diff --git a/config/controller.yaml b/config/controller.yaml
index dad4866396b..4e70e1c4a53 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -112,6 +112,7 @@ spec:
           value: tekton.dev/pipeline
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - "ALL"
diff --git a/config/events.yaml b/config/events.yaml
index 088c0e28c15..03914c8a346 100644
--- a/config/events.yaml
+++ b/config/events.yaml
@@ -90,6 +90,7 @@ spec:
           value: /etc/ssl/certs
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - "ALL"
diff --git a/config/webhook.yaml b/config/webhook.yaml
index 41922fa1c1b..e80a5bc93df 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -126,6 +126,7 @@ spec:
           value: tekton.dev/pipeline
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - "ALL"