diff --git a/config/operator.yaml b/config/operator.yaml
index f9bdf0ec..65ea4c44 100644
--- a/config/operator.yaml
+++ b/config/operator.yaml
@@ -59,7 +59,24 @@ spec:
 periodSeconds: 1
 successThreshold: 1
 timeoutSeconds: 15
+ securityContext:
+ runAsUser: 65532
+ runAsGroup: 65532
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 terminationMessagePolicy: FallbackToLogsOnError
+ securityContext:
+ runAsUser: 65532
+ runAsGroup: 65532
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: spicedb-operator
 ---
 apiVersion: v1
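Review bot: The first added `securityContext` (the one carrying `readOnlyRootFilesystem: true`, presumably the container-level block) makes the root filesystem read-only, but nothing in this hunk adds a writable volume, so any path the operator writes at runtime would fail; the volume definitions lie outside the hunk, so confirm none is needed or mount an `emptyDir` for it. The pinned `runAsUser: 65532` / `runAsGroup: 65532` must also match a user the image can run as, and on clusters that assign UIDs from a per-namespace range (OpenShift's restricted SCC, for instance) a fixed UID may be rejected at admission. A short comment above each block would record the intent, e.g. `# 65532: non-root UID/GID the operator image runs as; keep in sync with the image`. Indentation is not recoverable on this page, so which block is container-level and which is pod-level is inferred from the fields each one carries.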