diff --git a/Changelog.md b/Changelog.md
index d03a70b23..5f5be9f3a 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,6 +4,23 @@
 
 **Image:**  `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.0`
 
+*Breaking changes:*
+
+Running as user requires an update in the deployment manifest.
+
+```yaml
+  securityContext:
+    capabilities:
+        drop:
+        - ALL
+        add:
+        - NET_BIND_SERVICE
+    # www-data -> 33
+    runAsUser: 33
+```
+
+Note: the deploy [guide](https://kubernetes.github.io/ingress-nginx/deploy/#mandatory-command) contains this change
+
 *New Features:*
 
 - Run as user dropping root privileges
diff --git a/deploy/mandatory.yaml b/deploy/mandatory.yaml
index 0d47fc33a..9546d0251 100644
--- a/deploy/mandatory.yaml
+++ b/deploy/mandatory.yaml
@@ -251,6 +251,14 @@ spec:
             - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx
             - --annotations-prefix=nginx.ingress.kubernetes.io
+          securityContext:
+            capabilities:
+                drop:
+                - ALL
+                add:
+                - NET_BIND_SERVICE
+            # www-data -> 33
+            runAsUser: 33
           env:
             - name: POD_NAME
               valueFrom:
diff --git a/deploy/with-rbac.yaml b/deploy/with-rbac.yaml
index fdc1354d1..e9d27fa2b 100644
--- a/deploy/with-rbac.yaml
+++ b/deploy/with-rbac.yaml
@@ -30,6 +30,14 @@ spec:
             - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx
             - --annotations-prefix=nginx.ingress.kubernetes.io
+          securityContext:
+            capabilities:
+                drop:
+                - ALL
+                add:
+                - NET_BIND_SERVICE
+            # www-data -> 33
+            runAsUser: 33
           env:
             - name: POD_NAME
               valueFrom: