diff --git a/test/integration/manifests/cns/daemonset-linux.yaml b/test/integration/manifests/cns/daemonset-linux.yaml
index 87daa8df34..3a30796e4d 100644
--- a/test/integration/manifests/cns/daemonset-linux.yaml
+++ b/test/integration/manifests/cns/daemonset-linux.yaml
@@ -46,8 +46,11 @@ spec:
 args: [ "-c", "tcp://$(CNSIpAddress):$(CNSPort)", "-t", "$(CNSLogTarget)"]
 securityContext:
 capabilities:
+ drop:
+ - ALL
 add:
- - NET_ADMIN
+ - NET_ADMIN # only necessary for delegated IPAM/Cilium
+ - NET_RAW # only necessary for delegated IPAM/Cilium
 volumeMounts:
 - name: log
 mountPath: /var/log
@@ -89,8 +92,8 @@ spec:
 command: ["sleep", "3600"]
 securityContext:
 capabilities:
- add:
- - NET_ADMIN
+ drop:
+ - ALL
 volumeMounts:
 - name: log
 mountPath: /var/log
diff --git a/test/integration/manifests/cns/daemonset-windows.yaml b/test/integration/manifests/cns/daemonset-windows.yaml
index db0ec69ecc..04e2aaa3fa 100644
--- a/test/integration/manifests/cns/daemonset-windows.yaml
+++ b/test/integration/manifests/cns/daemonset-windows.yaml
@@ -123,6 +123,10 @@ spec:
 volumeMounts:
 - name: cni-bin
 mountPath: /k/azurecni/bin/ # TODO: add cni conflist when ready
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
 hostNetwork: true
 volumes:
 - name: log
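Review bot: The `add:` list in the first hunk grants `NET_ADMIN` and `NET_RAW` to the CNS container in every scenario that deploys this manifest, although both comments say they are only necessary for delegated IPAM/Cilium. If other scenarios share this file, consider leaving only the `drop` entry here and adding the two capabilities in the Cilium/delegated-IPAM variant, or extend the comment to say why they stay in the base, e.g. `# kept in the base manifest because <reason>`. Because `drop: ALL` also removes the runtime's default capability set, confirm the container does not rely on one of those defaults, for example for its writes under the `/var/log` mount. Neither this hunk nor the second one (the `sleep 3600` container, which now holds no capabilities) shows `allowPrivilegeEscalation: false`; if it is not set outside the hunks, it belongs next to `capabilities` in both. Both securityContext blocks sit in container specs that start and end outside the hunks.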
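Review bot: Linux capabilities are not implemented for Windows containers, so the `capabilities` / `drop: ALL` block added after the `cni-bin` volumeMounts in daemonset-windows.yaml does not reduce this container's privileges. If the pod spec sets `os.name: windows` (not visible in this hunk), the API server requires `securityContext.capabilities` to be unset on its containers and would reject the pod; without that field the setting is expected to be ignored on the node. Either remove the block from the Windows manifest or replace it with a comment such as `# capabilities are Linux-only; Windows hardening goes through securityContext.windowsOptions`. Indentation is not recoverable in this view, so also confirm the block is attached to the container, since the pod-level securityContext has no `capabilities` field.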