diff --git a/jupyterhub/sec.py b/jupyterhub/sec.py
new file mode 100644
index 0000000000000000000000000000000000000000..7a61fd58a91d93d55fa90268515d6556b8fc6b7c
--- /dev/null
+++ b/jupyterhub/sec.py
@@ -0,0 +1,2 @@
+async def bootstrap_pre_spawn(spawner):
+    spawner.container_security_context = {"capabilities": {"drop": ["ALL"]}}