diff --git a/cluster-manifests/cluster-baseline-settings/aad-pod-identity.yaml b/cluster-manifests/cluster-baseline-settings/aad-pod-identity.yaml
index 5f47d6a8..14eb62f1 100644
--- a/cluster-manifests/cluster-baseline-settings/aad-pod-identity.yaml
+++ b/cluster-manifests/cluster-baseline-settings/aad-pod-identity.yaml
@@ -1,6 +1,7 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
+  # https://raw.githubusercontent.com/Azure/aad-pod-identity/v1.8.11/deploy/infra/deployment-rbac.yaml
   annotations:
     api-approved.kubernetes.io: unapproved
     controller-gen.kubebuilder.io/version: v0.5.0
@@ -520,7 +521,7 @@ spec:
           type: FileOrCreate
       containers:
       - name: nmi
-        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.5"
+        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.11"
         args:
           - "--node=$(NODE_NAME)"
           - "--http-probe-port=8085"
@@ -590,12 +591,13 @@ spec:
       serviceAccountName: aad-pod-id-mic-service-account
       containers:
       - name: mic
-        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/mic:v1.8.5"
+        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/mic:v1.8.11"
         args:
           - "--cloudconfig=/etc/kubernetes/azure.json"
           - "--logtostderr"
         securityContext:
           runAsUser: 0
+          readOnlyRootFilesystem: true
         env:
         - name: MIC_POD_NAMESPACE
           valueFrom: