diff --git a/Makefile b/Makefile
index 0f98da180c806b0f6e73f213edabb0932ce9ab47..5637a058dc270b576ec82414744e7b0b6fb18ea1 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@ data-server-image:
 docker build -t tommylike/signatrust-data-server:$(GIT_COMMIT) --build-arg BINARY=data-server -f docker/Dockerfile.data-server .
 control-server-image:
- docker build -t tommylike/signatrust-control-server:$(GIT_COMMIT) --build-arg BINARY=control-server -f docker/Dockerfile .
+ docker build -t tommylike/signatrust-control-server:$(GIT_COMMIT) --build-arg BINARY=control-server -f docker/Dockerfile.control-server .
 control-admin-image:
 docker build -t tommylike/signatrust-control-admin:$(GIT_COMMIT) --build-arg BINARY=control-admin -f docker/Dockerfile .
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index c73b98f130991ce145638dbba3026d8712bc2ba1..285658ff7819dbc5833bbefd2ffd881d59c47553 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -17,15 +17,32 @@ spec:
 - name: init-mysql
 image: busybox:1.28
 command: [ "sh", "-c", "until nslookup signatrust-database.signatrust-local-development.svc.cluster.local; do echo waiting for mysql service ; sleep 2; done;" ]
+ - name: prepare-table
+ image: tommylike/rust-sqlx
+ env:
+ - name: DATABASE_URL
+ value: mysql://test:test@signatrust-database.signatrust-local-development.svc.cluster.local:3306/signatrust
+ command:
+ - /bin/sh
+ - -c
+ - |
+ # TODO: Use commit ID instead of latest master
+ git clone https://gitee.com/openeuler/signatrust
+ cd signatrust
+ sqlx database create
+ sqlx migrate run
 containers:
 - image: tommylike/signatrust-control-server:f1e04f2fd37a92b04dfc9a4fd78cba1956654970
 imagePullPolicy: Always
 name: signatrust-server
 command: ["/app/control-server"]
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
 resources:
 requests:
- cpu: 4000m
- memory: 4000Mi
+ cpu: 2000m
+ memory: 2000Mi
 ports:
 - containerPort: 8080
 name: http
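Review bot: The new `control-server-image` recipe builds from docker/Dockerfile.control-server, which pulls `tommylike/sqlx-cli:0.7.1` as a build stage, yet no target visible in this hunk builds that image from docker/Dockerfile.sqlx-cli, so a fresh checkout depends on whatever is currently on the registry. A `sqlx-cli-image:` target whose recipe is `docker build -t tommylike/sqlx-cli:0.7.1 -f docker/Dockerfile.sqlx-cli .` would make the whole chain reproducible from source. The three image recipes repeat the same invocation with only the binary and Dockerfile varying; a variable for the registry namespace would keep them aligned. Whether these targets are declared `.PHONY` is outside the hunk.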
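Review bot: The `securityContext` added to the control-server container (and to the other three containers in the later hunks of this file) sets `runAsUser`/`runAsGroup` but neither `runAsNonRoot: true` nor `allowPrivilegeEscalation: false`, so nothing fails closed if an image is later rebuilt with a root default, and the new `prepare-table` init container has no securityContext at all and presumably runs as whatever `tommylike/rust-sqlx` defaults to. Adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` beside the uid/gid, or moving the uid/gid to a pod-level `spec.securityContext`, covers every container including the init one. `prepare-table` also pins nothing: the image has no tag or digest and the clone fetches the tip of the default branch at pod start, so the migrations applied are not reviewable after the fact — the TODO acknowledges the commit pin, and a tagged image is the other half. The inline `test:test` in `DATABASE_URL` is tolerable for a local-development manifest, but sourcing it with `valueFrom.secretKeyRef` from a Secret keeps credentials out of a file that tends to be copied to other environments.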
@@ -75,25 +92,14 @@ spec:
 - name: init-mysql
 image: busybox:1.28
 command: [ "sh", "-c", "until nslookup signatrust-database.signatrust-local-development.svc.cluster.local; do echo waiting for mysql service ; sleep 2; done;" ]
- - name: prepare-table
- image: tommylike/rust-sqlx
- env:
- - name: DATABASE_URL
- value: mysql://test:test@signatrust-database.signatrust-local-development.svc.cluster.local:3306/signatrust
- command:
- - /bin/sh
- - -c
- - |
- # TODO: Use commit it instead of latest master
- git clone https://gitee.com/openeuler/signatrust
- cd signatrust
- sqlx database create
- sqlx migrate run
 containers:
 - image: tommylike/signatrust-control-admin:f1e04f2fd37a92b04dfc9a4fd78cba1956654970
 imagePullPolicy: Always
 name: signatrust-control-admin
 command: ["/bin/sleep", "10000"]
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
 env:
 - name: RUST_LOG
 value: debug
@@ -129,6 +135,9 @@ spec:
 imagePullPolicy: Always
 name: signatrust-server
 command: ["/app/data-server"]
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
 livenessProbe:
 exec:
 # NOTE: For production environment, we need to use grpc with client certificate,
@@ -151,8 +160,8 @@ spec:
 failureThreshold: 3
 resources:
 requests:
- cpu: 4000m
- memory: 4000Mi
+ cpu: 2000m
+ memory: 2000Mi
 ports:
 - containerPort: 8088
 name: http
@@ -244,6 +253,9 @@ spec:
 - image: tommylike/signatrust-client:f1e04f2fd37a92b04dfc9a4fd78cba1956654970
 imagePullPolicy: Always
 name: signatrust-client
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
 env:
 - name: RUST_LOG
 value: debug
diff --git a/docker-compose.yaml b/docker-compose.yaml
index b7c04740b697c5eaab5a2de9886d6046bf3989e8..c3c91ed34e072dde5dc0057f8a45fa8ab434d241 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -6,6 +6,7 @@ services:
 args:
 BINARY: data-server
 CONFIG: ./docker
+ dockerfile: ./docker/Dockerfile.data-server
 hostname: data-server
 entrypoint: ["/bin/bash", "-cx", "/app/sqlx database create; /app/sqlx migrate run; /app/data-server"]
 depends_on:
@@ -13,6 +14,7 @@ services:
 - database
 stdin_open: true
 tty: true
+ user: signatrust
 environment:
 RUST_LOG: $RUST_LOG
 DATABASE_URL: $DATABASE_URL
@@ -25,7 +27,7 @@ services:
 args:
 BINARY: control-server
 CONFIG: ./docker
- hostname: control-server
+ dockerfile: ./docker/Dockerfile.data-server
 hostname: control-server
 depends_on:
 - redis
@@ -33,6 +35,7 @@ services:
 - data-server
 stdin_open: true
 tty: true
+ user: signatrust
 environment:
 RUST_LOG: $RUST_LOG
 entrypoint: ["/bin/bash", "-cx", "sleep 5; /app/control-server"]
@@ -42,7 +45,6 @@ services:
 redis:
 image: openeuler/redis:6.2.7-22.03-lts
 hostname: redis
- command: /usr/bin/resalloc-server
 stdin_open: true
 tty: true
 volumes:
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 41caa7a55962cc512f12896b8882f8b911023123..72513a1d53df5c90b25443c9c030faf76af3a960 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
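Review bot: The data-server service now builds from `./docker/Dockerfile.data-server`, but that Dockerfile in this same commit stops copying `/app/bin/sqlx` and `migrations` into the image, while the unchanged `entrypoint` on the next line still runs `/app/sqlx database create; /app/sqlx migrate run` before `/app/data-server` — on a rebuilt image the entrypoint fails before the server starts. Either keep a sqlx-cli stage and the migrations copy in Dockerfile.data-server the way Dockerfile.control-server does, or drop the migration commands from this entrypoint and run them from the service that actually ships sqlx. The `user: signatrust` added in the second hunk also assumes the image created that user with the default `USERNAME` build arg; overriding the arg at build time would leave compose unable to start the container.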
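Review bot: The control-server service is pointed at `./docker/Dockerfile.data-server` while the Makefile in this commit builds `control-server-image` from `docker/Dockerfile.control-server`, so compose and Make produce different images for the same binary, and the data-server variant bundles `grpc_health_probe` that this service does not use. Unless reusing the data-server image here is deliberate, the line should read `dockerfile: ./docker/Dockerfile.control-server`.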
@@ -6,15 +6,22 @@ COPY .. /app
 RUN cargo +nightly build --release --bin $BINARY --target x86_64-unknown-linux-musl
-RUN cargo install sqlx-cli --no-default-features --features native-tls,mysql,openssl-vendored --root /app
 FROM openeuler/openeuler:22.03
+ARG USERNAME=signatrust
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
 ARG BINARY
 ARG CONFIG=./config
 ENV BINARY=${BINARY}
+
+RUN yum install -y shadow && groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
+USER $USERNAME
 WORKDIR /app
-COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/$BINARY /app
-COPY --from=builder /app/bin/sqlx /app
-COPY $CONFIG /app/config
-COPY ../migrations /app/migrations
+COPY --from=builder --chown=$USER_UID:$USER_GID /app/target/x86_64-unknown-linux-musl/release/$BINARY /app
+COPY --chown=$USER_UID:$USER_GID $CONFIG /app/config/
+
 ENTRYPOINT /app/$(echo $BINARY)
diff --git a/docker/Dockerfile.control-server b/docker/Dockerfile.control-server
new file mode 100644
index 0000000000000000000000000000000000000000..64e534786c0c3a11f74f4aabe99c5e8803ef12d2
--- /dev/null
+++ b/docker/Dockerfile.control-server
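Review bot: The new `COPY --chown=$USER_UID:$USER_GID` lines hand ownership of the service binary and of `/app/config/` to the runtime user, so a compromised process can rewrite its own executable and configuration; the same pattern is in Dockerfile.control-server and Dockerfile.data-server in this commit. Dropping to a non-root `USER` is the right direction, but files the process only reads should stay root-owned and world-readable — copy the binary and config without `--chown` (they are 0644/0755 by default) and reserve `--chown` for a directory the service actually writes to, if any. `RUN yum install -y shadow && groupadd ...` also leaves the package cache in the final layer; appending `&& yum clean all` keeps the image smaller.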
@@ -0,0 +1,32 @@
+FROM clux/muslrust:nightly as builder
+ARG BINARY
+LABEL Author=TommyLike
+WORKDIR /app
+COPY .. /app
+
+
+RUN cargo +nightly build --release --bin $BINARY --target x86_64-unknown-linux-musl
+
+#The sql-cli@0.7.1 binary is pre-build with dockerfile `Dockerfile.sqlx-cli`.
+FROM tommylike/sqlx-cli:0.7.1 as sqlx-cli
+
+FROM openeuler/openeuler:22.03
+ARG USERNAME=signatrust
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+ARG BINARY
+ARG CONFIG=./config
+ENV BINARY=${BINARY}
+
+RUN yum install -y shadow && groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
+USER $USERNAME
+WORKDIR /app
+COPY --from=builder --chown=$USER_UID:$USER_GID /app/target/x86_64-unknown-linux-musl/release/$BINARY /app
+COPY --from=sqlx-cli --chown=$USER_UID:$USER_GID /app/bin/sqlx /app
+COPY --chown=$USER_UID:$USER_GID $CONFIG /app/config/
+COPY --chown=$USER_UID:$USER_GID ../migrations /app/migrations
+
+ENTRYPOINT /app/$(echo $BINARY)
diff --git a/docker/Dockerfile.data-server b/docker/Dockerfile.data-server
index 89a11fddf4e60d913d914b6d9b35fd3ba3ed0501..92fe0908298c43f0e46a9573074d435f93aaa4f5 100644
--- a/docker/Dockerfile.data-server
+++ b/docker/Dockerfile.data-server
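Review bot: `ENTRYPOINT /app/$(echo $BINARY)` is the shell form, so PID 1 is `/bin/sh -c` and the server never receives the SIGTERM from `docker stop` or a pod deletion; it is killed after the grace period instead of shutting down cleanly. `ENTRYPOINT exec /app/$BINARY` keeps the variable expansion and hands PID 1 to the binary, and the `$(echo ...)` subshell adds nothing. The build stages pin `clux/muslrust:nightly` and `tommylike/sqlx-cli:0.7.1` by tag only; for the image of a signing service, a digest reference (`image@sha256:<digest>`) on both is what makes the build reproducible and verifiable after the fact. The comment above the sqlx-cli stage should read `# The sqlx-cli@0.7.1 binary is pre-built with Dockerfile.sqlx-cli.`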
@@ -6,18 +6,25 @@ COPY .. /app
 RUN cargo +nightly build --release --bin $BINARY --target x86_64-unknown-linux-musl
-RUN cargo install sqlx-cli --no-default-features --features native-tls,mysql,openssl-vendored --root /app
 FROM openeuler/openeuler:22.03
+ARG USERNAME=signatrust
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
 ARG BINARY
 ARG CONFIG=./config
 ENV BINARY=${BINARY}
-WORKDIR /app
-COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/$BINARY /app
-COPY --from=builder /app/bin/sqlx /app
-COPY $CONFIG /app/config
-COPY ../migrations /app/migrations
+
+RUN yum install -y shadow && groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
 COPY ../docker/grpc_health_probe-linux-amd64 /app/grpc_health_probe
 CMD chmod +x /app/grpc_health_probe
+
+USER $USERNAME
+WORKDIR /app
+COPY --from=builder --chown=$USER_UID:$USER_GID /app/target/x86_64-unknown-linux-musl/release/$BINARY /app
+COPY --chown=$USER_UID:$USER_GID $CONFIG /app/config/
+
 ENTRYPOINT /app/$(echo $BINARY)
diff --git a/docker/Dockerfile.sqlx-cli b/docker/Dockerfile.sqlx-cli
new file mode 100644
index 0000000000000000000000000000000000000000..013497b3d849322885a2c0e2de707d84a6d3901e
--- /dev/null
+++ b/docker/Dockerfile.sqlx-cli
@@ -0,0 +1,5 @@
+FROM clux/muslrust:nightly as builder
+LABEL Author=TommyLike
+WORKDIR /app
+
+RUN cargo install sqlx-cli@0.7.1 --no-default-features --features native-tls,mysql,openssl-vendored --root /app
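Review bot: With the new `USER $USERNAME` the context line `CMD chmod +x /app/grpc_health_probe` cannot do its job even in principle: a `CMD` is ignored when `ENTRYPOINT` is in shell form, and the probe is copied as root before `USER` without `--chown`, so the non-root user could not change its mode anyway. If the checked-in binary is not already executable, replace the CMD with a build-time step placed before `USER`, e.g. `RUN chmod 755 /app/grpc_health_probe`; the liveness probe in deploy/deployment.yaml presumably invokes this file, though its exec command is outside the hunks shown. The dropped sqlx and migrations copies versus the compose entrypoint that still calls `/app/sqlx` are noted on the docker-compose.yaml hunk.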
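Review bot: `cargo install sqlx-cli@0.7.1` pins the crate but not its dependency tree, so two builds on different days can yield different binaries from the same Dockerfile; adding `--locked` makes cargo honour the Cargo.lock shipped with the crate and fail loudly instead of re-resolving. The `clux/muslrust:nightly` base is likewise unpinned and nothing records which nightly produced the `tommylike/sqlx-cli:0.7.1` image that Dockerfile.control-server consumes; pinning the base by digest and building this image from the Makefile alongside the other image targets would close that gap.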