diff --git a/step-certificates/templates/ca.yaml b/step-certificates/templates/ca.yaml
index 7784410..d7c77e0 100644
--- a/step-certificates/templates/ca.yaml
+++ b/step-certificates/templates/ca.yaml
@@ -52,6 +52,13 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.ca.dnsPolicy }}
+      dnsPolicy: {{ .Values.ca.dnsPolicy }}
+      {{- end }}
+      {{- with .Values.ca.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if  .Values.shareProcessNamespace }}
       shareProcessNamespace: {{ .Values.shareProcessNamespace }}
       {{- end }}
diff --git a/step-certificates/values.yaml b/step-certificates/values.yaml
index 8100349..905f3e6 100644
--- a/step-certificates/values.yaml
+++ b/step-certificates/values.yaml
@@ -300,6 +300,10 @@ ca:
   bootstrap:
     # Add script snippets here to be executed after the step ca init has been run
     postInitHook: ""
+  # dns policy. See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+  dnsPolicy: Default
+  # dns config. See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
+  dnsConfig: {}
   # Use existing secret for ca-password
   existingSecrets:
     enabled: false