diff --git a/api/doris/v1/types.go b/api/doris/v1/types.go
index c1b95126..7dc18ea8 100644
--- a/api/doris/v1/types.go
+++ b/api/doris/v1/types.go
@@ -88,6 +88,13 @@ type FeSpec struct {
 type BeSpec struct {
 	//the foundation spec for creating be software services.
 	BaseSpec `json:",inline"`
+
+	// EnableWorkloadGroup is a switch that determines whether the doris cluster enables the workload group.
+	// Default value is 'false'.
+	// Enabling it means that the container must be started in privileged mode.
+	// Please confirm whether the host machine and k8s cluster allow it.
+	// Doris workloadgroup reference document: https://doris.apache.org/docs/admin-manual/resource-admin/workload-group
+	EnableWorkloadGroup bool `json:"enableWorkloadGroup,omitempty"`
 }
 
 // FeAddress specify the fe address, please set it when you deploy fe outside k8s or deploy components use crd except fe, if not set .
diff --git a/pkg/common/utils/resource/constants.go b/pkg/common/utils/resource/constants.go
index 7db3b03e..72f88c86 100644
--- a/pkg/common/utils/resource/constants.go
+++ b/pkg/common/utils/resource/constants.go
@@ -23,6 +23,8 @@ const (
 
 	ENV_FE_PORT = "FE_QUERY_PORT"
 
+	ENABLE_WORKLOAD_GROUP = "ENABLE_WORKLOAD_GROUP"
+
 	ENV_FE_ELECT_NUMBER = "ELECT_NUMBER"
 
 	COMPONENT_TYPE = "COMPONENT_TYPE"
diff --git a/pkg/controller/sub_controller/be/pod.go b/pkg/controller/sub_controller/be/pod.go
index a3602474..a0b6b8b9 100644
--- a/pkg/controller/sub_controller/be/pod.go
+++ b/pkg/controller/sub_controller/be/pod.go
@@ -19,7 +19,9 @@ package be
 
 import (
 	"context"
+	"fmt"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 	"strconv"
 
 	v1 "github.com/apache/doris-operator/api/doris/v1"
@@ -36,7 +38,15 @@ func (be *Controller) buildBEPodTemplateSpec(dcr *v1.DorisCluster) corev1.PodTem
 	containers = append(containers, podTemplateSpec.Spec.Containers...)
 	beContainer := be.beContainer(dcr)
 	containers = append(containers, beContainer)
+
+	if dcr.Spec.BeSpec.EnableWorkloadGroup {
+		if dcr.Spec.BeSpec.ContainerSecurityContext == nil {
+			dcr.Spec.BeSpec.ContainerSecurityContext = &corev1.SecurityContext{}
+		}
+		dcr.Spec.BeSpec.ContainerSecurityContext.Privileged = pointer.Bool(true)
+	}
 	containers = resource.ApplySecurityContext(containers, dcr.Spec.BeSpec.ContainerSecurityContext)
+
 	podTemplateSpec.Spec.Containers = containers
 	return podTemplateSpec
 }
@@ -96,6 +106,13 @@ func (be *Controller) beContainer(dcr *v1.DorisCluster) corev1.Container {
 		Value: feQueryPort,
 	})
 
+	if dcr.Spec.BeSpec.EnableWorkloadGroup {
+		c.Env = append(c.Env, corev1.EnvVar{
+			Name:  resource.ENABLE_WORKLOAD_GROUP,
+			Value: fmt.Sprintf("%t", dcr.Spec.BeSpec.EnableWorkloadGroup),
+		})
+	}
+
 	return c
 }