diff --git a/internal/cnpgi/operator/lifecycle.go b/internal/cnpgi/operator/lifecycle.go
index f7c55de..a6e95d0 100644
--- a/internal/cnpgi/operator/lifecycle.go
+++ b/internal/cnpgi/operator/lifecycle.go
@@ -299,6 +299,18 @@ func reconcilePodSpec(
 sidecarConfig.Image = viper.GetString("sidecar-image")
 sidecarConfig.ImagePullPolicy = cluster.Spec.ImagePullPolicy
 sidecarConfig.StartupProbe = baseProbe.DeepCopy()
+ sidecarConfig.SecurityContext = &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.To(false),
+ RunAsNonRoot: ptr.To(true),
+ Privileged: ptr.To(false),
+ ReadOnlyRootFilesystem: ptr.To(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ }
 // merge the main container envs if they aren't already set
 for _, container := range spec.Containers {
diff --git a/kubernetes/deployment.yaml b/kubernetes/deployment.yaml
index acc0ab4..756f1dd 100644
--- a/kubernetes/deployment.yaml
+++ b/kubernetes/deployment.yaml
@@ -16,6 +16,10 @@ spec:
 labels:
 app: barman-cloud
 spec:
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: plugin-barman-cloud
 containers:
 - image: plugin-barman-cloud:latest
@@ -48,6 +52,16 @@ spec:
 - mountPath: /client
 name: client
 resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 10001
+ runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: server
 secret:
diff --git a/manifest.yaml b/manifest.yaml
index a05623a..10e8021 100644
--- a/manifest.yaml
+++ b/manifest.yaml
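Review bot: The sidecar SecurityContext sets RunAsNonRoot to true but gives no RunAsUser, so the container only starts if the image named by the sidecar-image setting declares a numeric non-root USER; with a root or symbolic USER the kubelet refuses to create the container (CreateContainerConfigError) rather than falling back. The deployment manifests in this same change pin the UID explicitly, so the sidecar should probably do the same, `RunAsUser: ptr.To[int64](10001),` and `RunAsGroup: ptr.To[int64](10001),` — assuming the sidecar image's file ownership suits that UID, which is not visible here. ReadOnlyRootFilesystem true additionally means any scratch path the sidecar writes must be backed by an explicit writable mount; whether one exists is outside this hunk. reconcilePodSpec begins and ends outside the hunk.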
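Review bot: readOnlyRootFilesystem: true is added to the plugin container while the only mounts visible are /server and /client (the former backed by a Secret), so any write the process makes to the root filesystem — temp files, caches, a working directory — now fails with EROFS at runtime rather than at deploy time; if the plugin writes anywhere, add an emptyDir for that path in the same change. The pod-level securityContext carries runAsNonRoot while the numeric runAsUser/runAsGroup 10001 sit only on the container, which is consistent as long as the image's files are readable by that UID — worth confirming against the image. The identical block appears in manifest.yaml's hunk at -871, which presumably is generated from this file; keep the two in sync.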
@@ -871,11 +871,25 @@ spec:
 tcpSocket:
 port: 9090
 resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 10001
+ runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - mountPath: /server
 name: server
 - mountPath: /client
 name: client
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: plugin-barman-cloud
 volumes:
 - name: server