diff --git a/cost-analyzer/charts/grafana/templates/deployment.yaml b/cost-analyzer/charts/grafana/templates/deployment.yaml
index 4c1218a..68f5530 100644
--- a/cost-analyzer/charts/grafana/templates/deployment.yaml
+++ b/cost-analyzer/charts/grafana/templates/deployment.yaml
@@ -23,7 +23,7 @@ spec:
 type: {{ .Values.deploymentStrategy }}
 {{- if ne .Values.deploymentStrategy "RollingUpdate" }}
 rollingUpdate: null
- {{- end }}
+ {{- end }}
 template:
 metadata:
 labels:
@@ -76,6 +76,9 @@ spec:
 containers:
 {{- if .Values.sidecar.dashboards.enabled }}
 - name: {{ template "grafana.name" . }}-sc-dashboard
+ {{- if .Values.sidecar.containerSecurityContext }}
+ {{- toYaml .Values.sidecar.containerSecurityContext | nindent 10 }}
+ {{- end }}
 image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}"
 imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }}
 env:
@@ -93,6 +96,9 @@ spec:
 {{- end}}
 {{- if .Values.sidecar.datasources.enabled }}
 - name: {{ template "grafana.name" . }}-sc-datasources
+ {{- if .Values.sidecar.containerSecurityContext }}
+ {{- toYaml .Values.sidecar.containerSecurityContext | nindent 10 }}
+ {{- end }}
 image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}"
 imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }}
 env:
@@ -110,6 +116,9 @@ spec:
 {{- end}}
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ {{- if .Values.grafana.containerSecurityContext }}
+ {{- toYaml .Values.grafana.containerSecurityContext | nindent 10 }}
+ {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 volumeMounts:
 - name: config
diff --git a/cost-analyzer/charts/prometheus/templates/server-deployment.yaml b/cost-analyzer/charts/prometheus/templates/server-deployment.yaml
index 6e0f951..b8c0876 100644
--- a/cost-analyzer/charts/prometheus/templates/server-deployment.yaml
+++ b/cost-analyzer/charts/prometheus/templates/server-deployment.yaml
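Review bot: The three lines added after `- name: {{ template "grafana.name" . }}-sc-dashboard` splice the contents of `.Values.sidecar.containerSecurityContext` directly into the container spec with no `securityContext:` key, so unless that value is already shaped as `securityContext: {...}` in values.yaml (not visible here), fields such as `allowPrivilegeEscalation` land at the container level and are rejected by the API server instead of being enforced. The same pattern is repeated in the -93 and -110 hunks of this file and in the -48 hunk of server-deployment.yaml, while the -129 hunk of that file shows the safer form: `{{- with .Values.sidecar.containerSecurityContext }}`, `securityContext:` at nindent 10, then `{{- toYaml . | nindent 12 }}` and `{{- end }}`. In the -110 hunk the lookup is `.Values.grafana.containerSecurityContext`; if this template renders as the grafana subchart, `.Values` is already that chart's section and the key would have to be nested under a second `grafana:` level, which is worth confirming against the values file. Each container block continues past its hunk.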
@@ -48,6 +48,9 @@ spec:
 {{- if .Values.configmapReload.prometheus.enabled }}
 - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }}
 image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}"
+ {{- if .Values.configmapReload.containerSecurityContext }}
+ {{- toYaml .Values.configmapReload.containerSecurityContext | nindent 10 }}
+ {{- end }}
 imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}"
 args:
 - --volume-dir=/etc/config
@@ -129,7 +132,7 @@ spec:
 failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }}
 successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }}
 resources:
-{{ toYaml .Values.server.resources | indent 12 }}
+ {{ toYaml .Values.server.resources | indent 12 }}
 {{- with .Values.server.containerSecurityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
diff --git a/cost-analyzer/values-thanos.yaml b/cost-analyzer/values-thanos.yaml
index a1dd98b..6642a15 100644
--- a/cost-analyzer/values-thanos.yaml
+++ b/cost-analyzer/values-thanos.yaml
@@ -7,7 +7,7 @@ global:
 # will greatly assist in reduction memory bloat in query.
 kubecostModel:
 maxQueryConcurrency: 5
- # This configuration is applied to thanos only. Expresses the resolution to
+ # This configuration is applied to thanos only. Expresses the resolution to
 # use for longer query ranges. Options: raw, 5m, 1h - Default: raw
 maxSourceResolution: 5m
@@ -30,8 +30,14 @@ prometheus:
 - name: thanos-sidecar
 image: thanosio/thanos:v0.29.0
 securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
- runAsUser: 1001
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 args:
 - sidecar
 - --log.level=debug
@@ -62,7 +68,7 @@ prometheus:
 subPath: ""
 - name: object-store-volume
 mountPath: /etc/config
-
+
 thanos:
 store:
 enabled: true
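Review bot: The re-indented `{{ toYaml .Values.server.resources | indent 12 }}` line now has leading whitespace before the action while still using `indent` rather than `nindent`, so the first rendered line of the resources map receives that whitespace plus 12 spaces while every following line receives only 12; any non-empty `resources` map then fails YAML parsing at render time. The old column-0 placement was what made `indent 12` correct. Either restore the column-0 line or move to the form used three lines below in the same hunk, i.e. `resources:` followed by `{{- toYaml .Values.server.resources | nindent 12 }}`. The container block continues outside the hunk.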
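Review bot: Removing `runAsUser: 1001` while keeping `runAsNonRoot: true` makes the thanos-sidecar container's non-root guarantee depend on the image's USER directive; if `thanosio/thanos:v0.29.0` runs as root or declares a non-numeric user, the kubelet refuses to start the container at runtime rather than at `helm install`. Unless a pod-level securityContext outside this hunk sets `runAsUser`, keeping `runAsUser: 1001` next to the added `allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `seccompProfile` and `capabilities` fields preserves the previous behaviour. `readOnlyRootFilesystem: true` is also new here, so any path the sidecar writes must be backed by a mount; only the `/etc/config` object-store mount is visible in this diff. The container definition continues past the hunk.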
@@ -73,10 +79,10 @@ thanos:
 value: "100"
 - name: GODEBUG
 value: "madvdontneed=1"
- resources:
+ resources:
 requests:
 memory: "2.5Gi"
- query:
+ query:
 enabled: true
 timeout: 3m
 # Maximum number of queries processed concurrently by query node.
@@ -99,7 +105,7 @@ thanos:
 compressResponses: true
 # Downstream Tripper Configuration
 downstreamTripper:
- enabled: true
+ enabled: true
 idleConnectionTimeout: 90s
 responseHeaderTimeout: 2m
 tlsHandshakeTimeout: 10s
@@ -108,10 +114,10 @@ thanos:
 maxIdleConnectionsPerHost: 100
 maxConnectionsPerHost: 0
 # Response Cache Configuration
- # Configure either a max size constraint or max items.
+ # Configure either a max size constraint or max items.
 responseCache:
 enabled: true
- # Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB) may be applied.
+ # Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB) may be applied.
 maxSize: 1.25GB
 # Maximum number of entries in the cache.
 maxSizeItems: 0
@@ -128,7 +134,7 @@ thanos:
 # Thanos Sidecar Service Discovery
 # Disabling removes the prometheus sidecar from querier store discovery. This ensures
- # that all clusters read from the same data in remote store.
+ # that all clusters read from the same data in remote store.
 sidecar:
 enabled: true
 bucket: