diff --git a/Dockerfile b/Dockerfile
index bf3b691a277b..f3cfcec7447c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,11 +18,15 @@ FROM golang:1.12.5 as builder
 ARG ARCH
 # Copy in the go src
-WORKDIR $GOPATH/src/sigs.k8s.io/cluster-api
+WORKDIR ${GOPATH}/src/sigs.k8s.io/cluster-api
 COPY pkg/ pkg/
 COPY cmd/ cmd/
 COPY vendor/ vendor/
+#create non-root user
+RUN groupadd -g 999 cluster-api-manager && \
+ useradd -r -u 999 -g cluster-api-manager cluster-api-manager
+
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -a -ldflags '-extldflags "-static"' -o manager sigs.k8s.io/cluster-api/cmd/manager
@@ -30,4 +34,6 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -a -ldflags '-extldflags "-
 FROM gcr.io/distroless/static:latest
 WORKDIR /
 COPY --from=builder /go/src/sigs.k8s.io/cluster-api/manager .
+COPY --from=builder /etc/passwd /etc/passwd
+USER cluster-api-manager
 ENTRYPOINT ["/manager"]
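Review bot: The `RUN groupadd … && useradd …` step sits after the three `COPY` instructions, so any change under pkg/, cmd/ or vendor/ invalidates its layer and the account is re-created on every source edit. Moving it above the `# Copy in the go src` block keeps it cached. The comment `#create non-root user` does not say why an account is created in a stage that is thrown away; something like `# Create the non-root account (UID/GID 999) whose /etc/passwd entry is copied into the final image` would make the dependency on the later stage explicit. The `${GOPATH}` change on the WORKDIR line is cosmetic.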
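Review bot: `USER cluster-api-manager` identifies the account by name, so a pod that sets `runAsNonRoot: true` cannot have the image user verified as non-root, and the kubelet is expected to refuse to start such a container. Using the numeric IDs from the builder stage, `USER 999:999`, avoids that. `COPY --from=builder /etc/passwd /etc/passwd` replaces the distroless passwd file with the golang builder's full account list, and /etc/group is not copied, so the group created by `groupadd` is not resolvable by name in the final image. With a numeric `USER` the passwd copy could probably be dropped. Separately, the context line `FROM gcr.io/distroless/static:latest` leaves the runtime base unpinned; pinning a tag or digest would make the hardened image reproducible.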