diff --git a/templates/server-acl-init-cleanup-clusterrole.yaml b/templates/server-acl-init-cleanup-clusterrole.yaml
index 20509ac694..d70db13c31 100644
--- a/templates/server-acl-init-cleanup-clusterrole.yaml
+++ b/templates/server-acl-init-cleanup-clusterrole.yaml
@@ -13,5 +13,13 @@ rules:
   - apiGroups: ["batch"]
     resources: ["jobs"]
     verbs: ["get", "delete"]
+{{- if .Values.global.enablePodSecurityPolicies }}
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames:
+      - {{ template "consul.fullname" . }}-server-acl-init-cleanup
+    verbs:
+      - use
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/templates/server-acl-init-cleanup-podsecuritypolicy.yaml
new file mode 100644
index 0000000000..300ff20f23
--- /dev/null
+++ b/templates/server-acl-init-cleanup-podsecuritypolicy.yaml
@@ -0,0 +1,37 @@
+{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if .Values.global.bootstrapACLs }}
+{{- if .Values.global.enablePodSecurityPolicies }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-server-acl-init-cleanup
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  privileged: false
+  # Allow core volume types.
+  volumes:
+    - 'secret'
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+  {{- end }}
+  {{- end }}
+  {{- end }}
diff --git a/templates/server-acl-init-clusterrole.yaml b/templates/server-acl-init-clusterrole.yaml
index 627a2f8592..15c14ba724 100644
--- a/templates/server-acl-init-clusterrole.yaml
+++ b/templates/server-acl-init-clusterrole.yaml
@@ -38,5 +38,13 @@ rules:
     verbs:
       - get
 {{- end }}
+{{- if .Values.global.enablePodSecurityPolicies }}
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames:
+      - {{ template "consul.fullname" . }}-server-acl-init
+    verbs:
+      - use
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/templates/server-acl-init-podsecuritypolicy.yaml b/templates/server-acl-init-podsecuritypolicy.yaml
new file mode 100644
index 0000000000..d39e06f344
--- /dev/null
+++ b/templates/server-acl-init-podsecuritypolicy.yaml
@@ -0,0 +1,37 @@
+{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if .Values.global.bootstrapACLs }}
+{{- if .Values.global.enablePodSecurityPolicies }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-server-acl-init
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  privileged: false
+  # Allow core volume types.
+  volumes:
+    - 'secret'
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+  {{- end }}
+  {{- end }}
+  {{- end }}
diff --git a/test/unit/server-acl-init-cleanup-clusterrole.bats b/test/unit/server-acl-init-cleanup-clusterrole.bats
index f6852515de..badd1a4e68 100644
--- a/test/unit/server-acl-init-cleanup-clusterrole.bats
+++ b/test/unit/server-acl-init-cleanup-clusterrole.bats
@@ -42,3 +42,17 @@ load _helpers
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# global.enablePodSecurityPolicies
+
+@test "serverACLInitCleanup/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-cleanup-clusterrole.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      . | tee /dev/stderr |
+      yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
+  [ "${actual}" = "1" ]
+}
diff --git a/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats b/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats
new file mode 100644
index 0000000000..a19bff5146
--- /dev/null
+++ b/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "serverACLInitCleanup/PodSecurityPolicy: disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-cleanup-podsecuritypolicy.yaml  \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "serverACLInitCleanup/PodSecurityPolicy: disabled with global.bootstrapACLs=true and global.enablePodSecurityPolicies=false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-cleanup-podsecuritypolicy.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'global.enablePodSecurityPolicies=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "serverACLInitCleanup/PodSecurityPolicy: enabled with global.bootstrapACLs=true and global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-cleanup-podsecuritypolicy.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
diff --git a/test/unit/server-acl-init-clusterrole.bats b/test/unit/server-acl-init-clusterrole.bats
index e005af6469..f63f60f0f3 100644
--- a/test/unit/server-acl-init-clusterrole.bats
+++ b/test/unit/server-acl-init-clusterrole.bats
@@ -42,3 +42,31 @@ load _helpers
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# connectInject.enabled
+
+@test "serverACLInit/ClusterRole: allows service accounts when connectInject.enabled is true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-clusterrole.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.rules | map(select(.resources[0] == "serviceaccounts")) | length' | tee /dev/stderr)
+  [ "${actual}" = "1" ]
+}
+
+#--------------------------------------------------------------------
+# global.enablePodSecurityPolicies
+
+@test "serverACLInit/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-clusterrole.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      . | tee /dev/stderr |
+      yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
+  [ "${actual}" = "1" ]
+}
diff --git a/test/unit/server-acl-init-podsecuritypolicy.bats b/test/unit/server-acl-init-podsecuritypolicy.bats
new file mode 100644
index 0000000000..aee0cb5609
--- /dev/null
+++ b/test/unit/server-acl-init-podsecuritypolicy.bats
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "serverACLInit/PodSecurityPolicy: disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-podsecuritypolicy.yaml  \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "serverACLInit/PodSecurityPolicy: disabled with global.bootstrapACLs=true and global.enablePodSecurityPolicies=false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-podsecuritypolicy.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'global.enablePodSecurityPolicies=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "serverACLInit/PodSecurityPolicy: enabled with global.bootstrapACLs=true and global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-podsecuritypolicy.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}