diff --git a/assets/index.yaml b/assets/index.yaml
index ff481e7af..0630821c0 100644
--- a/assets/index.yaml
+++ b/assets/index.yaml
@@ -812,7 +812,7 @@ entries:
 catalog.cattle.io/ui-component: monitoring
 apiVersion: v1
 appVersion: 0.38.1
- created: "2020-10-12T22:25:01.32011898Z"
+ created: "2020-10-13T02:35:33.467832582Z"
 dependencies:
 - condition: kubeStateMetrics.enabled
 name: kube-state-metrics
@@ -908,7 +908,7 @@ entries:
 description: Collects several related Helm charts, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
- digest: b10f0c697c62187084882f2fb3842ba4db66cf52a89f284ce8698ced0d129a72
+ digest: 8899b5ec82b4155a3ac33ccccce425baf72dfcea841f0af3f453878345f82e73
 home: https://github.com/prometheus-operator/kube-prometheus
 icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
 keywords:
@@ -1078,9 +1078,9 @@ entries:
 catalog.cattle.io/namespace: cattle-monitoring-system
 catalog.cattle.io/release-name: rancher-monitoring-crd
 apiVersion: v1
- created: "2020-10-12T22:25:01.326842648Z"
+ created: "2020-10-13T02:35:33.474117471Z"
 description: Installs the CRDs for rancher-monitoring.
- digest: 60ac396d93049e577906ea3dca75fee5eeec556c45915da8d04edc5d2129cdca
+ digest: d33479a7f57f59db8bbf808bdc99d70318bb82900a186a95e3018a55f46b1a8b
 name: rancher-monitoring-crd
 type: application
 urls:
@@ -1228,4 +1228,4 @@ entries:
 urls:
 - assets/rio/rio-0.8.000.tgz
 version: 0.8.000
-generated: "2020-10-12T22:53:17.316876871Z"
+generated: "2020-10-13T02:35:33.438687468Z"
diff --git a/assets/rancher-monitoring/rancher-monitoring-9.4.201.tgz b/assets/rancher-monitoring/rancher-monitoring-9.4.201.tgz
index 0b4dc73bb..f9e5e42d9 100644
Binary files a/assets/rancher-monitoring/rancher-monitoring-9.4.201.tgz and b/assets/rancher-monitoring/rancher-monitoring-9.4.201.tgz differ
diff --git a/assets/rancher-monitoring/rancher-monitoring-crd-9.4.201.tgz b/assets/rancher-monitoring/rancher-monitoring-crd-9.4.201.tgz
index 834fed495..395ad48a1 100644
Binary files a/assets/rancher-monitoring/rancher-monitoring-crd-9.4.201.tgz and b/assets/rancher-monitoring/rancher-monitoring-crd-9.4.201.tgz differ
diff --git a/charts/rancher-monitoring/CHANGELOG.md b/charts/rancher-monitoring/CHANGELOG.md
index f4ca5d8fd..1296061b1 100644
--- a/charts/rancher-monitoring/CHANGELOG.md
+++ b/charts/rancher-monitoring/CHANGELOG.md
@@ -19,6 +19,7 @@ All notable changes from the upstream Prometheus Operator chart will be added to
 - Added support for private registries via introducing a new field for `global.cattle.systemDefaultRegistry` that, if supplied, will automatically be prepended onto every image used by the chart.
 - Added a default `nginx` proxy container deployed with Grafana whose config is set in the `ConfigMap` located in `charts/grafana/templates/nginx-config.yaml`. The purpose of this container is to make it possible to view Grafana's UI through a proxy that has a subpath (e.g. Rancher's proxy). This proxy container is set to listen on port `8080` (with a `portName` of `nginx-http` instead of the default `service`), which is also where the Grafana service will now point to, and will forward all requests to the Grafana container listening on the default port `3000`.
 - Added a default `nginx` proxy container deployed with Prometheus whose config is set in the `ConfigMap` located in `templates/prometheus/nginx-config.yaml`. The purpose of this container is to make it possible to view Prometheus's UI through a proxy that has a subpath (e.g. Rancher's proxy). This proxy container is set to listen on port `8080` (with a `portName` of `nginx-http` instead of the default `web`), which is also where the Prometheus service will now point to, and will forward all requests to the Prometheus container listening on the default port `9090`.
+- Added support for passing CIS Scans in a hardened cluster by introducing a Job that patches the default service account within the `cattle-monitoring-system` and `cattle-dashboards` namespaces on install or upgrade and adding a default allow all `NetworkPolicy` to the `cattle-monitoring-system` and `cattle-dashboards` namespaces.
 ### Modified
 - Updated the chart name from `prometheus-operator` to `rancher-monitoring` and added the `io.rancher.certified: rancher` annotation to `Chart.yaml`
 - Modified the default `node-exporter` port from `9100` to `9796`
@@ -40,7 +41,7 @@ All notable changes from the upstream Prometheus Operator chart will be added to
 - Modified the default `SelectorNilUsesHelmValues` to default to `false`. As a result, we look for all CRs with any labels in all namespaces by default rather than just the ones tagged with the label `release: rancher-monitoring`.
 - Modified the default images used by the `rancher-monitoring` chart to point to Rancher mirrors of the original images from upstream.
 - Modified the behavior of the chart to create the Alertmanager Config Secret via a pre-install hook instead of using the normal Helm lifecycle to manage the secret. The benefit of this approach is that all changes to the Config Secret done on a live cluster will never get overridden on a `helm upgrade` since the secret only gets created on a `helm install`. If you would like the secret to be cleaned up on an `helm uninstall`, enable `alertmanager.cleanupOnUninstall`; however, this is disabled by default to prevent the loss of alerting configuration on an uninstall. This secret will never be modified on a `helm upgrade`.
-- Modified the default `securityContext` for `Pod` templates across the chart to `{"runAsNonRoot": "true", "runAsUser": "1000"}` and set `grafana.rbac.pspUseAppArmor=false` in order to make it possible to deploy this chart on a hardened cluster without AppArmor installed.
+- Modified the default `securityContext` for `Pod` templates across the chart to `{"runAsNonRoot": "true", "runAsUser": "1000"}` and replaced `grafana.rbac.pspUseAppArmor` in favor of `grafana.rbac.pspAnnotations={}` in order to make it possible to deploy this chart on a hardened cluster which does not support Seccomp or AppArmor annotations in PSPs. Users can always choose to specify the annotations they want to use for the PSP directly as part of the values provided.
- Modified `.Values.prometheus.prometheusSpec.containers` to take in a string representing a template that should be rendered by Helm (via `tpl`) instead of allowing a user to provide YAML directly.
 - Modified the default Grafana configuration to auto assign users who access Grafana to the Viewer role and enable anonymous access to Grafana dashboards by default. This default works well for a Rancher user who is accessing Grafana via the `kubectl proxy` on the Rancher Dashboard UI since anonymous users who enter via the proxy are authenticated by the k8s API Server, but you can / should modify this behavior if you plan on exposing Grafana in a way that does not require authentication (e.g. as a `NodePort` service).
 - Modified the default Grafana configuration to add a default dashboard for Rancher on the Grafana home page.
\ No newline at end of file
diff --git a/charts/rancher-monitoring/charts/grafana/templates/podsecuritypolicy.yaml b/charts/rancher-monitoring/charts/grafana/templates/podsecuritypolicy.yaml
index c5e6ba05e..ba835efeb 100644
--- a/charts/rancher-monitoring/charts/grafana/templates/podsecuritypolicy.yaml
+++ b/charts/rancher-monitoring/charts/grafana/templates/podsecuritypolicy.yaml
@@ -6,13 +6,9 @@ metadata:
 namespace: {{ template "grafana.namespace" . }}
 labels:
 {{- include "grafana.labels" . | nindent 4 }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- {{- if .Values.rbac.pspUseAppArmor }}
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- {{- end }}
+{{- if .Values.rbac.pspAnnotations }}
+ annotations: {{ toYaml .Values.rbac.pspAnnotations | nindent 4 }}
+{{- end }}
 spec:
 privileged: false
 allowPrivilegeEscalation: false
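Review bot: With the default `rbac.pspAnnotations: {}` introduced in the companion grafana values.yaml hunk, the new `{{- if .Values.rbac.pspAnnotations }}` guard is false and the Grafana PodSecurityPolicy is rendered with no `annotations` block at all, so the `seccomp.security.alpha.kubernetes.io/*` `docker/default` entries that the old template set unconditionally are dropped on every cluster, not only on hardened ones that lack seccomp/AppArmor annotation support. That is a weakening of the default policy on clusters that do support seccomp; unless the parent chart's values set `grafana.rbac.pspAnnotations` (not shown in this diff), consider keeping the seccomp pair as the default value and letting users clear it, and in any case state the choice in the template with `{{/* No seccomp/AppArmor annotations are applied unless rbac.pspAnnotations is set; see values.yaml */}}` above the `if`. Separately, `annotations: {{ toYaml ... | nindent 4 }}` leaves a trailing space after `annotations:` in the rendered manifest because `nindent` begins with a newline; `annotations:` on its own line followed by `{{- toYaml .Values.rbac.pspAnnotations | nindent 4 }}` avoids that. The enclosing `metadata:` mapping starts before the hunk.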
diff --git a/charts/rancher-monitoring/charts/grafana/values.yaml b/charts/rancher-monitoring/charts/grafana/values.yaml
index f883d43c3..1e8b97615 100644
--- a/charts/rancher-monitoring/charts/grafana/values.yaml
+++ b/charts/rancher-monitoring/charts/grafana/values.yaml
@@ -1,7 +1,17 @@
 rbac:
 create: true
 pspEnabled: true
- pspUseAppArmor: false
+ pspAnnotations: {}
+ ## Specify pod annotations
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+ ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+ ##
+ # seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ # apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+
 namespaced: false
 extraRoleRules: []
 # - apiGroups: []
diff --git a/charts/rancher-monitoring/charts/rancher-pushprox-0.1.0.tgz b/charts/rancher-monitoring/charts/rancher-pushprox-0.1.0.tgz
index 85601f072..0cd010280 100644
Binary files a/charts/rancher-monitoring/charts/rancher-pushprox-0.1.0.tgz and b/charts/rancher-monitoring/charts/rancher-pushprox-0.1.0.tgz differ
diff --git a/charts/rancher-monitoring/requirements.lock b/charts/rancher-monitoring/requirements.lock
index 817d8d6c5..c0995cbc7 100644
--- a/charts/rancher-monitoring/requirements.lock
+++ b/charts/rancher-monitoring/requirements.lock
@@ -57,4 +57,4 @@ dependencies:
 repository: file://../../rancher-pushprox/charts
 version: 0.1.0
 digest: sha256:816a7b6760971acf88b62b4178a5d8919cb97b6576cdca22021137929b1ed031
-generated: "2020-10-12T22:24:52.859070811Z"
+generated: "2020-10-13T02:35:25.604939063Z"
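Review bot: The comment added under `pspAnnotations: {}` in the grafana values.yaml hunk reads `## Specify pod annotations`, but the podsecuritypolicy.yaml hunk applies this map to the PodSecurityPolicy's own `metadata.annotations`, not to any pod; rename it `## Annotations to set on the Grafana PodSecurityPolicy (e.g. seccomp / AppArmor profile names)`. Because `pspUseAppArmor` is removed rather than deprecated, a user still passing `rbac.pspUseAppArmor: true` gets no error from Helm and silently loses the AppArmor profile restriction; a second line, `## Replaces the former pspUseAppArmor flag: set the apparmor.* keys shown below instead`, would make the migration visible at the point where it matters. The three `## Ref:` links already point at the PSP documentation, so the rename makes the block self-consistent.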
diff --git a/charts/rancher-monitoring/templates/rancher-monitoring/hardened.yaml b/charts/rancher-monitoring/templates/rancher-monitoring/hardened.yaml
new file mode 100644
index 000000000..2aab79572
--- /dev/null
+++ b/charts/rancher-monitoring/templates/rancher-monitoring/hardened.yaml
@@ -0,0 +1,87 @@
+{{- $namespaces := dict "_0" .Release.Namespace -}}
+{{- if and .Values.grafana.enabled (or .Values.grafana.sidecar.dashboards.enabled .Values.grafana.defaultDashboardsEnabled) -}}
+{{- $_ := set $namespaces "_1" .Values.grafana.sidecar.dashboards.searchNamespace -}}
+{{- end -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Chart.Name }}-patch-sa
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Chart.Name }}-patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ metadata:
+ name: {{ .Chart.Name }}-patch-sa
+ labels:
+ app: {{ .Chart.Name }}-patch-sa
+ spec:
+ serviceAccountName: {{ .Chart.Name }}-patch-sa
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ restartPolicy: Never
+ containers:
+ {{- range $_, $ns := $namespaces }}
+ - name: patch-sa-{{ $ns }}
+ image: {{ template "system_default_registry" $ }}{{ $.Values.global.kubectl.repository }}:{{ $.Values.global.kubectl.tag }}
+ imagePullPolicy: {{ $.Values.global.kubectl.pullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", "{{ $ns }}"]
+ {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}-patch-sa
+ labels:
+ app: {{ .Chart.Name }}-patch-sa
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs: ['get', 'patch']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Chart.Name }}-patch-sa
+ labels:
+ app: {{ .Chart.Name }}-patch-sa
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Chart.Name }}-patch-sa
+subjects:
+- kind: ServiceAccount
+ name: {{ .Chart.Name }}-patch-sa
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Chart.Name }}-patch-sa
+ namespace: {{ .Release.Namespace 
}}
+ labels:
+ app: {{ .Chart.Name }}-patch-sa
+{{- range $_, $ns := $namespaces }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ $ns }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end }}
diff --git a/charts/rancher-monitoring/values.yaml b/charts/rancher-monitoring/values.yaml
index 724d0155a..4a7a0af7d 100644
--- a/charts/rancher-monitoring/values.yaml
+++ b/charts/rancher-monitoring/values.yaml
@@ -338,6 +338,10 @@ additionalPrometheusRules: []
 global:
 cattle:
 systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.18.6
+ pullPolicy: IfNotPresent
 rbac:
 ## Create RBAC resources for ServiceAccounts and users
 ##
diff --git a/index.yaml b/index.yaml
index ff481e7af..0630821c0 100644
--- a/index.yaml
+++ b/index.yaml
@@ -812,7 +812,7 @@ entries:
 catalog.cattle.io/ui-component: monitoring
 apiVersion: v1
 appVersion: 0.38.1
- created: "2020-10-12T22:25:01.32011898Z"
+ created: "2020-10-13T02:35:33.467832582Z"
 dependencies:
 - condition: kubeStateMetrics.enabled
 name: kube-state-metrics
@@ -908,7 +908,7 @@ entries:
 description: Collects several related Helm charts, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
- digest: b10f0c697c62187084882f2fb3842ba4db66cf52a89f284ce8698ced0d129a72
+ digest: 8899b5ec82b4155a3ac33ccccce425baf72dfcea841f0af3f453878345f82e73
 home: https://github.com/prometheus-operator/kube-prometheus
 icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
 keywords:
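Review bot: The ClusterRole in the hardened.yaml hunk grants `get` and `patch` on every ServiceAccount in the cluster, while the Job only ever patches the `default` ServiceAccount in the namespaces collected in `$namespaces`; add `resourceNames: ['default']` to the rule so the hook's credentials are limited to that one object name (a ClusterRole with `resourceNames` still matches `default` in each namespace, which is all the Job needs). The ServiceAccount, ClusterRole and ClusterRoleBinding carry no hook annotations, so they persist in the cluster between runs even though the Job is deleted on `hook-succeeded`; a leading comment saying so would help anyone auditing cluster-wide bindings. When `grafana.enabled` is true but `grafana.sidecar.dashboards.searchNamespace` is empty, the `set $namespaces "_1"` line would seem to yield a container named `patch-sa-` with `args: ["-n", ""]`; presumably the parent values always set it, but guarding the `set` with `{{- if .Values.grafana.sidecar.dashboards.searchNamespace }}` would make the template safe on its own. The `default-allow-all` NetworkPolicy selects every pod and permits all ingress and egress; a comment such as `# Intentionally permissive: present only so that each namespace carries a NetworkPolicy (see CHANGELOG); tighten per environment` would stop it being mistaken for a restriction.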
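Review bot: The new `global.kubectl` block in the values.yaml hunk carries no comment, unlike the neighbouring `rbac:` block, so a reader cannot tell what consumes it; add `## Image for the post-install/post-upgrade hook Job that patches the default ServiceAccount (templates/rancher-monitoring/hardened.yaml); systemDefaultRegistry is prepended` above `kubectl:`. That Job runs with cluster-wide `patch` rights on ServiceAccounts, so the image it executes is security-sensitive and worth referencing by digest where the image template allows it, or at least documenting that operators should mirror and pin it. `tag: v1.18.6` starts with a letter and so is safely a string, but quoting it as `"v1.18.6"` keeps the block consistent with `systemDefaultRegistry: ""` above.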
@@ -1078,9 +1078,9 @@ entries:
 catalog.cattle.io/namespace: cattle-monitoring-system
 catalog.cattle.io/release-name: rancher-monitoring-crd
 apiVersion: v1
- created: "2020-10-12T22:25:01.326842648Z"
+ created: "2020-10-13T02:35:33.474117471Z"
 description: Installs the CRDs for rancher-monitoring.
- digest: 60ac396d93049e577906ea3dca75fee5eeec556c45915da8d04edc5d2129cdca
+ digest: d33479a7f57f59db8bbf808bdc99d70318bb82900a186a95e3018a55f46b1a8b
 name: rancher-monitoring-crd
 type: application
 urls:
@@ -1228,4 +1228,4 @@ entries:
 urls:
 - assets/rio/rio-0.8.000.tgz
 version: 0.8.000
-generated: "2020-10-12T22:53:17.316876871Z"
+generated: "2020-10-13T02:35:33.438687468Z"
diff --git a/sha256sum/rancher-monitoring/rancher-monitoring.sum b/sha256sum/rancher-monitoring/rancher-monitoring.sum
index 93be2334d..644dd2a0c 100644
--- a/sha256sum/rancher-monitoring/rancher-monitoring.sum
+++ b/sha256sum/rancher-monitoring/rancher-monitoring.sum
@@ -1,4 +1,4 @@
-e0eddabe716afe6e14b6e82adc0275e4b1406b8347dbd37852ce5295965ded9a packages/rancher-monitoring/overlay/CHANGELOG.md
+9553024443b0a1f67b6a5f5426713144d38674d7c457f64512e8ca48ae249d2c packages/rancher-monitoring/overlay/CHANGELOG.md
 909d2625c716cebb846218604f54369de9436729133004d041b65ec7345d618f packages/rancher-monitoring/overlay/app-README.md
 ef03cc1278c0b75fb92012a5136500f5c2bdce9129d2c66c9c9ceec45021cc45 packages/rancher-monitoring/overlay/charts/grafana/templates/nginx-config.yaml
 af335d5859f759a451fb6590d1865b3fb49459c50ba002b6791fb3ddb5a36865 packages/rancher-monitoring/overlay/templates/prometheus/nginx-config.yaml
@@ -6,5 +6,6 @@ af335d5859f759a451fb6590d1865b3fb49459c50ba002b6791fb3ddb5a36865 packages/ranch
 bb4f6fc55612f35e086c1b5657fc1ca356f8c3add72145a39e1d6202a4d40ebe packages/rancher-monitoring/overlay/templates/rancher-monitoring/config-role.yaml
 5ad9876026208a86d66a2ae78ed5d0789ac5aa490cf126b47f73a9919bd37b47 packages/rancher-monitoring/overlay/templates/rancher-monitoring/dashboard-role.yaml
 33fee4fdab967c396d8dd12f058136c3414357cb65bd162c1e26dae561d5ac1d packages/rancher-monitoring/overlay/templates/rancher-monitoring/default-dashboard.yaml
+9ab6bb402a9c1d5ad652cbd01a14c9fede7d14f9131a3e375ba2933adf1ae98d packages/rancher-monitoring/overlay/templates/rancher-monitoring/hardened.yaml
 e99f1420d98f0e27f6ed5deba21b3000c7e1085de55de2610b971938eedd5c52 packages/rancher-monitoring/package.yaml
-648db85abcb871c047b5e3bacd8a0ff1b79fd40a192149b73403fcbd58098278 packages/rancher-monitoring/rancher-monitoring.patch
+ba5acbe90e85d05e7e405e5258780980bb2b7c79dc55547293017ba9d6ba1ed9 packages/rancher-monitoring/rancher-monitoring.patch