diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
index fd190c72..3db454b8 100644
--- a/charts/retool/Chart.yaml
+++ b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.0.16
+version: 6.0.17
 maintainers:
 - name: Retool Engineering
 email: engineering+helm@retool.com
diff --git a/charts/retool/templates/deployment_code_executor.yaml b/charts/retool/templates/deployment_code_executor.yaml
index c461ac9c..340cb9fb 100644
--- a/charts/retool/templates/deployment_code_executor.yaml
+++ b/charts/retool/templates/deployment_code_executor.yaml
@@ -53,7 +53,11 @@ spec:
 image: "{{ .Values.codeExecutor.image.repository }}:{{ include "retool.codeExecutor.image.tag" . }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 securityContext:
+ {{ if .Values.codeExecutor.securityContext }}
+{{ toYaml .Values.codeExecutor.securityContext | indent 10 }}
+ {{ else }}
 privileged: true
+ {{ end }}
 env:
 - name: DEPLOYMENT_TEMPLATE_TYPE
 value: {{ template "retool.deploymentTemplateType" . }}
diff --git a/charts/retool/values.yaml b/charts/retool/values.yaml
index 4f96648b..93a78574 100644
--- a/charts/retool/values.yaml
+++ b/charts/retool/values.yaml
@@ -440,6 +440,12 @@ codeExecutor:
 cpu: 1000m
 memory: 1024Mi
+ # code executor uses nsjail to sandbox code execution. nsjail requires privileged container access.
+ # If your deployment does not support privileged access, you can set `privileged` to false to not
+ # use nsjail. Without nsjail, all code is run without sandboxing within your deployment.
+ securityContext:
+ privileged: true
+
 image:
 repository: tryretool/code-executor-service
 # defaults to image.tag if >= 3.20.15, otherwise defaults to 1.1.0; explicitly set to override.
diff --git a/values.yaml b/values.yaml
index 4f96648b..93a78574 100644
--- a/values.yaml
+++ b/values.yaml
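Review bot: The `{{ else }}` branch under `securityContext:` in deployment_code_executor.yaml fails open: `if` treats an empty map or null as false, so an operator who overrides `codeExecutor.securityContext` with `{}` or `null` expecting to drop privileges still gets `privileged: true` rendered. Since values.yaml in this commit already supplies the default, the fallback could be removed, or at least documented in place with `{{- /* empty or null securityContext falls back to privileged: true; set privileged: false explicitly to opt out */ -}}`. The value is rendered at container level (between `imagePullPolicy` and `env`), so pod-only fields such as `fsGroup` placed under this key would not be valid there. The container spec continues outside the hunk.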
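Review bot: The comment above `securityContext` in charts/retool/values.yaml should spell out how to opt out, because Helm deep-merges maps: an override that only adds other fields keeps the default `privileged: true`, and per the template hunk in this commit an empty or null value also falls back to it. I would add `# Rendered as the container securityContext. Overrides are merged with this default; set privileged: false explicitly to opt out.` It is also worth stating the trade-off in both directions: a privileged container has host-level access on its node if the sandbox is bypassed, while disabling nsjail leaves user code unsandboxed inside the deployment. The identical hunk for the top-level `values.yaml` needs the same wording.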
@@ -440,6 +440,12 @@ codeExecutor:
 cpu: 1000m
 memory: 1024Mi
+ # code executor uses nsjail to sandbox code execution. nsjail requires privileged container access.
+ # If your deployment does not support privileged access, you can set `privileged` to false to not
+ # use nsjail. Without nsjail, all code is run without sandboxing within your deployment.
+ securityContext:
+ privileged: true
+
 image:
 repository: tryretool/code-executor-service
 # defaults to image.tag if >= 3.20.15, otherwise defaults to 1.1.0; explicitly set to override.