diff --git a/deploy/deploy.yaml b/deploy/deploy.yaml
index 2ff2e46..5ccbab2 100644
--- a/deploy/deploy.yaml
+++ b/deploy/deploy.yaml
@@ -20,6 +20,12 @@ spec:
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
+ runAsNonRoot: true
+ fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
+ automountServiceAccountToken: false
+ terminationGracePeriodSeconds: 3
 containers:
 - image: noaas
 imagePullPolicy: IfNotPresent
@@ -31,6 +37,8 @@ spec:
 httpGet:
 path: /health
 port: 3000
+ initialDelaySeconds: 15
+ periodSeconds: 20
 resources:
 limits:
 cpu: 1
@@ -45,3 +53,10 @@ spec:
 - all
 privileged: false
 readOnlyRootFilesystem: true
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app: noaas
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 926c4d8..2c69bf3 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - service.yaml
 - ingress.yaml
 - netpol.yaml
+- pdb.yaml
 images:
 - name: noaas
 newName: /library/no-as-a-service
diff --git a/deploy/pdb.yaml b/deploy/pdb.yaml
new file mode 100644
index 0000000..4e81c40
--- /dev/null
+++ b/deploy/pdb.yaml
@@ -0,0 +1,9 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: noaas-pdb
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: noaas
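Review bot: In the first deploy/deploy.yaml hunk, `terminationGracePeriodSeconds: 3` leaves the container only three seconds between SIGTERM and SIGKILL, so requests still in flight during a rollout or node drain can be cut off. Whether the service shuts down that quickly is not visible in this diff. Either raise the value or record the reasoning next to it, for example `# app exits on SIGTERM well under 3s; short grace period is intentional`. The pod spec continues outside the hunk.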
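Review bot: The probe tuned in the second deploy/deploy.yaml hunk leaves `timeoutSeconds` and `failureThreshold` at their defaults, so with `periodSeconds: 20` a hung container is acted on only after about three failed checks, roughly a minute. If that detection window is intended, say so in a comment above the probe; otherwise set both fields explicitly, for example `timeoutSeconds: 2` and `failureThreshold: 3`. The probe's key (liveness or readiness) lies above the hunk, so which behaviour this affects cannot be told from here.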
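Review bot: The context line `- all` just above the added `topologySpreadConstraints` in the third deploy/deploy.yaml hunk looks like the container's capability drop list, and it is spelled in lower case. Container runtimes tend to accept that spelling, but Pod Security Admission's `restricted` profile, which the `runAsNonRoot` and `seccompProfile` additions in the first hunk appear to aim for, matches the literal `ALL` as far as I know; change the entry to `- ALL`. The container `securityContext` starts above the hunk, so also confirm it sets `allowPrivilegeEscalation: false`, which the same profile requires.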
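Review bot: `minAvailable: 1` in deploy/pdb.yaml permits no voluntary eviction at all if the Deployment runs a single replica, which blocks node drains and cluster upgrades until the pod is deleted by hand. The replica count is not part of this diff; if it is 1, either raise `replicas` to at least 2 or express the budget as `maxUnavailable: 1`. The `topologySpreadConstraints` added in deploy.yaml likewise only has an effect once there is more than one pod to spread.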