diff --git a/kubespawner/objects.py b/kubespawner/objects.py
index 19a9c58bc..c4fd31d75 100644
--- a/kubespawner/objects.py
+++ b/kubespawner/objects.py
@@ -334,8 +334,8 @@ def make_pod(
     container_security_context.run_as_group = int(run_as_gid)
     if run_privileged:
         container_security_context.privileged = True
-    if not allow_privilege_escalation:
-        container_security_context.allow_privilege_escalation = False
+    if not allow_privilege_escalation is not None:
+        container_security_context.allow_privilege_escalation = allow_privilege_escalation
     # Only clutter container spec with actual content
     if all([e is None for e in container_security_context.to_dict().values()]):
         container_security_context = None
diff --git a/kubespawner/spawner.py b/kubespawner/spawner.py
index abde6233e..66e9f1a94 100644
--- a/kubespawner/spawner.py
+++ b/kubespawner/spawner.py
@@ -747,15 +747,21 @@ def _validate_image_pull_secrets(self, proposal):
         )
 
     allow_privilege_escalation = Bool(
-        True,
+        False,
         config=True,
+        allow_none=True,
         help="""
         Controls whether a process can gain more privileges than its parent process.
-
-        This bool directly controls whether the no_new_privs flag gets set on the container
+
+        When set to False (the default), the primary user visible effect is that setuid binaries (like sudo) will no longer work.
+
+        When set to None, the defaults for the cluster are respected.
+
+        This bool directly controls whether the no_new_privs flag gets set on the container
         process.
-        AllowPrivilegeEscalation is true always when the container is:
+        AllowPrivilegeEscalation is true always when the container is:
         1) run as Privileged OR
         2) has CAP_SYS_ADMIN.
         """
     )
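Review bot: The new condition `if not allow_privilege_escalation is not None:` in the objects.py hunk parses as `not (allow_privilege_escalation is not None)`, i.e. it is true only when the value is None, so the security context field is assigned None in the one case that should leave it untouched and is never set when the trait is True or False. Combined with the spawner.py hunk's new default of False, the no_new_privs flag is silently never requested and the behaviour that hunk's help text promises ("setuid binaries ... will no longer work") does not take effect, which is a regression from the old code that at least set False reliably. The line should read `if allow_privilege_escalation is not None:`; a unit test asserting that `make_pod(..., allow_privilege_escalation=False)` yields `allow_privilege_escalation: False` in the container security context, and that None omits the key, would have caught this. The rest of make_pod lies outside the hunk.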