diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml
index c1a40770b2..be72fde151 100644
--- a/glance/templates/job-bootstrap.yaml
+++ b/glance/templates/job-bootstrap.yaml
@@ -56,9 +56,11 @@ spec:
             - name: glance-bin
               mountPath: /tmp/bootstrap.sh
               subPath: bootstrap.sh
+              readOnly: true
             - name: glance-etc
               mountPath: /etc/glance/glance-api.conf
               subPath: glance-api.conf
+              readOnly: true
       volumes:
         - name: imagedir
           emptyDir: {}
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index 3fa464e343..983dfbcad0 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -68,12 +68,15 @@ spec:
             - name: startsh
               mountPath: /tmp/start.sh
               subPath: start.sh
+              readOnly: true
             - name: horizon-etc
               mountPath: /etc/apache2/sites-enabled/000-default.conf
               subPath: horizon.conf
+              readOnly: true
             - name: horizon-etc
               mountPath: /etc/openstack-dashboard/local_settings
               subPath: local_settings
+              readOnly: true
 {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
           securityContext:
             runAsUser: 0
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index 0311e7905c..d1ca94da54 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -85,21 +85,27 @@ spec:
             - name: mariadb-bin
               mountPath: /tmp/readiness.sh
               subPath: readiness.sh
+              readOnly: true
             - name: mariadb-bin
               mountPath: /tmp/start.sh
               subPath: start.sh
+              readOnly: true
             - name: mariadb-etc
               mountPath: /etc/mysql/my.cnf
+              readOnly: true
               subPath: my.cnf
             - name: mariadb-etc
               mountPath: /etc/mysql/conf.d/00-base.cnf
               subPath: 00-base.cnf
+              readOnly: true
             - name: mariadb-etc
               mountPath: /etc/mysql/conf.d/20-override.cnf
               subPath: 20-override.cnf
+              readOnly: true
             - name: mariadb-etc
               mountPath: /etc/mysql/conf.d/99-force.cnf
               subPath: 99-force.cnf
+              readOnly: true
             - name: mysql-data
               mountPath: /var/lib/mysql
       volumes:
diff --git a/mistral/templates/job-db-sync.yaml b/mistral/templates/job-db-sync.yaml
index cd11967547..2a17fd99cc 100644
--- a/mistral/templates/job-db-sync.yaml
+++ b/mistral/templates/job-db-sync.yaml
@@ -56,6 +56,7 @@ spec:
             - name: mistral-bin
               mountPath: /tmp/db-sync.sh
               subPath: db-sync.sh
+              readOnly: true
       volumes:
         - name: pod-etc-mistral
           emptyDir: {}
diff --git a/rabbitmq/templates/deployment.yaml b/rabbitmq/templates/deployment.yaml
index 07f4aef759..03061fe0fe 100644
--- a/rabbitmq/templates/deployment.yaml
+++ b/rabbitmq/templates/deployment.yaml
@@ -108,12 +108,16 @@ spec:
             - name: rabbitmq-etc
               mountPath: /etc/rabbitmq/enabled_plugins
               subPath: enabled_plugins
+              readOnly: true
             - name: rabbitmq-etc
               mountPath: /etc/rabbitmq/erlang.cookie
               subPath: erlang.cookie
+              readOnly: true
             - name: rabbitmq-etc
               mountPath: /etc/rabbitmq/rabbitmq-env.conf
               subPath: rabbitmq-env.conf
+              readOnly: true
             - name: rabbitmq-etc
               mountPath: /etc/rabbitmq/rabbitmq.config
               subPath: rabbitmq.config
+              readOnly: true