diff --git a/.changelog/4227.txt b/.changelog/4227.txt
new file mode 100644
index 0000000000..feb7844aae
--- /dev/null
+++ b/.changelog/4227.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
+This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical.
+```
diff --git a/charts/consul/templates/client-securitycontextconstraints.yaml b/charts/consul/templates/client-securitycontextconstraints.yaml
index 07e7711384..c14dd1c991 100644
--- a/charts/consul/templates/client-securitycontextconstraints.yaml
+++ b/charts/consul/templates/client-securitycontextconstraints.yaml
@@ -13,6 +13,7 @@ metadata:
 annotations:
 kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required to run the consul client.
+# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
 {{- if .Values.client.dataDirectoryHostPath }}
 allowHostDirVolumePlugin: true
 {{- else }}
@@ -44,13 +45,17 @@ supplementalGroups:
 type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
 - configMap
 - downwardAPI
 - emptyDir
-- persistentVolumeClaim
-- projected
-- secret
 {{- if .Values.client.dataDirectoryHostPath }}
 - hostPath
 {{- end }}
+- persistentVolumeClaim
+- projected
+- secret
 {{- end}}
diff --git a/charts/consul/templates/cni-securitycontextconstraints.yaml b/charts/consul/templates/cni-securitycontextconstraints.yaml
index 2c09dba9b8..cb60104cf0 100644
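Review bot: The four-line comment added above `volumes:` in the client SCC reads as self-contradictory ("hostPath must be included explicitly ... as it will otherwise be added by OpenShift"), and the `# Iff.` line added under the annotations is a typo for "if and only if"; both are plain YAML comments, so they are also emitted into the rendered SCC rather than stripped like a `{{/* */}}` template comment would be. The requirement this hunk actually encodes is that the source list must already equal what OpenShift produces after defaulting — hostPath present exactly when allowHostDirVolumePlugin is true, entries alphabetical — so ArgoCD sees no drift; I'd say that directly: `# Keep this list alphabetical and keep hostPath in lockstep with allowHostDirVolumePlugin: OpenShift defaulting adds/removes hostPath and reorders the list, and any other shape shows up as permanent drift in ArgoCD.` The claim that "admission hooks" enforce the ordering is not evidenced in the diff; phrasing it as observed behaviour and naming the OpenShift version it was verified against would help, because if that defaulting ever changes the drift silently returns rather than failing. The hostPath entry and allowHostDirVolumePlugin are toggled by the same `.Values.client.dataDirectoryHostPath` value, which is the right coupling — a short comment on the second `{{- if` noting that the two conditionals must stay in sync would stop a later edit from changing one without the other.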
--- a/charts/consul/templates/cni-securitycontextconstraints.yaml
+++ b/charts/consul/templates/cni-securitycontextconstraints.yaml
@@ -13,6 +13,7 @@ metadata:
 annotations:
 kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required to run consul-cni.
+# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
 allowHostDirVolumePlugin: true
 allowHostIPC: false
 allowHostNetwork: false
@@ -40,11 +41,15 @@ supplementalGroups:
 type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
 - configMap
 - downwardAPI
 - emptyDir
+- hostPath
 - persistentVolumeClaim
 - projected
 - secret
-- hostPath
 {{- end }}
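Review bot: The comment block copied above `volumes:` in the cni SCC keeps the sentence "It must be excluded if allowHostDirVolumePlugin is false", but in this template `allowHostDirVolumePlugin: true` is hard-coded (visible in the first hunk), so that case cannot occur here and the text suggests a conditional that does not exist. I'd trim it to what applies: `# Keep this list alphabetical and keep hostPath present, since allowHostDirVolumePlugin is true above; OpenShift defaulting would otherwise add/reorder it, which ArgoCD reports as drift.` Because this SCC grants hostPath volumes and is defined with `users: []`, it would be worth stating in the `kubernetes.io/description` annotation that it is meant to be reachable only through an RBAC `use` grant scoped to the cni service account — the binding is not in this diff, so confirm that is how it is wired before documenting it. The `{{- end }}` at the bottom closes a conditional that begins outside the hunk.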