diff --git a/tutor/templates/k8s/deployments.yml b/tutor/templates/k8s/deployments.yml
index 2c39804b7c0b80e5425c4022f97ba0f5d7b1489b..853cc720640abb833fdc3b7dc782cd4d982f07c4 100644
--- a/tutor/templates/k8s/deployments.yml
+++ b/tutor/templates/k8s/deployments.yml
@@ -238,6 +238,11 @@ spec:
           volumeMounts:
             - mountPath: /usr/share/elasticsearch/data
               name: data
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 105
+        runAsGroup: 108
+        fsGroup: 108
       volumes:
         - name: data
           persistentVolumeClaim:
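Review bot: The added pod-level `securityContext` pins the user and group but leaves privilege escalation and Linux capabilities at their defaults, so a setuid binary inside the image could still regain root in the container. Consider a container-level block next to `volumeMounts`, `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`, after checking that the service still starts with it. The same gap applies to the memcached, mongodb, mysql and rabbitmq hunks below. The container spec begins above this hunk, so an existing container-level context cannot be ruled out from here.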
@@ -266,6 +271,11 @@ spec:
           image: {{ DOCKER_REGISTRY }}{{ DOCKER_IMAGE_MEMCACHED }}
           ports:
             - containerPort: 11211
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
 {% endif %}
 {% if ACTIVATE_MONGODB %}
 ---
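Review bot: `runAsUser: 999` is hard-coded while the image on the first line of this hunk is configurable through `DOCKER_IMAGE_MEMCACHED`, so overriding the image with one that defines a different account leaves the pod running under a uid the image does not know. A comment above the block would record the coupling, e.g. `# uid/gid must match the user defined in DOCKER_IMAGE_MEMCACHED`. `fsGroup: 999` also appears to have no effect here, since no volume is visible for this pod in the hunk. The other four hunks in this file hard-code their ids the same way, and presumably their images are templated too.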
@@ -296,7 +306,11 @@ spec:
           volumeMounts:
             - mountPath: /data/db
               name: data
-
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
       volumes:
         - name: data
           persistentVolumeClaim:
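Review bot: `fsGroup: 999` on a pod that mounts a persistent volume makes the kubelet change group ownership of the volume contents recursively at mount time, which can delay startup noticeably on a large `/data/db`. On clusters that support it, `fsGroupChangePolicy: OnRootMismatch` in the same block skips the walk when the volume root already has the expected ownership. Deployments upgraded from pods that previously ran as the image's default user should confirm the existing data is readable by uid 999 before rollout. The elasticsearch, mysql and rabbitmq hunks mount persistent volumes the same way.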
@@ -344,6 +358,11 @@ spec:
               name: data
             - mountPath: /etc/mysql
               name: mysql-cnf
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
       volumes:
         - name: data
           persistentVolumeClaim:
@@ -465,6 +484,11 @@ spec:
           volumeMounts:
             - mountPath: /var/lib/rabbitmq
               name: data
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 100
+        runAsGroup: 101
+        fsGroup: 101
       volumes:
         - name: data
           persistentVolumeClaim:
diff --git a/tutor/templates/k8s/services.yml b/tutor/templates/k8s/services.yml
index 6aded5e43a97ce693120d16d9d6ccf1b0d4986ab..0380e269c2e880b4d24f5daf2158ca492e4791a2 100644
--- a/tutor/templates/k8s/services.yml
+++ b/tutor/templates/k8s/services.yml
@@ -4,7 +4,7 @@ kind: Service
 metadata:
   name: cms
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 8000
       protocol: TCP
@@ -17,7 +17,7 @@ kind: Service
 metadata:
   name: forum
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 4567
       protocol: TCP
@@ -30,7 +30,7 @@ kind: Service
 metadata:
   name: lms
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 8000
       protocol: TCP
@@ -43,7 +43,7 @@ kind: Service
 metadata:
   name: elasticsearch
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 9200
       protocol: TCP
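Review bot: `ClusterIP` removes the node-port exposure, but port 9200 stays reachable from every pod in the cluster and nothing in this diff restricts that. If the service runs without authentication, a NetworkPolicy limiting ingress to the pods that need it would complete the change. The same holds for the memcached, mongodb, mysql and rabbitmq services in the hunks below. At minimum, a comment such as `# in-cluster only; access is not restricted by a NetworkPolicy` above `type:` would record the remaining exposure.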
@@ -57,7 +57,7 @@ kind: Service
 metadata:
   name: memcached
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 11211
       protocol: TCP
@@ -71,7 +71,7 @@ kind: Service
 metadata:
   name: mongodb
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 27017
       protocol: TCP
@@ -85,7 +85,7 @@ kind: Service
 metadata:
   name: mysql
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 3306
       protocol: TCP
@@ -98,7 +98,7 @@ kind: Service
 metadata:
   name: nginx
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 80
       name: http
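Review bot: With the nginx Service switched to `ClusterIP`, nothing visible in this diff routes external traffic to the platform any more. If an Ingress or LoadBalancer is expected to front it, that dependency should be stated where operators will see it, for example `# ClusterIP only: external access must come from an Ingress or LoadBalancer defined elsewhere` above `type:`. Existing installs that relied on the node port will lose access on upgrade, so a release note would also help.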
@@ -113,7 +113,7 @@ kind: Service
 metadata:
   name: rabbitmq
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 5672
       protocol: TCP
@@ -127,11 +127,11 @@ kind: Service
 metadata:
   name: smtp
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
     - port: 25
       protocol: TCP
   selector:
     app.kubernetes.io/name: smtp
 {% endif %}
-{{ patch("k8s-services") }}
\ No newline at end of file
+{{ patch("k8s-services") }}