diff --git a/charts/primary-site/templates/cronjobs/garbage-collector.yaml b/charts/primary-site/templates/cronjobs/garbage-collector.yaml
index 7b712b2..71acdcb 100644
--- a/charts/primary-site/templates/cronjobs/garbage-collector.yaml
+++ b/charts/primary-site/templates/cronjobs/garbage-collector.yaml
@@ -34,10 +34,16 @@ spec:
 - name: garbage-collector
 image: {{ .Values.garbageCollector.deployment.image }}:{{ .Chart.AppVersion }}
 securityContext:
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 65534
 runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - mountPath: /secrets
 name: cloud-credentials
diff --git a/charts/primary-site/templates/deployments/_inbox-container.tpl b/charts/primary-site/templates/deployments/_inbox-container.tpl
index 0c3a786..c66838a 100644
--- a/charts/primary-site/templates/deployments/_inbox-container.tpl
+++ b/charts/primary-site/templates/deployments/_inbox-container.tpl
@@ -42,9 +42,15 @@ template:
 image: {{ .Values.inboxListener.deployment.image }}:{{ .Chart.AppVersion }}
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 65534
 runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
 resources:
 requests:
 cpu: {{ .Values.inboxListener.deployment.resources.requests.cpu }}
diff --git a/charts/primary-site/templates/deployments/query-server.yaml b/charts/primary-site/templates/deployments/query-server.yaml
index 06272aa..a53c544 100644
--- a/charts/primary-site/templates/deployments/query-server.yaml
+++ b/charts/primary-site/templates/deployments/query-server.yaml
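Review bot: In garbage-collector.yaml, `readOnlyRootFilesystem: true` is added but the only mount visible in the hunk is the `/secrets` credentials volume, so nothing gives the process a writable path. If the binary or a library it uses writes temp or cache files, the job will fail at run time with a read-only filesystem error rather than at deploy time; I would pair the flag with a scratch mount, `- mountPath: /tmp` / `name: tmp` under `volumeMounts`, backed by an `emptyDir: {}` volume on the pod. The same applies to the _inbox-container.tpl, query-server.yaml and site-controller.yaml hunks, where no `volumeMounts` are visible at all. The container spec continues outside the hunk, so an existing scratch mount may already cover this; worth confirming with a run of each workload under the hardened context before merge.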
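Review bot: In _inbox-container.tpl, the hardening keys added under `securityContext` are the same ones repeated in all four templates of this commit, and the copies already differ in key order: garbage-collector.yaml puts `readOnlyRootFilesystem` and `capabilities` before `allowPrivilegeEscalation`, while this file, query-server.yaml and site-controller.yaml put them after it. Defining the block once as a named template would keep a later tightening from missing one workload. For example, render it with `{{- include "primary-site.containerSecurityContext" . | nindent N }}` (name is a suggestion, N set to each call site's indent). The unchanged `runAsNonRoot`/`runAsUser`/`runAsGroup` lines could move into the same helper. The enclosing container spec starts and ends outside the hunk.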
@@ -45,9 +45,15 @@ spec:
 image: {{ $values.deployment.image }}:{{ .Chart.AppVersion }}
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 65534
 runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
 resources:
 requests:
 cpu: {{ $values.deployment.resources.requests.cpu }}
diff --git a/charts/primary-site/templates/deployments/site-controller.yaml b/charts/primary-site/templates/deployments/site-controller.yaml
index 34d6fce..c855dca 100644
--- a/charts/primary-site/templates/deployments/site-controller.yaml
+++ b/charts/primary-site/templates/deployments/site-controller.yaml
@@ -37,9 +37,15 @@ spec:
 image: {{ .Values.siteController.deployment.image }}:{{ .Chart.AppVersion }}
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 65534
 runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
 resources:
 requests:
 cpu: {{ .Values.siteController.deployment.resources.requests.cpu }}
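Review bot: In query-server.yaml, `seccompProfile` and the capability drop are set on this one container's `securityContext`, so any init container or sidecar in the same pod would not inherit them. `seccompProfile: {type: RuntimeDefault}` can instead be set once in the pod-level `securityContext`, which covers every container in the pod. `capabilities`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` exist only at container level and have to be repeated per container. The pod spec is outside the hunk, so I cannot tell whether other containers exist; if they do, here or in the other three templates, they need the same settings for the pod to be uniformly hardened.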