diff --git a/pkg/cli/admin/nodeimage/create.go b/pkg/cli/admin/nodeimage/create.go
index 074617e81d..0fd03cc636 100644
--- a/pkg/cli/admin/nodeimage/create.go
+++ b/pkg/cli/admin/nodeimage/create.go
@@ -745,6 +745,13 @@ func (o *CreateOptions) createPod(ctx context.Context) error {
 Name: nodeJoinerContainer,
 ImagePullPolicy: corev1.PullIfNotPresent,
 Image: o.nodeJoinerImage,
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: &[]bool{false}[0],
+ RunAsNonRoot: &[]bool{true}[0],
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ },
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: "nodes-config",
diff --git a/pkg/cli/admin/nodeimage/monitor.go b/pkg/cli/admin/nodeimage/monitor.go
index e2a75f353e..790d44c778 100644
--- a/pkg/cli/admin/nodeimage/monitor.go
+++ b/pkg/cli/admin/nodeimage/monitor.go
@@ -287,6 +287,13 @@ func (o *MonitorOptions) createPod(ctx context.Context) error {
 Name: nodeJoinerMonitorContainer,
 ImagePullPolicy: corev1.PullIfNotPresent,
 Image: o.nodeJoinerImage,
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: &[]bool{false}[0],
+ RunAsNonRoot: &[]bool{true}[0],
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ },
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: "assets",
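Review bot: `RunAsNonRoot: true` is added without a `RunAsUser`, so if `o.nodeJoinerImage` does not declare a numeric non-root USER the kubelet will refuse to start the container (CreateContainerConfigError) instead of running it; confirm the image's USER or pin `RunAsUser` in this SecurityContext. If the intent is to satisfy the restricted Pod Security Standard, the context also needs `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},` unless the pod-level PodSecurityContext, which is outside this hunk, already sets it. The same seven lines are repeated in the monitor.go hunk; both files are in package nodeimage, so a shared helper such as `func nodeJoinerSecurityContext() *corev1.SecurityContext` would keep the two pods' hardening from drifting, and `ptr.To(false)` from k8s.io/utils/ptr reads better than `&[]bool{false}[0]` if that module is already a dependency. createPod begins and continues outside the hunk in both files.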