diff --git a/kubernetes/README.md b/kubernetes/README.md
index ffe7544..8af4ffc 100644
--- a/kubernetes/README.md
+++ b/kubernetes/README.md
@@ -34,5 +34,5 @@ When you first log in with your admin credentials, you will be prompted to enter
 Otherwise, run this command to verify all users in the database:
 ```bash
-kubectl -n plausible exec deploy/plausible-db -- /bin/bash -c 'psql -U $POSTGRES_USER -d $POSTGRES_DB -c "UPDATE users SET email_verified = true;"'
+kubectl -n plausible exec statefulset/plausible-db -- /bin/bash -c 'psql -U $POSTGRES_USER -d $POSTGRES_DB -c "UPDATE users SET email_verified = true;"'
 ```
diff --git a/kubernetes/plausible-db.yaml b/kubernetes/plausible-db.yaml
index ff72387..f1353d1 100644
--- a/kubernetes/plausible-db.yaml
+++ b/kubernetes/plausible-db.yaml
@@ -42,6 +42,11 @@ spec:
 app.kubernetes.io/part-of: plausible
 spec:
 restartPolicy: Always
+ # see https://github.com/docker-library/postgres/blob/6bbf1c7b308d1c4288251d73c37f6caf75f8a3d4/14/buster/Dockerfile
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ fsGroup: 999
 containers:
 - name: plausible-db
 image: postgres:latest
diff --git a/kubernetes/plausible-events-db.yaml b/kubernetes/plausible-events-db.yaml
index 4f6b43c..086d16d 100644
--- a/kubernetes/plausible-events-db.yaml
+++ b/kubernetes/plausible-events-db.yaml
@@ -18,6 +18,36 @@ spec:
 app.kubernetes.io/component: database
 app.kubernetes.io/part-of: plausible
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: plausible-events-db-config
+data:
+ clickhouse-config.xml: |
+
+ warning
+ true
+
+
+
+
+
+
+
+
+
+ clickhouse-user-config.xml: |
+
+
+
+ 0
+ 0
+
+
+
+---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
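Review bot: The pod securityContext added after `restartPolicy: Always` fixes the UID/GID to 999 but omits `runAsNonRoot: true`, so nothing enforces the non-root invariant if `runAsUser` is later dropped, and the pod does not satisfy the "restricted" Pod Security Standard. Suggest adding `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` beside `fsGroup: 999`, plus `allowPrivilegeEscalation: false` at container level, as the plausible.yaml init container in this same commit already does; the ClickHouse (101) and Plausible (1000) pods patched here have the same gap. The comment pins the Dockerfile to a specific commit while the image on the next context line is `postgres:latest`, so UID 999 is only documented for that revision; pinning the image tag would make the two agree. One operational caveat, not visible in this hunk: `fsGroup` only changes the group of the volume root, so if PGDATA is the mount point itself the server will refuse to start on a root-owned directory — confirm PGDATA points at a subdirectory of the volume.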
@@ -42,6 +72,11 @@ spec:
 app.kubernetes.io/part-of: plausible
 spec:
 restartPolicy: Always
+ # see https://github.com/ClickHouse/ClickHouse/blob/master/docker/server/Dockerfile
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+ fsGroup: 101
 containers:
 - name: plausible-events-db
 image: yandex/clickhouse-server:latest
@@ -51,6 +86,14 @@ spec:
 volumeMounts:
 - name: data
 mountPath: /var/lib/clickhouse
+ - name: config
+ mountPath: /etc/clickhouse-server/config.d/logging.xml
+ subPath: clickhouse-config.xml
+ readOnly: true
+ - name: config
+ mountPath: /etc/clickhouse-server/users.d/logging.xml"
+ subPath: clickhouse-user-config.xml
+ readOnly: true
 env:
 - name: CLICKHOUSE_DB
 value: plausible
@@ -87,6 +130,10 @@ spec:
 initialDelaySeconds: 30
 failureThreshold: 3
 periodSeconds: 10
+ volumes:
+ - name: config
+ configMap:
+ name: plausible-events-db-config
 volumeClaimTemplates:
 - metadata:
 name: data
diff --git a/kubernetes/plausible.yaml b/kubernetes/plausible.yaml
index 434eb0c..952cb6d 100644
--- a/kubernetes/plausible.yaml
+++ b/kubernetes/plausible.yaml
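Review bot: The provenance comment for UID 101 points at `blob/master/docker/server/Dockerfile`, which can change under the link, whereas the postgres manifest in this commit pins its Dockerfile to a commit hash. Pin this one the same way so the UID/GID can be re-verified against the exact revision it was read from, and record the image tag the numbers were checked against, since the image on the context line below is `yandex/clickhouse-server:latest`.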
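Review bot: The second config mount has a stray double quote at the end of its path, `mountPath: /etc/clickhouse-server/users.d/logging.xml"`; YAML accepts the `"` as part of the plain scalar, so the file is mounted as `logging.xml"`, and as far as I know ClickHouse only includes `users.d/*.xml`, so the user-level overrides in `clickhouse-user-config.xml` would silently never apply. Change it to `mountPath: /etc/clickhouse-server/users.d/logging.xml`. Because both files are mounted via `subPath`, later edits to the ConfigMap are not propagated into running pods; a pod restart (or a config-checksum annotation on the pod template) is needed for changes to take effect, which is worth a comment next to the mounts. Naming the users.d file `logging.xml` when it carries user settings is also misleading; `users.xml` or similar would read better.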
@@ -36,14 +36,62 @@ spec:
 app.kubernetes.io/component: server
 spec:
 restartPolicy: Always
+ # see https://github.com/plausible/analytics/blob/master/Dockerfile
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ initContainers:
+ - name: plausible-init
+ image: plausible/analytics:latest
+ command:
+ - "/bin/sh"
+ - "-c"
+ args:
+ - sleep 30 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh db init-admin
+ envFrom:
+ - configMapRef:
+ name: plausible-config
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: plausible-db-user
+ key: username
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: plausible-db-user
+ key: password
+ - name: CLICKHOUSE_USER
+ valueFrom:
+ secretKeyRef:
+ name: plausible-events-db-user
+ key: username
+ - name: CLICKHOUSE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: plausible-events-db-user
+ key: password
+ - name: DATABASE_URL
+ value: postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@$(PLAUSIBLE_DB_SERVICE_HOST):$(PLAUSIBLE_DB_SERVICE_PORT)/plausible
+ - name: CLICKHOUSE_DATABASE_URL
+ value: http://$(CLICKHOUSE_USER):$(CLICKHOUSE_PASSWORD)@$(PLAUSIBLE_EVENTS_DB_SERVICE_HOST):$(PLAUSIBLE_EVENTS_DB_SERVICE_PORT)/plausible
+ - name: SMTP_HOST_ADDR
+ value: $(PLAUSIBLE_SMTP_SERVICE_HOST)
+ securityContext:
+ allowPrivilegeEscalation: false
+ resources:
+ limits:
+ memory: 2Gi
+ cpu: 1500m
+ requests:
+ memory: 50Mi
+ cpu: 10m
 containers:
 - name: plausible
 image: plausible/analytics:latest
 imagePullPolicy: Always
- args:
- - /bin/sh
- - -c
- sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh db init-admin && /entrypoint.sh run
 ports:
 - containerPort: 8000
 envFrom:
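Review bot: The init container's `sleep 30 && /entrypoint.sh db createdb && ...` is a fixed delay standing in for a readiness wait: if Postgres or ClickHouse takes longer than 30 s the init container fails anyway, and if they are up sooner the rollout idles. Init containers are already restarted with backoff by the kubelet, so a retry around the first step gives a real wait — e.g. `- until /entrypoint.sh db createdb; do sleep 2; done && /entrypoint.sh db migrate && /entrypoint.sh db init-admin` — assuming `db createdb` exits non-zero while the database is unreachable, which should be confirmed against the entrypoint. The pod securityContext sets `runAsUser: 1000` but not `runAsNonRoot: true`, and only the init container gets `allowPrivilegeEscalation: false`; the main `plausible` container's securityContext is outside this hunk, so please check it carries the same setting. Since the old `args` that did this bootstrap were removed from the main container, the main container spec continues past the end of the hunk.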