diff --git a/docs/pipelineruns.md b/docs/pipelineruns.md
index a5fd92693f3..c40de5b801a 100644
--- a/docs/pipelineruns.md
+++ b/docs/pipelineruns.md
@@ -24,6 +24,8 @@ weight: 204
     - [Mapping <code>ServiceAccount</code> credentials to <code>Tasks</code>](#mapping-serviceaccount-credentials-to-tasks)
     - [Specifying a <code>Pod</code> template](#specifying-a-pod-template)
     - [Specifying taskRunSpecs](#specifying-taskrunspecs)
+      - [Parameter Substitution in taskRunSpecs](#parameter-substitution-in-taskrunspecs)
+      - [Matrix Support with taskRunSpecs](#matrix-support-with-taskrunspecs)
     - [Specifying <code>Workspaces</code>](#specifying-workspaces)
       - [Propagated Workspaces](#propagated-workspaces)
         - [Referenced TaskRuns within Embedded PipelineRuns](#referenced-taskruns-within-embedded-pipelineruns)
@@ -1008,6 +1010,60 @@ spec:
 
 If a metadata key is present in different levels, the value that will be used in the `PipelineRun` is determined using this precedence order: `PipelineRun.spec.taskRunSpec.metadata` > `PipelineRun.metadata` > `Pipeline.spec.tasks.taskSpec.metadata`.
 
+#### Parameter Substitution in taskRunSpecs
+
+The `taskRunSpecs` supports parameter substitution in the `podTemplate` fields. This allows you to dynamically configure pod templates based on pipeline parameters, including those from Matrix tasks.
+
+For example, you can use parameter substitution to configure node selectors based on architecture parameters:
+
+```yaml
+spec:
+  taskRunSpecs:
+    - pipelineTaskName: build-task
+      podTemplate:
+        nodeSelector:
+          kubernetes.io/arch: $(params.arch)
+        tolerations:
+          - key: "environment"
+            operator: "Equal"
+            value: "$(params.env)"
+            effect: "NoSchedule"
+```
+
+#### Matrix Support with taskRunSpecs
+
+When using [`Matrix`](matrix.md) to fan out `PipelineTasks`, the `taskRunSpecs` can reference matrix parameters for dynamic pod template configuration. Each matrix combination will create a separate `TaskRun` with the appropriate parameter values substituted in the pod template.
+
+Here's an example showing how to use `taskRunSpecs` with matrix parameters:
+
+```yaml
+spec:
+  taskRunSpecs:
+    - pipelineTaskName: build-and-push-manifest
+      podTemplate:
+        nodeSelector:
+          kubernetes.io/arch: $(params.arch)
+  pipelineSpec:
+    tasks:
+      - name: build-and-push-manifest
+        matrix:
+          params:
+            - name: arch
+              value: ["amd64", "arm64"]
+        taskSpec:
+          params:
+            - name: arch
+          steps:
+            - name: build-and-push
+              image: ubuntu
+              script: |
+                echo "building on $(params.arch)"
+```
+
+In this example, the matrix will create two `TaskRuns` - one for `amd64` and one for `arm64`. Each will have its pod scheduled on the appropriate node architecture using the nodeSelector with the substituted parameter value.
+
+For a complete example, see [`pipelinerun-with-taskrunspecs-matrix-param-substitution.yaml`](../examples/v1/pipelineruns/pipelinerun-with-taskrunspecs-matrix-param-substitution.yaml).
+
 ### Specifying `Workspaces`
 
 If your `Pipeline` specifies one or more `Workspaces`, you must map those `Workspaces` to
diff --git a/docs/podtemplates.md b/docs/podtemplates.md
index 53bb70ca6e3..15ca621bd14 100644
--- a/docs/podtemplates.md
+++ b/docs/podtemplates.md
@@ -23,6 +23,29 @@ See the following for examples of specifying a Pod template:
 - [Specifying a Pod template for a `TaskRun`](./taskruns.md#specifying-a-pod-template)
 - [Specifying a Pod template for a `PipelineRun`](./pipelineruns.md#specifying-a-pod-template)
 
+## Parameter Substitution in Pod Templates
+
+When using Pod templates within `PipelineRun` [`taskRunSpecs`](./pipelineruns.md#specifying-taskrunspecs), you can use parameter substitution to dynamically configure Pod template fields based on pipeline parameters. This is particularly useful when working with [`Matrix`](./matrix.md) tasks that fan out with different parameter values.
+
+Parameter substitution uses the standard Tekton syntax `$(params.paramName)` and is supported in all Pod template fields that accept string values.
+
+Example with parameter substitution:
+```yaml
+taskRunSpecs:
+  - pipelineTaskName: build-task
+    podTemplate:
+      nodeSelector:
+        kubernetes.io/arch: $(params.arch)
+        environment: $(params.env)
+      tolerations:
+        - key: "workload-type"
+          operator: "Equal"
+          value: "$(params.workload)"
+          effect: "NoSchedule"
+```
+
+When used with Matrix tasks, each matrix combination will create a separate `TaskRun` with the parameter values substituted appropriately in the Pod template. For more information and examples, see [Matrix Support with taskRunSpecs](./pipelineruns.md#matrix-support-with-taskrunspecs).
+
 ## Supported fields
 
 Pod templates support fields listed in the table below.
diff --git a/docs/variables.md b/docs/variables.md
index 02450fd0989..23ba55812e8 100644
--- a/docs/variables.md
+++ b/docs/variables.md
@@ -176,3 +176,21 @@ For instructions on using variable substitutions see the relevant section of [th
 | `PipelineRun` | `spec.workspaces[].projected.sources[].configMap.items[].path`  |
 | `PipelineRun` | `spec.workspaces[].csi.driver`                                  |
 | `PipelineRun` | `spec.workspaces[].csi.nodePublishSecretRef.name`               |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.nodeSelector.*`                |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.tolerations[].key`             |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.tolerations[].operator`        |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.tolerations[].value`           |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.tolerations[].effect`          |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.affinity.*`                    |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.securityContext.*`             |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.volumes[].name`                |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.volumes[].configMap.name`      |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.volumes[].secret.secretName`   |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.runtimeClassName`              |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.schedulerName`                 |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.priorityClassName`             |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.imagePullSecrets[].name`       |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.hostAliases[].ip`              |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.hostAliases[].hostnames[*]`    |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.topologySpreadConstraints[].topologyKey` |
+| `PipelineRun` | `spec.taskRunSpecs[].podTemplate.topologySpreadConstraints[].whenUnsatisfiable` |
diff --git a/examples/v1/pipelineruns/beta/pipelinerun-with-matrix-and-taskrunspecs-param-substitution.yaml b/examples/v1/pipelineruns/beta/pipelinerun-with-matrix-and-taskrunspecs-param-substitution.yaml
new file mode 100644
index 00000000000..d51d40fbbd8
--- /dev/null
+++ b/examples/v1/pipelineruns/beta/pipelinerun-with-matrix-and-taskrunspecs-param-substitution.yaml
@@ -0,0 +1,43 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  generateName: matrix-podtemplate-taskrunspecs-test-
+spec:
+  taskRunSpecs:
+  - pipelineTaskName: build-and-push-manifest
+    podTemplate:
+      nodeSelector:
+        node-type: $(params.node-type)
+  - pipelineTaskName: create-manifest-list
+    podTemplate:
+      nodeSelector:
+        kubernetes.io/arch: amd64
+  pipelineSpec:
+    tasks:
+      - name: build-and-push-manifest
+        matrix:
+          params:
+          - name: node-type
+            value: ["worker-1", "worker-2"]
+        taskSpec:
+          results:
+            - name: manifest
+              type: string
+          params:
+            - name: node-type
+          steps:
+            - name: build-and-push
+              image: ubuntu
+              script: |
+                echo "building on $(params.node-type)"
+                echo "testmanifest-$(params.node-type)" | tee $(results.manifest.path)
+      - name: create-manifest-list
+        params:
+          - name: manifest
+            value: $(tasks.build-and-push-manifest.results.manifest[*])
+        taskSpec:
+          steps:
+            - name: echo-manifests
+              image: ubuntu
+              args: ["$(params.manifest[*])"]
+              script: echo "$@"
diff --git a/hack/setup-kind.sh b/hack/setup-kind.sh
index 6f680361511..ba494c54c85 100755
--- a/hack/setup-kind.sh
+++ b/hack/setup-kind.sh
@@ -125,6 +125,8 @@ kind: Cluster
 nodes:
 - role: control-plane
   image: "${KIND_IMAGE}"
+  labels:
+    node-type: "control-plane"
 EOF
 
 for i in $(seq 1 1 "${NODE_COUNT}");
@@ -132,6 +134,8 @@ do
   cat >> kind.yaml <<EOF
 - role: worker
   image: "${KIND_IMAGE}"
+  labels:
+    node-type: "worker-${i}"
 EOF
 done
 
diff --git a/pkg/reconciler/taskrun/resources/apply.go b/pkg/reconciler/taskrun/resources/apply.go
index 18174faba46..853b8ab9b86 100644
--- a/pkg/reconciler/taskrun/resources/apply.go
+++ b/pkg/reconciler/taskrun/resources/apply.go
@@ -28,6 +28,7 @@ import (
 
 	"github.com/tektoncd/pipeline/internal/artifactref"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
+	podtpl "github.com/tektoncd/pipeline/pkg/apis/pipeline/pod"
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/container"
 	"github.com/tektoncd/pipeline/pkg/internal/resultref"
@@ -35,6 +36,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/substitution"
 	"github.com/tektoncd/pipeline/pkg/workspace"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
@@ -744,3 +746,341 @@ func ApplyReplacements(spec *v1.TaskSpec, stringReplacements map[string]string,
 
