diff --git a/.kube-linter.yaml b/.kube-linter.yaml
index 886d17a..daab52d 100644
--- a/.kube-linter.yaml
+++ b/.kube-linter.yaml
@@ -1,2 +1,3 @@
 checks:
- exclude: []
+ exclude:
+ - "latest-tag"
diff --git a/argocd/base/resources/claudecodeui/deployment.yaml b/argocd/base/resources/claudecodeui/deployment.yaml
index 9f9b159..cb3e614 100644
--- a/argocd/base/resources/claudecodeui/deployment.yaml
+++ b/argocd/base/resources/claudecodeui/deployment.yaml
@@ -69,6 +69,10 @@ spec:
 initialDelaySeconds: 10
 periodSeconds: 10
 timeoutSeconds: 5
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 volumes:
 - name: data
 persistentVolumeClaim:
diff --git a/argocd/base/resources/n8n/api-key-init.yaml b/argocd/base/resources/n8n/api-key-init.yaml
index e5fc6ec..1472130 100644
--- a/argocd/base/resources/n8n/api-key-init.yaml
+++ b/argocd/base/resources/n8n/api-key-init.yaml
@@ -60,6 +60,9 @@ spec:
 - name: init-api-key
 image: governmentpaas/psql:latest
 securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
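Review bot: Adding `"latest-tag"` to `checks.exclude` in .kube-linter.yaml switches the check off for every manifest the linter scans, not only for the one that currently fails it. The api-key-init.yaml hunk in this same diff still shows `image: governmentpaas/psql:latest` on the `init-api-key` container, so the image that runs there can change without any change in this repository. Prefer pinning that image to a fixed version or digest and leaving the check enabled. If an exception is really needed, scope it to the single object with the annotation `ignore-check.kube-linter.io/latest-tag: "<reason>"` instead of a global exclude.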
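Review bot: The `securityContext` added in claudecodeui/deployment.yaml sets `readOnlyRootFilesystem`, `runAsNonRoot` and `runAsUser`, but not `allowPrivilegeEscalation: false` or `capabilities:` / `drop: ["ALL"]`, both of which the n8n `init-api-key` container in this diff already carries. Adding those two settings under the same `securityContext` would bring this workload to the same baseline. Neither hunk sets a seccomp profile; if the cluster does not apply one by default, `seccompProfile:` with `type: RuntimeDefault` is worth adding in both places. The container and pod spec start outside the hunk, so a pod-level setting that already covers some of this cannot be ruled out from here.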
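Review bot: `readOnlyRootFilesystem: true` on `init-api-key` in api-key-init.yaml (and on the claudecodeui container in the previous hunk) makes every write outside a mounted volume fail at runtime, and neither hunk adds a writable mount such as an `emptyDir` for `/tmp`. The init container's command and volume mounts are outside the hunk, so whether it writes temporary or home-directory files cannot be seen here; please confirm, and mount an `emptyDir` at the needed paths if it does. For claudecodeui, `runAsUser: 1000` together with the `data` PersistentVolumeClaim may also need a pod-level `fsGroup` so the volume stays writable for the new UID. A short comment above each `securityContext` naming the paths that must remain writable would help the next reviewer.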