diff --git a/job-eks.yaml b/job-eks.yaml
index 6f82c3102bd16802ee3db2f58a22d80d6d105a9a..b0cac980f9a191bad5909bbe6e230be8458b19ea 100644
--- a/job-eks.yaml
+++ b/job-eks.yaml
@@ -15,10 +15,13 @@ spec:
           volumeMounts:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-kubelet
diff --git a/job-iks.yaml b/job-iks.yaml
index 8a5fd38595608ec6730647a8d55b4253a3553356..3d3d07229302347630cf73d5008ac68bf62c664b 100644
--- a/job-iks.yaml
+++ b/job-iks.yaml
@@ -14,10 +14,13 @@ spec:
           volumeMounts:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-kubelet
diff --git a/job-master.yaml b/job-master.yaml
index 5896bd312993e748b55c9155df2024fc7a0dbd70..27cecb2472d9fe1581c8b77de5712649b03e2061 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -20,12 +20,15 @@ spec:
           volumeMounts:
             - name: var-lib-etcd
               mountPath: /var/lib/etcd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
               # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
               mountPath: /usr/bin
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd
diff --git a/job-node.yaml b/job-node.yaml
index 0bdc2a1f384915d3a628f54b1282e3e78a974e8d..b9133e98c3cd0fee120c8080d7706e048c6f016f 100644
--- a/job-node.yaml
+++ b/job-node.yaml
@@ -14,14 +14,18 @@ spec:
           volumeMounts:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
               # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
               mountPath: /usr/bin
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-kubelet
diff --git a/job.yaml b/job.yaml
index 411c16499f1c47cc15e94d964aa61220d4ebc8a4..5f096510f12262115d8daefd7765744f5bb4c1bb 100644
--- a/job.yaml
+++ b/job.yaml
@@ -17,16 +17,21 @@ spec:
           volumeMounts:
             - name: var-lib-etcd
               mountPath: /var/lib/etcd
+              readOnly: true
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
               # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
               mountPath: /usr/bin
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd