diff --git a/packages/zarf-registry/chart/templates/deployment.yaml b/packages/zarf-registry/chart/templates/deployment.yaml
index e0e878eb82..f4263ca731 100644
--- a/packages/zarf-registry/chart/templates/deployment.yaml
+++ b/packages/zarf-registry/chart/templates/deployment.yaml
@@ -33,8 +33,11 @@ spec:
 {{- end }}
 priorityClassName: system-node-critical
 securityContext:
- fsGroup: 1000
 runAsUser: 1000
+ fsGroup: 2000
+ runAsGroup: 2000
+ seccompProfile:
+ type: "RuntimeDefault"
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -53,6 +56,12 @@ spec:
 httpGet:
 path: /
 port: 5000
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
 resources:
 {{ toYaml .Values.resources | indent 12 }}
 env:
diff --git a/src/pkg/cluster/injector.go b/src/pkg/cluster/injector.go
index 48552ac5e1..b117e891d6 100644
--- a/src/pkg/cluster/injector.go
+++ b/src/pkg/cluster/injector.go
@@ -319,6 +319,9 @@ func hasBlockingTaints(taints []corev1.Taint) bool {
 
 func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum string, resReq corev1.ResourceRequirements) *corev1.Pod {
 executeMode := int32(0777)
+ userID := int64(1000)
+ groupID := int64(2000)
+ fsGroupID := int64(2000)
 
 pod := &corev1.Pod{
 TypeMeta: metav1.TypeMeta{
@@ -337,6 +340,12 @@ func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum s
 NodeName: nodeName,
 // Do not try to restart the pod as it will be deleted/re-created instead.
 RestartPolicy: corev1.RestartPolicyNever,
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: &userID,
+ RunAsGroup: &groupID,
+ FSGroup: &fsGroupID,
+ SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+ },
 Containers: []corev1.Container{
 {
 Name: "injector",
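Review bot: Moving `fsGroup` from 1000 to 2000 on an already-deployed registry makes the kubelet recursively change group ownership of the registry's data volume on the next pod start, which on a large image store can delay startup noticeably; adding `fsGroupChangePolicy: "OnRootMismatch"` beside the new `fsGroup` line confines that to the first mount after the change. This assumes the registry data lives on a persistent volume, which is defined outside this hunk. The uid/gid pair 1000/2000 is also hardcoded while `image` and `resources` come from values, so a one-line comment stating the intent would help operators substituting a custom image, e.g. `# non-root uid/gid for the registry process; the data volume is group-owned by fsGroup`.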
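Review bot: `readOnlyRootFilesystem: true` is only safe if every path the registry writes to is a mounted volume; the Deployment's volumes and the registry storage root are outside this hunk, so confirm the storage directory and any cache or temp directory the image uses are backed by a PVC or `emptyDir`, otherwise the first push fails at runtime. `runAsNonRoot: true` here depends on the pod-level `runAsUser: 1000` in the earlier hunk to be admitted, which is worth stating next to it. Together with the pod-level `seccompProfile`, this block matches the `restricted` Pod Security Standard, so a comment such as `# container hardening for the 'restricted' Pod Security Standard; do not relax individually` records why all five settings travel together.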
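Review bot: `userID`, `groupID` and `fsGroupID` are new locals carrying the same magic numbers the registry chart in this commit uses (1000/2000), with nothing tying the two places together; declaring package-level constants (`injectorUID = 1000`, `injectorGID = 2000`) with a comment like `// must stay in sync with packages/zarf-registry/chart/templates/deployment.yaml` and deriving the address-taken locals from them makes the coupling visible and gives a single place to change. If `fsGroupID` is meant to always equal `groupID`, `fsGroupID := groupID` avoids a second literal that can drift. The enclosing `buildInjectionPod` body continues past this hunk.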
@@ -366,6 +375,14 @@ func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum s
 },
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ ReadOnlyRootFilesystem: helpers.BoolPtr(true),
+ AllowPrivilegeEscalation: helpers.BoolPtr(false),
+ RunAsNonRoot: helpers.BoolPtr(true),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ },
 Resources: resReq,
 },
 },
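Review bot: `ReadOnlyRootFilesystem: true` together with the pod-level `RunAsUser: 1000` and `Drop: ["ALL"]` means the injector container can write only to its mounted volumes and, depending on the runtime, may no longer bind a port below 1024; the volume mounts and the listening port are defined outside this hunk, so confirm the injector writes its reassembled payload only to a mounted path and listens on an unprivileged port, or the pod will crash after this change. A comment on the new `SecurityContext` would make that contract explicit, e.g. `// restricted-PSS hardening: the injector must only write to mounted volumes and bind an unprivileged port`. The enclosing `buildInjectionPod` starts before this hunk.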