diff --git a/infrastructure/vpa/deployment-patch.yaml b/infrastructure/vpa/deployment-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..839f86db7f2c70c6cd80a3c73af358a335295c2c
--- /dev/null
+++ b/infrastructure/vpa/deployment-patch.yaml
@@ -0,0 +1,9 @@
+- op: add
+  path: /spec/template/spec/containers/0/securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile: RuntimeDefault
+
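Review bot: `seccompProfile: RuntimeDefault` in the patch value is a bare string, but the container SecurityContext API defines `seccompProfile` as an object with a `type` field, so the rendered Deployment is likely to be rejected at apply time or to lose the field. It should be written as `seccompProfile:` with a nested `type: RuntimeDefault`. Separately, a JSON Patch `add` on `/spec/template/spec/containers/0/securityContext` replaces the whole object when the upstream manifest already defines one, so any container-level settings upstream carries would be dropped silently; comparing `kustomize build` output before and after the patch would confirm this. If the namespace enforces the restricted Pod Security Standard (suggested by the `namespace-restricted` component name, not confirmed by anything visible here), `runAsNonRoot: true` must also end up set at pod or container level.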
diff --git a/infrastructure/vpa/kustomization.yaml b/infrastructure/vpa/kustomization.yaml
index cf18a953202551dee7e0142c83ebbf3618e1f19b..ccb0a0498e24301609dfc5c28aa927dd67fe7f5b 100644
--- a/infrastructure/vpa/kustomization.yaml
+++ b/infrastructure/vpa/kustomization.yaml
@@ -1,14 +1,23 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: vpa-system
+
+commonLabels:
+  app.kubernetes.io/name: vertical-pod-autoscaler
+  app.kubernetes.io/instance: vpa-system
+
+
 resources:
   - namespace.yaml
   - certificate.yaml
   - https://git.shivering-isles.com/github-mirror/kubernetes/autoscaler.git//vertical-pod-autoscaler/deploy?ref=vpa-release-1.0
 
-commonLabels:
-  app.kubernetes.io/name: vertical-pod-autoscaler
-  app.kubernetes.io/instance: vpa-system
+patches:
+  - path: deployment-patch.yaml
+    target:
+      version: v1
+      group: apps
+      kind: Deployment
 
 components:
   - ../../shared/components/namespace-restricted
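Review bot: The `patches` target selects on `group`, `version` and `kind` only, so the patch applies to every Deployment this kustomization renders, while the patch itself addresses only `containers/0`. A Deployment with a second container, or any init container, would be rendered without the hardened securityContext and without an error. The gap is harder to notice because the remote resource is fetched with `?ref=vpa-release-1.0`, which looks like a branch name and can therefore move underneath this overlay; pinning it to a commit (`?ref=<commit-sha>`) keeps the set of patched containers reviewable. A comment above `patches:` such as `# hardens container 0 of every upstream VPA Deployment; re-check after bumping the upstream ref` would record the assumption.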