis/deployment/v1/timeouts.go b/pkg/apis/deployment/v1/timeouts.go
index ee580ebd0..285e7783c 100644
--- a/pkg/apis/deployment/v1/timeouts.go
+++ b/pkg/apis/deployment/v1/timeouts.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/pkg/apis/deployment/v1/zz_generated.deepcopy.go b/pkg/apis/deployment/v1/zz_generated.deepcopy.go
index 2a6c1ab09..8d5eb4ac0 100644
--- a/pkg/apis/deployment/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/deployment/v1/zz_generated.deepcopy.go
@@ -32,6 +32,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -2576,6 +2577,13 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur
 		*out = new(int64)
 		**out = **in
 	}
+	if in.Sysctls != nil {
+		in, out := &in.Sysctls, &out.Sysctls
+		*out = make(map[string]intstr.IntOrString, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	if in.SeccompProfile != nil {
 		in, out := &in.SeccompProfile, &out.SeccompProfile
 		*out = new(corev1.SeccompProfile)
diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go
index 7f44b72ea..103b6fe4d 100644
--- a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go
+++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go
@@ -21,7 +21,10 @@
 package v2alpha1
 
 import (
+	"sort"
+
 	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
@@ -51,6 +54,17 @@ type ServerGroupSpecSecurityContext struct {
 	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
 	FSGroup            *int64  `json:"fsGroup,omitempty"`
 
+	// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+	// sysctls (by the container runtime) might fail to launch.
+	// Map Value can be String or Int
+	// +doc/example: sysctls:
+	// +doc/example:   "kernel.shm_rmid_forced": "0"
+	// +doc/example:   "net.core.somaxconn": 1024
+	// +doc/example:   "kernel.msgmax": "65536"
+	// +doc/type: map[string]intstr.IntOrString
+	// +doc/link: Documentation|https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+	Sysctls map[string]intstr.IntOrString `json:"sysctls,omitempty"`
+
 	// SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
 	// +doc/type: core.SeccompProfile
 	// +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core
@@ -96,6 +110,26 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 		}
 	}
 
+	if s != nil && len(s.Sysctls) > 0 {
+		var sysctls []core.Sysctl
+		for k, v := range s.Sysctls {
+			sysctls = append(sysctls, core.Sysctl{
+				Name:  k,
+				Value: v.String(),
+			})
+		}
+
+		sort.Slice(sysctls, func(i, j int) bool {
+			return sysctls[i].Name < sysctls[j].Name
+		})
+
+		if psc == nil {
+			psc = &core.PodSecurityContext{}
+		}
+
+		psc.Sysctls = sysctls
+	}
+
 	if secured {
 		if psc == nil {
 			psc = &core.PodSecurityContext{}
diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go
index c66a69596..bb23b599b 100644
--- a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go
+++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go
@@ -21,10 +21,13 @@
 package v2alpha1
 
 import (
+	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
@@ -76,6 +79,27 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 				SupplementalGroups: []int64{1},
 			},
 		},
+		"pass sysctl opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				Sysctls: map[string]intstr.IntOrString{
+					"opt.1": intstr.FromInt(1),
+					"opt.2": intstr.FromString("2"),
+				},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				Sysctls: []core.Sysctl{
+					{
+						Name:  "opt.1",
+						Value: "1",
+					},
+					{
+						Name:  "opt.2",
+						Value: "2",
+					},
+				},
+			},
+		},
 	}
 
 	for testName, testCase := range testCases {
@@ -86,6 +110,41 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 	}
 }
 
+func TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON(t *testing.T) {
+	testCases := map[string]struct {
+		sc      string
+		secured bool
+		want    *core.PodSecurityContext
+	}{
+		"pass sysctl opts": {
+			sc:      `{"sysctls":{"opt.1":1, "opt.2":"2"}}`,
+			secured: false,
+			want: &core.PodSecurityContext{
+				Sysctls: []core.Sysctl{
+					{
+						Name:  "opt.1",
+						Value: "1",
+					},
+					{
+						Name:  "opt.2",
+						Value: "2",
+					},
+				},
+			},
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			var p ServerGroupSpecSecurityContext
+			require.NoError(t, json.Unmarshal([]byte(testCase.sc), &p))
+
+			actual := p.NewPodSecurityContext(testCase.secured)
+			assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured)
+		})
+	}
+}
+
 func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 	tests := map[string]struct {
 		sc      *ServerGroupSpecSecurityContext
diff --git a/pkg/apis/deployment/v2alpha1/timeouts.go b/pkg/apis/deployment/v2alpha1/timeouts.go
index 3a2ec5591..865275766 100644
--- a/pkg/apis/deployment/v2alpha1/timeouts.go
+++ b/pkg/apis/deployment/v2alpha1/timeouts.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -35,7 +35,7 @@ type Timeouts struct {
 	// MaintenanceGracePeriod action timeout
 	MaintenanceGracePeriod *Timeout `json:"maintenanceGracePeriod,omitempty"`
 
-	// Actions keep list of the actions timeouts.
+	// Actions keep map of the actions timeouts.
 	// +doc/type: map[string]meta.Duration
 	// +doc/link: List of supported action names|/docs/generated/actions.md
 	// +doc/link: Definition of meta.Duration|https://github.com/kubernetes/apimachinery/blob/v0.26.6/pkg/apis/meta/v1/duration.go
diff --git a/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go b/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go
index d39969623..18d6d8039 100644
--- a/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go
@@ -32,6 +32,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -2576,6 +2577,13 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur
 		*out = new(int64)
 		**out = **in
 	}
+	if in.Sysctls != nil {
+		in, out := &in.Sysctls, &out.Sysctls
+		*out = make(map[string]intstr.IntOrString, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	if in.SeccompProfile != nil {
 		in, out := &in.SeccompProfile, &out.SeccompProfile
 		*out = new(v1.SeccompProfile)