 	return spec
 }
+
+// ApplyPodTemplateParameters applies parameter substitution to a PodTemplate
+func ApplyPodTemplateReplacements(podTemplate *podtpl.Template, tr *v1.TaskRun, defaults ...v1.ParamSpec) *podtpl.Template {
+	if podTemplate == nil {
+		return nil
+	}
+
+	result := podTemplate.DeepCopy()
+
+	stringReplacements, _, _ := getTaskParameters(nil, tr, defaults...)
+
+	// Apply substitution to NodeSelector
+	if result.NodeSelector != nil {
+		newNodeSelector := make(map[string]string)
+		for k, v := range result.NodeSelector {
+			newKey := substitution.ApplyReplacements(k, stringReplacements)
+			newValue := substitution.ApplyReplacements(v, stringReplacements)
+			newNodeSelector[newKey] = newValue
+		}
+		result.NodeSelector = newNodeSelector
+	}
+
+	// Apply substitution to Tolerations
+	for i := range result.Tolerations {
+		result.Tolerations[i].Key = substitution.ApplyReplacements(result.Tolerations[i].Key, stringReplacements)
+		result.Tolerations[i].Value = substitution.ApplyReplacements(result.Tolerations[i].Value, stringReplacements)
+		result.Tolerations[i].Operator = corev1.TolerationOperator(substitution.ApplyReplacements(string(result.Tolerations[i].Operator), stringReplacements))
+		result.Tolerations[i].Effect = corev1.TaintEffect(substitution.ApplyReplacements(string(result.Tolerations[i].Effect), stringReplacements))
+	}
+
+	// Apply substitution to Affinity
+	if result.Affinity != nil {
+		applyAffinityReplacements(result.Affinity, stringReplacements)
+	}
+
+	// Apply substitution to SecurityContext labels and annotations
+	if result.SecurityContext != nil {
+		applySecurityContextReplacements(result.SecurityContext, stringReplacements)
+	}
+
+	// Apply substitution to RuntimeClassName
+	if result.RuntimeClassName != nil {
+		runtimeClassName := substitution.ApplyReplacements(*result.RuntimeClassName, stringReplacements)
+		result.RuntimeClassName = &runtimeClassName
+	}
+
+	// Apply substitution to SchedulerName
+	if result.SchedulerName != "" {
+		result.SchedulerName = substitution.ApplyReplacements(result.SchedulerName, stringReplacements)
+	}
+
+	// Apply substitution to PriorityClassName
+	if result.PriorityClassName != nil {
+		priorityClassName := substitution.ApplyReplacements(*result.PriorityClassName, stringReplacements)
+		result.PriorityClassName = &priorityClassName
+	}
+
+	// Apply substitution to ImagePullSecrets
+	for i := range result.ImagePullSecrets {
+		result.ImagePullSecrets[i].Name = substitution.ApplyReplacements(result.ImagePullSecrets[i].Name, stringReplacements)
+	}
+
+	// Apply substitution to HostAliases
+	for i := range result.HostAliases {
+		result.HostAliases[i].IP = substitution.ApplyReplacements(result.HostAliases[i].IP, stringReplacements)
+		for j := range result.HostAliases[i].Hostnames {
+			result.HostAliases[i].Hostnames[j] = substitution.ApplyReplacements(result.HostAliases[i].Hostnames[j], stringReplacements)
+		}
+	}
+
+	// Apply substitution to TopologySpreadConstraints
+	for i := range result.TopologySpreadConstraints {
+		result.TopologySpreadConstraints[i].TopologyKey = substitution.ApplyReplacements(result.TopologySpreadConstraints[i].TopologyKey, stringReplacements)
+		if result.TopologySpreadConstraints[i].LabelSelector != nil {
+			applyLabelSelectorReplacements(result.TopologySpreadConstraints[i].LabelSelector, stringReplacements)
+		}
+	}
+
+	// Apply substitution to DNSPolicy
+	if result.DNSPolicy != nil {
+		dnsPolicy := corev1.DNSPolicy(substitution.ApplyReplacements(string(*result.DNSPolicy), stringReplacements))
+		result.DNSPolicy = &dnsPolicy
+	}
+
+	// Apply substitution to DNSConfig
+	if result.DNSConfig != nil {
+		applyDNSConfigReplacements(result.DNSConfig, stringReplacements)
+	}
+
+	// Apply substitution to Volumes
+	for i := range result.Volumes {
+		applyVolumeReplacements(&result.Volumes[i], stringReplacements)
+	}
+
+	// Apply substitution to Env
+	for i := range result.Env {
+		result.Env[i].Name = substitution.ApplyReplacements(result.Env[i].Name, stringReplacements)
+		result.Env[i].Value = substitution.ApplyReplacements(result.Env[i].Value, stringReplacements)
+		if result.Env[i].ValueFrom != nil {
+			applyEnvVarSourceReplacements(result.Env[i].ValueFrom, stringReplacements)
+		}
+	}
+
+	return result
+}
+
+func applyAffinityReplacements(affinity *corev1.Affinity, stringReplacements map[string]string) {
+	if affinity.NodeAffinity != nil {
+		applyNodeAffinityReplacements(affinity.NodeAffinity, stringReplacements)
+	}
+	if affinity.PodAffinity != nil {
+		applyPodAffinityReplacements(affinity.PodAffinity, stringReplacements)
+	}
+	if affinity.PodAntiAffinity != nil {
+		applyPodAntiAffinityReplacements(affinity.PodAntiAffinity, stringReplacements)
+	}
+}
+
+func applyNodeAffinityReplacements(nodeAffinity *corev1.NodeAffinity, stringReplacements map[string]string) {
+	if nodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution != nil {
+		for i := range nodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms {
+			applyNodeSelectorTermReplacements(&nodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms[i], stringReplacements)
+		}
+	}
+	for i := range nodeAffinity.PreferredDuringSchedulingIgnoredDuringExecution {
+		applyNodeSelectorTermReplacements(&nodeAffinity.PreferredDuringSchedulingIgnoredDuringExecution[i].Preference, stringReplacements)
+	}
+}
+
+func applyNodeSelectorTermReplacements(term *corev1.NodeSelectorTerm, stringReplacements map[string]string) {
+	for i := range term.MatchExpressions {
+		term.MatchExpressions[i].Key = substitution.ApplyReplacements(term.MatchExpressions[i].Key, stringReplacements)
+		for j := range term.MatchExpressions[i].Values {
+			term.MatchExpressions[i].Values[j] = substitution.ApplyReplacements(term.MatchExpressions[i].Values[j], stringReplacements)
+		}
+	}
+	for i := range term.MatchFields {
+		term.MatchFields[i].Key = substitution.ApplyReplacements(term.MatchFields[i].Key, stringReplacements)
+		for j := range term.MatchFields[i].Values {
+			term.MatchFields[i].Values[j] = substitution.ApplyReplacements(term.MatchFields[i].Values[j], stringReplacements)
+		}
+	}
+}
+
+func applyPodAffinityReplacements(podAffinity *corev1.PodAffinity, stringReplacements map[string]string) {
+	for i := range podAffinity.RequiredDuringSchedulingIgnoredDuringExecution {
+		applyPodAffinityTermReplacements(&podAffinity.RequiredDuringSchedulingIgnoredDuringExecution[i], stringReplacements)
+	}
+	for i := range podAffinity.PreferredDuringSchedulingIgnoredDuringExecution {
+		applyPodAffinityTermReplacements(&podAffinity.PreferredDuringSchedulingIgnoredDuringExecution[i].PodAffinityTerm, stringReplacements)
+	}
+}
+
+func applyPodAntiAffinityReplacements(podAntiAffinity *corev1.PodAntiAffinity, stringReplacements map[string]string) {
+	for i := range podAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution {
+		applyPodAffinityTermReplacements(&podAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution[i], stringReplacements)
+	}
+	for i := range podAntiAffinity.PreferredDuringSchedulingIgnoredDuringExecution {
+		applyPodAffinityTermReplacements(&podAntiAffinity.PreferredDuringSchedulingIgnoredDuringExecution[i].PodAffinityTerm, stringReplacements)
+	}
+}
+
+func applyPodAffinityTermReplacements(term *corev1.PodAffinityTerm, stringReplacements map[string]string) {
+	if term.LabelSelector != nil {
+		applyLabelSelectorReplacements(term.LabelSelector, stringReplacements)
+	}
+	term.TopologyKey = substitution.ApplyReplacements(term.TopologyKey, stringReplacements)
+	if term.NamespaceSelector != nil {
+		applyLabelSelectorReplacements(term.NamespaceSelector, stringReplacements)
+	}
+	for i := range term.Namespaces {
+		term.Namespaces[i] = substitution.ApplyReplacements(term.Namespaces[i], stringReplacements)
+	}
+}
+
+func applyLabelSelectorReplacements(selector *metav1.LabelSelector, stringReplacements map[string]string) {
+	if selector.MatchLabels != nil {
+		newMatchLabels := make(map[string]string)
+		for k, v := range selector.MatchLabels {
+			newKey := substitution.ApplyReplacements(k, stringReplacements)
+			newValue := substitution.ApplyReplacements(v, stringReplacements)
+			newMatchLabels[newKey] = newValue
+		}
+		selector.MatchLabels = newMatchLabels
+	}
+	for i := range selector.MatchExpressions {
+		selector.MatchExpressions[i].Key = substitution.ApplyReplacements(selector.MatchExpressions[i].Key, stringReplacements)
+		for j := range selector.MatchExpressions[i].Values {
+			selector.MatchExpressions[i].Values[j] = substitution.ApplyReplacements(selector.MatchExpressions[i].Values[j], stringReplacements)
+		}
+	}
+}
+
+func applySecurityContextReplacements(securityContext *corev1.PodSecurityContext, stringReplacements map[string]string) {
+	// Apply substitution to SELinuxOptions
+	if securityContext.SELinuxOptions != nil {
+		securityContext.SELinuxOptions.User = substitution.ApplyReplacements(securityContext.SELinuxOptions.User, stringReplacements)
+		securityContext.SELinuxOptions.Role = substitution.ApplyReplacements(securityContext.SELinuxOptions.Role, stringReplacements)
+		securityContext.SELinuxOptions.Type = substitution.ApplyReplacements(securityContext.SELinuxOptions.Type, stringReplacements)
+		securityContext.SELinuxOptions.Level = substitution.ApplyReplacements(securityContext.SELinuxOptions.Level, stringReplacements)
+	}
+
+	// Apply substitution to WindowsOptions
+	if securityContext.WindowsOptions != nil {
+		if securityContext.WindowsOptions.GMSACredentialSpecName != nil {
+			gmsaCredentialSpecName := substitution.ApplyReplacements(*securityContext.WindowsOptions.GMSACredentialSpecName, stringReplacements)
+			securityContext.WindowsOptions.GMSACredentialSpecName = &gmsaCredentialSpecName
+		}
+		if securityContext.WindowsOptions.GMSACredentialSpec != nil {
+			gmsaCredentialSpec := substitution.ApplyReplacements(*securityContext.WindowsOptions.GMSACredentialSpec, stringReplacements)
+			securityContext.WindowsOptions.GMSACredentialSpec = &gmsaCredentialSpec
+		}
+		if securityContext.WindowsOptions.RunAsUserName != nil {
+			runAsUserName := substitution.ApplyReplacements(*securityContext.WindowsOptions.RunAsUserName, stringReplacements)
+			securityContext.WindowsOptions.RunAsUserName = &runAsUserName
+		}
+	}
+
+	// Apply substitution to SupplementalGroupsPolicy
+	if securityContext.SupplementalGroupsPolicy != nil {
+		supplementalGroupsPolicy := corev1.SupplementalGroupsPolicy(substitution.ApplyReplacements(string(*securityContext.SupplementalGroupsPolicy), stringReplacements))
+		securityContext.SupplementalGroupsPolicy = &supplementalGroupsPolicy
+	}
+
+	// Apply substitution to Sysctls
+	for i := range securityContext.Sysctls {
+		securityContext.Sysctls[i].Name = substitution.ApplyReplacements(securityContext.Sysctls[i].Name, stringReplacements)
+		securityContext.Sysctls[i].Value = substitution.ApplyReplacements(securityContext.Sysctls[i].Value, stringReplacements)
+	}
+
+	// Apply substitution to FSGroupChangePolicy
+	if securityContext.FSGroupChangePolicy != nil {
+		fsGroupChangePolicy := corev1.PodFSGroupChangePolicy(substitution.ApplyReplacements(string(*securityContext.FSGroupChangePolicy), stringReplacements))
+		securityContext.FSGroupChangePolicy = &fsGroupChangePolicy
+	}
+
+	// Apply substitution to SeccompProfile
+	if securityContext.SeccompProfile != nil {
+		securityContext.SeccompProfile.Type = corev1.SeccompProfileType(substitution.ApplyReplacements(string(securityContext.SeccompProfile.Type), stringReplacements))
+		if securityContext.SeccompProfile.LocalhostProfile != nil {
+			localhostProfile := substitution.ApplyReplacements(*securityContext.SeccompProfile.LocalhostProfile, stringReplacements)
+			securityContext.SeccompProfile.LocalhostProfile = &localhostProfile
+		}
+	}
+
+	// Apply substitution to AppArmorProfile
+	if securityContext.AppArmorProfile != nil {
+		securityContext.AppArmorProfile.Type = corev1.AppArmorProfileType(substitution.ApplyReplacements(string(securityContext.AppArmorProfile.Type), stringReplacements))
+		if securityContext.AppArmorProfile.LocalhostProfile != nil {
+			localhostProfile := substitution.ApplyReplacements(*securityContext.AppArmorProfile.LocalhostProfile, stringReplacements)
+			securityContext.AppArmorProfile.LocalhostProfile = &localhostProfile
+		}
+	}
+
+	// Apply substitution to SELinuxChangePolicy
+	if securityContext.SELinuxChangePolicy != nil {
+		seLinuxChangePolicy := corev1.PodSELinuxChangePolicy(substitution.ApplyReplacements(string(*securityContext.SELinuxChangePolicy), stringReplacements))
+		securityContext.SELinuxChangePolicy = &seLinuxChangePolicy
+	}
+}
+
+func applyDNSConfigReplacements(dnsConfig *corev1.PodDNSConfig, stringReplacements map[string]string) {
+	for i := range dnsConfig.Nameservers {
+		dnsConfig.Nameservers[i] = substitution.ApplyReplacements(dnsConfig.Nameservers[i], stringReplacements)
+	}
+	for i := range dnsConfig.Searches {
+		dnsConfig.Searches[i] = substitution.ApplyReplacements(dnsConfig.Searches[i], stringReplacements)
+	}
+	for i := range dnsConfig.Options {
+		dnsConfig.Options[i].Name = substitution.ApplyReplacements(dnsConfig.Options[i].Name, stringReplacements)
+		if dnsConfig.Options[i].Value != nil {
+			value := substitution.ApplyReplacements(*dnsConfig.Options[i].Value, stringReplacements)
+			dnsConfig.Options[i].Value = &value
+		}
+	}
+}
+
+func applyVolumeReplacements(volume *corev1.Volume, stringReplacements map[string]string) {
+	volume.Name = substitution.ApplyReplacements(volume.Name, stringReplacements)
+	if volume.ConfigMap != nil {
+		volume.ConfigMap.Name = substitution.ApplyReplacements(volume.ConfigMap.Name, stringReplacements)
+		for i := range volume.ConfigMap.Items {
+			volume.ConfigMap.Items[i].Key = substitution.ApplyReplacements(volume.ConfigMap.Items[i].Key, stringReplacements)
+			volume.ConfigMap.Items[i].Path = substitution.ApplyReplacements(volume.ConfigMap.Items[i].Path, stringReplacements)
+		}
+	}
+	if volume.Secret != nil {
+		volume.Secret.SecretName = substitution.ApplyReplacements(volume.Secret.SecretName, stringReplacements)
+		for i := range volume.Secret.Items {
+			volume.Secret.Items[i].Key = substitution.ApplyReplacements(volume.Secret.Items[i].Key, stringReplacements)
+			volume.Secret.Items[i].Path = substitution.ApplyReplacements(volume.Secret.Items[i].Path, stringReplacements)
+		}
+	}
+	if volume.PersistentVolumeClaim != nil {
+		volume.PersistentVolumeClaim.ClaimName = substitution.ApplyReplacements(volume.PersistentVolumeClaim.ClaimName, stringReplacements)
+	}
+	if volume.Projected != nil {
+		for _, s := range volume.Projected.Sources {
+			if s.ConfigMap != nil {
+				s.ConfigMap.Name = substitution.ApplyReplacements(s.ConfigMap.Name, stringReplacements)
+			}
+			if s.Secret != nil {
+				s.Secret.Name = substitution.ApplyReplacements(s.Secret.Name, stringReplacements)
+			}
+			if s.ServiceAccountToken != nil {
+				s.ServiceAccountToken.Audience = substitution.ApplyReplacements(s.ServiceAccountToken.Audience, stringReplacements)
+			}
+		}
+	}
+	if volume.CSI != nil {
+		if volume.CSI.NodePublishSecretRef != nil {
+			volume.CSI.NodePublishSecretRef.Name = substitution.ApplyReplacements(volume.CSI.NodePublishSecretRef.Name, stringReplacements)
+		}
+		if volume.CSI.VolumeAttributes != nil {
+			for key, value := range volume.CSI.VolumeAttributes {
+				volume.CSI.VolumeAttributes[key] = substitution.ApplyReplacements(value, stringReplacements)
+			}
+		}
+	}
+}
+
+func applyEnvVarSourceReplacements(valueFrom *corev1.EnvVarSource, stringReplacements map[string]string) {
+	if valueFrom.ConfigMapKeyRef != nil {
+		valueFrom.ConfigMapKeyRef.Name = substitution.ApplyReplacements(valueFrom.ConfigMapKeyRef.Name, stringReplacements)
+		valueFrom.ConfigMapKeyRef.Key = substitution.ApplyReplacements(valueFrom.ConfigMapKeyRef.Key, stringReplacements)
+	}
+	if valueFrom.SecretKeyRef != nil {
+		valueFrom.SecretKeyRef.Name = substitution.ApplyReplacements(valueFrom.SecretKeyRef.Name, stringReplacements)
+		valueFrom.SecretKeyRef.Key = substitution.ApplyReplacements(valueFrom.SecretKeyRef.Key, stringReplacements)
+	}
+	if valueFrom.FieldRef != nil {
+		valueFrom.FieldRef.FieldPath = substitution.ApplyReplacements(valueFrom.FieldRef.FieldPath, stringReplacements)
+	}
+	if valueFrom.ResourceFieldRef != nil {
+		valueFrom.ResourceFieldRef.Resource = substitution.ApplyReplacements(valueFrom.ResourceFieldRef.Resource, stringReplacements)
+		valueFrom.ResourceFieldRef.ContainerName = substitution.ApplyReplacements(valueFrom.ResourceFieldRef.ContainerName, stringReplacements)
+	}
+}
diff --git a/pkg/reconciler/taskrun/resources/apply_test.go b/pkg/reconciler/taskrun/resources/apply_test.go
index d0eee83229b..9b8d44bc72c 100644
--- a/pkg/reconciler/taskrun/resources/apply_test.go
+++ b/pkg/reconciler/taskrun/resources/apply_test.go
@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	podtpl "github.com/tektoncd/pipeline/pkg/apis/pipeline/pod"
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/reconciler/taskrun/resources"
 	"github.com/tektoncd/pipeline/pkg/workspace"
@@ -27,6 +28,7 @@ import (
 	"github.com/tektoncd/pipeline/test/names"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 	"knative.dev/pkg/apis"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 )
@@ -783,6 +785,238 @@ func TestApplyParameters(t *testing.T) {
 				Name:  "FOO",
 				Value: *v1.NewStructuredValues("world"),
 			}},
+			PodTemplate: &podtpl.Template{
+				NodeSelector: map[string]string{
+					"kubernetes.io/arch": "$(params.myimage)",
+					"disktype":           "$(params.FOO)",
+					"static":             "value",
+				},
+				Tolerations: []corev1.Toleration{{
+					Key:      "$(params.myimage)",
+					Value:    "$(params.FOO)",
+					Operator: corev1.TolerationOpEqual,
+					Effect:   corev1.TaintEffectNoSchedule,
+				}},
+				RuntimeClassName:  ptr.To("$(params.myimage)"),
+				SchedulerName:     "$(params.FOO)",
+				PriorityClassName: ptr.To("$(params.myimage)"),
+				ImagePullSecrets: []corev1.LocalObjectReference{
+					{Name: "$(params.myimage)"},
+					{Name: "$(params.FOO)"},
+				},
+				HostAliases: []corev1.HostAlias{{
+					IP:        "$(params.myimage)",
+					Hostnames: []string{"$(params.FOO).example.com", "host2.example.com"},
+				}},
+				Env: []corev1.EnvVar{
+					{Name: "$(params.myimage)", Value: "$(params.FOO)"},
+					{Name: "STATIC_VAR", Value: "static_value"},
+					{Name: "FROM_CONFIG", ValueFrom: &corev1.EnvVarSource{
+						ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "config-$(params.myimage)"},
+							Key:                  "config-key-$(params.FOO)",
+						},
+					}},
+					{Name: "FROM_SECRET", ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "secret-$(params.myimage)"},
+							Key:                  "secret-key-$(params.FOO)",
+						},
+					}},
+					{Name: "FROM_FIELD", ValueFrom: &corev1.EnvVarSource{
+						FieldRef: &corev1.ObjectFieldSelector{
+							FieldPath: "spec.nodeName.$(params.myimage)",
+						},
+					}},
+					{Name: "FROM_RESOURCE", ValueFrom: &corev1.EnvVarSource{
+						ResourceFieldRef: &corev1.ResourceFieldSelector{
+							Resource:      "limits.memory.$(params.FOO)",
+							ContainerName: "container-$(params.myimage)",
+						},
+					}},
+				},
+				DNSConfig: &corev1.PodDNSConfig{
+					Nameservers: []string{"$(params.myimage)", "$(params.FOO)"},
+					Searches:    []string{"$(params.FOO).local"},
+					Options: []corev1.PodDNSConfigOption{
+						{Name: "$(params.myimage)", Value: ptr.To("$(params.FOO)")},
+					},
+				},
+				DNSPolicy: &[]corev1.DNSPolicy{corev1.DNSClusterFirst}[0],
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						User:  "$(params.myimage)",
+						Role:  "$(params.FOO)",
+						Type:  "container_t",
+						Level: "s0:c123,c456",
+					},
+					WindowsOptions: &corev1.WindowsSecurityContextOptions{
+						GMSACredentialSpecName: ptr.To("$(params.myimage)"),
+						GMSACredentialSpec:     ptr.To("$(params.FOO)"),
+						RunAsUserName:          ptr.To("$(params.myimage)"),
+					},
+					AppArmorProfile: &corev1.AppArmorProfile{
+						Type:             corev1.AppArmorProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("$(params.myimage)"),
+					},
+					Sysctls: []corev1.Sysctl{{
+						Name:  "$(params.myimage)",
+						Value: "$(params.FOO)",
+					}},
+					FSGroupChangePolicy:      &[]corev1.PodFSGroupChangePolicy{corev1.FSGroupChangeOnRootMismatch}[0],
+					SupplementalGroupsPolicy: &[]corev1.SupplementalGroupsPolicy{corev1.SupplementalGroupsPolicyMerge}[0],
+					SeccompProfile: &corev1.SeccompProfile{
+						Type:             corev1.SeccompProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("$(params.FOO)"),
+					},
+					SELinuxChangePolicy: &[]corev1.PodSELinuxChangePolicy{corev1.SELinuxChangePolicyMountOption}[0],
+				},
+				Affinity: &corev1.Affinity{
+					NodeAffinity: &corev1.NodeAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{
+							NodeSelectorTerms: []corev1.NodeSelectorTerm{{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myimage)",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.FOO)"},
+								}},
+								MatchFields: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myimage)",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.FOO)"},
+								}},
+							}},
+						},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.PreferredSchedulingTerm{{
+							Weight: 1,
