diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
index 4820a06a1..4df939bec 100644
--- a/internal/resource/statefulset.go
+++ b/internal/resource/statefulset.go
@@ -494,15 +494,30 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
  {
  Name: "copy-config",
  Image: builder.Instance.Spec.Image,
+ SecurityContext: &corev1.SecurityContext{
+ RunAsUser: pointer.Int64Ptr(0),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{
+ // Remove default capabilities allowed by Docker except for CHOWN and FOWNER
+ "SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FSETID",
+ "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
+ },
+ },
+ },
  Command: []string{
- "sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf && echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
- "cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config ; " +
- "cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf ; " +
+ "sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf " +
+ "&& chown 999:999 /etc/rabbitmq/rabbitmq.conf " +
+ "&& echo '' >> /etc/rabbitmq/rabbitmq.conf ; " +
+ "cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config " +
+ "&& chown 999:999 /etc/rabbitmq/advanced.config ; " +
+ "cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf " +
+ "&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf " +
  "cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " +
  "&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie " +
  "&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; " +
  "cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins " +
- "&& chown 999:999 /etc/rabbitmq/enabled_plugins",
+ "&& chown 999:999 /etc/rabbitmq/enabled_plugins ; " +
+ "chgrp 999 /var/lib/rabbitmq/mnesia/",
  },
  Resources: corev1.ResourceRequirements{
  Limits: map[corev1.ResourceName]k8sresource.Quantity{
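Review bot: The new SecurityContext on the copy-config init container sets `RunAsUser: 0` and trims the capability set down to CHOWN and FOWNER, but leaves `AllowPrivilegeEscalation` unset, so the container keeps the default; add `AllowPrivilegeEscalation: pointer.BoolPtr(false),` next to `RunAsUser` so the root init container is limited to exactly the two capabilities it keeps. The comment on the Drop list says what is dropped but not why root is required at all; a line such as `// runs as root so the copied config files and the mnesia directory can be chowned to the rabbitmq user (999)` above `SecurityContext` would make the trade-off reviewable. With DAC_OVERRIDE dropped, root is bound by the mode bits of /etc/rabbitmq and the persistence mount, so the `cp`/`chown`/`chgrp` steps depend on those directories being root-owned or writable — worth checking against the volume definitions, which are outside this hunk. The `chgrp 999 /var/lib/rabbitmq/mnesia/` step is the last command in the `sh -c` script and so determines the init container's exit status, while the preceding `;`-separated copies still fail silently; if that asymmetry is intentional it deserves a comment. podTemplateSpec continues outside the hunk.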
@@ -535,6 +550,10 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
  Name: "erlang-cookie-secret",
  MountPath: "/tmp/erlang-cookie-secret/",
  },
+ {
+ Name: "persistence",
+ MountPath: "/var/lib/rabbitmq/mnesia/",
+ },
  },
  },
  },
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
index 85eb1e9db..5cf72ea32 100644
--- a/internal/resource/statefulset_test.go
+++ b/internal/resource/statefulset_test.go
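Review bot: The new `persistence` mount hands the root-running init container the entire data volume, yet nothing at the mount says why; its only consumer is the `chgrp 999 /var/lib/rabbitmq/mnesia/` step in the same container's command (first hunk of this file). A comment such as `// mounted so copy-config can set the group of the mnesia directory to 999` keeps the mount from looking unused and records that it is intentionally writable. The enclosing podTemplateSpec starts and ends outside the hunk.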
@@ -941,19 +941,24 @@ var _ = Describe("StatefulSet", func() { Expect(stsBuilder.Update(statefulSet)).To(Succeed()) initContainers := statefulSet.Spec.Template.Spec.InitContainers - Expect(len(initContainers)).To(Equal(1)) + Expect(initContainers).To(HaveLen(1)) container := extractContainer(initContainers, "copy-config") - Expect(container.Command).To(Equal([]string{ - "sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf && echo '' >> /etc/rabbitmq/rabbitmq.conf ; " + - "cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config ; " + - "cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf ; " + - "cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " + - "&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie " + - "&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; " + - "cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins " + - "&& chown 999:999 /etc/rabbitmq/enabled_plugins", - })) + Expect(container.Command).To(ConsistOf( + "sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf "+ + "&& chown 999:999 /etc/rabbitmq/rabbitmq.conf "+ + "&& echo '' >> /etc/rabbitmq/rabbitmq.conf ; "+ + "cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config "+ + "&& chown 999:999 /etc/rabbitmq/advanced.config ; "+ + "cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf "+ + "&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf ; "+ + "cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie "+ + "&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie "+ + "&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; "+ + "cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins "+ + "&& chown 999:999 /etc/rabbitmq/enabled_plugins ; "+ + "chgrp 999 /var/lib/rabbitmq/mnesia/", + )) Expect(container.VolumeMounts).To(ConsistOf( corev1.VolumeMount{ 
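Review bot: Replacing `Equal([]string{...})` with `ConsistOf(...)` on `container.Command` drops the order check, so a command whose elements were permuted (for example the script before `"-c"`) would still pass even though it would not execute; `ConsistOf` is meant for unordered collections. Keep an ordered assertion, e.g. `Expect(container.Command).To(HaveExactElements("sh", "-c", script))` with the script string unchanged, and leave `ConsistOf` for the VolumeMounts check that follows. The enclosing `It` block begins before the hunk.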
@@ -977,9 +982,18 @@ var _ = Describe("StatefulSet", func() { Name: "erlang-cookie-secret", MountPath: "/tmp/erlang-cookie-secret/", }, + corev1.VolumeMount{ + Name: "persistence", + MountPath: "/var/lib/rabbitmq/mnesia/", + }, )) Expect(container.Image).To(Equal("rabbitmq-image-from-cr")) + Expect(container.SecurityContext.RunAsUser).To(Equal(pointer.Int64Ptr(0))) + Expect(container.SecurityContext.Capabilities.Drop).To(ConsistOf([]corev1.Capability{ + "SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FSETID", + "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP", + })) }) It("adds the required terminationGracePeriodSeconds", func() {
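Review bot: The new assertions dereference `container.SecurityContext` and `.Capabilities` directly, so a regression that leaves either nil makes the test panic rather than fail with a message; precede them with `Expect(container.SecurityContext).NotTo(BeNil())` and `Expect(container.SecurityContext.Capabilities).NotTo(BeNil())`. Nothing checks that `Capabilities.Add` is empty, so a later edit that grants a capability back would pass unnoticed; `Expect(container.SecurityContext.Capabilities.Add).To(BeEmpty())` closes that gap. The enclosing `It` block begins before the hunk.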