diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index 6a827ce89a0..adf059dfce6 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -88,6 +88,7 @@ spec:
 spec:
 priorityClassName: system-cluster-critical
 securityContext:
+ runAsNonRoot: true
 supplementalGroups: [ 65534 ]
 fsGroup: 65534
 tolerations:
@@ -150,6 +151,11 @@ spec:
 volumeMounts:
 - name: kube-dns-config
 mountPath: /kube-dns-config
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
 - name: dnsmasq
 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
 livenessProbe:
@@ -190,6 +196,16 @@ spec:
 volumeMounts:
 - name: kube-dns-config
 mountPath: /etc/k8s/dns/dnsmasq-nanny
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_BIND_SERVICE
+ - SETGID
 - name: sidecar
 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
 livenessProbe:
@@ -214,5 +230,10 @@ spec:
 requests:
 memory: 20Mi
 cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
 dnsPolicy: Default # Don't use cluster DNS.
 serviceAccountName: kube-dns
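Review bot: `runAsGroup: 2001` on the kubedns container (and the identical block added to the sidecar container in the last hunk) is a feature-gated field — RunAsGroup was beta and default-on from Kubernetes 1.14 as far as I recall, so on a cluster with the gate off the field is dropped at admission and the process keeps the image's primary GID; verify the gate state for the releases this manifest targets, since the 1001/2001 pair is the only thing separating these two processes from the pod-level `fsGroup: 65534` / `supplementalGroups: [ 65534 ]` identity. The choice of 1001/2001 rather than the 65534 the pod section already uses is not explained anywhere in the hunk; a one-line comment above `runAsUser: 1001`, e.g. `# distinct unprivileged uid/gid for the kube-dns and sidecar processes; config volume access is granted via fsGroup 65534 — confirm intent`, would save the next maintainer a guess. Both container definitions start before and end after their hunks.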
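Review bot: The dnsmasq container's capability set looks incomplete: dnsmasq's default behaviour is to switch to an unprivileged user (`--user=nobody`) after binding, and that switch needs CAP_SETUID in addition to the SETGID added here, so unless the nanny launches dnsmasq with a user override the container will fail at startup with a capability error — confirm against the nanny's dnsmasq invocation before merging. `runAsNonRoot: false` overrides the pod-level `runAsNonRoot: true` added in the first hunk; that is presumably intentional because the image's default user is root and dnsmasq drops privileges itself, but it deserves a comment such as `# dnsmasq starts as root and drops privileges itself; this intentionally overrides the pod-level runAsNonRoot`. Likewise `readOnlyRootFilesystem: false` differs from the other two containers and the comment should name which path dnsmasq or the nanny needs to write. The documented spelling of the drop-all entry is `ALL`; lower-case `all` only works on runtimes that compare capability names case-insensitively, so `- ALL` avoids that dependency. The dnsmasq container definition starts before and ends after this hunk.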