+							Preference: corev1.NodeSelectorTerm{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myimage)",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.FOO)"},
+								}},
+							},
+						}},
+					},
+					PodAffinity: &corev1.PodAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myimage)": "$(params.FOO)",
+								},
+								MatchExpressions: []metav1.LabelSelectorRequirement{{
+									Key:      "$(params.myimage)",
+									Operator: metav1.LabelSelectorOpIn,
+									Values:   []string{"$(params.FOO)"},
+								}},
+							},
+							TopologyKey: "$(params.myimage)",
+							Namespaces:  []string{"$(params.FOO)"},
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myimage)": "$(params.FOO)",
+								},
+							},
+						}},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{{
+							Weight: 1,
+							PodAffinityTerm: corev1.PodAffinityTerm{
+								LabelSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"$(params.myimage)": "$(params.FOO)",
+									},
+								},
+								TopologyKey: "$(params.myimage)",
+							},
+						}},
+					},
+					PodAntiAffinity: &corev1.PodAntiAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myimage)": "$(params.FOO)",
+								},
+							},
+							TopologyKey: "$(params.myimage)",
+						}},
+					},
+				},
+				TopologySpreadConstraints: []corev1.TopologySpreadConstraint{{
+					MaxSkew:           1,
+					TopologyKey:       "$(params.myimage)",
+					WhenUnsatisfiable: corev1.DoNotSchedule,
+					LabelSelector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"app": "$(params.FOO)",
+						},
+					},
+				}},
+				Volumes: []corev1.Volume{{
+					Name: "$(params.myimage)",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "$(params.myimage)",
+							},
+							Items: []corev1.KeyToPath{{
+								Key:  "$(params.myimage)",
+								Path: "$(params.FOO)",
+							}},
+						},
+					},
+				}, {
+					Name: "secret-volume",
+					VolumeSource: corev1.VolumeSource{
+						Secret: &corev1.SecretVolumeSource{
+							SecretName: "$(params.myimage)",
+							Items: []corev1.KeyToPath{{
+								Key:  "$(params.myimage)",
+								Path: "$(params.FOO)",
+							}},
+						},
+					},
+				}, {
+					Name: "pvc-volume",
+					VolumeSource: corev1.VolumeSource{
+						PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+							ClaimName: "$(params.myimage)",
+						},
+					},
+				}, {
+					Name: "projected-volume",
+					VolumeSource: corev1.VolumeSource{
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{{
+								ConfigMap: &corev1.ConfigMapProjection{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "$(params.myimage)",
+									},
+								},
+								Secret: &corev1.SecretProjection{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "$(params.myimage)",
+									},
+								},
+								ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+									Audience: "$(params.FOO)",
+								},
+							}},
+						},
+					},
+				}, {
+					Name: "csi-volume",
+					VolumeSource: corev1.VolumeSource{
+						CSI: &corev1.CSIVolumeSource{
+							VolumeAttributes: map[string]string{
+								"secretProviderClass": "$(params.myimage)",
+							},
+							NodePublishSecretRef: &corev1.LocalObjectReference{
+								Name: "$(params.myimage)",
+							},
+						},
+					},
+				}},
+			},
 		},
 	}
 	dp := []v1.ParamSpec{{
@@ -834,10 +1068,259 @@ func TestApplyParameters(t *testing.T) {
 		spec.Sidecars[0].Image = "bar"
 		spec.Sidecars[0].Env[0].Value = "world"
 	})
+	wantTr := &v1.TaskRun{
+		Spec: v1.TaskRunSpec{
+			Params: []v1.Param{{
+				Name:  "myimage",
+				Value: *v1.NewStructuredValues("bar"),
+			}, {
+				Name:  "FOO",
+				Value: *v1.NewStructuredValues("world"),
+			}},
+			PodTemplate: &podtpl.Template{
+				NodeSelector: map[string]string{
+					"kubernetes.io/arch": "bar",
+					"disktype":           "world",
+					"static":             "value",
+				},
+				Tolerations: []corev1.Toleration{{
+					Key:      "bar",
+					Value:    "world",
+					Operator: corev1.TolerationOpEqual,
+					Effect:   corev1.TaintEffectNoSchedule,
+				}},
+				RuntimeClassName:  ptr.To("bar"),
+				SchedulerName:     "world",
+				PriorityClassName: ptr.To("bar"),
+				ImagePullSecrets: []corev1.LocalObjectReference{
+					{Name: "bar"},
+					{Name: "world"},
+				},
+				HostAliases: []corev1.HostAlias{{
+					IP:        "bar",
+					Hostnames: []string{"world.example.com", "host2.example.com"},
+				}},
+				Env: []corev1.EnvVar{
+					{Name: "bar", Value: "world"},
+					{Name: "STATIC_VAR", Value: "static_value"},
+					{Name: "FROM_CONFIG", ValueFrom: &corev1.EnvVarSource{
+						ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "config-bar"},
+							Key:                  "config-key-world",
+						},
+					}},
+					{Name: "FROM_SECRET", ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "secret-bar"},
+							Key:                  "secret-key-world",
+						},
+					}},
+					{Name: "FROM_FIELD", ValueFrom: &corev1.EnvVarSource{
+						FieldRef: &corev1.ObjectFieldSelector{
+							FieldPath: "spec.nodeName.bar",
+						},
+					}},
+					{Name: "FROM_RESOURCE", ValueFrom: &corev1.EnvVarSource{
+						ResourceFieldRef: &corev1.ResourceFieldSelector{
+							Resource:      "limits.memory.world",
+							ContainerName: "container-bar",
+						},
+					}},
+				},
+				DNSConfig: &corev1.PodDNSConfig{
+					Nameservers: []string{"bar", "world"},
+					Searches:    []string{"world.local"},
+					Options: []corev1.PodDNSConfigOption{
+						{Name: "bar", Value: ptr.To("world")},
+					},
+				},
+				DNSPolicy: &[]corev1.DNSPolicy{corev1.DNSClusterFirst}[0],
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						User:  "bar",
+						Role:  "world",
+						Type:  "container_t",
+						Level: "s0:c123,c456",
+					},
+					WindowsOptions: &corev1.WindowsSecurityContextOptions{
+						GMSACredentialSpecName: ptr.To("bar"),
+						GMSACredentialSpec:     ptr.To("world"),
+						RunAsUserName:          ptr.To("bar"),
+					},
+					AppArmorProfile: &corev1.AppArmorProfile{
+						Type:             corev1.AppArmorProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("bar"),
+					},
+					Sysctls: []corev1.Sysctl{{
+						Name:  "bar",
+						Value: "world",
+					}},
+					FSGroupChangePolicy:      &[]corev1.PodFSGroupChangePolicy{corev1.FSGroupChangeOnRootMismatch}[0],
+					SupplementalGroupsPolicy: &[]corev1.SupplementalGroupsPolicy{corev1.SupplementalGroupsPolicyMerge}[0],
+					SeccompProfile: &corev1.SeccompProfile{
+						Type:             corev1.SeccompProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("world"),
+					},
+					SELinuxChangePolicy: &[]corev1.PodSELinuxChangePolicy{corev1.SELinuxChangePolicyMountOption}[0],
+				},
+				Affinity: &corev1.Affinity{
+					NodeAffinity: &corev1.NodeAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{
+							NodeSelectorTerms: []corev1.NodeSelectorTerm{{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "bar",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"world"},
+								}},
+								MatchFields: []corev1.NodeSelectorRequirement{{
+									Key:      "bar",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"world"},
+								}},
+							}},
+						},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.PreferredSchedulingTerm{{
+							Weight: 1,
+							Preference: corev1.NodeSelectorTerm{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "bar",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"world"},
+								}},
+							},
+						}},
+					},
+					PodAffinity: &corev1.PodAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"bar": "world",
+								},
+								MatchExpressions: []metav1.LabelSelectorRequirement{{
+									Key:      "bar",
+									Operator: metav1.LabelSelectorOpIn,
+									Values:   []string{"world"},
+								}},
+							},
+							TopologyKey: "bar",
+							Namespaces:  []string{"world"},
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"bar": "world",
+								},
+							},
+						}},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{{
+							Weight: 1,
+							PodAffinityTerm: corev1.PodAffinityTerm{
+								LabelSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"bar": "world",
+									},
+								},
+								TopologyKey: "bar",
+							},
+						}},
+					},
+					PodAntiAffinity: &corev1.PodAntiAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"bar": "world",
+								},
+							},
+							TopologyKey: "bar",
+						}},
+					},
+				},
+				TopologySpreadConstraints: []corev1.TopologySpreadConstraint{{
+					MaxSkew:           1,
+					TopologyKey:       "bar",
+					WhenUnsatisfiable: corev1.DoNotSchedule,
+					LabelSelector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"app": "world",
+						},
+					},
+				}},
+				Volumes: []corev1.Volume{{
+					Name: "bar",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "bar",
+							},
+							Items: []corev1.KeyToPath{{
+								Key:  "bar",
+								Path: "world",
+							}},
+						},
+					},
+				}, {
+					Name: "secret-volume",
+					VolumeSource: corev1.VolumeSource{
+						Secret: &corev1.SecretVolumeSource{
+							SecretName: "bar",
+							Items: []corev1.KeyToPath{{
+								Key:  "bar",
+								Path: "world",
+							}},
+						},
+					},
+				}, {
+					Name: "pvc-volume",
+					VolumeSource: corev1.VolumeSource{
+						PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+							ClaimName: "bar",
+						},
+					},
+				}, {
+					Name: "projected-volume",
+					VolumeSource: corev1.VolumeSource{
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{{
+								ConfigMap: &corev1.ConfigMapProjection{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "bar",
+									},
+								},
+								Secret: &corev1.SecretProjection{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "bar",
+									},
+								},
+								ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+									Audience: "world",
+								},
+							}},
+						},
+					},
+				}, {
+					Name: "csi-volume",
+					VolumeSource: corev1.VolumeSource{
+						CSI: &corev1.CSIVolumeSource{
+							VolumeAttributes: map[string]string{
+								"secretProviderClass": "bar",
+							},
+							NodePublishSecretRef: &corev1.LocalObjectReference{
+								Name: "bar",
+							},
+						},
+					},
+				}},
+			},
+		},
+	}
 	got := resources.ApplyParameters(simpleTaskSpec, tr, dp...)
 	if d := cmp.Diff(want, got); d != "" {
 		t.Errorf("ApplyParameters() got diff %s", diff.PrintWantGot(d))
 	}
+
+	gotTr := tr.DeepCopy()
+	gotTr.Spec.PodTemplate = resources.ApplyPodTemplateReplacements(tr.Spec.PodTemplate, tr)
+	if d := cmp.Diff(wantTr, gotTr); d != "" {
+		t.Errorf("ApplyPodTemplateParameters() got diff %s", diff.PrintWantGot(d))
+	}
 }
 
