diff --git a/grafana-image/Dockerfile b/grafana-image/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..bac01b592e86bec53394f2692a8011d1e4190d54
--- /dev/null
+++ b/grafana-image/Dockerfile
@@ -0,0 +1,15 @@
+FROM debian:9.3-slim
+
+RUN apt-get update && apt-get install -qq -y wget tar sqlite && \
+    wget -O /tmp/grafana.tar.gz https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-4.6.3.linux-x64.tar.gz && \
+    tar -zxvf /tmp/grafana.tar.gz -C /tmp && mv /tmp/grafana-4.6.3 /grafana && \
+    rm -rf /tmp/grafana.tar.gz
+
+ADD config.toml /grafana/conf/config.toml
+
+USER       nobody
+EXPOSE     3000
+VOLUME     [ "/data" ]
+WORKDIR    /grafana
+ENTRYPOINT [ "/grafana/bin/grafana-server" ]
+CMD        [ "-config=/grafana/conf/config.toml" ]
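Review bot: The Grafana tarball fetched by `wget` in the `RUN` step is unpacked without any integrity check, so whatever the S3 URL serves at build time ends up in the image. Verify it against a pinned digest between the download and the `tar` call, e.g. `echo "<GRAFANA_TARBALL_SHA256>  /tmp/grafana.tar.gz" | sha256sum -c - && \` (the placeholder stands for the published checksum of the 4.6.3 release). The same `RUN` leaves the apt package lists in the layer; appending `&& rm -rf /var/lib/apt/lists/*` removes them. `ADD config.toml ...` copies a plain local file, so `COPY config.toml /grafana/conf/config.toml` is the more explicit instruction.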
diff --git a/grafana-image/Makefile b/grafana-image/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..12fc7b814357e50d361dbfc8ffc0b774319fe618
--- /dev/null
+++ b/grafana-image/Makefile
@@ -0,0 +1,2 @@
+container:
+	docker build . -t quay.io/coreos/monitoring-grafana:4.6.3-non-root
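Review bot: The `container` target is not declared phony, so a file or directory named `container` in grafana-image/ would turn `make container` into a no-op; add `.PHONY: container` above the target. The `4.6.3` in the image tag is also repeated in the Dockerfile's download URL and `mv` path, so a single version variable handed to the build with `--build-arg` would keep the three from drifting apart.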
diff --git a/grafana-image/config.toml b/grafana-image/config.toml
new file mode 100644
index 0000000000000000000000000000000000000000..7ed992c685eb1e8d8e8bf79c6712128e462b12a1
--- /dev/null
+++ b/grafana-image/config.toml
@@ -0,0 +1,2 @@
+[database]
+path = /data/grafana.db
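Review bot: Only the database path is redirected to the `/data` volume here; Grafana's other writable locations (data directory, logs, plugins) keep their defaults under the install directory, which the Dockerfile unpacks as root while the server runs as `nobody`, so they are presumably not writable at runtime. Consider adding a `[paths]` section with `data = /data` and `logs = /data/log`. Grafana reads this file as INI rather than TOML (the unquoted path would not be valid TOML), so a name such as `config.ini` would avoid misleading editors and linters.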
diff --git a/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml b/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml
index 8a7b8c0220903929d886d9e48cddfc7e2d8459de..091d4e80a92704278025813b7cfae683dc08f08b 100644
--- a/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml
+++ b/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml
@@ -9,9 +9,12 @@ spec:
       labels:
         app: grafana
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
       containers:
       - name: grafana
-        image: grafana/grafana:4.6.3
+        image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
         env:
         - name: GF_AUTH_BASIC_ENABLED
           value: "true"
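Review bot: The new pod-level `securityContext` sets the UID but no `fsGroup`, while the `grafana-storage` volume that the second hunk mounts at `/data` now has to hold the SQLite database written by UID 65534. The volume definition is not visible in this diff; if it is anything other than an emptyDir (for example a PersistentVolumeClaim), the mount may be root-owned and Grafana would fail to create `/data/grafana.db`. Adding `fsGroup: 65534` next to `runAsUser: 65534` covers that case. The same applies to the identical hunks in manifests/grafana/grafana-deployment.yaml.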
@@ -29,7 +32,7 @@ spec:
               key: password
         volumeMounts:
         - name: grafana-storage
-          mountPath: /var/grafana-storage
+          mountPath: /data
         ports:
         - name: web
           containerPort: 3000
diff --git a/manifests/grafana/grafana-deployment.yaml b/manifests/grafana/grafana-deployment.yaml
index 29dd9022f9cf9ebc06ae624b84cd30fd869b2961..d1b7c8061346dd024ce1aa7a43fb5e726f1a525a 100644
--- a/manifests/grafana/grafana-deployment.yaml
+++ b/manifests/grafana/grafana-deployment.yaml
@@ -9,9 +9,12 @@ spec:
       labels:
         app: grafana
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
       containers:
       - name: grafana
-        image: grafana/grafana:4.6.3
+        image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
         env:
         - name: GF_AUTH_BASIC_ENABLED
           value: "true"
@@ -29,7 +32,7 @@ spec:
               key: password
         volumeMounts:
         - name: grafana-storage
-          mountPath: /var/grafana-storage
+          mountPath: /data
         ports:
         - name: web
           containerPort: 3000
diff --git a/manifests/node-exporter/node-exporter-daemonset.yaml b/manifests/node-exporter/node-exporter-daemonset.yaml
index 250398bd4a14a570a85c177572ae044438017c86..f92113e87ccb0afd13b9a65ad2166a05b2911384 100644
--- a/manifests/node-exporter/node-exporter-daemonset.yaml
+++ b/manifests/node-exporter/node-exporter-daemonset.yaml
@@ -14,6 +14,9 @@ spec:
       name: node-exporter
     spec:
       serviceAccountName: node-exporter
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
       hostNetwork: true
       hostPID: true
       containers:
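Review bot: The pod-level `securityContext` added here drops root, but the pod still joins the host network and PID namespaces, so the container should also be denied privilege escalation and capabilities. The `containers:` entries lie outside this hunk; on the node-exporter container this would be `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`. It is also worth confirming that the collectors enabled for this DaemonSet can still read what they need as UID 65534, since some host files may be readable by root only.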