diff --git a/deploy/charts/cert-manager/README.md b/deploy/charts/cert-manager/README.md
index 153b84b82..09d6596b8 100644
--- a/deploy/charts/cert-manager/README.md
+++ b/deploy/charts/cert-manager/README.md
@@ -82,6 +82,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | --------- | ----------- | ------- |
 | `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
 | `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
+| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
 | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
 | `image.tag` | Image tag | `v0.11.0-alpha.0` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
diff --git a/deploy/charts/cert-manager/cainjector/templates/psp-clusterrole.yaml b/deploy/charts/cert-manager/cainjector/templates/psp-clusterrole.yaml
new file mode 100644
index 000000000..177f13c69
--- /dev/null
+++ b/deploy/charts/cert-manager/cainjector/templates/psp-clusterrole.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cainjector.fullname" . }}-psp
+  labels:
+    app: {{ include "cainjector.name" . }}
+    chart: {{ include "cainjector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs: ['use']
+  resourceNames:
+  - {{ template "cainjector.fullname" . }}
+{{- end }}
diff --git a/deploy/charts/cert-manager/cainjector/templates/psp-clusterrolebinding.yaml b/deploy/charts/cert-manager/cainjector/templates/psp-clusterrolebinding.yaml
new file mode 100644
index 000000000..5baae2484
--- /dev/null
+++ b/deploy/charts/cert-manager/cainjector/templates/psp-clusterrolebinding.yaml
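Review bot: The new ClusterRole in cainjector/templates/psp-clusterrole.yaml is gated only on `.Values.global.podSecurityPolicy.enabled`, while the README row added in this same commit describes `global.rbac.create` as the switch for creating RBAC resources, so a release that sets `rbac.create: false` because roles are managed out of band would presumably still get this ClusterRole and its binding rendered. The same applies to cainjector/templates/psp-clusterrolebinding.yaml and the two controller copies under templates/. Either guard each with `{{- if and .Values.global.podSecurityPolicy.enabled .Values.global.rbac.create }}` or state in the README that the PSP RBAC objects are created independently of `global.rbac.create`.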
@@ -0,0 +1,19 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "cainjector.fullname" . }}-psp
+  labels:
+    app: {{ include "cainjector.name" . }}
+    chart: {{ include "cainjector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "cainjector.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "cainjector.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/deploy/charts/cert-manager/cainjector/templates/psp.yaml b/deploy/charts/cert-manager/cainjector/templates/psp.yaml
new file mode 100644
index 000000000..f87fba647
--- /dev/null
+++ b/deploy/charts/cert-manager/cainjector/templates/psp.yaml
@@ -0,0 +1,46 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + chart: {{ include "cainjector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotation: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} diff --git a/deploy/charts/cert-manager/cainjector/values.yaml b/deploy/charts/cert-manager/cainjector/values.yaml index 29769d16b..27abe2534 100644 --- a/deploy/charts/cert-manager/cainjector/values.yaml +++ b/deploy/charts/cert-manager/cainjector/values.yaml @@ -10,6 +10,9 @@ global: rbac: create: true + podSecurityPolicy: + enabled: false + leaderElection: # Override the namespace used to store the ConfigMap for leader election namespace: "" diff --git a/deploy/charts/cert-manager/templates/psp-clusterrole.yaml b/deploy/charts/cert-manager/templates/psp-clusterrole.yaml new file mode 100644 index 000000000..d53fb7ba0 --- /dev/null +++ b/deploy/charts/cert-manager/templates/psp-clusterrole.yaml 
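Review bot: `annotation:` under `metadata` in cainjector/templates/psp.yaml is not a valid ObjectMeta field, so the four seccomp/AppArmor profile annotations beneath it are never attached to the PodSecurityPolicy: depending on server-side validation the object is either rejected or the block is silently dropped, and no default or allowed seccomp/AppArmor profile is enforced on the pods. The key should be `annotations:`. templates/psp.yaml for the controller carries the same typo. Separately, `runAsUser`, `supplementalGroups` and `fsGroup` are pinned to exactly 1000, which presumably matches the security context of the cainjector and controller Deployments; those are not in this diff, so confirm the uid, otherwise pods are refused at admission once PSP enforcement is on.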
@@ -0,0 +1,17 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-psp
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    chart: {{ include "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs: ['use']
+  resourceNames:
+  - {{ template "cert-manager.fullname" . }}
+{{- end }}
diff --git a/deploy/charts/cert-manager/templates/psp-clusterrolebinding.yaml b/deploy/charts/cert-manager/templates/psp-clusterrolebinding.yaml
new file mode 100644
index 000000000..41bebf032
--- /dev/null
+++ b/deploy/charts/cert-manager/templates/psp-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-psp
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    chart: {{ include "cert-manager.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "cert-manager.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "cert-manager.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/deploy/charts/cert-manager/templates/psp.yaml b/deploy/charts/cert-manager/templates/psp.yaml
new file mode 100644
index 000000000..02e895446
--- /dev/null
+++ b/deploy/charts/cert-manager/templates/psp.yaml
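Review bot: `roleRef.name` in templates/psp-clusterrolebinding.yaml is `{{ template "cert-manager.fullname" . }}` without the `-psp` suffix, but the ClusterRole created in templates/psp-clusterrole.yaml is named `{{ template "cert-manager.fullname" . }}-psp`, so the `use` permission on the controller's PodSecurityPolicy is never bound to its ServiceAccount and the controller pods will fail admission when PSP enforcement is on. The cainjector binding in the same commit uses the `-psp` suffix correctly. Change the line to `name: {{ template "cert-manager.fullname" . }}-psp`. If a ClusterRole with the unsuffixed name already exists elsewhere in the chart, the binding would silently re-bind that role rather than erroring, so this would not surface at install time.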
@@ -0,0 +1,46 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "cert-manager.fullname" . }} + labels: + app: {{ include "cert-manager.name" . }} + chart: {{ include "cert-manager.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotation: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index 603941e75..62e0c9c04 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml @@ -14,6 +14,9 @@ global: rbac: create: true + podSecurityPolicy: + enabled: false + logLevel: 2 leaderElection: diff --git a/test/fixtures/cert-manager-values.yaml b/test/fixtures/cert-manager-values.yaml index 0f32d9057..e6bf894a3 100644 --- a/test/fixtures/cert-manager-values.yaml +++ b/test/fixtures/cert-manager-values.yaml @@ -2,6 +2,8 @@ replicaCount: 1 global: logLevel: "4" + podSecurityPolicy: + enabled: true image: tag: build