diff --git a/config/default/namespace.yaml b/config/default/namespace.yaml
index 1ab3a72555d..d331b0ad036 100644
--- a/config/default/namespace.yaml
+++ b/config/default/namespace.yaml
@@ -2,3 +2,6 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: system
+  labels:
+    # this is required due to the nmi daemonset
+    pod-security.kubernetes.io/enforce: privileged
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 98b04bd30b0..0375abd93a7 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -57,6 +57,17 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsUser: 65532
+          runAsGroup: 65532
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       terminationGracePeriodSeconds: 10
       serviceAccountName: manager
       tolerations:
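Review bot: Labelling the system namespace with `pod-security.kubernetes.io/enforce: privileged` switches Pod Security admission off for every pod in that namespace, not just the nmi daemonset, so the hardened securityContext this same commit adds to the manager in config/manager/manager.yaml is never checked at admission and can regress silently. Keep the enforce level the daemonset needs, but add `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` beside it so any pod in the namespace that falls below restricted is at least reported. The comment is too thin to justify a namespace-wide exemption; something like `# nmi daemonset in this namespace needs privileges the baseline profile forbids; enforce=privileged disables PSA admission for the whole namespace, so audit/warn stay at restricted` records the reason, assuming that is what nmi actually requires — its manifest is not in this diff, so confirm before wording it.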
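Review bot: The container securityContext does not set `readOnlyRootFilesystem: true`, a common hardening the hunk leaves out that the restricted profile itself does not mandate; a controller manager normally has no need to write to its root filesystem, so add it under `allowPrivilegeEscalation: false` and, if the binary does write scratch files, mount an emptyDir at that path instead. Note that `allowPrivilegeEscalation`, `capabilities.drop` and `runAsUser`/`runAsGroup` are set on a single container while `runAsNonRoot` and `seccompProfile` sit at pod level, so any other container in this pod spec — the containers list begins outside the hunk — inherits only the pod-level pair and still needs its own `allowPrivilegeEscalation: false` and `capabilities.drop: ALL`. Because the same commit labels the namespace `enforce: privileged`, Pod Security admission will not validate any of these fields; a comment on the pod-level block such as `# PSA is not enforced in this namespace (see config/default/namespace.yaml); these fields are the only hardening the manager pod gets` would stop a later editor from dropping them as redundant.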