diff --git a/apps/k8s01/dns/dns.yaml b/apps/k8s01/dns/dns.yaml
index 7e6374f7ecb28947dc39764042c6bbbeb04aeb1a..0d768cd25e172a0923cef64d55dd4a819f5c03b8 100644
--- a/apps/k8s01/dns/dns.yaml
+++ b/apps/k8s01/dns/dns.yaml
@@ -49,6 +49,10 @@ spec:
             - name: tls-secret
               mountPath: "/etc/pki/dnsproxy"
               readOnly: true
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
       automountServiceAccountToken: false
       volumes:
         - name: tls-secret
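Review bot: The container `securityContext` added after the volume mounts drops all capabilities but does not set `allowPrivilegeEscalation: false`, and the container level is the only place that field exists. The second hunk sets it on the pod-level `securityContext`, where it is not a defined field and so has no effect. Add `allowPrivilegeEscalation: false` beside `capabilities:` here and remove it from the pod-level block. The container spec begins outside the hunk, so if the pod has other containers they would each need the same setting.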
@@ -56,6 +60,8 @@ spec:
             secretName: ingress-dns-tls
             optional: false
       securityContext:
+        allowPrivilegeEscalation: false
+        unAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
         sysctls:
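Review bot: `unAsNonRoot: true` in the pod-level `securityContext` is a misspelling of `runAsNonRoot`, so the non-root requirement is never set; the line should read `runAsNonRoot: true`. Depending on how this manifest is applied, an unknown field is either rejected by strict validation or dropped without an error, and in the second case the pod can keep running as root while the manifest looks hardened. Once the field is spelled correctly the kubelet will refuse to start a container whose image runs as UID 0 or declares a non-numeric user, so confirm the image sets a numeric non-root user or add `runAsUser` alongside it.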