diff --git a/config/rekor.yaml b/config/rekor.yaml
index 5a7cdceb09112d6d3535391a9759061379f374d1..19ff2e5b1af45f61958bb8bb14191a9eaf06240c 100644
--- a/config/rekor.yaml
+++ b/config/rekor.yaml
@@ -79,6 +79,12 @@ spec:
           requests:
             memory: "1G"
             cpu: ".5"
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - all
 ---
 apiVersion: v1
 kind: Service
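Review bot: The securityContext added to the container in config/rekor.yaml does not set `allowPrivilegeEscalation: false`, which Kubernetes treats as allowed when unset, so a setuid binary in the image could still change the effective UID even with capabilities dropped. The drop entry should also be spelled `- ALL`: runtimes generally accept the lowercase form, but policy checks such as the Pod Security Standards restricted profile look for the literal `ALL`. If the restricted profile is the target, `seccompProfile: {type: RuntimeDefault}` is needed as well. The same three points apply to the identical block added in config/watcher.yaml; the container spec itself begins outside both hunks.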
diff --git a/config/watcher.yaml b/config/watcher.yaml
index 072eb2028803583e16e0b54a4bd93df98e636cbc..659ad098d8872ca90f8d01a08165dac10f456dbd 100644
--- a/config/watcher.yaml
+++ b/config/watcher.yaml
@@ -54,3 +54,9 @@ spec:
           requests:
             memory: "1G"
             cpu: ".5"
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - all
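Review bot: `runAsNonRoot: true` is set here (and in the config/rekor.yaml hunk) without a `runAsUser`, so the kubelet can only enforce it when the image declares a numeric non-zero USER. The image is not visible in this diff; if it runs as root or names its user by string, the container will be refused at start rather than run unprivileged. Pinning the UID, e.g. `runAsUser: <NON_ZERO_UID>` (placeholder), makes the manifest independent of the image. With `readOnlyRootFilesystem: true`, any path the process writes (temp or cache directories) needs an `emptyDir` mount; the volume mounts are outside the hunk, so this is worth confirming before rollout.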