diff --git a/apps/code-server/deploy.tf b/apps/code-server/deploy.tf
index 4e234f8..a64474f 100644
--- a/apps/code-server/deploy.tf
+++ b/apps/code-server/deploy.tf
@@ -15,6 +15,9 @@ resource "kubectl_manifest" "deploy" {
       template:
         metadata:
           labels: ${jsonencode(local.common-labels)}
+          annotations:
+            container.apparmor.security.beta.kubernetes.io/code-server: unconfined
+            container.seccomp.security.alpha.kubernetes.io/code-server: unconfined
         spec:
           securityContext:
             fsGroup: 1000
@@ -33,6 +36,7 @@ resource "kubectl_manifest" "deploy" {
               runAsNonRoot: true
               runAsUser: 1000
               privileged: true
+              procMount: unmasked
             env:
             - name: USER
               value: coder
diff --git a/apps/code-server/index.yaml b/apps/code-server/index.yaml
index 1767747..cd9fbc2 100644
--- a/apps/code-server/index.yaml
+++ b/apps/code-server/index.yaml
@@ -11,31 +11,11 @@ options:
     examples:
     - code
     type: string
-  issuer:
-    default: letsencrypt-prod
+  timezone:
+    default: Europe/Paris
     examples:
-    - letsencrypt-prod
+    - Europe/Paris
     type: string
-  domain-name:
-    default: your_company.com
-    examples:
-    - your_company.com
-    type: string
-  admin:
-    default:
-      cluster: false
-      namespace: false
-    examples:
-    - cluster: false
-      namespace: false
-    properties:
-      cluster:
-        default: false
-        type: boolean
-      namespace:
-        default: false
-        type: boolean
-    type: object
   storage:
     default:
       accessMode: ReadWriteOnce
@@ -63,20 +43,40 @@ options:
         - block
         type: string
     type: object
-  timezone:
-    default: Europe/Paris
+  ingress-class:
+    default: traefik
     examples:
-    - Europe/Paris
+    - traefik
     type: string
+  admin:
+    default:
+      cluster: false
+      namespace: false
+    examples:
+    - cluster: false
+      namespace: false
+    properties:
+      cluster:
+        default: false
+        type: boolean
+      namespace:
+        default: false
+        type: boolean
+    type: object
   domain:
     default: your-company
     examples:
     - your-company
     type: string
-  ingress-class:
-    default: traefik
+  issuer:
+    default: letsencrypt-prod
     examples:
-    - traefik
+    - letsencrypt-prod
+    type: string
+  domain-name:
+    default: your_company.com
+    examples:
+    - your_company.com
     type: string
   images:
     default:
@@ -84,20 +84,20 @@ options:
         pullPolicy: IfNotPresent
         registry: docker.io
         repository: sebt3/code-server
-        tag: 4.14
+        tag: 4.15
     examples:
     - codeserver:
         pullPolicy: IfNotPresent
         registry: docker.io
         repository: sebt3/code-server
-        tag: 4.14
+        tag: 4.15
     properties:
       codeserver:
         default:
           pullPolicy: IfNotPresent
           registry: docker.io
           repository: sebt3/code-server
-          tag: 4.14
+          tag: 4.15
         properties:
           pullPolicy:
             default: IfNotPresent
@@ -113,7 +113,7 @@ options:
             default: sebt3/code-server
             type: string
           tag:
-            default: 4.14
+            default: 4.15
             type: number
         type: object
     type: object