diff --git a/Containerfile b/Containerfile
index 1d3da7d..f1414ba 100644
--- a/Containerfile
+++ b/Containerfile
@@ -18,6 +18,11 @@ WORKDIR /app
 COPY --from=builder /app/control-plane .
+# OpenShift runs arbitrary UIDs in group 0; g+rwX keeps /app usable.
+RUN chown -R 1001:0 /app && chmod -R g+rwX /app
+
+USER 1001
+
 EXPOSE 8080
 ENTRYPOINT ["./control-plane"]
diff --git a/deploy/helm/dcm/templates/control-plane.yaml b/deploy/helm/dcm/templates/control-plane.yaml
index 25ec3b5..aa03beb 100644
--- a/deploy/helm/dcm/templates/control-plane.yaml
+++ b/deploy/helm/dcm/templates/control-plane.yaml
@@ -20,6 +20,8 @@ spec:
 containers:
 - name: control-plane
 image: "{{ .Values.controlPlane.image }}:{{ include "dcm.imageTag" (dict "tag" .Values.controlPlane.tag "global" .Values.global) }}"
+ securityContext:
+ {{- toYaml .Values.controlPlane.securityContext | nindent 12 }}
 ports:
 - containerPort: 8080
 protocol: TCP
diff --git a/deploy/helm/dcm/values.yaml b/deploy/helm/dcm/values.yaml
index d3c26ad..1b6167d 100644
--- a/deploy/helm/dcm/values.yaml
+++ b/deploy/helm/dcm/values.yaml
@@ -18,6 +18,13 @@ nats:
 controlPlane:
 image: quay.io/dcm-project/control-plane
 tag: "" # defaults to global.imageTag
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 route:
 enabled: true
 host: "" # leave empty for auto-generated OpenShift hostname
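Review bot: `chmod -R g+rwX /app` also makes the `control-plane` binary itself group-writable, and since the process runs as a member of group 0 it can overwrite its own executable; nothing in the hunk shows the binary writing into /app at runtime, so the write bit looks broader than needed. If no runtime writes happen there, `RUN chown -R 1001:0 /app && chmod -R g+rX /app` still gives every arbitrary UID in group 0 read and execute access, which is all OpenShift's UID assignment requires; if a data directory is written, grant `g+rwX` on that subdirectory only and keep the binary at `g=rX`. The comment on the line above should then state the narrower intent, e.g. `# OpenShift runs arbitrary UIDs in group 0; group read/exec is enough, the binary is never written at runtime.`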
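Review bot: The `securityContext:` key is emitted unconditionally, so an override that sets `controlPlane.securityContext` to null renders `securityContext: null` under the container, which the API server treats as unset but which shows up in every `helm template` diff and reads as a mistake. The usual chart idiom is to wrap both new lines in `{{- with .Values.controlPlane.securityContext }}` … `{{- end }}` and emit `{{- toYaml . | nindent 12 }}` inside it, so the key disappears cleanly when the value is empty. Note also that this block only sets the container-level context; there is no pod-level `securityContext` in the visible hunk, so fields that are pod-scoped (such as `fsGroup`) would need a separate value.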
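Review bot: `runAsUser: 1001` works against the arbitrary-UID design the Containerfile comment describes: under OpenShift's restricted SCC, a pod that pins a UID outside the namespace's assigned range is rejected at admission, so this default only deploys where 1001 happens to fall in that range or where the SCC allows any UID. Since the image declares a numeric `USER 1001`, `runAsNonRoot: true` is already satisfied without pinning, so the safer default is to drop `runAsUser` and let the platform assign a UID, or at least annotate it: `runAsUser: 1001  # remove on OpenShift restricted SCC; the namespace UID range is assigned at admission`. The block is also short of the Pod Security "restricted" level on clusters that enforce it, which additionally requires `seccompProfile: { type: RuntimeDefault }` at pod or container level; `readOnlyRootFilesystem: true` is worth adding as well if the binary does not write to /app, which the Containerfile hunk does not show it doing.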