diff --git a/Dockerfile b/Dockerfile
index b85f5a79..2c6a1cea 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,7 @@ COPY --from=report /usr/local/static-report /tmp/analysis/report
 RUN microdnf -y install \
 sqlite \
 && microdnf -y clean all
+RUN echo "hub:x:1001:0:hub:/:/sbin/nologin" >> /etc/passwd
 ENTRYPOINT ["/usr/local/bin/tackle-hub"]
 LABEL name="konveyor/tackle2-hub" \
diff --git a/settings/hub.go b/settings/hub.go
index 3cfb8427..176fc289 100644
--- a/settings/hub.go
+++ b/settings/hub.go
@@ -2,6 +2,7 @@ package settings
 import (
 "os"
+ "os/user"
 "strconv"
 "time"
 )
@@ -28,6 +29,7 @@ const (
 EnvTaskPreemptDelayed = "TASK_PREEMPT_DELAYED"
 EnvTaskPreemptPostponed = "TASK_PREEMPT_POSTPONED"
 EnvTaskPreemptRate = "TASK_PREEMPT_RATE"
+ EnvTaskUid = "TASK_UID"
 EnvFrequencyTask = "FREQUENCY_TASK"
 EnvFrequencyReaper = "FREQUENCY_REAPER"
 EnvDevelopment = "DEVELOPMENT"
@@ -94,6 +96,7 @@ type Hub struct {
 Failed int
 }
 }
+ UID int64
 }
 // Frequency
 Frequency struct {
@@ -257,6 +260,27 @@ func (r *Hub) Load() (err error) {
 } else {
 r.Task.Preemption.Rate = 10
 }
+ s, found = os.LookupEnv(EnvTaskUid)
+ if found {
+ var uid int64
+ uid, err = strconv.ParseInt(s, 10, 64)
+ if err != nil {
+ return
+ }
+ r.Task.UID = uid
+ } else {
+ var uid int64
+ var hubUser *user.User
+ hubUser, err = user.Current()
+ if err != nil {
+ return
+ }
+ uid, err = strconv.ParseInt(hubUser.Uid, 10, 64)
+ if err != nil {
+ return
+ }
+ r.Task.UID = uid
+ }
 s, found = os.LookupEnv(EnvDevelopment)
 if found {
 b, _ := strconv.ParseBool(s)
diff --git a/task/manager.go b/task/manager.go
index c939c3d0..9152570b 100644
--- a/task/manager.go
+++ b/task/manager.go
@@ -1699,6 +1699,7 @@ func (r *Task) containers(
 },
 },
 }
+ uid := Settings.Hub.Task.UID
 plain = append(plain, addon.Spec.Container)
 plain[0].Name = "addon"
 for i := range extensions {
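Review bot: The appended passwd entry names uid 1001 with primary group 0, but no `USER 1001` instruction follows it, so the image still starts as whatever user the base image or the cluster assigns and the entry only takes effect if that user happens to be 1001. If the hub is meant to run as this user, add `USER 1001` after the RUN line so the default uid matches; if the cluster assigns an arbitrary uid, that uid will not match this entry and the uid fallback in settings/hub.go still has to cope with an unresolvable user. A one-line comment stating the purpose would help the next reader, e.g. `# named passwd entry so os/user can resolve the uid the hub runs as` (hedged: that appears to be what the settings change relies on).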
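Review bot: `EnvTaskUid` on the added const line uses a different casing from the `UID` field it feeds in the Hub struct; Go keeps initialisms in one case, so `EnvTaskUID = "TASK_UID"` would match the field and the neighbouring `EnvTaskPreempt*` style. The constant is exported, so any other callers would need the same rename.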
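Review bot: The else branch depends on `user.Current()`, which needs the running uid to be resolvable (presumably what the Dockerfile passwd entry is for) and otherwise fails Load(); `os.Getuid()` yields the same uid as a plain int with no lookup and no string parsing, so the branch collapses to `r.Task.UID = int64(os.Getuid())` and the `os/user` import is no longer needed. The explicit branch accepts any int64, including negative values, which Kubernetes only rejects in `RunAsUser` when the pod is created; parsing with `strconv.ParseUint(s, 10, 32)` rejects them at load time without adding an import. When the hub itself runs as uid 0 the fallback pins every addon container to `RunAsUser: 0`, which is worth logging or refusing rather than passing through silently. Load() starts and ends outside this hunk.
```go
	s, found = os.LookupEnv(EnvTaskUid)
	if found {
		// Linux uids are 32-bit and non-negative; ParseUint rejects both
		// negative values and out-of-range numbers here instead of at pod creation.
		var uid uint64
		uid, err = strconv.ParseUint(s, 10, 32)
		if err != nil {
			return
		}
		r.Task.UID = int64(uid)
	} else {
		// Default to the uid the hub process runs as; needs no passwd entry.
		r.Task.UID = int64(os.Getuid())
	}
	// … unchanged: EnvDevelopment handling …
```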
@@ -1714,6 +1715,9 @@ func (r *Task) containers(
 container := &plain[i]
 injector.Inject(container)
 r.propagateEnv(&plain[0], container)
+ container.SecurityContext = &core.SecurityContext{
+ RunAsUser: &uid,
+ }
 container.VolumeMounts = append(
 container.VolumeMounts,
 core.VolumeMount{
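Review bot: The assignment on the `container.SecurityContext =` line replaces whatever SecurityContext the addon or extension container already carried from its spec, so other settings declared there (dropped capabilities, read-only root filesystem, the privilege-escalation flag) are silently lost; create the struct only when it is nil and set `RunAsUser` on it. Since the uid is now pinned, consider also setting `RunAsNonRoot` to true when uid is non-zero so the kubelet enforces the intent, unless some addon genuinely needs root. `&uid` points at one local shared by every container, which is harmless as long as nothing mutates it afterwards. containers() starts and ends outside this hunk.
```go
		r.propagateEnv(&plain[0], container)
		// Keep any security settings the addon/extension spec already set;
		// only pin the user id.
		if container.SecurityContext == nil {
			container.SecurityContext = &core.SecurityContext{}
		}
		container.SecurityContext.RunAsUser = &uid
		// … unchanged: volume mounts …
```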