diff --git a/charts/consul/templates/api-gateway-securitycontextconstraints.yaml b/charts/consul/templates/api-gateway-securitycontextconstraints.yaml
new file mode 100644
index 0000000000..087ca00e78
--- /dev/null
+++ b/charts/consul/templates/api-gateway-securitycontextconstraints.yaml
@@ -0,0 +1,49 @@
+{{- if (and .Values.global.enabled .Values.global.openshift.enabled) }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ template "consul.fullname" . }}-api-gateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: api-gateway-controller # TODO
+  annotations:
+    kubernetes.io/description: {{ template "consul.fullname" . }}-api-gateway are the security context constraints required
+      to run api-gateways. All api-gateways will reference this single SecurityContextConstraints resource.
+allowHostPorts: true
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostPID: false
+allowHostNetwork: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+  type: MustRunAs
+groups: []
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - KILL
+  - MKNOD
+  - SETUID
+  - SETGID
+runAsUser:
+  type: MustRunAsRange
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: MustRunAs
+users: []
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
+{{- end -}}
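Review bot: `allowHostPorts: true` is the only host-level permission this SCC grants beyond the otherwise restricted settings (host network, PID, IPC, privilege escalation and privileged containers are all `false`), and nothing in the hunk or the description annotation says why gateway pods need to bind host ports. If they do not, it should be `allowHostPorts: false`; if they do, a comment above the line such as `# Gateway pods bind hostPort listeners; every other host-level setting stays disabled` should record the requirement so it is not loosened further by accident. The `component: api-gateway-controller # TODO` label contradicts the resource name and description, which say this SCC is for the gateways themselves, so the TODO should be resolved to the label the gateway pods actually carry before merge. With `users: []` and `groups: []` the SCC only applies through an RBAC grant of the `use` verb on it, which is presumably defined in another template; worth confirming that grant is scoped to the gateway service account only.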