 func TestApplyParameters_ArrayIndexing(t *testing.T) {
@@ -850,6 +1333,237 @@ func TestApplyParameters_ArrayIndexing(t *testing.T) {
 				Name:  "FOO",
 				Value: *v1.NewStructuredValues("hello", "world"),
 			}},
+			PodTemplate: &podtpl.Template{
+				NodeSelector: map[string]string{
+					"kubernetes.io/arch": "$(params.myimage[0])",
+					"disktype":           "$(params.FOO[1])",
+				},
+				ImagePullSecrets: []corev1.LocalObjectReference{
+					{Name: "$(params.myimage[0])"},
+					{Name: "$(params.FOO[1])"},
+				},
+				Tolerations: []corev1.Toleration{{
+					Key:      "$(params.myimage[0])",
+					Value:    "$(params.FOO[1])",
+					Operator: corev1.TolerationOpEqual,
+					Effect:   corev1.TaintEffectNoSchedule,
+				}},
+				RuntimeClassName:  ptr.To("$(params.myimage[0])"),
+				SchedulerName:     "$(params.FOO[1])",
+				PriorityClassName: ptr.To("$(params.myimage[0])"),
+				HostAliases: []corev1.HostAlias{{
+					IP:        "$(params.myimage[0])",
+					Hostnames: []string{"$(params.FOO[1]).example.com", "host2.example.com"},
+				}},
+				Env: []corev1.EnvVar{
+					{Name: "$(params.myimage[0])", Value: "$(params.FOO[1])"},
+					{Name: "STATIC_VAR", Value: "static_value"},
+					{Name: "FROM_CONFIG", ValueFrom: &corev1.EnvVarSource{
+						ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "config-$(params.myimage[0])"},
+							Key:                  "config-key-$(params.FOO[1])",
+						},
+					}},
+					{Name: "FROM_SECRET", ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "secret-$(params.myimage[0])"},
+							Key:                  "secret-key-$(params.FOO[1])",
+						},
+					}},
+					{Name: "FROM_FIELD", ValueFrom: &corev1.EnvVarSource{
+						FieldRef: &corev1.ObjectFieldSelector{
+							FieldPath: "spec.nodeName.$(params.myimage[0])",
+						},
+					}},
+					{Name: "FROM_RESOURCE", ValueFrom: &corev1.EnvVarSource{
+						ResourceFieldRef: &corev1.ResourceFieldSelector{
+							Resource:      "limits.memory.$(params.FOO[1])",
+							ContainerName: "container-$(params.myimage[0])",
+						},
+					}},
+				},
+				DNSConfig: &corev1.PodDNSConfig{
+					Nameservers: []string{"$(params.myimage[0])", "$(params.FOO[1])"},
+					Searches:    []string{"$(params.FOO[1]).local"},
+					Options: []corev1.PodDNSConfigOption{
+						{Name: "$(params.myimage[0])", Value: ptr.To("$(params.FOO[1])")},
+					},
+				},
+				DNSPolicy: &[]corev1.DNSPolicy{corev1.DNSClusterFirst}[0],
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						User:  "$(params.myimage[0])",
+						Role:  "$(params.FOO[1])",
+						Type:  "container_t",
+						Level: "s0:c123,c456",
+					},
+					WindowsOptions: &corev1.WindowsSecurityContextOptions{
+						GMSACredentialSpecName: ptr.To("$(params.myimage[0])"),
+						GMSACredentialSpec:     ptr.To("$(params.FOO[1])"),
+						RunAsUserName:          ptr.To("$(params.myimage[0])"),
+					},
+					AppArmorProfile: &corev1.AppArmorProfile{
+						Type:             corev1.AppArmorProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("$(params.myimage[0])"),
+					},
+					Sysctls: []corev1.Sysctl{{
+						Name:  "$(params.myimage[0])",
+						Value: "$(params.FOO[1])",
+					}},
+					FSGroupChangePolicy:      &[]corev1.PodFSGroupChangePolicy{corev1.FSGroupChangeOnRootMismatch}[0],
+					SupplementalGroupsPolicy: &[]corev1.SupplementalGroupsPolicy{corev1.SupplementalGroupsPolicyMerge}[0],
+					SeccompProfile: &corev1.SeccompProfile{
+						Type:             corev1.SeccompProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("$(params.FOO[1])"),
+					},
+					SELinuxChangePolicy: &[]corev1.PodSELinuxChangePolicy{corev1.SELinuxChangePolicyMountOption}[0],
+				},
+				Affinity: &corev1.Affinity{
+					NodeAffinity: &corev1.NodeAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{
+							NodeSelectorTerms: []corev1.NodeSelectorTerm{{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myimage[0])",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.FOO[1])"},
+								}},
+								MatchFields: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myimage[0])",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.FOO[1])"},
+								}},
+							}},
+						},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.PreferredSchedulingTerm{{
+							Weight: 1,
+							Preference: corev1.NodeSelectorTerm{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myimage[0])",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.FOO[1])"},
+								}},
+							},
+						}},
+					},
+					PodAffinity: &corev1.PodAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myimage[0])": "$(params.FOO[1])",
+								},
+								MatchExpressions: []metav1.LabelSelectorRequirement{{
+									Key:      "$(params.myimage[0])",
+									Operator: metav1.LabelSelectorOpIn,
+									Values:   []string{"$(params.FOO[1])"},
+								}},
+							},
+							TopologyKey: "$(params.myimage[0])",
+							Namespaces:  []string{"$(params.FOO[1])"},
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myimage[0])": "$(params.FOO[1])",
+								},
+							},
+						}},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{{
+							Weight: 1,
+							PodAffinityTerm: corev1.PodAffinityTerm{
+								LabelSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"$(params.myimage[0])": "$(params.FOO[1])",
+									},
+								},
+								TopologyKey: "$(params.myimage[0])",
+							},
+						}},
+					},
+					PodAntiAffinity: &corev1.PodAntiAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myimage[0])": "$(params.FOO[1])",
+								},
+							},
+							TopologyKey: "$(params.myimage[0])",
+						}},
+					},
+				},
+				TopologySpreadConstraints: []corev1.TopologySpreadConstraint{{
+					MaxSkew:           1,
+					TopologyKey:       "$(params.myimage[0])",
+					WhenUnsatisfiable: corev1.DoNotSchedule,
+					LabelSelector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"app": "$(params.FOO[1])",
+						},
+					},
+				}},
+				Volumes: []corev1.Volume{{
+					Name: "$(params.myimage[0])",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "$(params.myimage[0])",
+							},
+							Items: []corev1.KeyToPath{{
+								Key:  "$(params.myimage[0])",
+								Path: "$(params.FOO[1])",
+							}},
+						},
+					},
+				}, {
+					Name: "secret-volume",
+					VolumeSource: corev1.VolumeSource{
+						Secret: &corev1.SecretVolumeSource{
+							SecretName: "$(params.myimage[0])",
+							Items: []corev1.KeyToPath{{
+								Key:  "$(params.myimage[0])",
+								Path: "$(params.FOO[1])",
+							}},
+						},
+					},
+				}, {
+					Name: "pvc-volume",
+					VolumeSource: corev1.VolumeSource{
+						PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+							ClaimName: "$(params.myimage[0])",
+						},
+					},
+				}, {
+					Name: "projected-volume",
+					VolumeSource: corev1.VolumeSource{
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{{
+								ConfigMap: &corev1.ConfigMapProjection{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "$(params.myimage[0])",
+									},
+								},
+								Secret: &corev1.SecretProjection{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "$(params.myimage[0])",
+									},
+								},
+								ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+									Audience: "$(params.FOO[1])",
+								},
+							}},
+						},
+					},
+				}, {
+					Name: "csi-volume",
+					VolumeSource: corev1.VolumeSource{
+						CSI: &corev1.CSIVolumeSource{
+							VolumeAttributes: map[string]string{
+								"secretProviderClass": "$(params.myimage[0])",
+							},
+							NodePublishSecretRef: &corev1.LocalObjectReference{
+								Name: "$(params.myimage[0])",
+							},
+						},
+					},
+				}},
+			},
 		},
 	}
 	dp := []v1.ParamSpec{{
@@ -900,10 +1614,259 @@ func TestApplyParameters_ArrayIndexing(t *testing.T) {
 		spec.Sidecars[0].Image = "bar"
 		spec.Sidecars[0].Env[0].Value = "world"
 	})
+	wantTr := &v1.TaskRun{
+		Spec: v1.TaskRunSpec{
+			Params: []v1.Param{{
+				Name:  "myimage",
+				Value: *v1.NewStructuredValues("bar", "foo"),
+			}, {
+				Name:  "FOO",
+				Value: *v1.NewStructuredValues("hello", "world"),
+			}},
+			PodTemplate: &podtpl.Template{
+				NodeSelector: map[string]string{
+					"kubernetes.io/arch": "bar",
+					"disktype":           "world",
+				},
+				ImagePullSecrets: []corev1.LocalObjectReference{
+					{Name: "bar"},
+					{Name: "world"},
+				},
+				Tolerations: []corev1.Toleration{{
+					Key:      "bar",
+					Value:    "world",
+					Operator: corev1.TolerationOpEqual,
+					Effect:   corev1.TaintEffectNoSchedule,
+				}},
+				RuntimeClassName:  ptr.To("bar"),
+				SchedulerName:     "world",
+				PriorityClassName: ptr.To("bar"),
+				HostAliases: []corev1.HostAlias{{
+					IP:        "bar",
+					Hostnames: []string{"world.example.com", "host2.example.com"},
+				}},
+				Env: []corev1.EnvVar{
+					{Name: "bar", Value: "world"},
+					{Name: "STATIC_VAR", Value: "static_value"},
+					{Name: "FROM_CONFIG", ValueFrom: &corev1.EnvVarSource{
+						ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "config-bar"},
+							Key:                  "config-key-world",
+						},
+					}},
+					{Name: "FROM_SECRET", ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "secret-bar"},
+							Key:                  "secret-key-world",
+						},
+					}},
+					{Name: "FROM_FIELD", ValueFrom: &corev1.EnvVarSource{
+						FieldRef: &corev1.ObjectFieldSelector{
+							FieldPath: "spec.nodeName.bar",
+						},
+					}},
+					{Name: "FROM_RESOURCE", ValueFrom: &corev1.EnvVarSource{
+						ResourceFieldRef: &corev1.ResourceFieldSelector{
+							Resource:      "limits.memory.world",
+							ContainerName: "container-bar",
+						},
+					}},
+				},
+				DNSConfig: &corev1.PodDNSConfig{
+					Nameservers: []string{"bar", "world"},
+					Searches:    []string{"world.local"},
+					Options: []corev1.PodDNSConfigOption{
+						{Name: "bar", Value: ptr.To("world")},
+					},
+				},
+				DNSPolicy: &[]corev1.DNSPolicy{corev1.DNSClusterFirst}[0],
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						User:  "bar",
+						Role:  "world",
+						Type:  "container_t",
+						Level: "s0:c123,c456",
+					},
+					WindowsOptions: &corev1.WindowsSecurityContextOptions{
+						GMSACredentialSpecName: ptr.To("bar"),
+						GMSACredentialSpec:     ptr.To("world"),
+						RunAsUserName:          ptr.To("bar"),
+					},
+					AppArmorProfile: &corev1.AppArmorProfile{
+						Type:             corev1.AppArmorProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("bar"),
+					},
+					Sysctls: []corev1.Sysctl{{
+						Name:  "bar",
+						Value: "world",
+					}},
+					FSGroupChangePolicy:      &[]corev1.PodFSGroupChangePolicy{corev1.FSGroupChangeOnRootMismatch}[0],
+					SupplementalGroupsPolicy: &[]corev1.SupplementalGroupsPolicy{corev1.SupplementalGroupsPolicyMerge}[0],
+					SeccompProfile: &corev1.SeccompProfile{
+						Type:             corev1.SeccompProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("world"),
+					},
+					SELinuxChangePolicy: &[]corev1.PodSELinuxChangePolicy{corev1.SELinuxChangePolicyMountOption}[0],
+				},
+				Affinity: &corev1.Affinity{
+					NodeAffinity: &corev1.NodeAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{
+							NodeSelectorTerms: []corev1.NodeSelectorTerm{{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "bar",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"world"},
+								}},
+								MatchFields: []corev1.NodeSelectorRequirement{{
+									Key:      "bar",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"world"},
+								}},
+							}},
+						},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.PreferredSchedulingTerm{{
+							Weight: 1,
+							Preference: corev1.NodeSelectorTerm{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "bar",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"world"},
+								}},
+							},
+						}},
+					},
+					PodAffinity: &corev1.PodAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"bar": "world",
+								},
+								MatchExpressions: []metav1.LabelSelectorRequirement{{
+									Key:      "bar",
+									Operator: metav1.LabelSelectorOpIn,
+									Values:   []string{"world"},
+								}},
+							},
+							TopologyKey: "bar",
+							Namespaces:  []string{"world"},
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"bar": "world",
+								},
+							},
+						}},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{{
+							Weight: 1,
+							PodAffinityTerm: corev1.PodAffinityTerm{
+								LabelSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"bar": "world",
+									},
+								},
+								TopologyKey: "bar",
+							},
+						}},
+					},
+					PodAntiAffinity: &corev1.PodAntiAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"bar": "world",
+								},
+							},
+							TopologyKey: "bar",
+						}},
+					},
+				},
+				TopologySpreadConstraints: []corev1.TopologySpreadConstraint{{
+					MaxSkew:           1,
+					TopologyKey:       "bar",
+					WhenUnsatisfiable: corev1.DoNotSchedule,
+					LabelSelector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"app": "world",
+						},
+					},
+				}},
+				Volumes: []corev1.Volume{{
+					Name: "bar",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "bar",
+							},
+							Items: []corev1.KeyToPath{{
+								Key:  "bar",
+								Path: "world",
+							}},
+						},
+					},
+				}, {
+					Name: "secret-volume",
+					VolumeSource: corev1.VolumeSource{
+						Secret: &corev1.SecretVolumeSource{
+							SecretName: "bar",
+							Items: []corev1.KeyToPath{{
+								Key:  "bar",
+								Path: "world",
+							}},
+						},
+					},
+				}, {
+					Name: "pvc-volume",
+					VolumeSource: corev1.VolumeSource{
+						PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+							ClaimName: "bar",
+						},
+					},
+				}, {
+					Name: "projected-volume",
+					VolumeSource: corev1.VolumeSource{
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{{
+								ConfigMap: &corev1.ConfigMapProjection{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "bar",
+									},
+								},
+								Secret: &corev1.SecretProjection{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "bar",
+									},
+								},
+								ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+									Audience: "world",
+								},
+							}},
+						},
+					},
+				}, {
+					Name: "csi-volume",
+					VolumeSource: corev1.VolumeSource{
+						CSI: &corev1.CSIVolumeSource{
+							VolumeAttributes: map[string]string{
+								"secretProviderClass": "bar",
+							},
+							NodePublishSecretRef: &corev1.LocalObjectReference{
+								Name: "bar",
+							},
+						},
+					},
+				}},
+			},
+		},
+	}
 	got := resources.ApplyParameters(simpleTaskSpecArrayIndexing, tr, dp...)
 	if d := cmp.Diff(want, got); d != "" {
 		t.Errorf("ApplyParameters() got diff %s", diff.PrintWantGot(d))
 	}
+
+	// Test PodTemplate parameter substitution
+	gotTr := tr.DeepCopy()
+	gotTr.Spec.PodTemplate = resources.ApplyPodTemplateReplacements(tr.Spec.PodTemplate, tr)
+	if d := cmp.Diff(wantTr, gotTr); d != "" {
+		t.Errorf("ApplyPodTemplateParameters() got diff %s", diff.PrintWantGot(d))
+	}
 }
 
