diff --git a/pkg/cli/admin/nodeimage/create.go b/pkg/cli/admin/nodeimage/create.go
index 066b179cc4..e9df992ce5 100644
--- a/pkg/cli/admin/nodeimage/create.go
+++ b/pkg/cli/admin/nodeimage/create.go
@@ -712,6 +712,9 @@ func (o *CreateOptions) createPod(ctx context.Context) error {
 Labels: map[string]string{
 "app": "node-joiner",
 },
+ Annotations: map[string]string{
+ "openshift.io/required-scc": "restricted-v2",
+ },
 },
 Spec: corev1.PodSpec{
 RestartPolicy: corev1.RestartPolicyNever,
diff --git a/pkg/cli/admin/nodeimage/create_test.go b/pkg/cli/admin/nodeimage/create_test.go
index d85d195dce..e5aacfd8b1 100644
--- a/pkg/cli/admin/nodeimage/create_test.go
+++ b/pkg/cli/admin/nodeimage/create_test.go
@@ -236,6 +236,18 @@ func TestRun(t *testing.T) {
 objects: ClusterVersion_4_17_ObjectFn,
 remoteExecOutput: "0",
 },
+ {
+ name: "node-joiner pod has required-scc annotation",
+ nodesConfig: defaultNodesConfigYaml,
+ objects: defaultClusterVersionObjectFn,
+ expectedPod: func(t *testing.T, pod *corev1.Pod) {
+ expected := "restricted-v2"
+ got := pod.Annotations["openshift.io/required-scc"]
+ if got != expected {
+ t.Errorf("annotation openshift.io/required-scc = %q, want %q", got, expected)
+ }
+ },
+ },
 }
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
diff --git a/pkg/cli/admin/nodeimage/monitor.go b/pkg/cli/admin/nodeimage/monitor.go
index 790d44c778..2c91b628c2 100644
--- a/pkg/cli/admin/nodeimage/monitor.go
+++ b/pkg/cli/admin/nodeimage/monitor.go
@@ -263,6 +263,9 @@ func (o *MonitorOptions) createPod(ctx context.Context) error {
 Labels: map[string]string{
 "app": "node-joiner-monitor",
 },
+ Annotations: map[string]string{
+ "openshift.io/required-scc": "restricted-v2",
+ },
 },
 Spec: corev1.PodSpec{
 RestartPolicy: corev1.RestartPolicyNever,
diff --git a/pkg/cli/admin/nodeimage/monitor_test.go b/pkg/cli/admin/nodeimage/monitor_test.go
index c5a3d8b040..91baeb139c 100644
--- a/pkg/cli/admin/nodeimage/monitor_test.go
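Review bot: The annotation key and SCC name are bare string literals in this hunk and again in the monitor.go hunk (`MonitorOptions.createPod`), and neither carries a comment saying why the SCC is pinned. A package-level pair such as `requiredSCCAnnotation = "openshift.io/required-scc"` and `nodeJoinerSCC = "restricted-v2"` would keep the two pods from drifting apart, with a comment along the lines of `// Pin the SCC so admission does not select a more permissive one that the invoking user can access.` Pinning also means admission rejects the pod if its security context does not satisfy restricted-v2; the container spec lies outside both hunks, so that could not be checked here.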
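Review bot: The new case in create_test.go only proves that the annotation string is present; the fake clientset presumably performs no SCC admission, so a pod spec that restricted-v2 would reject still passes. If `createPod` sets a container `SecurityContext`, asserting its fields in the same `expectedPod` callback would catch a mismatch between the pinned SCC and the spec before it reaches a cluster. The same gap applies to the matching case added in monitor_test.go. The `testCases` table and the code that invokes `expectedPod` start outside this hunk.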
+++ b/pkg/cli/admin/nodeimage/monitor_test.go
@@ -3,6 +3,7 @@ package nodeimage
 import (
 "bytes"
 fakeoperatorconfig "github.com/openshift/client-go/operator/clientset/versioned/fake"
+ corev1 "k8s.io/api/core/v1"
 "strings"
 "testing"
@@ -73,6 +74,7 @@ func TestMonitorRun(t *testing.T) {
 remoteExecOutput string
 expectedError string
+ expectedPod func(t *testing.T, pod *corev1.Pod)
 }{
 {
 name: "default",
@@ -82,6 +84,17 @@ func TestMonitorRun(t *testing.T) {
 name: "missing cluster connection",
 expectedError: `command expects a connection to an OpenShift 4.x server`,
 },
+ {
+ name: "node-joiner monitor pod has required-scc annotation",
+ objects: defaultClusterVersionObjectFn,
+ expectedPod: func(t *testing.T, pod *corev1.Pod) {
+ expected := "restricted-v2"
+ got := pod.Annotations["openshift.io/required-scc"]
+ if got != expected {
+ t.Errorf("annotation openshift.io/required-scc = %q, want %q", got, expected)
+ }
+ },
+ },
 }
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
@@ -134,6 +147,10 @@ func TestMonitorRun(t *testing.T) {
 t.Errorf("expected %v, actual %v", fakeLogContent, logContents.String())
 }
 }
+ if tc.expectedPod != nil {
+ pod := getTestPod(fakeClient, nodeJoinerMonitorContainer)
+ tc.expectedPod(t, pod)
+ }
 })
 }
 }
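Review bot: In the last hunk the result of `getTestPod` goes straight into `tc.expectedPod`, which dereferences it via `pod.Annotations`. If the helper returns nil when no matching pod was created (its body is not visible here), the subtest panics instead of failing with a readable message. A guard before the callback, `if pod == nil { t.Fatalf("node-joiner monitor pod was not created") }`, would turn that into a clear failure. The enclosing `t.Run` closure starts outside this hunk.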