diff --git a/kube/deploy/core/secrets/reflector/app/hr.yaml b/kube/deploy/core/secrets/reflector/app/hr.yaml
index 6d96e0cd..6fe30393 100644
--- a/kube/deploy/core/secrets/reflector/app/hr.yaml
+++ b/kube/deploy/core/secrets/reflector/app/hr.yaml
@@ -20,4 +20,17 @@ spec:
     priorityClassName: "system-cluster-critical"
     tolerations:
       - key: "node-role.kubernetes.io/control-plane"
-        operator: "Exists"
\ No newline at end of file
+        operator: "Exists"
+    # restricted PSS
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: &uid ${APP_UID_REFLECTOR:=1000}
+      runAsGroup: *uid
+      fsGroup: *uid
+      fsGroupChangePolicy: "Always"
+      seccompProfile: { type: "RuntimeDefault" }
+    securityContext:
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
\ No newline at end of file
diff --git a/kube/deploy/core/secrets/reflector/ks.yaml b/kube/deploy/core/secrets/reflector/ks.yaml
index 97628502..b3981c7b 100644
--- a/kube/deploy/core/secrets/reflector/ks.yaml
+++ b/kube/deploy/core/secrets/reflector/ks.yaml
@@ -6,9 +6,11 @@ metadata:
   namespace: flux-system
   labels: &l
     app.kubernetes.io/name: "reflector"
+    wait.flux.home.arpa/disabled: "true"
 spec:
   commonMetadata:
     labels: *l
   path: ./kube/deploy/core/secrets/reflector/app
   targetNamespace: "reflector"
+  wait: false
   dependsOn: []
\ No newline at end of file
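Review bot: `readOnlyRootFilesystem: true` is added without any writable volume visible in this hunk, so if the reflector process needs to write anywhere on its rootfs (runtime temp files are the usual case — confirm against the image) the pod will fail at startup rather than be hardened; if it does, pair the setting with an `emptyDir` mounted at `/tmp` or wherever the chart exposes extra volumes. The `&uid` anchor and its three `*uid` aliases hold the literal text `${APP_UID_REFLECTOR:=1000}`, which only works because kustomize resolves the aliases before Flux's postBuild substitution runs; the `:=` default keeps the value at 1000 when the variable is undefined, which is fine, but the comment should say so since a reader seeing `runAsUser` next to a `$`-expression may assume it is a template error. Also note that these keys sit under `spec:` per the hunk header (presumably `spec.values`, which starts outside the hunk), so they only take effect if the chart actually renders `podSecurityContext`/`securityContext` into the workload — worth checking the rendered Deployment once. I would replace the bare `# restricted PSS` with `# meets the "restricted" Pod Security Standard: non-root UID (APP_UID_REFLECTOR, default 1000), RuntimeDefault seccomp, all caps dropped, no privilege escalation, read-only rootfs`.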
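Review bot: With `wait: false` this Kustomization reports Ready as soon as the HelmRelease object is applied, not when reflector is actually running, so any other Kustomization that lists this one in `dependsOn` will be released before reflector can replicate secrets into its namespace and may reconcile against missing Secrets on its first pass. That may be intended (reflector is a cluster-wide helper and the dependents retry), but the reason is not recorded anywhere, and the `wait.flux.home.arpa/disabled` label on the same commit looks like a repo-wide convention that encodes the same fact twice. A one-line comment above the field would avoid someone "fixing" it later: `# do not block dependents on HelmRelease readiness; consumers must tolerate reflected Secrets appearing late`.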