diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
index fdb237ee43..253235e68b 100644
--- a/.github/workflows/pss_test.yaml
+++ b/.github/workflows/pss_test.yaml
@@ -72,9 +72,7 @@ jobs:
             kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
           fi
         done
-        kubectl get pods -n istio-system
-        kubectl get cm -n istio-system
-        kubectl describe cm istio-sidecar-injector -n istio-system
+        sleep 100
 
     - name: Apply Pod Security Standards baseline levels for static namespaces
       run: ./tests/gh-actions/enable_baseline_PSS.sh
diff --git a/contrib/security/PSS/patches/cluster-jwks-proxy.yaml b/contrib/security/PSS/patches/cluster-jwks-proxy.yaml
new file mode 100644
index 0000000000..2a640234cb
--- /dev/null
+++ b/contrib/security/PSS/patches/cluster-jwks-proxy.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cluster-jwks-proxy
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kubectl-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL