diff --git a/roles/rke2/templates/manifests/deploy-rancher-logging.j2 b/roles/rke2/templates/manifests/deploy-rancher-logging.j2
index c7f6ccc9455f979eaf3728d95e7867e00ec1b8bc..03a6e61184700585ed8b25e5b5d0ece98e2f6330 100644
--- a/roles/rke2/templates/manifests/deploy-rancher-logging.j2
+++ b/roles/rke2/templates/manifests/deploy-rancher-logging.j2
@@ -33,9 +33,20 @@ spec:
   targetNamespace: cattle-logging-system
   valuesContent: |-
     createCustomResource: true
-    global.seLinux.enabled: true
-    additionalLoggingSources.rke2.enabled: true
+    global:
+      seLinux:
+        enabled: true
+    additionalLoggingSources:
+      rke2:
+        enabled: true
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 1000
+    SecurityContext:
+      runAsNonRoot: true
+      runAsUser: 1000
 
+# Need for fluentd statefulset the Security Context RunasUser
 ---
 
 apiVersion: helm.cattle.io/v1
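Review bot: The new `SecurityContext:` key is capitalised differently from `podSecurityContext:` two lines above it; Helm values keys are case-sensitive and a key the chart does not know is silently ignored rather than rejected, so if the chart's key is `securityContext` the container-level `runAsNonRoot`/`runAsUser` settings would never reach the fluentd pod. I cannot confirm the chart's key names from this hunk, so check the chart's values.yaml and, if it is lowercase there, change the line to `securityContext:`. The explanatory comment `# Need for fluentd statefulset the Security Context RunasUser` is added after the blank line between two documents, outside the `valuesContent` block scalar, where it does not read as belonging to the lines it explains; placing it directly above `podSecurityContext:` (inside the block scalar it is carried as text and presumably dropped as a comment when the values string is parsed) and rewording it to `# fluentd StatefulSet needs an explicit runAsUser / runAsNonRoot` would make the intent clear. The HelmChart object this values block belongs to starts above the hunk.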
diff --git a/roles/rke2/templates/manifests/deploy-rancher-neuvector.j2 b/roles/rke2/templates/manifests/deploy-rancher-neuvector.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5116e86c1499e19e59c5b65422309a12588276db
--- /dev/null
+++ b/roles/rke2/templates/manifests/deploy-rancher-neuvector.j2
@@ -0,0 +1,272 @@
+---
+
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: cattle-neuvector-system
+  name: kube-system #! it has  ALOT of priviledged stuff, hostMounts etc going on, getting it to run in user space is a mess
+
+
+
+---
+
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: cattle-neuvector-crd
+  namespace: kube-system
+spec:
+  repo: {{ item.value.repo | default("https://charts.rancher.io") }}
+  chart: neuvector-crd
+  version: {{ item.value.version | default("100.0.0+up2.2.0") }}
+  targetNamespace: cattle-neuvector-system
+---
+
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: cattle-neuvector
+  namespace: kube-system
+spec:
+  repo: {{ item.value.repo | default("https://charts.rancher.io") }}
+  chart: neuvector
+  version: {{ item.value.version | default("100.0.0+up2.2.0") }}
+  targetNamespace: cattle-neuvector-system
+  set:
+    psp: true
+  valuesContent: |-
+    docker:
+      enabled: false
+    k3s:
+      enabled: true
+      runtimePath: /run/k3s/containerd/containerd.sock
+    containerd:
+      enabled: true
+      path: /run/k3s/containerd/containerd.sock
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: psp-neuvector-system-unrestricted
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system-unrestricted-psp-role
+subjects:
+- kind: ServiceAccount
+  name: neuvector
+  namespace: cattle-neuvector-system
+
+
+maanger and scanner pods are failing
+for manager, you also need to put 
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+
+admissionwebhook:
+  type: ClusterIP
+bottlerocket:
+  enabled: false
+  runtimePath: /run/dockershim.sock
+containerd:
+  enabled: true
+  path: /run/k3s/containerd/containerd.sock
+controller:
+  affinity:
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - podAffinityTerm:
+            labelSelector:
+              matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                    - neuvector-controller-pod
+            topologyKey: kubernetes.io/hostname
+          weight: 100
+  apisvc:
+    annotations: {}
+    route:
+      enabled: false
+      host: null
+      termination: passthrough
+    type: null
+  azureFileShare:
+    enabled: false
+    secretName: null
+    shareName: null
+  certificate:
+    keyFile: tls.key
+    pemFile: tls.pem
+    secret: null
+  configmap:
+    data: null
+    enabled: false
+  disruptionbudget: 0
+  enabled: true
+  env: null
+  federation:
+    managedsvc:
+      ingress:
+        annotations:
+          ingress.kubernetes.io/protocol: https
+        enabled: false
+        host: null
+        path: /
+        secretName: null
+        tls: false
+      route:
+        enabled: false
+        host: null
+        termination: passthrough
+      type: null
+    mastersvc:
+      ingress:
+        annotations:
+          ingress.kubernetes.io/protocol: https
+        enabled: false
+        host: null
+        path: /
+        secretName: null
+        tls: false
+      route:
+        enabled: false
+        host: null
+        termination: passthrough
+      type: null
+  image:
+    hash: null
+    repository: rancher/mirrored-neuvector-controller
+    tag: 5.0.0
+  ingress:
+    annotations:
+      ingress.kubernetes.io/protocol: https
+    enabled: false
+    host: null
+    path: /
+    secretName: null
+    tls: false
+  nodeSelector: {}
+  priorityClassName: null
+  pvc:
+    accessModes:
+      - ReadWriteMany
+    capacity: null
+    enabled: false
+    storageClass: null
+  ranchersso:
+    enabled: true
+  replicas: 3
+  resources: {}
+  schedulerName: null
+  secret:
+    data: {}
+    enabled: false
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  tolerations: null
+crdwebhook:
+  enabled: true
+  type: ClusterIP
+crio:
+  enabled: false
+  path: /var/run/crio/crio.sock
+cve:
+  scanner:
+    affinity: {}
+    dockerPath: ''
+    enabled: true
+    image:
+      hash: null
+      repository: rancher/mirrored-neuvector-scanner
+      tag: latest
+    nodeSelector: {}
+    priorityClassName: null
+    replicas: 3
+    resources: {}
+    strategy:
+      rollingUpdate:
+        maxSurge: 1
+        maxUnavailable: 0
+      type: RollingUpdate
+    tolerations: null
+  updater:
+    enabled: true
+    image:
+      hash: null
+      repository: rancher/mirrored-neuvector-updater
+      tag: latest
+    priorityClassName: null
+    schedule: 0 0 * * *
+    secure: false
+docker:
+  path: /var/run/docker.sock
+  enabled: false
+enforcer:
+  enabled: true
+  image:
+    hash: null
+    repository: rancher/mirrored-neuvector-enforcer
+    tag: 5.0.0
+  priorityClassName: null
+  resources: {}
+  tolerations:
+    - effect: NoSchedule
+      key: node-role.kubernetes.io/master
+k3s:
+  enabled: false
+  runtimePath: /run/k3s/containerd/containerd.sock
+manager:
+  affinity: {}
+  certificate:
+    keyFile: tls.key
+    pemFile: tls.pem
+    secret: null
+  enabled: true
+  env:
+    ssl: true
+  image:
+    hash: null
+    repository: rancher/mirrored-neuvector-manager
+    tag: 5.0.0
+  ingress:
+    annotations: {}
+    enabled: false
+    host: null
+    path: /
+    secretName: null
+    tls: false
+  nodeSelector: {}
+  priorityClassName: null
+  resources: {}
+  route:
+    enabled: true
+    host: null
+    termination: passthrough
+  svc:
+    annotations: {}
+    loadBalancerIP: null
+    type: NodePort
+  tolerations: null
+oem: null
+openshift: false
+psp: false
+registry: docker.io
+resources: {}
+serviceAccount: neuvector
+global:
+  cattle:
+    clusterId: local
+    clusterName: local
+    rkePathPrefix: ''
+    rkeWindowsPathPrefix: ''
+    systemDefaultRegistry: ''
+    systemProjectId: p-fkh6w
+    url: ''
+  systemDefaultRegistry: ''
\ No newline at end of file
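Review bot: Everything from `maanger and scanner pods are failing` to the end of the file is not a Kubernetes object: the unindented prose lines form a multi-line plain scalar where a mapping key is expected, and the mapping that follows (`admissionwebhook:` … `global:`) has no `apiVersion`/`kind` and looks like a pasted copy of the chart's default values, so a YAML loader will reject the rendered file and the HelmChart objects above it will most likely never be applied. The working note belongs in the commit message or a `#` comment and the values dump should be deleted; the dump also carries an environment-specific `systemProjectId: p-fkh6w` that should not be committed even if it were kept. The Namespace document declares `name` twice (`cattle-neuvector-system`, then `kube-system`); parsers that accept duplicate keys keep the last one, so this file creates no `cattle-neuvector-system` namespace although both HelmCharts target it, and the second line should be removed, keeping `name: cattle-neuvector-system` with the `#!` remark moved onto a comment line of its own. The ClusterRoleBinding that grants `system-unrestricted-psp-role` to the `neuvector` service account is a deliberate, broad grant and deserves a one-line comment stating why it is needed; since PodSecurityPolicy is removed in Kubernetes 1.25, `set: psp: true` and this binding only have effect on older clusters, which is worth noting next to them.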