diff --git a/Dockerfile b/Dockerfile
index 605fef062c..4627a61f71 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,6 +25,9 @@ RUN make test
 # Create production image for running node feature discovery
 FROM debian:stretch-slim
+# Run as unprivileged user
+USER 65534:65534
+
 # Use more verbose logging of gRPC
 ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"
diff --git a/nfd-daemonset-combined.yaml.template b/nfd-daemonset-combined.yaml.template
index 60feaaea59..738fd6dab0 100644
--- a/nfd-daemonset-combined.yaml.template
+++ b/nfd-daemonset-combined.yaml.template
@@ -64,6 +64,12 @@ spec:
 fieldPath: spec.nodeName
 image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
 name: nfd-master
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-master"
 - env:
@@ -73,6 +79,12 @@ spec:
 fieldPath: spec.nodeName
 image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
 name: nfd-worker
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-worker"
 args:
diff --git a/nfd-master.yaml.template b/nfd-master.yaml.template
index 767bc9f49b..04351888b0 100644
--- a/nfd-master.yaml.template
+++ b/nfd-master.yaml.template
@@ -79,6 +79,12 @@ spec:
 fieldPath: spec.nodeName
 image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
 name: nfd-master
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-master"
 ## Enable TLS authentication
diff --git a/nfd-worker-daemonset.yaml.template b/nfd-worker-daemonset.yaml.template
index 0142b5a835..8b58715027 100644
--- a/nfd-worker-daemonset.yaml.template
+++ b/nfd-worker-daemonset.yaml.template
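Review bot: The comment on `USER 65534:65534` says only "unprivileged" and leaves out the reason the UID is written numerically, which is the part a future maintainer is most likely to undo: the kubelet can only verify the `runAsNonRoot: true` added to the manifests when the image user is a numeric UID, and a symbolic name such as `nobody` makes the container fail at creation. Suggest `# Run as unprivileged user. Numeric UID/GID on purpose: the kubelet needs it to enforce runAsNonRoot (65534 is nobody/nogroup on Debian).` in place of the added comment. 65534 is also a shared identity rather than one dedicated to this image, so any file later in this stage that the binaries must write at runtime would have to be chowned to it or moved to a mounted volume; the remainder of the stage is outside the hunk, so I cannot tell whether such files exist.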
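Review bot: The new `securityContext` sets `runAsNonRoot: true` without `runAsUser`, so the non-root guarantee rests entirely on the `USER` directive in the image: an image rebuilt or overridden without a numeric USER is rejected only when the container is created, not at admission, and an image that picks a different UID silently changes which files on the node the pod can reach. Pin the identity in the manifest too, `runAsUser: 65534` and `runAsGroup: 65534` alongside `runAsNonRoot: true`, so the policy holds independently of the image. The identical block is added in the nfd-worker hunk of this file and in nfd-master.yaml.template, nfd-worker-daemonset.yaml.template and nfd-worker-job.yaml.template, so the same addition applies to all five. The enclosing container spec starts and ends outside the hunk.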
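Review bot: For the nfd-worker container, `readOnlyRootFilesystem: true` together with `drop: ["ALL"]` changes what the process can read on the node, and nothing in the hunk records that this was checked: with CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE dropped, a UID-65534 process can no longer open root-only files under whatever host paths the worker mounts (presumably sysfs/procfs and similar — the volume list is outside the hunk), and any path the worker writes under its own filesystem now needs an `emptyDir`. Once it has been confirmed on a node that feature discovery still works under this context, record that in the template, e.g. `# Worker runs unprivileged with all capabilities dropped; it only needs read access to its host mounts`, so the next person tightening or loosening the mounts knows the constraint. The same applies to the worker hunks in nfd-worker-daemonset.yaml.template and nfd-worker-job.yaml.template.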
@@ -23,6 +23,12 @@ spec:
 fieldPath: spec.nodeName
 image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
 name: nfd-worker
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-worker"
 args:
diff --git a/nfd-worker-job.yaml.template b/nfd-worker-job.yaml.template
index deb2344e1b..776adf97be 100644
--- a/nfd-worker-job.yaml.template
+++ b/nfd-worker-job.yaml.template
@@ -32,6 +32,12 @@ spec:
 fieldPath: spec.nodeName
 image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
 name: nfd-worker
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 command:
 - "nfd-worker"
 args: