diff --git a/sonobuoy/templates/pod-api.yaml b/sonobuoy/templates/pod-api.yaml
index 28b399e4..be0d11cf 100644
--- a/sonobuoy/templates/pod-api.yaml
+++ b/sonobuoy/templates/pod-api.yaml
@@ -63,6 +63,7 @@ metadata:
 spec:
 nodeSelector:
 {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value}}
+{{ dict "envAll" $envAll "application" "sonobuoy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 initContainers:
 {{ tuple $envAll "sonobuoy" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
 containers:
@@ -73,6 +74,7 @@ spec:
 fieldRef:
 fieldPath: status.podIP
 {{ tuple $envAll "sonobuoy_api" | include "helm-toolkit.snippets.image" | indent 4 }}
+{{ dict "envAll" $envAll "application" "sonobuoy" "container" "kube_sonobuoy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 4 }}
 command:
 - /run_master.sh
 volumeMounts:
diff --git a/sonobuoy/values.yaml b/sonobuoy/values.yaml
index 82680058..67fd8e3c 100644
--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@@ -39,6 +39,14 @@ dependencies:
 - sonobuoy-ks-user
 pod:
+ security_context: sonobuoy: pod: runAsUser: 1000 container: kube_sonobuoy: readOnlyRootFilesystem: true allowPrivilegeEscalation: false resources: enabled: false jobs:
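Review bot: The pod-level securityContext rendered by the added `kubernetes_pod_security_context` line only carries what values.yaml supplies, and that is just `runAsUser: 1000`; `runAsUser` pins the UID but if an override drops it the pod silently falls back to the image's USER, and no seccomp profile is applied at all. Add `runAsNonRoot: true` next to `runAsUser: 1000` under `pod.security_context.sonobuoy.pod` so the kubelet refuses to start any container whose effective UID is 0, and — if the helm-toolkit snippet in use passes the map through verbatim (it appears to; confirm against the vendored chart) — `seccompProfile: {type: RuntimeDefault}` to meet the Restricted Pod Security Standard. UID 1000 also has to match the ownership of the files the sonobuoy image expects to read and write, which is not visible here and should be verified against the image. The enclosing `spec:` block continues outside the hunk.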
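Review bot: The container securityContext inserted before `command:` renders only `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` from values.yaml; it does not drop Linux capabilities, so the process keeps the runtime's default bounding set (CHOWN, NET_RAW, SETUID and friends on common runtimes) even though it runs as an unprivileged UID. Add `capabilities: {drop: [ALL]}` under `pod.security_context.sonobuoy.container.kube_sonobuoy`. Separately, `/run_master.sh` now starts on a read-only root filesystem; if it writes anywhere outside the mounted volumes (pid files, `/tmp`, a results directory) it will fail at runtime, so confirm its write paths and back any such path with an `emptyDir` — the `volumeMounts:` list continues outside the hunk, so that cannot be checked here.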
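Review bot: The new `security_context.sonobuoy` block gives the init container rendered by `kubernetes_entrypoint_init_container` no container-level entry, so it inherits only the pod-level `runAsUser` and does not get `readOnlyRootFilesystem` or `allowPrivilegeEscalation: false`. If the helm-toolkit version in use looks up `container.init` for that snippet (recent openstack-helm-infra releases do; confirm against the vendored chart), add `init:` with the same two keys beside `kube_sonobuoy:`. A short comment above `security_context:` stating the intended profile would also help future edits, e.g. `# Restricted PSS baseline: non-root UID, read-only rootfs, no privilege escalation`. The enclosing `pod:` map continues outside the hunk.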