diff --git a/config/deployment.yaml b/config/deployment.yaml
index 170a429bc..53dc2b7d2 100644
--- a/config/deployment.yaml
+++ b/config/deployment.yaml
@@ -61,6 +61,13 @@ spec:
           requests:
             memory: "1G"
             cpu: ".5"
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65533
+          capabilities:
+            drop:
+            - all
       volumes:
       - name: fulcio-config
         configMap: