diff --git a/Dockerfile b/Dockerfile
index 10e8f465..4b28635f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,11 @@
-FROM gcr.io/distroless/static:debug-nonroot
+FROM gcr.io/distroless/static:debug-nonroot AS builder
+
+# Stage 2:
+FROM gcr.io/distroless/static:nonroot
+
+# Grab the cp binary so we can cp the unpack
+# binary to a shared volume in the bundle image.
+COPY --from=builder /busybox/cp /busybox/ls /
 WORKDIR /
diff --git a/pkg/source/image.go b/pkg/source/image.go
index 07f91898..13413c44 100644
--- a/pkg/source/image.go
+++ b/pkg/source/image.go
@@ -138,7 +138,7 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment
 				WithName("install-unpacker").
 				WithImage(i.UnpackImage).
 				WithImagePullPolicy(corev1.PullIfNotPresent).
-				WithCommand("cp", "-Rv", "/unpack", "/util/bin/unpack").
+				WithCommand("/cp", "-Rv", "/unpack", "/util/bin/unpack").
 				WithVolumeMounts(applyconfigurationcorev1.VolumeMount().
 					WithName("util").
 					WithMountPath("/util/bin"),
@@ -154,7 +154,7 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment
 					WithName("util").
 					WithMountPath("/bin"),
 				).
-				WithSecurityContext(containerSecurityContext).
+				WithSecurityContext(containerSecurityContext.WithRunAsUser(1001)).
 				WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError),
 			).
 			WithVolumes(applyconfigurationcorev1.Volume().
@@ -162,7 +162,7 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment
 				WithEmptyDir(applyconfigurationcorev1.EmptyDirVolumeSource()),
 			).
 			WithSecurityContext(applyconfigurationcorev1.PodSecurityContext().
-				WithRunAsNonRoot(false).
+				WithRunAsNonRoot(true).
 				WithSeccompProfile(applyconfigurationcorev1.SeccompProfile().
 					WithType(corev1.SeccompProfileTypeRuntimeDefault),
 				),
diff --git a/test/e2e/plain_provisioner_test.go b/test/e2e/plain_provisioner_test.go
index e1fc6095..b39472f4 100644
--- a/test/e2e/plain_provisioner_test.go
+++ b/test/e2e/plain_provisioner_test.go
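Review bot: `WithCommand("/cp", "-Rv", "/unpack", "/util/bin/unpack")` in the `install-unpacker` init container hardcodes a path that only exists because the Dockerfile's builder stage copies busybox `cp` to the image root, and nothing in image.go records that coupling. A reader who does not know the image is distroless (presumably no shell and no PATH lookup) will see `/cp` as a typo and revert it to `cp`, which is exactly what this commit fixes. Add a comment above the call such as `// "/cp" is the busybox cp the Dockerfile copies to the image root; the distroless unpack image has nothing on PATH.` getDesiredPodApplyConfig starts and ends outside this hunk.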
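Review bot: `WithSecurityContext(containerSecurityContext.WithRunAsUser(1001))` mutates the shared apply configuration in place — client-go's `With*` setters assign to the receiver and return it — so if `containerSecurityContext` (declared outside the hunk) is also passed to the `install-unpacker` init container at line 138, that container silently runs as UID 1001 as well, whether or not that was intended. The literal `1001` is also an unexplained magic number with no relation to the image's own non-root user. If the UID should apply to every container, set it once on the pod-level `PodSecurityContext()` in the -162 hunk, `WithRunAsNonRoot(true).WithRunAsUser(1001)`, and drop the per-container call; otherwise build a separate `SecurityContext()` for this container and name the value, `const unpackUID int64 = 1001 // non-root UID the unpack container runs as`. The enclosing function starts and ends outside this hunk.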
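Review bot: With `WithRunAsNonRoot(true)` now set at pod level, any container in this spec that does not carry an explicit `RunAsUser` is admitted only if its image declares a numeric non-root USER, because the kubelet rejects both UID 0 and a non-numeric image user under this setting. The `install-unpacker` init container at line 138 shows no explicit UID in this diff, so the USER baked into `i.UnpackImage` is now load-bearing for pod start-up and that dependency is not documented. Add a comment on the pod security context, e.g. `// RunAsNonRoot is enforced by the kubelet: every container here either sets RunAsUser or must come from an image with a numeric non-root USER.` The enclosing function continues outside this hunk.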
@@ -1443,7 +1443,7 @@ func checkProvisionerBundleDeployment(ctx context.Context, object client.Object,
 		SubResource("exec").
 		VersionedParams(&corev1.PodExecOptions{
 			Container: "manager",
-			Command: []string{"ls", filepath.Join(storage.DefaultBundleCacheDir, fmt.Sprintf("%s.tgz", object.GetName()))},
+			Command: []string{"/ls", filepath.Join(storage.DefaultBundleCacheDir, fmt.Sprintf("%s.tgz", object.GetName()))},
 			Stdin: true,
 			Stdout: true,
 			Stderr: true,
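Review bot: `Command: []string{"/ls", ...}` ties this assertion to the `manager` image having busybox `ls` copied to its root by the Dockerfile, so the e2e test now encodes an image-layout detail without saying so. Nothing here explains why a bare `ls` no longer works, and the next reader is likely to "fix" it back. Add a comment on the line, e.g. `// The manager image is distroless with nothing on PATH; "/ls" is the busybox ls the Dockerfile copies to /.` checkProvisionerBundleDeployment starts and ends outside this hunk.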