diff --git a/charts/openab/templates/deployment.yaml b/charts/openab/templates/deployment.yaml
index f1ab9b0b..2d2185c1 100644
--- a/charts/openab/templates/deployment.yaml
+++ b/charts/openab/templates/deployment.yaml
@@ -72,6 +72,8 @@ spec:
 mountPath: {{ $cfg.workingDir | default "/home/agent" }}/AGENTS.md
 subPath: AGENTS.md
 {{- end }}
+ - name: tmp
+ mountPath: /tmp
 {{- with $cfg.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -93,5 +95,7 @@ spec:
 persistentVolumeClaim:
 claimName: {{ include "openab.agentFullname" $d }}
 {{- end }}
+ - name: tmp
+ emptyDir: {}
 {{- end }}
 {{- end }}
diff --git a/charts/openab/values.yaml b/charts/openab/values.yaml
index 1f7c2134..79a17d11 100644
--- a/charts/openab/values.yaml
+++ b/charts/openab/values.yaml
@@ -9,9 +9,12 @@ podSecurityContext:
 runAsUser: 1000
 runAsGroup: 1000
 fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 containerSecurityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
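Review bot: The `tmp` volume added in the second deployment.yaml hunk is `emptyDir: {}` with no `sizeLimit`, so the one scratch path left writable under `readOnlyRootFilesystem: true` is bounded only by the node's ephemeral storage, unless an ephemeral-storage limit is set somewhere outside this diff. I would cap it, for example `emptyDir:` followed by `sizeLimit: 64Mi` (a constructed value), and ideally read the size from values.yaml so operators can tune it. The volumes list starts and ends outside the hunk, so it is not visible whether another rendered volume can already be named `tmp`; that is worth checking, since duplicate volume names are rejected by the API server.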
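Review bot: `readOnlyRootFilesystem: true` becomes the chart default in values.yaml, but the only writable mount this commit adds is `/tmp`. The second deployment.yaml hunk suggests the persistentVolumeClaim volume is rendered inside a conditional; if that conditional can be false, the working directory (default `/home/agent`) would presumably sit on the read-only root and writes there would fail at runtime. Either back the working directory with an emptyDir in that case or state the requirement next to the key, e.g. `# root filesystem is read-only; writable paths are /tmp and the mounted working directory`. Existing releases that override `containerSecurityContext` as a whole map will not pick up the new key, which is worth a line in the upgrade notes.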