diff --git a/Dockerfile.webhook b/Dockerfile.webhook
index 2ea2c006d..7aa026e73 100644
--- a/Dockerfile.webhook
+++ b/Dockerfile.webhook
@@ -6,5 +6,6 @@ RUN make _build-webhook BIN_PATH=build/_output/cmd
 FROM quay.io/centos/centos:stream9
 LABEL io.k8s.display-name="sriov-network-webhook" \
       io.k8s.description="This is an admission controller webhook that mutates and validates customer resources of sriov network operator."
+USER 1001
 COPY --from=builder /go/src/github.com/k8snetworkplumbingwg/sriov-network-operator/build/_output/cmd/webhook /usr/bin/webhook
 CMD ["/usr/bin/webhook"]
diff --git a/bindata/manifests/operator-webhook/server.yaml b/bindata/manifests/operator-webhook/server.yaml
index 41cfe6917..188a7f182 100644
--- a/bindata/manifests/operator-webhook/server.yaml
+++ b/bindata/manifests/operator-webhook/server.yaml
@@ -23,6 +23,8 @@ spec:
       labels:
         app: operator-webhook
     spec:
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: operator-webhook-sa
       priorityClassName: "system-cluster-critical"
       nodeSelector:
@@ -76,6 +78,9 @@ spec:
               fieldPath: metadata.namespace
         - name: DEV_MODE
           value: "{{.DevMode}}"
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         resources:
           requests:
             cpu: 10m
diff --git a/bindata/manifests/webhook/server.yaml b/bindata/manifests/webhook/server.yaml
index bf5739ac7..659f71b7e 100644
--- a/bindata/manifests/webhook/server.yaml
+++ b/bindata/manifests/webhook/server.yaml
@@ -26,6 +26,8 @@ spec:
         type: infra
         openshift.io/component: network
     spec:
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: network-resources-injector-sa
       priorityClassName: "system-cluster-critical"
       nodeSelector:
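Review bot: `USER 1001` is placed before the `COPY --from=builder … /usr/bin/webhook` line, but COPY does not honor USER: the binary lands owned by root:root with the source file's mode, so the container only works if build/_output/cmd/webhook is world-executable, which nothing in the hunk guarantees. Either change the copy to `COPY --chown=1001:0 --from=builder …` or state the assumption in a comment. A one-line comment above the new instruction, `# numeric UID so the kubelet can verify runAsNonRoot without an /etc/passwd entry`, would also tie this line to the manifests in the same commit that depend on that property.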
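Review bot: The pod-level securityContext added at the top of the template spec sets only `runAsNonRoot: true`; the restricted Pod Security Standard these changes appear to target also requires a seccomp profile, which is still absent here and in the matching hunk of bindata/manifests/webhook/server.yaml. Adding `seccompProfile:` / `type: RuntimeDefault` under the new `securityContext:` would complete the pod-level part. Because no `runAsUser` is given, the kubelet enforces runAsNonRoot from the image's USER, which holds for this pod only because Dockerfile.webhook now declares a numeric `USER 1001`; a comment such as `# image must declare a numeric USER (see Dockerfile.webhook)` keeps the two from drifting apart.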
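Review bot: The container securityContext added after the `DEV_MODE` env entry sets `readOnlyRootFilesystem` and `allowPrivilegeEscalation` but does not drop capabilities, so the container still starts with the runtime's default capability set; the same gap is in the container hunks of bindata/manifests/webhook/server.yaml and config/manager/manager.yaml. Add `capabilities:` / `drop:` / `- ALL` under the new block, and re-add a single capability only if the process is shown to need one. Note also that the injector hunk in this commit adds `-logtostderr=true` next to its read-only root filesystem while the operator-webhook container gets no such flag; if the webhook binary writes log or temp files under the root filesystem, that will now fail at runtime and should be checked before merging. The enclosing container definition starts outside the hunk.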
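Review bot: `runAsNonRoot: true` is added to the network-resources-injector pod without a `runAsUser`, and the injector image is not the one built from Dockerfile.webhook in this commit, so whether the kubelet can verify a non-root user depends on that image declaring a numeric USER; if it declares none or a non-numeric one, the container is rejected at start with CreateContainerConfigError. If the image cannot be relied on for this, set an explicit UID here, e.g. `runAsUser: <UID the injector image supports>` (placeholder). The image reference itself is outside the hunk.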
@@ -71,11 +73,16 @@ spec:
         - -tls-private-key-file=/etc/tls/tls.key
         - -tls-cert-file=/etc/tls/tls.crt
         - -insecure=true
+        - -logtostderr=true
+        - -alsologtostderr=true
         env:
         - name: NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         resources:
           requests:
             cpu: 10m
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 79adfe72a..586fa3f17 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -33,6 +33,7 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
         livenessProbe:
           httpGet:
             path: /healthz
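Review bot: The two new args `-logtostderr=true` and `-alsologtostderr=true` overlap: with glog-style flags, `logtostderr=true` already sends all output to stderr instead of files, and `alsologtostderr` only has an effect while file logging is active, so the second flag is a no-op here (assuming the injector uses glog/klog semantics — confirm). Keeping only `- -logtostderr=true` with a comment such as `# required: readOnlyRootFilesystem below leaves no writable log dir` records why this arg is tied to the securityContext added later in the same hunk; without the comment the next maintainer may remove one and break the other. The enclosing container definition starts outside the hunk.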
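Review bot: `readOnlyRootFilesystem: true` is added to the manager container, but nothing in the hunk shows a writable emptyDir volume for it; if the manager writes a cache or temp files under its root filesystem, it will now fail at runtime, so that should be confirmed before merging. Unlike the two webhook manifests in this commit, no `runAsNonRoot` is visible for the manager; if the pod spec (outside the hunk) does not set it, add `runAsNonRoot: true` to this container securityContext so all three workloads are held to the same baseline. The enclosing container definition starts outside the hunk.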