diff --git a/nonroot/fsgroup-65534.yaml b/nonroot/fsgroup-65534.yaml
new file mode 100644
index 00000000..5ebd6cba
--- /dev/null
+++ b/nonroot/fsgroup-65534.yaml
@@ -0,0 +1,4 @@
+- op: add
+ path: /spec/template/spec/securityContext
+ value:
+ fsGroup: 65534
diff --git a/nonroot/kustomization.yaml b/nonroot/kustomization.yaml
new file mode 100644
index 00000000..d23bcfa1
--- /dev/null
+++ b/nonroot/kustomization.yaml
@@ -0,0 +1,27 @@
+bases:
+- ../rbac-namespace-default
+- ../kafka
+- ../zookeeper
+patchesJson6902:
+- target:
+ group: apps
+ version: v1
+ kind: StatefulSet
+ name: kafka
+ path: fsgroup-65534.yaml
+- target:
+ group: apps
+ version: v1
+ kind: StatefulSet
+ name: pzoo
+ path: fsgroup-65534.yaml
+- target:
+ group: apps
+ version: v1
+ kind: StatefulSet
+ name: zoo
+ path: fsgroup-65534.yaml
+# https://github.com/kubernetes-sigs/kustomize/issues/915#issuecomment-477808963
+patchesStrategicMerge:
+- nonroot-image-kafka.yaml
+- nonroot-image-zookeeper.yaml
diff --git a/nonroot/nonroot-image-kafka.yaml b/nonroot/nonroot-image-kafka.yaml
new file mode 100644
index 00000000..37b643fa
--- /dev/null
+++ b/nonroot/nonroot-image-kafka.yaml
@@ -0,0 +1,10 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: kafka
+spec:
+ template:
+ spec:
+ containers:
+ - name: broker
+ image: solsson/kafka:nonroot-latest@sha256:c904e2dc2b432491f298b90e2b603447bc2e16d9675fda6b4a9ec1b8d4169c3f
diff --git a/nonroot/nonroot-image-zookeeper.yaml b/nonroot/nonroot-image-zookeeper.yaml
new file mode 100644
index 00000000..7e375f8e
--- /dev/null
+++ b/nonroot/nonroot-image-zookeeper.yaml
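Review bot: Nothing in fsgroup-65534.yaml enforces the overlay's non-root claim: the value added at `/spec/template/spec/securityContext` sets only `fsGroup: 65534`, so whether the containers actually run as a non-root UID depends entirely on the user configured in the image. Adding `runAsNonRoot: true` beside `fsGroup` would make the kubelet refuse to start a container whose image resolves to UID 0. Separately, a JSON Patch `add` on an existing member replaces it, so if any of the base StatefulSets already defines a pod-level `securityContext` (the bases are not visible in this diff), this patch would overwrite those settings rather than merge into them.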
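Review bot: The comment above `patchesStrategicMerge` in kustomization.yaml is a bare issue link, so the file itself does not say why the image override is done with strategic-merge patches while the security context uses `patchesJson6902`. One sentence before the link stating the limitation the issue describes would keep the rationale readable if the link moves or the workaround becomes unnecessary.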
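Review bot: The `image:` value in nonroot-image-kafka.yaml combines a mutable tag with an `@sha256:` digest; the digest is what gets pulled, so `nonroot-latest` is only a label and will silently stop matching once that tag is re-pushed upstream. Pinning by digest is the right choice for supply-chain integrity, but a comment above the line such as `# digest is authoritative; the nonroot-latest tag is informational, update both together` would stop a reader from assuming the deployment tracks the tag. The same reference appears twice more in nonroot-image-zookeeper.yaml (the `pzoo` and `zoo` StatefulSets), so all three copies have to be bumped in lockstep.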
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: pzoo
+spec:
+ template:
+ spec:
+ containers:
+ - name: zookeeper
+ image: solsson/kafka:nonroot-latest@sha256:c904e2dc2b432491f298b90e2b603447bc2e16d9675fda6b4a9ec1b8d4169c3f
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: zoo
+spec:
+ template:
+ spec:
+ containers:
+ - name: zookeeper
+ image: solsson/kafka:nonroot-latest@sha256:c904e2dc2b432491f298b90e2b603447bc2e16d9675fda6b4a9ec1b8d4169c3f