diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
index bb67dac7d171..6ac93d0f81d2 100644
--- a/cluster/examples/kubernetes/ceph/operator-openshift.yaml
+++ b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -18,7 +18,7 @@ allowHostNetwork: false
 # set to true if running rook with the provider as host
 allowHostPorts: false
 priority:
-allowedCapabilities: []
+allowedCapabilities: ["MKNOD"]
 allowHostIPC: true
 readOnlyRootFilesystem: false
 requiredDropCapabilities: []
diff --git a/pkg/apis/ceph.rook.io/v1/scc.go b/pkg/apis/ceph.rook.io/v1/scc.go
index 954e36c80afc..e99f7e4f3a54 100644
--- a/pkg/apis/ceph.rook.io/v1/scc.go
+++ b/pkg/apis/ceph.rook.io/v1/scc.go
@@ -42,6 +42,7 @@ func NewSecurityContextConstraints(name, namespace string) *secv1.SecurityContex
 AllowHostIPC: true,
 AllowHostNetwork: false,
 AllowHostPorts: false,
+ AllowedCapabilities: []corev1.Capability{"MKNOD"},
 RequiredDropCapabilities: []corev1.Capability{},
 DefaultAddCapabilities: []corev1.Capability{},
 RunAsUser: secv1.RunAsUserStrategyOptions{
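Review bot: Neither the new `allowedCapabilities: ["MKNOD"]` line here nor the matching `AllowedCapabilities` field added to `NewSecurityContextConstraints` in `scc.go` records why the capability is needed or which pod requests it. The grant is SCC-wide, so every service account bound to this constraint may request `MKNOD`, not only the workload that needs to create device nodes. Because the default-add list stays empty (visible in the `scc.go` hunk), a pod still has to ask for the capability in its own `securityContext`, which is worth stating next to the line, e.g. `# MKNOD: requested explicitly by <daemon> to create device nodes; not added by default`. If only one daemon needs it, a narrower SCC bound to that daemon's service account would keep the rest of the pods at the previous privilege level.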
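Review bot: The allowed-capability list is now maintained by hand in two places that must stay equal, this struct literal and `operator-openshift.yaml`, and nothing visible in the commit checks that they agree. A unit test on `NewSecurityContextConstraints` asserting that `AllowedCapabilities` holds exactly `MKNOD` and that `DefaultAddCapabilities` is empty would catch silent widening of the constraint later. The function body starts and ends outside this hunk, so it cannot be seen here whether an SCC that already exists on an upgraded cluster is updated with the new field or left as created; that is worth confirming in the caller.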