diff --git a/hardened/README.md b/hardened/README.md
new file mode 100644
index 00000000..bb4c1f94
--- /dev/null
+++ b/hardened/README.md
@@ -0,0 +1,16 @@
+# Hardened Example
+
+This example will deploy the [Kubernetes sample guestbook](https://github.com/kubernetes/examples/tree/master/guestbook/) application, with modifications to securityContext which allow its deployment on a hardened cluster.
+The app will be deployed into the `default` namespace. Note that you must have added the `default` namespace to the PSA to allow deployments to this namespace.
+
+```yaml
+kind: GitRepo
+apiVersion: fleet.cattle.io/v1alpha1
+metadata:
+ name: simple
+ namespace: fleet-local
+spec:
+ repo: https://github.com/rancher/fleet-examples
+ paths:
+ - hardened
+```
diff --git a/hardened/fleet.yaml b/hardened/fleet.yaml
new file mode 100644
index 00000000..7ebb432f
--- /dev/null
+++ b/hardened/fleet.yaml
@@ -0,0 +1,4 @@
+namespace: hardened-fleet-deployments
+
+namespaceLabels:
+ pod-security.kubernetes.io/enforce: baseline
\ No newline at end of file
diff --git a/hardened/frontend-deployment.yaml b/hardened/frontend-deployment.yaml
new file mode 100644
index 00000000..69b761cc
--- /dev/null
+++ b/hardened/frontend-deployment.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: frontend
+spec:
+ selector:
+ matchLabels:
+ app: guestbook
+ tier: frontend
+ replicas: 3
+ template:
+ metadata:
+ labels:
+ app: guestbook
+ tier: frontend
+ spec:
+ containers:
+ - name: php-redis
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
+ image: us-docker.pkg.dev/google-samples/containers/gke/gb-frontend:v5
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 80
diff --git a/hardened/frontend-service.yaml b/hardened/frontend-service.yaml
new file mode 100644
index 00000000..e488acba
--- /dev/null
+++ b/hardened/frontend-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: frontend
+ labels:
+ app: guestbook
+ tier: frontend
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ selector:
+ app: guestbook
+ tier: frontend
diff --git a/hardened/redis-master-deployment.yaml b/hardened/redis-master-deployment.yaml
new file mode 100644
index 00000000..fd1ba025
--- /dev/null
+++ b/hardened/redis-master-deployment.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis-master
+spec:
+ selector:
+ matchLabels:
+ app: redis
+ role: master
+ tier: backend
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: redis
+ role: master
+ tier: backend
+ spec:
+ containers:
+ - name: master
+ image: redis:7-alpine
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 6379
diff --git a/hardened/redis-master-service.yaml b/hardened/redis-master-service.yaml
new file mode 100644
index 00000000..a484014f
--- /dev/null
+++ b/hardened/redis-master-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis-master
+ labels:
+ app: redis
+ role: master
+ tier: backend
+spec:
+ ports:
+ - port: 6379
+ targetPort: 6379
+ selector:
+ app: redis
+ role: master
+ tier: backend
diff --git a/hardened/redis-slave-deployment.yaml b/hardened/redis-slave-deployment.yaml
new file mode 100644
index 00000000..99615a66
--- /dev/null
+++ b/hardened/redis-slave-deployment.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis-slave
+spec:
+ selector:
+ matchLabels:
+ app: redis
+ role: slave
+ tier: backend
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ app: redis
+ role: slave
+ tier: backend
+ spec:
+ containers:
+ - name: slave
+ image: redis:7-alpine
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 6379
diff --git a/hardened/redis-slave-service.yaml b/hardened/redis-slave-service.yaml
new file mode 100644
index 00000000..238fd63f
--- /dev/null
+++ b/hardened/redis-slave-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis-slave
+ labels:
+ app: redis
+ role: slave
+ tier: backend
+spec:
+ ports:
+ - port: 6379
+ selector:
+ app: redis
+ role: slave
+ tier: backend
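Review bot: The namespace label on the last line of the fleet.yaml hunk enforces only `baseline`, while every container securityContext added in this commit (allowPrivilegeEscalation false, runAsNonRoot, RuntimeDefault seccomp, drop ALL) already satisfies the `restricted` profile, so admission never actually verifies the hardening the example is meant to demonstrate; `pod-security.kubernetes.io/enforce: restricted` would. The `namespace: hardened-fleet-deployments` on the first line also contradicts the README hunk, which tells the reader the app lands in `default` and that `default` must be covered by PSA — one of the two should be corrected. The file is missing its trailing newline.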
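Review bot: `containerPort: 80` on the last line of the frontend-deployment hunk, together with `runAsUser: 1000` and `drop: ["ALL"]`, means the server can only bind port 80 if the runtime lowers `net.ipv4.ip_unprivileged_port_start`; on a node with the usual default of 1024 the bind is refused and the pod crash-loops. If gb-frontend:v5 really listens on 80 (not verified from the image here), add `add: ["NET_BIND_SERVICE"]` under `capabilities` — the one capability the restricted profile still permits — or move the listener to an unprivileged port and change `containerPort` to match. `readOnlyRootFilesystem: true` is also worth adding, as the profile does not require it but a hardened example is where readers will copy it from, provided the image does not write to its root filesystem.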
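Review bot: `type: NodePort` in the frontend-service hunk publishes the guestbook on a high port of every node address, which is the one exposure this hardened variant leaves as in the upstream sample; on a hardened cluster the usual shape is a `ClusterIP` service (drop the `type` line, which is the default) fronted by an Ingress or LoadBalancer, with a NetworkPolicy limiting who can reach the pods. If NodePort is kept on purpose so the demo works without an ingress controller, the README should say so.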
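Review bot: `runAsUser: 1000` in the redis-master-deployment hunk does not match the uid the redis image assigns to its own `redis` user, and `/data` in that image is owned by that user, so once default snapshotting triggers the background save can fail and redis then refuses writes with MISCONF — not run here, so please confirm. Either use the image's redis uid (with a matching `runAsGroup`), or mount an `emptyDir` at `/data` and set `fsGroup` in the pod securityContext so uid 1000 can write, which also makes `readOnlyRootFilesystem: true` feasible. The redis-slave-deployment hunk has the same issue.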
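Review bot: The Service in the redis-master-service hunk is named `redis-master`, yet the frontend hunk pins `gb-frontend:v5`, and the upstream guestbook that ships v5 pairs it with services named `redis-leader` and `redis-follower`; if v5 resolves those names rather than `redis-master`/`redis-slave`, the frontend will not find Redis at all. Confirm the hostnames the v5 image uses and either rename the services (here and in the redis-slave-service hunk) or pin the image version the master/slave naming was written for.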
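Review bot: The `slave` container in the redis-slave-deployment hunk runs `redis:7-alpine` with no `args`, so nothing configures replication and the two replicas are independent, empty Redis instances rather than followers of `redis-master`; any reads the frontend sends to the `redis-slave` service will miss the writes. Add `args: ["redis-server", "--replicaof", "redis-master", "6379"]` to the container (the image's entrypoint accepts `redis-server` followed by its flags). The uid/`/data` writability concern raised on the redis-master hunk applies here unchanged.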