diff --git a/README.md b/README.md
index ed1c5c2..90b05c3 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ To begin contributing, please read the [contributing](CONTRIBUTING.md) doc.
 ## Installation and Usage
-The Cert Injection Webhook for Kubernetes is deployed using the [Carvel](hhttps://carvel.dev/) tool suite.
+The Cert Injection Webhook for Kubernetes is deployed using the [Carvel](https://carvel.dev/) tool suite.
 ### Install using kapp controller
 If you would like to install with [Tanzu Community Edition](https://tanzucommunityedition.io/). See [this guide](packaging/README.md)
diff --git a/config/_namespace.yaml b/config/_namespace.yaml
index 3cdf2f4..add6431 100644
--- a/config/_namespace.yaml
+++ b/config/_namespace.yaml
@@ -2,4 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
-  name: cert-injection-webhook
\ No newline at end of file
+  name: cert-injection-webhook
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: v1.25
diff --git a/config/deployment.yaml b/config/deployment.yaml
index b79d22a..416c3ff 100644
--- a/config/deployment.yaml
+++ b/config/deployment.yaml
@@ -33,9 +33,22 @@ spec:
         app: cert-injection-webhook
     spec:
       serviceAccountName: cert-injection-webhook-sa
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: "RuntimeDefault"
       containers:
       - name: server
         image: #@ data.values.webhook_image or assert.fail("missing webhook_image")
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          privileged: false
+          seccompProfile:
+            type: "RuntimeDefault"
+          capabilities:
+            drop:
+            - ALL
         imagePullPolicy: Always
         volumeMounts:
         - name: webhook-ca-cert
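Review bot: The Namespace gets only the `pod-security.kubernetes.io/enforce` label, so pods that violate the restricted profile are rejected, but nothing records pods that would fail a newer revision of the profile than the pinned one. Adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` next to the enforce label surfaces that drift as API warnings and audit-log annotations without changing admission behaviour. The `enforce-version: v1.25` pin also means any checks the restricted profile gains in later releases are not applied after a cluster upgrade until the label is bumped, which is worth a comment on that line, e.g. `# pinned on purpose; revisit when the cluster version moves past v1.25`.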
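Review bot: `runAsNonRoot: true` is set at pod and container level but no `runAsUser` is given, so the kubelet's non-root check depends on the image's `USER` being a numeric UID; if `webhook_image` declares its user by name or not at all, the container is refused at start (CreateContainerConfigError) rather than at admission, and that is easy to miss since the restricted profile itself does not require `runAsUser`. I cannot see the image build from this diff, so it is worth confirming; if the image does not pin a numeric user, add `runAsUser: <non-root uid placeholder>` under the pod `securityContext`. The container `securityContext` could additionally set `readOnlyRootFilesystem: true`, which the restricted profile does not demand but which a webhook server that only reads the mounted `webhook-ca-cert` volume presumably tolerates — verify it writes nothing to the root filesystem before adding it.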