diff --git a/.ko.yaml b/.ko.yaml
new file mode 100644
index 00000000000..b1075a3cd32
--- /dev/null
+++ b/.ko.yaml
@@ -0,0 +1,2 @@
+# Use :nonroot base image for all containers
+defaultBaseImage: gcr.io/distroless/static:nonroot
diff --git a/config/channels/in-memory-channel/500-controller.yaml b/config/channels/in-memory-channel/500-controller.yaml
index a47a1544f9f..fae0357446a 100644
--- a/config/channels/in-memory-channel/500-controller.yaml
+++ b/config/channels/in-memory-channel/500-controller.yaml
@@ -33,6 +33,7 @@ spec: containers: - name: controller image: knative.dev/eventing/cmd/in_memory/channel_controller + env: - name: CONFIG_LOGGING_NAME value: config-logging
@@ -44,13 +45,12 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + + securityContext: + allowPrivilegeEscalation: false + ports: - - containerPort: 9090 - name: metrics - volumeMounts: - - name: config-logging - mountPath: /etc/config-logging - volumes: - - name: config-logging - configMap: - name: config-logging + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008
diff --git a/config/core/deployments/controller.yaml b/config/core/deployments/controller.yaml
index 5fb89d48175..280be1ad0a8 100644
--- a/config/core/deployments/controller.yaml
+++ b/config/core/deployments/controller.yaml
@@ -59,6 +59,9 @@ spec: - name: BROKER_IMAGE_PULL_SECRET_NAME value: + securityContext: + allowPrivilegeEscalation: false + ports: - name: metrics containerPort: 9090
diff --git a/config/core/deployments/sources-controller.yaml b/config/core/deployments/sources-controller.yaml
index 1bf2fb13c25..123853cd580 100644
--- a/config/core/deployments/sources-controller.yaml
+++ b/config/core/deployments/sources-controller.yaml
@@ -62,6 +62,9 @@ spec: # that is containerized and substituted here. value: knative.dev/eventing/cmd/apiserver_receive_adapter + securityContext: + allowPrivilegeEscalation: false + ports: - name: metrics containerPort: 9090
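Review bot: `defaultBaseImage` in the new `.ko.yaml` names the base image by the mutable `:nonroot` tag, so each ko build picks up whatever that tag points at on the day, and two builds of the same commit can differ. Pinning by digest keeps the build reproducible and auditable, e.g. `defaultBaseImage: gcr.io/distroless/static:nonroot@sha256:<digest-placeholder>`, with the tag kept in the comment for readability. The comment could also say that the deployments in this commit rely on this image to run as a non-root UID, since none of their manifests set `runAsNonRoot`, so a later change of base image would silently lose that property.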
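Review bot: The securityContext added before `ports` in the second hunk of config/channels/in-memory-channel/500-controller.yaml only sets `allowPrivilegeEscalation: false`, so nothing in the pod spec enforces the non-root user that the `.ko.yaml` base image is meant to provide; `runAsNonRoot: true` makes the kubelet refuse to start the container as UID 0 if the image ever changes, and dropping all capabilities removes what a controller does not need. The same minimal block is added in config/core/deployments/controller.yaml, sources-controller.yaml and webhook.yaml and should get the same fields. This hunk also removes the config-logging volume and volumeMount while the `CONFIG_LOGGING_NAME` env var in the previous hunk stays; presumably the controller now reads that ConfigMap through the API rather than from /etc/config-logging, which should be confirmed before the mount goes. The newly declared `profiling` port 8008 is only a container port, but check that the handler behind it is disabled unless explicitly enabled, since it sits next to metrics in a Deployment that is reachable from inside the cluster.
```yaml
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
        # … unchanged: ports list (metrics, profiling) …
```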
diff --git a/config/core/deployments/webhook.yaml b/config/core/deployments/webhook.yaml
index 7a731353dbf..845100edd13 100644
--- a/config/core/deployments/webhook.yaml
+++ b/config/core/deployments/webhook.yaml
@@ -61,6 +61,9 @@ spec: - name: WEBHOOK_NAME value: eventing-webhook + securityContext: + allowPrivilegeEscalation: false + ports: - name: https-webhook containerPort: 8443