 func TestApplyObjectParameters(t *testing.T) {
@@ -917,6 +1880,149 @@ func TestApplyObjectParameters(t *testing.T) {
 					"key2": "taskrun-value-for-key2",
 				}),
 			}},
+			PodTemplate: &podtpl.Template{
+				NodeSelector: map[string]string{
+					"kubernetes.io/arch": "$(params.myObject.key1)",
+					"zone":               "$(params.myObject.key2)",
+					"static":             "value",
+				},
+				Tolerations: []corev1.Toleration{{
+					Key:      "$(params.myObject.key1)",
+					Value:    "$(params.myObject.key2)",
+					Operator: corev1.TolerationOpEqual,
+					Effect:   corev1.TaintEffectNoSchedule,
+				}},
+				RuntimeClassName:  ptr.To("$(params.myObject.key1)"),
+				SchedulerName:     "$(params.myObject.key2)",
+				PriorityClassName: ptr.To("$(params.myObject.key1)"),
+				ImagePullSecrets: []corev1.LocalObjectReference{
+					{Name: "$(params.myObject.key1)"},
+					{Name: "$(params.myObject.key2)"},
+				},
+				HostAliases: []corev1.HostAlias{{
+					IP:        "$(params.myObject.key1)",
+					Hostnames: []string{"$(params.myObject.key2).example.com", "host2.example.com"},
+				}},
+				Env: []corev1.EnvVar{
+					{Name: "DEPLOYMENT_ENV", Value: "$(params.myObject.key1)"},
+					{Name: "VERSION", Value: "$(params.myObject.key2)"},
+				},
+				DNSConfig: &corev1.PodDNSConfig{
+					Nameservers: []string{"$(params.myObject.key1)", "$(params.myObject.key2)"},
+					Searches:    []string{"$(params.myObject.key2).local"},
+					Options: []corev1.PodDNSConfigOption{
+						{Name: "$(params.myObject.key1)", Value: ptr.To("$(params.myObject.key2)")},
+					},
+				},
+				DNSPolicy: &[]corev1.DNSPolicy{corev1.DNSClusterFirst}[0],
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						User:  "$(params.myObject.key1)",
+						Role:  "$(params.myObject.key2)",
+						Type:  "container_t",
+						Level: "s0:c123,c456",
+					},
+					WindowsOptions: &corev1.WindowsSecurityContextOptions{
+						GMSACredentialSpecName: ptr.To("$(params.myObject.key1)"),
+						RunAsUserName:          ptr.To("$(params.myObject.key2)"),
+					},
+					AppArmorProfile: &corev1.AppArmorProfile{
+						Type:             corev1.AppArmorProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("$(params.myObject.key1)"),
+					},
+					Sysctls: []corev1.Sysctl{{
+						Name:  "$(params.myObject.key1)",
+						Value: "$(params.myObject.key2)",
+					}},
+					FSGroupChangePolicy:      &[]corev1.PodFSGroupChangePolicy{corev1.FSGroupChangeOnRootMismatch}[0],
+					SupplementalGroupsPolicy: &[]corev1.SupplementalGroupsPolicy{corev1.SupplementalGroupsPolicyMerge}[0],
+					SeccompProfile: &corev1.SeccompProfile{
+						Type:             corev1.SeccompProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("$(params.myObject.key2)"),
+					},
+					SELinuxChangePolicy: &[]corev1.PodSELinuxChangePolicy{corev1.SELinuxChangePolicyMountOption}[0],
+				},
+				Affinity: &corev1.Affinity{
+					NodeAffinity: &corev1.NodeAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{
+							NodeSelectorTerms: []corev1.NodeSelectorTerm{{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myObject.key1)",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.myObject.key2)"},
+								}},
+								MatchFields: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myObject.key1)",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.myObject.key2)"},
+								}},
+							}},
+						},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.PreferredSchedulingTerm{{
+							Weight: 1,
+							Preference: corev1.NodeSelectorTerm{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "$(params.myObject.key1)",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"$(params.myObject.key2)"},
+								}},
+							},
+						}},
+					},
+					PodAffinity: &corev1.PodAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myObject.key1)": "$(params.myObject.key2)",
+								},
+								MatchExpressions: []metav1.LabelSelectorRequirement{{
+									Key:      "$(params.myObject.key1)",
+									Operator: metav1.LabelSelectorOpIn,
+									Values:   []string{"$(params.myObject.key2)"},
+								}},
+							},
+							TopologyKey: "$(params.myObject.key1)",
+							Namespaces:  []string{"$(params.myObject.key2)"},
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myObject.key1)": "$(params.myObject.key2)",
+								},
+							},
+						}},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{{
+							Weight: 1,
+							PodAffinityTerm: corev1.PodAffinityTerm{
+								LabelSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"$(params.myObject.key1)": "$(params.myObject.key2)",
+									},
+								},
+								TopologyKey: "$(params.myObject.key1)",
+							},
+						}},
+					},
+					PodAntiAffinity: &corev1.PodAntiAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"$(params.myObject.key1)": "$(params.myObject.key2)",
+								},
+							},
+							TopologyKey: "$(params.myObject.key1)",
+						}},
+					},
+				},
+				TopologySpreadConstraints: []corev1.TopologySpreadConstraint{{
+					MaxSkew:           1,
+					TopologyKey:       "$(params.myObject.key1)",
+					WhenUnsatisfiable: corev1.DoNotSchedule,
+					LabelSelector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"app": "$(params.myObject.key2)",
+						},
+					},
+				}},
+			},
 		},
 	}
 	dp := []v1.ParamSpec{{
@@ -966,10 +2072,171 @@ func TestApplyObjectParameters(t *testing.T) {
 		spec.Volumes[3].VolumeSource.CSI.VolumeAttributes["secretProviderClass"] = "taskrun-value-for-key1"
 		spec.Volumes[3].VolumeSource.CSI.NodePublishSecretRef.Name = "taskrun-value-for-key1"
 	})
+	wantTr := &v1.TaskRun{
+		Spec: v1.TaskRunSpec{
+			Params: []v1.Param{{
+				Name: "myObject",
+				Value: *v1.NewObject(map[string]string{
+					"key1": "taskrun-value-for-key1",
+					"key2": "taskrun-value-for-key2",
+				}),
+			}},
+			PodTemplate: &podtpl.Template{
+				NodeSelector: map[string]string{
+					"kubernetes.io/arch": "taskrun-value-for-key1",
+					"zone":               "taskrun-value-for-key2",
+					"static":             "value",
+				},
+				Tolerations: []corev1.Toleration{{
+					Key:      "taskrun-value-for-key1",
+					Value:    "taskrun-value-for-key2",
+					Operator: corev1.TolerationOpEqual,
+					Effect:   corev1.TaintEffectNoSchedule,
+				}},
+				RuntimeClassName:  ptr.To("taskrun-value-for-key1"),
+				SchedulerName:     "taskrun-value-for-key2",
+				PriorityClassName: ptr.To("taskrun-value-for-key1"),
+				ImagePullSecrets: []corev1.LocalObjectReference{
+					{Name: "taskrun-value-for-key1"},
+					{Name: "taskrun-value-for-key2"},
+				},
+				HostAliases: []corev1.HostAlias{{
+					IP:        "taskrun-value-for-key1",
+					Hostnames: []string{"taskrun-value-for-key2.example.com", "host2.example.com"},
+				}},
+				Env: []corev1.EnvVar{
+					{Name: "DEPLOYMENT_ENV", Value: "taskrun-value-for-key1"},
+					{Name: "VERSION", Value: "taskrun-value-for-key2"},
+				},
+				DNSConfig: &corev1.PodDNSConfig{
+					Nameservers: []string{"taskrun-value-for-key1", "taskrun-value-for-key2"},
+					Searches:    []string{"taskrun-value-for-key2.local"},
+					Options: []corev1.PodDNSConfigOption{
+						{Name: "taskrun-value-for-key1", Value: ptr.To("taskrun-value-for-key2")},
+					},
+				},
+				DNSPolicy: &[]corev1.DNSPolicy{corev1.DNSClusterFirst}[0],
+				SecurityContext: &corev1.PodSecurityContext{
+					SELinuxOptions: &corev1.SELinuxOptions{
+						User:  "taskrun-value-for-key1",
+						Role:  "taskrun-value-for-key2",
+						Type:  "container_t",
+						Level: "s0:c123,c456",
+					},
+					WindowsOptions: &corev1.WindowsSecurityContextOptions{
+						GMSACredentialSpecName: ptr.To("taskrun-value-for-key1"),
+						RunAsUserName:          ptr.To("taskrun-value-for-key2"),
+					},
+					AppArmorProfile: &corev1.AppArmorProfile{
+						Type:             corev1.AppArmorProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("taskrun-value-for-key1"),
+					},
+					Sysctls: []corev1.Sysctl{{
+						Name:  "taskrun-value-for-key1",
+						Value: "taskrun-value-for-key2",
+					}},
+					FSGroupChangePolicy:      &[]corev1.PodFSGroupChangePolicy{corev1.FSGroupChangeOnRootMismatch}[0],
+					SupplementalGroupsPolicy: &[]corev1.SupplementalGroupsPolicy{corev1.SupplementalGroupsPolicyMerge}[0],
+					SeccompProfile: &corev1.SeccompProfile{
+						Type:             corev1.SeccompProfileTypeLocalhost,
+						LocalhostProfile: ptr.To("taskrun-value-for-key2"),
+					},
+					SELinuxChangePolicy: &[]corev1.PodSELinuxChangePolicy{corev1.SELinuxChangePolicyMountOption}[0],
+				},
+				Affinity: &corev1.Affinity{
+					NodeAffinity: &corev1.NodeAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{
+							NodeSelectorTerms: []corev1.NodeSelectorTerm{{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "taskrun-value-for-key1",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"taskrun-value-for-key2"},
+								}},
+								MatchFields: []corev1.NodeSelectorRequirement{{
+									Key:      "taskrun-value-for-key1",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"taskrun-value-for-key2"},
+								}},
+							}},
+						},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.PreferredSchedulingTerm{{
+							Weight: 1,
+							Preference: corev1.NodeSelectorTerm{
+								MatchExpressions: []corev1.NodeSelectorRequirement{{
+									Key:      "taskrun-value-for-key1",
+									Operator: corev1.NodeSelectorOpIn,
+									Values:   []string{"taskrun-value-for-key2"},
+								}},
+							},
+						}},
+					},
+					PodAffinity: &corev1.PodAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"taskrun-value-for-key1": "taskrun-value-for-key2",
+								},
+								MatchExpressions: []metav1.LabelSelectorRequirement{{
+									Key:      "taskrun-value-for-key1",
+									Operator: metav1.LabelSelectorOpIn,
+									Values:   []string{"taskrun-value-for-key2"},
+								}},
+							},
+							TopologyKey: "taskrun-value-for-key1",
+							Namespaces:  []string{"taskrun-value-for-key2"},
+							NamespaceSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"taskrun-value-for-key1": "taskrun-value-for-key2",
+								},
+							},
+						}},
+						PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{{
+							Weight: 1,
+							PodAffinityTerm: corev1.PodAffinityTerm{
+								LabelSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"taskrun-value-for-key1": "taskrun-value-for-key2",
+									},
+								},
+								TopologyKey: "taskrun-value-for-key1",
+							},
+						}},
+					},
+					PodAntiAffinity: &corev1.PodAntiAffinity{
+						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{
+							LabelSelector: &metav1.LabelSelector{
+								MatchLabels: map[string]string{
+									"taskrun-value-for-key1": "taskrun-value-for-key2",
+								},
+							},
+							TopologyKey: "taskrun-value-for-key1",
+						}},
+					},
+				},
+				TopologySpreadConstraints: []corev1.TopologySpreadConstraint{{
+					MaxSkew:           1,
+					TopologyKey:       "taskrun-value-for-key1",
+					WhenUnsatisfiable: corev1.DoNotSchedule,
+					LabelSelector: &metav1.LabelSelector{
+						MatchLabels: map[string]string{
+							"app": "taskrun-value-for-key2",
+						},
+					},
+				}},
+			},
+		},
+	}
 	got := resources.ApplyParameters(objectParamTaskSpec, tr, dp...)
 	if d := cmp.Diff(want, got); d != "" {
 		t.Errorf("ApplyParameters() got diff %s", diff.PrintWantGot(d))
 	}
+
+	// Test PodTemplate parameter substitution
+	gotTr := tr.DeepCopy()
+	gotTr.Spec.PodTemplate = resources.ApplyPodTemplateReplacements(tr.Spec.PodTemplate, tr)
+	if d := cmp.Diff(wantTr, gotTr); d != "" {
+		t.Errorf("ApplyPodTemplateParameters() got diff %s", diff.PrintWantGot(d))
+	}
 }
 
