diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..a765bfd
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+/docs
+/build
diff --git a/build/container/Dockerfile b/build/container/Dockerfile
index 072aad0..b0832f1 100644
--- a/build/container/Dockerfile
+++ b/build/container/Dockerfile
@@ -22,4 +22,13 @@ LABEL org.opencontainers.image.description="Lightweight, elastic, kubernetes-nat
 WORKDIR /work/
 COPY --from=builder /build/barco .
 
+
+RUN mkdir /var/lib/barco
+
+RUN chgrp -R 0 /var/lib/barco && \
+    chmod -R g=u /var/lib/barco && \
+    chown -R 1001:0 /var/lib/barco
+
+USER 1001
+
 CMD ["/work/barco"]
diff --git a/deploy/kubernetes/barco.yaml b/deploy/kubernetes/barco.yaml
index f6f2798..ab880de 100644
--- a/deploy/kubernetes/barco.yaml
+++ b/deploy/kubernetes/barco.yaml
@@ -101,6 +101,14 @@ spec:
         - name: barco
           image: barcostreams/barco:dev1
           imagePullPolicy: Always
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
           ports:
             - containerPort: 9250
               name: discovery
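Review bot: Excluding `/build` from the context while the Dockerfile itself lives under build/container/ deserves a comment in this new file: Docker still reads the Dockerfile passed with `-f`, but any other file under build/ that a COPY or ADD might reference would now be missing from the context, and nothing in this commit shows whether such a file exists. Consider also listing `.git` here so repository history is never shipped to the daemon or copied into the builder stage. A header such as `# keep the build context to the sources the multi-stage build actually needs` would record the intent.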
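Review bot: The `chgrp -R 0` on the first line of the second added RUN is redundant, because the `chown -R 1001:0` two lines below already sets the group to 0, and the three RUN layers can be collapsed into one: `RUN mkdir -p /var/lib/barco && chown -R 1001:0 /var/lib/barco && chmod -R g=u /var/lib/barco`. The `g=u` permissions look like the convention for staying writable when the container is started under an arbitrary UID in group 0; if that is the purpose, a one-line comment saying so would stop the next reader from "simplifying" it away. If the deployment mounts a volume at /var/lib/barco, the ownership set here is hidden by the mount and the pod's `fsGroup` has to supply it instead; the manifest hunk in this commit shows no volume, so this is only a guess. The `/work/barco` binary copied on the context line above stays root-owned under `USER 1001`, which is fine for a read-only executable.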
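Review bot: The new securityContext omits `readOnlyRootFilesystem: true`, the one remaining hardening setting that fits this image; the Dockerfile hunk in this commit prepares /var/lib/barco as a writable directory, so enabling it means backing that path with an emptyDir or persistent volume mount, and whether such a volume already exists cannot be seen here because the pod `spec:` continues outside the hunk. `runAsNonRoot: true` is only verifiable by the kubelet because the image's `USER 1001` is numeric; adding `runAsUser: 1001` next to it keeps the pod starting even if the Dockerfile later switches to a named user. A short comment above the block, e.g. `# no root needed: all capabilities dropped, seccomp default profile, no privilege escalation`, would record why these settings are safe for this workload.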