diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index a0865bd78..dc4e34697 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -84,6 +84,15 @@ containerd_cfg_dir: /etc/containerd
 # Extra config to be put in {{ containerd_cfg_dir }}/config.toml literally
 containerd_extra_args: ''

+# Extra runtime configuration options to be injected into the containerd CRI runtime plugin section
+# [plugins."io.containerd.cri.v1.runtime"]. This is useful for adding containerd runtime
+# configuration options that aren't explicitly supported by Kubespray's default variables.
+# Example:
+# containerd_extra_runtime_args:
+# device_ownership_from_security_context: true
+# another_option: "value"
+containerd_extra_runtime_args: {}
+
 # Configure registry auth (if applicable to secure/insecure registries)
 containerd_registry_auth: []
 # - registry: 10.0.0.2:5000
diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
index 8b1c5c253..20f60afbd 100644
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -36,6 +36,15 @@ oom_score = {{ containerd_oom_score }}
 enable_cdi = true
 cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"]
 {% endif %}
+{% for key, value in containerd_extra_runtime_args.items() %}
+{% if value is string %}
+ {{ key }} = "{{ value }}"
+{% elif value is boolean %}
+ {{ key }} = {{ value | lower }}
+{% else %}
+ {{ key }} = {{ value }}
+{% endif %}
+{% endfor %}

 [plugins."io.containerd.cri.v1.runtime".containerd]
 default_runtime_name = "{{ containerd_default_runtime }}"
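Review bot: The comment block above `containerd_extra_runtime_args` does not say which value types are accepted, or what happens when a key repeats one that the template already writes into the same section. The template hunk in this commit quotes strings, lowercases booleans and emits everything else as a bare value, so a line such as `# Values must be strings, booleans or numbers; keys and values are written to config.toml as given.` would set the right expectation. A second line, `# Do not repeat a key Kubespray already renders in this section (for example enable_cdi).`, would cover the overlap case. A repeated key presumably makes the rendered TOML invalid, which is worth confirming before it is documented as a hard rule.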
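Review bot: The string branch, `{{ key }} = "{{ value }}"`, writes the value into config.toml without escaping, so a value containing a double quote, backslash or newline yields invalid TOML or extra keys the operator did not intend, in a file that governs container runtime behaviour. Rendering it as `{{ key }} = {{ value | to_json }}` would quote and escape the string; JSON escapes should be acceptable as TOML basic-string escapes for ordinary text, though that is worth confirming for characters outside the BMP. The `else` branch has a related gap: a list or mapping is emitted in Python repr form, which is not reliably valid TOML, so either restrict the variable to scalars with an `assert` task in the role or pass those values through a filter as well. The `[plugins."io.containerd.cri.v1.runtime"]` table header lies outside the hunk, so the section these keys land in is inferred from the comment in defaults/main.yml.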