diff --git a/src/main/helm/templates/_helpers.tpl b/src/main/helm/templates/_helpers.tpl
index e1ad80c9e73a351f2cdaac3e730bfaa3b5995c60..3427f54fe957138cc72b1757f957aba8d28bae4c 100644
--- a/src/main/helm/templates/_helpers.tpl
+++ b/src/main/helm/templates/_helpers.tpl
@@ -38,7 +38,9 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 {{- define "app.ssoRealm" -}}
 {{ printf "%s-%s-%s" (include "app.ozgcloudBundesland" .) ( include "app.ozgcloudBezeichner" . ) ( include "app.ozgcloudEnvironment" . ) | trunc 63 | trimSuffix "-" }}
 {{- end -}}
-
+{{- define "app.serviceAccountName" -}}
+{{ printf "%s" ( (.Values.serviceAccount).name | default "administration-service-account" ) }}
+{{- end -}}
 {{- define "app.ozgcloudBundesland" -}}
 {{- required "Bundesland muss angegeben sein" (.Values.ozgcloud).bundesland }}
 {{- end -}}
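Review bot: The fallback in `app.serviceAccountName` is the fixed string `administration-service-account` rather than a name derived from the release, so two releases that end up in the same namespace would resolve to one ServiceAccount and share whatever RBAC is bound to it. Whether that can happen depends on how namespaces are assigned, which this diff does not show. If existing role bindings do not depend on the fixed name, a release-scoped default such as `{{ (.Values.serviceAccount).name | default (printf "%s-service-account" .Release.Name) }}` keeps identities separate. It also drops the `printf "%s"` wrapper, which is a no-op. A short comment above the define, for example `{{- /* ServiceAccount name used by the pod; overridden by .Values.serviceAccount.name */ -}}`, would document the override for chart users.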
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index cf4720b88a773d2153428371fc018d1d8638e72d..b554d57c771f82258d30f20cd129eca4f55eb66f 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -48,6 +48,9 @@ spec:
         {{- include "app.defaultLabels" . | indent 8 }}
         component: {{ .Release.Name }}
     spec:
+      {{- if (.Values.serviceAccount).create }}
+      serviceAccountName: {{ include "app.serviceAccountName" . }}
+      {{- end }}
       topologySpreadConstraints:
       - maxSkew: 1
         topologyKey: kubernetes.io/hostname
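Review bot: `serviceAccountName` is emitted only when `serviceAccount.create` is true, so an install that points `serviceAccount.name` at an account managed outside the chart and leaves `create` false silently runs under the namespace's `default` ServiceAccount. Gating on either value avoids that: `{{- if or (.Values.serviceAccount).create (.Values.serviceAccount).name }}`. The pod spec continues outside this hunk, so it is not visible whether `automountServiceAccountToken` is set. If the workload never calls the Kubernetes API, `automountServiceAccountToken: false` next to this block keeps the token out of the container.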
@@ -142,15 +145,36 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 5
+        {{- if .Values.enableLivenessProbe }}
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /actuator/health/liveness
+            port: 8081
+            scheme: HTTP
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 3
+        {{- end }}
         resources:
         {{- with .Values.resources }}
-        {{ toYaml . | indent 10 }}
+{{ toYaml . | indent 10 }}
         {{- end }}
         securityContext:
           allowPrivilegeEscalation: false
           privileged: false
           readOnlyRootFilesystem: false
           runAsNonRoot: true
+          {{- with (.Values.securityContext).runAsUser }}
+          runAsUser: {{ . }}
+          {{- end }}
+          {{- with (.Values.securityContext).runAsGroup }}
+          runAsGroup: {{ . }}
+          {{- end }}
+          {{- with (.Values.securityContext).capabilities }}
+          capabilities:
+{{ toYaml . | indent 12 }}
+          {{- end }}
         stdin: true
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
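Review bot: The new `capabilities` block in the container `securityContext` is rendered only when `.Values.securityContext.capabilities` is set, so with default values the container keeps the runtime's default capability set. A chart-side baseline of `drop: [ALL]` that values can override would make the hardened case the default, assuming the application needs no extra capabilities. The same pass-through-without-baseline pattern applies to the pod-level `securityContext` in the last hunk of this file, where a default such as `seccompProfile.type: RuntimeDefault` could be supplied. The container spec starts outside this hunk.

```yaml
          # … unchanged: runAsUser / runAsGroup blocks …
          capabilities:
          {{- with (.Values.securityContext).capabilities }}
{{ toYaml . | indent 12 }}
          {{- else }}
            drop:
              - ALL
          {{- end }}
```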
@@ -178,5 +202,8 @@ spec:
         - name: {{ required "image-pull-secret must be set" .Values.imagePullSecret }}
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
-      terminationGracePeriodSeconds: 300000000
\ No newline at end of file
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 30