diff --git a/.ci/lib.sh b/.ci/lib.sh
index 14d6d0776..6de2dee64 100755
--- a/.ci/lib.sh
+++ b/.ci/lib.sh
@@ -6,6 +6,14 @@
 # SPDX-License-Identifier: Apache-2.0
 #
+# Ensure GOPATH set
+if command -v go > /dev/null; then
+ export GOPATH=${GOPATH:-$(go env GOPATH)}
+else
+ # if go isn't installed, set default location for GOPATH
+ export GOPATH="${GOPATH:-$HOME/go}"
+fi
+
 export KATA_KSM_THROTTLER=${KATA_KSM_THROTTLER:-no}
 export KATA_QEMU_DESTDIR=${KATA_QEMU_DESTDIR:-"/usr"}
 export KATA_ETC_CONFIG_PATH="/etc/kata-containers/configuration.toml"
@@ -36,14 +44,6 @@ export KATA_NET_TIMEOUT=30
 source /etc/os-release || source /usr/lib/os-release
-# Ensure GOPATH set
-if command -v go > /dev/null; then
- export GOPATH=${GOPATH:-$(go env GOPATH)}
-else
- # if go isn't installed, set default location for GOPATH
- export GOPATH="${GOPATH:-$HOME/go}"
-fi
-
 # Support Golang 1.16.x.
 # By default in Golang >= 1.16 GO111MODULE is set to "on",
 # some subprojects in this repo may not support "go modules",
diff --git a/.ci/openshift-ci/smoke/http-server.yaml b/.ci/openshift-ci/smoke/http-server.yaml
index b10b82ff5..ce73ad9ff 100644
--- a/.ci/openshift-ci/smoke/http-server.yaml
+++ b/.ci/openshift-ci/smoke/http-server.yaml
@@ -18,4 +18,13 @@ spec:
 - containerPort: 8080
 command: ["python3"]
 args: [ "-m", "http.server", "8080"]
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 runtimeClassName: kata-qemu
diff --git a/VERSION b/VERSION
index bb48c8b0a..2f290ae1b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.2.0-alpha3
+3.2.0-rc0
diff --git a/kata-webhook/deploy/webhook.yaml b/kata-webhook/deploy/webhook.yaml
index c54b4bc90..07e8a57a2 100644
--- a/kata-webhook/deploy/webhook.yaml
+++ b/kata-webhook/deploy/webhook.yaml
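Review bot: In the moved block, `export GOPATH=${GOPATH:-$(go env GOPATH)}` still hides a failing `go env GOPATH`: `export` returns 0 whatever the substitution's status, so a present-but-broken toolchain leaves GOPATH exported as the empty string and any later `${GOPATH}/...` path would resolve under `/` instead of failing. The same line is also unquoted while the `else` branch quotes its assignment. Split the assignment from the export so the status is visible: `GOPATH=${GOPATH:-$(go env GOPATH)}` on its own line, then `[ -n "$GOPATH" ] || { echo "GOPATH could not be determined" >&2; return 1; }` (or whatever error helper this library already defines — lib.sh appears to be sourced, so `return` rather than `exit`), followed by `export GOPATH`. The second hunk only removes the old copy of this block, so the fix belongs here alone.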
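Review bot: The new container `securityContext` in http-server.yaml stops short of `readOnlyRootFilesystem: true`, which `python3 -m http.server 8080` can run under because it only reads the directory it serves (Python silently skips writing bytecode caches on a read-only filesystem). The same nine lines are added verbatim in kata-webhook/deploy/webhook.yaml and in the heredoc in kata-webhook/webhook-check.sh, where the probe container only runs `echo`, so both would take the setting too; for the webhook container itself I cannot tell from its hunk whether it writes anything, so give it an `emptyDir` if it does. Add `readOnlyRootFilesystem: true` under `securityContext:` in each. Since the block is repeated in three files, a one-line comment above each copy naming the other two would help keep them from drifting.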
@@ -41,6 +41,15 @@ spec:
 requests:
 cpu: "100m"
 memory: "250Mi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: webhook-certs
 secret:
diff --git a/kata-webhook/webhook-check.sh b/kata-webhook/webhook-check.sh
index c5b05feac..2341442ff 100755
--- a/kata-webhook/webhook-check.sh
+++ b/kata-webhook/webhook-check.sh
@@ -57,6 +57,15 @@ check_working() {
 image: quay.io/prometheus/busybox:latest
 command: ["echo", "Hello Webhook"]
 imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 EOF
 local class_name=$(kubectl get -n ${WEBHOOK_NS} \
 -o jsonpath='{.spec.runtimeClassName}' pod/${hello_pod})
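Review bot: With `drop: [ALL]` and `runAsUser: 1000` the webhook process can no longer bind a privileged port, and the container's port and command are outside this hunk; if the server listens on 443 (common for admission webhooks behind a Service), the pod will crash-loop with a permission error on bind. Confirm the container listens on a port >= 1024, or add `add: [NET_BIND_SERVICE]` next to the `drop:` under `capabilities:`. The `webhook-certs` secret also has to be readable by uid 1000 — the default secret file mode is world-readable, but if this manifest sets `defaultMode` to an owner-only value elsewhere, the key will not open for the non-root user.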