 func TestApplyStepParameters(t *testing.T) {
diff --git a/pkg/reconciler/taskrun/taskrun.go b/pkg/reconciler/taskrun/taskrun.go
index cbbc600e965..a3a03db5606 100644
--- a/pkg/reconciler/taskrun/taskrun.go
+++ b/pkg/reconciler/taskrun/taskrun.go
@@ -889,6 +889,20 @@ func (c *Reconciler) createPod(ctx context.Context, ts *v1.TaskSpec, tr *v1.Task
 	// Apply path substitutions for the legacy credentials helper (aka "creds-init")
 	ts = resources.ApplyCredentialsPath(ts, pipeline.CredsDir)
 
+	// Apply parameter substitution to PodTemplate if it exists
+	if tr.Spec.PodTemplate != nil {
+		var defaults []v1.ParamSpec
+		if len(ts.Params) > 0 {
+			defaults = append(defaults, ts.Params...)
+		}
+		updatedPodTemplate := resources.ApplyPodTemplateReplacements(tr.Spec.PodTemplate, tr, defaults...)
+		if updatedPodTemplate != nil {
+			trCopy := tr.DeepCopy()
+			trCopy.Spec.PodTemplate = updatedPodTemplate
+			tr = trCopy
+		}
+	}
+
 	podbuilder := podconvert.Builder{
 		Images:          c.Images,
 		KubeClient:      c.KubeClientSet,
diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go
index f8875b085c1..8fa2f189173 100644
--- a/pkg/reconciler/taskrun/taskrun_test.go
+++ b/pkg/reconciler/taskrun/taskrun_test.go
@@ -79,6 +79,7 @@ import (
 	ktesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/record"
 	clock "k8s.io/utils/clock/testing"
+	"k8s.io/utils/ptr"
 	"knative.dev/pkg/apis"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	cminformer "knative.dev/pkg/configmap/informer"
@@ -777,8 +778,7 @@ spec:
 
