diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
index 66a1c29d95..5a96cb043e 100644
--- a/config/101-podsecuritypolicy.yaml
+++ b/config/101-podsecuritypolicy.yaml
@@ -30,7 +30,7 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: 'MustRunAsNonRoot'
   seLinux:
     rule: 'RunAsAny'
   supplementalGroups:
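Review bot: `MustRunAsNonRoot` at line 10 is only fully checked at admission for pods that set `runAsUser` or `runAsNonRoot`; a pod that sets neither is mutated to `runAsNonRoot: true` and the kubelet then refuses to start the container if the image's USER is root or not a numeric UID, so every workload admitted under this PSP needs either an explicit non-zero `runAsUser` (as the controller and webhook Deployments in this commit now do) or a numeric non-root USER baked into its image. Worth recording next to the rule: `# Pods admitted under this PSP must declare a non-zero runAsUser or ship an image with a numeric non-root USER.` The rest of the PSP spec, including `privileged` and `allowPrivilegeEscalation`, is outside the hunk; if the PSP does not already set `allowPrivilegeEscalation: false`, the container-level setting added in config/controller.yaml and config/webhook.yaml covers only those two Deployments rather than everything the PSP admits.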
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index 7fdef71dfd..4590885b90 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -35,7 +35,3 @@ rules:
   - apiGroups: ["triggers.tekton.dev"]
     resources: ["clustertriggerbindings/status", "eventlisteners/status", "triggerbindings/status", "triggertemplates/status", "triggers/status"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
diff --git a/config/200-role.yaml b/config/200-role.yaml
new file mode 100644
index 0000000000..0bde307b64
--- /dev/null
+++ b/config/200-role.yaml
@@ -0,0 +1,26 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-triggers-admin
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-triggers"]
+    verbs: ["use"]
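Review bot: The Role has no `metadata.namespace`, so which namespace it lands in depends on how the manifests are applied; a Role authorizes PSP `use` only for pods admitted in its own namespace, and the RoleBinding in config/201-rolebinding.yaml places its subject in `tekton-pipelines`, so pinning it with `namespace: tekton-pipelines` under `metadata` makes the scoping explicit (whether the other manifests in config/ set a namespace is not visible in this diff). The name `tekton-triggers-admin` overstates a Role whose only rule is `use` on one PodSecurityPolicy; a name such as `tekton-triggers-psp-user` would read more accurately, though renaming also touches the `roleRef` in the binding. As a style point, `kind` precedes `apiVersion` here while the new RoleBinding puts `apiVersion` first; the two new files should use one order.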
diff --git a/config/201-rolebinding.yaml b/config/201-rolebinding.yaml
new file mode 100644
index 0000000000..a58d5d3716
--- /dev/null
+++ b/config/201-rolebinding.yaml
@@ -0,0 +1,29 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-triggers-controller-admin
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-controller
+    namespace: tekton-pipelines
+roleRef:
+  kind: Role
+  name: tekton-triggers-admin
+  apiGroup: rbac.authorization.k8s.io
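Review bot: This binding grants PSP `use` to the `tekton-triggers-controller` ServiceAccount only, while the hunk in config/200-clusterrole.yaml removes the cluster-wide `use` rule; if the webhook Deployment in config/webhook.yaml runs under a different ServiceAccount that previously relied on that ClusterRole, its pods lose authorization for the `tekton-triggers` PSP and will be rejected at admission (the webhook's `serviceAccountName` is not in this diff — confirm). Like the Role, the binding lacks `metadata.namespace`; adding `namespace: tekton-pipelines` keeps it next to its subject instead of wherever the manifests happen to be applied. The `-admin` suffix in `tekton-triggers-controller-admin` suggests broader rights than the single `use` verb the referenced Role carries.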
diff --git a/config/controller.yaml b/config/controller.yaml
index d496df19eb..70305da9e1 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -52,6 +52,9 @@ spec:
       containers:
       - name: tekton-triggers-controller
         image: "ko://github.com/tektoncd/triggers/cmd/controller"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1001
         args: [
           "-logtostderr",
           "-stderrthreshold", "INFO",
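Review bot: `runAsUser: 1001` at line 103 satisfies the PSP's `MustRunAsNonRoot`, but the block should also carry `runAsNonRoot: true`, which has the kubelet verify the non-root invariant independently of the UID value so a later edit that drops or overrides `runAsUser` (for example at pod level) cannot silently reintroduce root; the same applies to the identical block added in config/webhook.yaml. Since `allowPrivilegeEscalation: false` is already set, `capabilities: {drop: ["ALL"]}` and `readOnlyRootFilesystem: true` are the natural next lines if the binary tolerates them. Whether UID 1001 has the filesystem permissions the controller needs depends on the ko base image, which is outside this diff — confirm before merging. The enclosing container spec continues past the hunk.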
diff --git a/config/webhook.yaml b/config/webhook.yaml
index a3f5a0bfc5..158df49a98 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -54,6 +54,9 @@ spec:
         # This is the Go import path for the binary that is containerized
         # and substituted here.
         image: "ko://github.com/tektoncd/triggers/cmd/webhook"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1001
         env:
         - name: SYSTEM_NAMESPACE
           valueFrom: