diff --git a/cockroachdb.ystack.values.yaml b/cockroachdb.ystack.values.yaml
index 59d731f..2e46303 100644
--- a/cockroachdb.ystack.values.yaml
+++ b/cockroachdb.ystack.values.yaml
@@ -17,3 +17,10 @@ tls:
 selfSigner:
 enabled: false
 caProvided: false
+
+statefulset:
+ replicas: 1
+ conf:
+ single-node: true
+ serviceAccount:
+ create: false
diff --git a/cockroachdb/ystack/cockroachdb/templates/job.init.yaml b/cockroachdb/ystack/cockroachdb/templates/job.init.yaml
index b3f7c97..d339b7c 100644
--- a/cockroachdb/ystack/cockroachdb/templates/job.init.yaml
+++ b/cockroachdb/ystack/cockroachdb/templates/job.init.yaml
@@ -6,7 +6,7 @@ metadata:
 name: cockroachdb-init
 namespace: "unhelm-namespace-placeholder"
 labels:
- helm.sh/chart: cockroachdb-11.0.3
+ helm.sh/chart: cockroachdb-11.2.2
 app.kubernetes.io/name: cockroachdb
 app.kubernetes.io/instance: "cockroachdb"
 app.kubernetes.io/managed-by: "Helm"
@@ -22,11 +22,19 @@ spec:
 app.kubernetes.io/instance: "cockroachdb"
 app.kubernetes.io/component: init
 spec:
+ securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
+ runAsGroup: 1000
+ runAsUser: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 restartPolicy: OnFailure
 terminationGracePeriodSeconds: 0
+ serviceAccountName: default
 containers:
 - name: cluster-init
- image: "cockroachdb/cockroach:v23.1.4"
+ image: "cockroachdb/cockroach:v23.1.12"
 imagePullPolicy: "IfNotPresent"
 # Run the command in an `while true` loop because this Job is bound
 # to come up before the CockroachDB Pods (due to the time needed to
@@ -64,3 +72,7 @@ spec:
 initCluster;
 env:
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
diff --git a/cockroachdb/ystack/cockroachdb/templates/poddisruptionbudget.yaml b/cockroachdb/ystack/cockroachdb/templates/poddisruptionbudget.yaml
index 10742d0..4882b2b 100644
--- a/cockroachdb/ystack/cockroachdb/templates/poddisruptionbudget.yaml
+++ b/cockroachdb/ystack/cockroachdb/templates/poddisruptionbudget.yaml
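Review bot: `serviceAccount.create: false` makes the StatefulSet and the init Job run under the namespace's `default` service account (the `serviceAccountName: default` lines in the job.init.yaml and statefulset.yaml hunks), which inherits whatever RBAC that shared account has been granted and, by default, gets its API token mounted into every pod. Nothing in these pod specs appears to call the Kubernetes API once `tls.selfSigner.enabled` is false, so the rendered pod specs (or the chart values, if the chart exposes the field) should also set `automountServiceAccountToken: false`. `replicas: 1` together with `conf.single-node: true` removes all replication, so every image bump such as the one in this commit becomes a full outage rather than a rolling restart, and the `podAntiAffinity` kept in the StatefulSet is inert; the statefulset.yaml hunks here do not show whether the start command changed to single-node mode, so that should be checked in the rendered args.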
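Review bot: The cluster-init container's securityContext in this hunk is weaker than the one given to the `db` container in statefulset.yaml: it omits `readOnlyRootFilesystem: true` and `privileged: false`, and writes `drop: ["ALL"]` in flow style where the StatefulSet uses a block sequence. The loop appears to only run the `initCluster` command against the cluster, so a read-only root filesystem is probably safe here, but confirm it does not write certificates or temp files under the image filesystem before adding it. The container definition this hunk extends starts outside the hunk.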
@@ -6,7 +6,7 @@ metadata:
 name: cockroachdb-budget
 namespace: "unhelm-namespace-placeholder"
 labels:
- helm.sh/chart: cockroachdb-11.0.3
+ helm.sh/chart: cockroachdb-11.2.2
 app.kubernetes.io/name: cockroachdb
 app.kubernetes.io/instance: "cockroachdb"
 app.kubernetes.io/managed-by: "Helm"
diff --git a/cockroachdb/ystack/cockroachdb/templates/service.discovery.yaml b/cockroachdb/ystack/cockroachdb/templates/service.discovery.yaml
index eb136a5..49c66cc 100644
--- a/cockroachdb/ystack/cockroachdb/templates/service.discovery.yaml
+++ b/cockroachdb/ystack/cockroachdb/templates/service.discovery.yaml
@@ -10,7 +10,7 @@ metadata:
 name: cockroachdb
 namespace: "unhelm-namespace-placeholder"
 labels:
- helm.sh/chart: cockroachdb-11.0.3
+ helm.sh/chart: cockroachdb-11.2.2
 app.kubernetes.io/name: cockroachdb
 app.kubernetes.io/instance: "cockroachdb"
 app.kubernetes.io/managed-by: "Helm"
diff --git a/cockroachdb/ystack/cockroachdb/templates/service.public.yaml b/cockroachdb/ystack/cockroachdb/templates/service.public.yaml
index 48be8bd..e0411ce 100644
--- a/cockroachdb/ystack/cockroachdb/templates/service.public.yaml
+++ b/cockroachdb/ystack/cockroachdb/templates/service.public.yaml
@@ -9,7 +9,7 @@ metadata:
 name: cockroachdb-public
 namespace: "unhelm-namespace-placeholder"
 labels:
- helm.sh/chart: cockroachdb-11.0.3
+ helm.sh/chart: cockroachdb-11.2.2
 app.kubernetes.io/name: cockroachdb
 app.kubernetes.io/instance: "cockroachdb"
 app.kubernetes.io/managed-by: "Helm"
diff --git a/cockroachdb/ystack/cockroachdb/templates/serviceMonitor.yaml b/cockroachdb/ystack/cockroachdb/templates/serviceMonitor.yaml
index b246a5f..322e2b5 100644
--- a/cockroachdb/ystack/cockroachdb/templates/serviceMonitor.yaml
+++ b/cockroachdb/ystack/cockroachdb/templates/serviceMonitor.yaml
@@ -6,7 +6,7 @@ metadata:
 name: cockroachdb
 namespace: "unhelm-namespace-placeholder"
 labels:
- helm.sh/chart: cockroachdb-11.0.3
+ helm.sh/chart: cockroachdb-11.2.2
 app.kubernetes.io/name: cockroachdb
 app.kubernetes.io/instance: "cockroachdb"
 app.kubernetes.io/managed-by: "Helm"
diff --git a/cockroachdb/ystack/cockroachdb/templates/statefulset.yaml b/cockroachdb/ystack/cockroachdb/templates/statefulset.yaml
index db90f1b..3db3bf3 100644
--- a/cockroachdb/ystack/cockroachdb/templates/statefulset.yaml
+++ b/cockroachdb/ystack/cockroachdb/templates/statefulset.yaml
@@ -6,14 +6,14 @@ metadata:
 name: cockroachdb
 namespace: "unhelm-namespace-placeholder"
 labels:
- helm.sh/chart: cockroachdb-11.0.3
+ helm.sh/chart: cockroachdb-11.2.2
 app.kubernetes.io/name: cockroachdb
 app.kubernetes.io/instance: "cockroachdb"
 app.kubernetes.io/managed-by: "Helm"
 app.kubernetes.io/component: cockroachdb
 spec:
 serviceName: cockroachdb
- replicas: 3
+ replicas: 1
 updateStrategy:
 type: RollingUpdate
 podManagementPolicy: "Parallel"
@@ -29,6 +29,7 @@ spec:
 app.kubernetes.io/instance: "cockroachdb"
 app.kubernetes.io/component: cockroachdb
 spec:
+ serviceAccountName: default
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
@@ -54,7 +55,7 @@ spec:
 terminationGracePeriodSeconds: 60
 containers:
 - name: db
- image: "cockroachdb/cockroach:v23.1.4"
+ image: "cockroachdb/cockroach:v23.1.12"
 imagePullPolicy: "IfNotPresent"
 args:
 - shell
@@ -115,10 +116,24 @@ spec:
 initialDelaySeconds: 10
 periodSeconds: 5
 failureThreshold: 2
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
 volumes:
 - name: datadir
 persistentVolumeClaim:
 claimName: datadir
+ securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsUser: 1000
+ runAsNonRoot: true
 volumeClaimTemplates:
 - metadata:
 name: datadir
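Review bot: `readOnlyRootFilesystem: true` on the `db` container only works if every path CockroachDB writes to (the store, its logs and its temp directory) resolves inside the `datadir` volume; the volumeMounts and start arguments are outside this hunk, so verify that nothing defaults to a path under the image filesystem or the pod will crash-loop after the upgrade. If the previous revision ran as the image's default user, switching an existing deployment to `runAsUser: 1000` can leave files already written to the `datadir` PVC inaccessible to the new uid; `fsGroup: 1000` only changes group ownership on mount for volume types that support it, so check ownership on the existing claim before rolling this out. Declaring the pod-level `securityContext` after `volumes:` is valid but reads oddly; placing it with the other pod fields next to `serviceAccountName: default` would match the job.init.yaml layout.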
diff --git a/cockroachdb/ystack/cockroachdb/templates/tests/client.yaml b/cockroachdb/ystack/cockroachdb/templates/tests/client.yaml
index 0e5b435..4574b47 100644
--- a/cockroachdb/ystack/cockroachdb/templates/tests/client.yaml
+++ b/cockroachdb/ystack/cockroachdb/templates/tests/client.yaml
@@ -11,7 +11,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: client-test
- image: "cockroachdb/cockroach:v23.1.4"
+ image: "cockroachdb/cockroach:v23.1.12"
 imagePullPolicy: "IfNotPresent"
 command:
 - /cockroach/cockroach
diff --git a/cockroachdb/ystack/unhelm-namespace-placeholder.txt b/cockroachdb/ystack/unhelm-namespace-placeholder.txt
index 67590fd..f4800fb 100644
--- a/cockroachdb/ystack/unhelm-namespace-placeholder.txt
+++ b/cockroachdb/ystack/unhelm-namespace-placeholder.txt
@@ -10,7 +10,7 @@ Note the following instances of namespace strings that Kustomize won't replace
 value: cockroachdb.unhelm-namespace-placeholder.svc.cluster.local
 - name: COCKROACH_CHANNEL
 value: kubernetes-helm
- image: cockroachdb/cockroach:v23.1.4
+ image: cockroachdb/cockroach:v23.1.12
 imagePullPolicy: IfNotPresent
 livenessProbe:
 --
@@ -36,4 +36,4 @@ Note the following instances of namespace strings that Kustomize won't replace
 - "26257"
 - -e
 - SHOW DATABASES;
- image: cockroachdb/cockroach:v23.1.4
+ image: cockroachdb/cockroach:v23.1.12