 	taskruns := []*v1.TaskRun{
 		taskRunSuccess, taskRunWithSaSuccess, taskRunSubstitution,
-		taskRunWithTaskSpec,
-		taskRunWithLabels, taskRunWithAnnotations, taskRunWithPod,
+		taskRunWithTaskSpec, taskRunWithLabels, taskRunWithAnnotations, taskRunWithPod,
 		taskRunWithCredentialsVariable, taskRunBundle,
 	}
 
@@ -7172,3 +7172,421 @@ status:
 		})
 	}
 }
+
+// TestReconcile_PodTemplateParameterSubstitution tests that PodTemplate parameters
+// are properly substituted when a TaskRun is reconciled
+func TestReconcile_PodTemplateParameterSubstitution(t *testing.T) {
+	task := parse.MustParseV1Task(t, `
+metadata:
+  name: test-task
+  namespace: foo
+spec:
+  params:
+  - name: arch
+    type: string
+    default: amd64
+  - name: region
+    type: string
+    default: us-west-1
+  - name: selinuxuser
+    type: string
+    default: myuser
+  - name: selinuxrole
+    type: string
+    default: myrole
+  - name: gmsacredential
+    type: string  
+    default: mycredential
+  - name: apparmor
+    type: string
+    default: localhost/myprofile
+  - name: hostname
+    type: string
+    default: example.com
+  - name: volumename
+    type: string
+    default: my-volume
+  - name: disktype
+    type: string
+    default: hdd
+  steps:
+  - name: echo
+    image: busybox
+    script: echo hello
+`)
+
+	tr := parse.MustParseV1TaskRun(t, `
+metadata:
+  name: test-taskrun
+  namespace: foo
+spec:
+  params:
+  - name: arch
+    value: arm64
+  - name: region
+    value: us-east-1
+  - name: selinuxuser
+    value: customuser
+  - name: selinuxrole
+    value: customrole
+  - name: gmsacredential
+    value: customcredential
+  - name: apparmor
+    value: localhost/customprofile
+  - name: hostname
+    value: custom.example.com
+  - name: volumename
+    value: custom-volume
+  - name: disktype
+    value: nvme
+  taskRef:
+    name: test-task
+  podTemplate:
+    nodeSelector:
+      kubernetes.io/arch: $(params.arch)
+      region: $(params.region)
+    tolerations:
+    - key: arch
+      operator: Equal
+      value: $(params.arch)
+      effect: NoSchedule
+    runtimeClassName: "gvisor-$(params.arch)"
+    schedulerName: "custom-scheduler-$(params.region)"
+    priorityClassName: "priority-$(params.arch)"
+    imagePullSecrets:
+    - name: "secret-$(params.region)"
+    env:
+    - name: ARCH
+      value: $(params.arch)
+    - name: REGION
+      value: $(params.region)
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+          - matchExpressions:
+            - key: disktype
+              operator: In
+              values:
+              - $(params.disktype)
+    dnsPolicy: ClusterFirst
+    securityContext:
+      seLinuxOptions:
+        user: $(params.selinuxuser)
+        role: $(params.selinuxrole)
+        type: container_t
+        level: s0:c123,c456
+      windowsOptions:
+        gmsaCredentialSpecName: $(params.gmsacredential)
+        runAsUserName: $(params.arch)-user
+      appArmorProfile:
+        type: Localhost
+        localhostProfile: $(params.apparmor)
+      sysctls:
+      - name: kernel.$(params.arch)
+        value: $(params.region)
+    hostAliases:
+    - ip: "192.168.1.1"
+      hostnames:
+      - "$(params.hostname)"
+      - "alias.$(params.hostname)"
+    topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: zone-$(params.region)
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: myapp-$(params.arch)
+    dnsConfig:
+      nameservers:
+      - "8.8.8.8"
+      - "$(params.arch).dns.example.com"
+      searches:
+      - "$(params.region).local"
+      options:
+      - name: ndots
+        value: "2"
+    volumes:
+    - name: $(params.volumename)
+      configMap:
+        name: config-$(params.region)
+    - name: secret-volume
+      secret:
+        secretName: secret-$(params.arch)
+        items:
+        - key: $(params.region)
+          path: secret/$(params.arch)
+    - name: projected-volume
+      projected:
+        sources:
+        - configMap:
+            name: projected-config-$(params.region)
+        - secret:
+            name: projected-secret-$(params.arch)
+        - serviceAccountToken:
+            audience: audience-$(params.region)
+    - name: csi-volume
+      csi:
+        driver: csi.example.com
+        nodePublishSecretRef:
+          name: csi-secret-$(params.arch)
+        volumeAttributes:
+          foo: $(params.region)
+`)
+
+	d := test.Data{
+		TaskRuns: []*v1.TaskRun{tr},
+		Tasks:    []*v1.Task{task},
+	}
+	testAssets, cancel := getTaskRunController(t, d)
+	defer cancel()
+	createServiceAccount(t, testAssets, "default", tr.Namespace)
+
+	err := testAssets.Controller.Reconciler.Reconcile(testAssets.Ctx, getRunName(tr))
+	if err == nil {
+		t.Errorf("Expected reconcile to return a requeue indicating the pod was created, but got nil")
+	} else if ok, _ := controller.IsRequeueKey(err); !ok {
+		t.Errorf("Expected a requeue error, got: %v", err)
+	}
+
+	// Get the created pod and verify parameter substitution
+	pods, err := testAssets.Clients.Kube.CoreV1().Pods(tr.Namespace).List(testAssets.Ctx, metav1.ListOptions{})
+	if err != nil {
+		t.Fatalf("Error listing pods: %v", err)
+	}
+
+	if len(pods.Items) != 1 {
+		t.Fatalf("Expected 1 pod to be created, got %d", len(pods.Items))
+	}
+
+	pod := pods.Items[0]
+
+	// Verify nodeSelector substitution
+	expectedNodeSelector := map[string]string{
+		"kubernetes.io/arch": "arm64",
+		"region":             "us-east-1",
+	}
+	if d := cmp.Diff(expectedNodeSelector, pod.Spec.NodeSelector); d != "" {
+		t.Errorf("NodeSelector mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify tolerations substitution
+	expectedTolerations := []corev1.Toleration{{
+		Key:      "arch",
+		Operator: corev1.TolerationOpEqual,
+		Value:    "arm64",
+		Effect:   corev1.TaintEffectNoSchedule,
+	}}
+	if d := cmp.Diff(expectedTolerations, pod.Spec.Tolerations); d != "" {
+		t.Errorf("Tolerations mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify runtime class substitution
+	expectedRuntimeClassName := "gvisor-arm64"
+	if d := cmp.Diff(&expectedRuntimeClassName, pod.Spec.RuntimeClassName); d != "" {
+		t.Errorf("RuntimeClassName mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify scheduler name substitution
+	expectedSchedulerName := "custom-scheduler-us-east-1"
+	if d := cmp.Diff(expectedSchedulerName, pod.Spec.SchedulerName); d != "" {
+		t.Errorf("SchedulerName mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify priority class name substitution
+	expectedPriorityClassName := "priority-arm64"
+	if d := cmp.Diff(expectedPriorityClassName, pod.Spec.PriorityClassName); d != "" {
+		t.Errorf("PriorityClassName mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify image pull secrets substitution
+	expectedImagePullSecrets := []corev1.LocalObjectReference{{
+		Name: "secret-us-east-1",
+	}}
+	if d := cmp.Diff(expectedImagePullSecrets, pod.Spec.ImagePullSecrets); d != "" {
+		t.Errorf("ImagePullSecrets mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify environment variables substitution in all containers
+	expectedEnvVars := []corev1.EnvVar{
+		{Name: "ARCH", Value: "arm64"},
+		{Name: "REGION", Value: "us-east-1"},
+	}
+
+	for _, container := range pod.Spec.Containers {
+		// Find our added env vars
+		var actualEnvVars []corev1.EnvVar
+		for _, env := range container.Env {
+			if env.Name == "ARCH" || env.Name == "REGION" {
+				actualEnvVars = append(actualEnvVars, env)
+			}
+		}
+
+		if d := cmp.Diff(expectedEnvVars, actualEnvVars); d != "" {
+			t.Errorf("Environment variables mismatch in container %s: %s", container.Name, diff.PrintWantGot(d))
+		}
+	}
+
+	// Verify affinity substitution
+	expectedAffinity := &corev1.Affinity{
+		NodeAffinity: &corev1.NodeAffinity{
+			RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{
+				NodeSelectorTerms: []corev1.NodeSelectorTerm{{
+					MatchExpressions: []corev1.NodeSelectorRequirement{{
+						Key:      "disktype",
+						Operator: corev1.NodeSelectorOpIn,
+						Values:   []string{"nvme"},
+					}},
+				}},
+			},
+		},
+	}
+	if d := cmp.Diff(expectedAffinity, pod.Spec.Affinity); d != "" {
+		t.Errorf("Affinity mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify dnsPolicy substitution
+	expectedDNSPolicy := corev1.DNSClusterFirst
+	if d := cmp.Diff(expectedDNSPolicy, pod.Spec.DNSPolicy); d != "" {
+		t.Errorf("DNSPolicy mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify securityContext substitution (string fields only, excluding int/bool fields)
+	expectedSecurityContext := &corev1.PodSecurityContext{
+		SELinuxOptions: &corev1.SELinuxOptions{
+			User:  "customuser",
+			Role:  "customrole",
+			Type:  "container_t",
+			Level: "s0:c123,c456",
+		},
+		WindowsOptions: &corev1.WindowsSecurityContextOptions{
+			GMSACredentialSpecName: ptr.To("customcredential"),
+			RunAsUserName:          ptr.To("arm64-user"),
+		},
+		AppArmorProfile: &corev1.AppArmorProfile{
+			Type:             corev1.AppArmorProfileTypeLocalhost,
+			LocalhostProfile: ptr.To("localhost/customprofile"),
+		},
+		Sysctls: []corev1.Sysctl{{
+			Name:  "kernel.arm64",
+			Value: "us-east-1",
+		}},
+	}
+	if d := cmp.Diff(expectedSecurityContext, pod.Spec.SecurityContext); d != "" {
+		t.Errorf("SecurityContext mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify hostAliases substitution
+	expectedHostAliases := []corev1.HostAlias{{
+		IP:        "192.168.1.1",
+		Hostnames: []string{"custom.example.com", "alias.custom.example.com"},
+	}}
+	if d := cmp.Diff(expectedHostAliases, pod.Spec.HostAliases); d != "" {
+		t.Errorf("HostAliases mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify topologySpreadConstraints substitution
+	expectedTopologySpreadConstraints := []corev1.TopologySpreadConstraint{{
+		MaxSkew:           1,
+		TopologyKey:       "zone-us-east-1",
+		WhenUnsatisfiable: corev1.DoNotSchedule,
+		LabelSelector: &metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"app": "myapp-arm64",
+			},
+		},
+	}}
+	if d := cmp.Diff(expectedTopologySpreadConstraints, pod.Spec.TopologySpreadConstraints); d != "" {
+		t.Errorf("TopologySpreadConstraints mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify dnsConfig substitution
+	expectedDNSConfig := &corev1.PodDNSConfig{
+		Nameservers: []string{"8.8.8.8", "arm64.dns.example.com"},
+		Searches:    []string{"us-east-1.local"},
+		Options: []corev1.PodDNSConfigOption{{
+			Name:  "ndots",
+			Value: ptr.To("2"),
+		}},
+	}
+	if d := cmp.Diff(expectedDNSConfig, pod.Spec.DNSConfig); d != "" {
+		t.Errorf("DNSConfig mismatch: %s", diff.PrintWantGot(d))
+	}
+
+	// Verify volumes substitution
+	expectedVolumes := []corev1.Volume{{
+		Name: "custom-volume",
+		VolumeSource: corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: "config-us-east-1",
+				},
+			},
+		},
+	}, {
+		Name: "secret-volume",
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName: "secret-arm64",
+				Items: []corev1.KeyToPath{{
+					Key:  "us-east-1",
+					Path: "secret/arm64",
+				}},
+			},
+		},
+	}, {
+		Name: "projected-volume",
+		VolumeSource: corev1.VolumeSource{
+			Projected: &corev1.ProjectedVolumeSource{
+				Sources: []corev1.VolumeProjection{{
+					ConfigMap: &corev1.ConfigMapProjection{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: "projected-config-us-east-1",
+						},
+					},
+				}, {
+					Secret: &corev1.SecretProjection{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: "projected-secret-arm64",
+						},
+					},
+				}, {
+					ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+						Audience: "audience-us-east-1",
+					},
+				}},
+			},
+		},
+	}, {
+		Name: "csi-volume",
+		VolumeSource: corev1.VolumeSource{
+			CSI: &corev1.CSIVolumeSource{
+				Driver: "csi.example.com",
+				NodePublishSecretRef: &corev1.LocalObjectReference{
+					Name: "csi-secret-arm64",
+				},
+				VolumeAttributes: map[string]string{
+					"foo": "us-east-1",
+				},
+			},
+		},
+	}}
+
+	// Filter out system volumes (like tekton volumes) to focus on our custom volumes
+	var actualCustomVolumes []corev1.Volume
+	customVolumeNames := map[string]bool{
+		"custom-volume":    true,
+		"secret-volume":    true,
+		"projected-volume": true,
+		"csi-volume":       true,
+	}
+	for _, vol := range pod.Spec.Volumes {
+		if customVolumeNames[vol.Name] {
+			actualCustomVolumes = append(actualCustomVolumes, vol)
+		}
+	}
+
+	if d := cmp.Diff(expectedVolumes, actualCustomVolumes); d != "" {
+		t.Errorf("Custom volumes mismatch: %s", diff.PrintWantGot(d))
+	}
+}