diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
index b77e8631c..a518dcb8e 100644
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ b/calico/templates/daemonset-calico-etcd.yaml
@@ -50,6 +50,8 @@ spec:
         # a failure.  This annotation works in tandem with the toleration below.
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
+      securityContext:
+        readOnlyRootFilesystem: true
       serviceAccountName: {{ $serviceAccountName }}
       tolerations:
         # This taint is set by all kubelets running `--cloud-provider=external`
diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml
index 0a0f56502..4fbb3fed7 100644
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@@ -118,6 +118,8 @@ spec:
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
 {{- end }}
     spec:
+      securityContext:
+        readOnlyRootFilesystem: true
       nodeSelector:
         beta.kubernetes.io/os: linux
       hostNetwork: true
diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml
index 9ae9ca581..b06e7be07 100644
--- a/calico/templates/deployment-calico-kube-controllers.yaml
+++ b/calico/templates/deployment-calico-kube-controllers.yaml
@@ -92,6 +92,8 @@ spec:
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+      securityContext:
+        readOnlyRootFilesystem: true
       nodeSelector:
         beta.kubernetes.io/os: linux
       # The controllers must run in the host network namespace so that