diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index 062d3797..17853b45 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -226,6 +226,13 @@ spec:
 mountPath: "app/realms"
 initContainers:
 - name: init-cx-central
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 image: {{ .Values.realmSeeding.initContainer.image.name }}
 imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }}
 command:
@@ -239,7 +246,15 @@ spec:
 - name: realms
 mountPath: "app/realms"
 - name: wait-for-keycloak
- image: appropriate/curl:latest
+ image: alpine/curl:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 3000
 {{ if .Values.realmSeeding.keycloakServiceTls -}}
 command: [ 'sh', '-c', 'until curl -s https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
 {{- else -}}
diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml
index bc668796..3f3ad8b0 100644
--- a/charts/sharedidp/templates/job-seeding.yaml
+++ b/charts/sharedidp/templates/job-seeding.yaml
@@ -192,6 +192,13 @@ spec:
 mountPath: "app/realms"
 initContainers:
 - name: init-cx-central
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 image: {{ .Values.realmSeeding.initContainer.image.name }}
 imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }}
 command:
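Review bot: `runAsNonRoot: true` is added to init-cx-central without a `runAsUser`, so if `.Values.realmSeeding.initContainer.image.name` resolves to an image whose Dockerfile has no numeric `USER`, the kubelet rejects the container with CreateContainerConfigError ("container has runAsNonRoot and image will run as root") instead of the seeding job failing in a visible way; the wait-for-keycloak container in the same file pins `runAsUser: 3000`, and either doing the same here or documenting in values that the seeding image must declare a non-root UID would make the hardening robust. The new block also omits `seccompProfile`, which the restricted Pod Security Standard requires at pod or container level; unless the pod-level securityContext (outside this hunk) already sets it, add `seccompProfile:` / `type: RuntimeDefault` next to `runAsNonRoot: true`. The container's `command:` body continues past the end of the hunk.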
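Review bot: The new `image: alpine/curl:latest` keeps the wait container on a mutable, unpinned tag, so the hardening added around it does not extend to the supply chain: whoever can push that tag on Docker Hub controls the code that runs inside the seeding job, and the `runAsUser: 3000` assumption also silently depends on whatever the latest image happens to ship. Pin the image to a release tag with a digest, in the shape `image: alpine/curl:<version>@sha256:<digest>`, or better, source it from values the way the init container does with `realmSeeding.initContainer.image` so operators can mirror it into a private registry and scan it. The unchanged loop is `curl -s` without `--fail`, so any HTTP response, including a 503 while Keycloak is still booting, ends the wait; that is pre-existing, but `curl -sf ...` is a one-character fix worth taking while this container is being touched. The `{{- else -}}` branch continues past the hunk.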
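Review bot: `readOnlyRootFilesystem: true` on init-cx-central makes every write outside a mounted volume fail with EROFS, and the only mount visible in this hunk is the `realms` volume at `app/realms`; the seeding command that follows `command:` is outside the hunk, so verify it writes nothing to /tmp or to the image's working directory, or add an `emptyDir` mount for those paths. As in the centralidp chart, `runAsNonRoot: true` without `runAsUser` depends on the configured seeding image declaring a non-root UID; if it does not, the kubelet rejects the container with CreateContainerConfigError. The same securityContext block is now copied verbatim across four containers in two charts; a named template in `_helpers.tpl`, rendered with `include ... | nindent`, would keep the settings from drifting between them. The container definition continues past the end of the hunk.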
@@ -205,7 +212,15 @@ spec:
 - name: realms
 mountPath: "app/realms"
 - name: wait-for-keycloak
- image: appropriate/curl:latest
+ image: alpine/curl:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 3000
 {{ if .Values.realmSeeding.keycloakServiceTls -}}
 command: [ 'sh', '-c', 'until curl -s https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
 {{- else -}}
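Review bot: `image: alpine/curl:latest` is still an unpinned, mutable tag, so what runs in the seeding job depends on whatever is pushed to Docker Hub at run time; `runAsUser: 3000`, `readOnlyRootFilesystem: true` and the capability drop only constrain what that code can do, not which code runs. Pin to a version plus digest (`image: alpine/curl:<version>@sha256:<digest>`) or expose it through values alongside `realmSeeding.initContainer.image` so it can be mirrored and scanned like the other images in the chart. The new securityContext omits `seccompProfile`, which the restricted Pod Security Standard requires unless the pod-level securityContext (not in this hunk) already sets it; `seccompProfile:` / `type: RuntimeDefault` fits next to `runAsNonRoot: true`. The non-TLS `command:` in the `{{- else -}}` branch continues past the hunk.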