diff --git a/Dockerfile b/Dockerfile
index 308c4a3f63..9766fe45a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,12 +16,24 @@ ARG TARGETPLATFORM
 
 RUN GCFLAGS="${GCFLAGS}" LDFLAGS="${LDFLAGS}" DEV="${DEV}" make release-${TARGETPLATFORM}
 
-FROM ubuntu:20.04
+FROM cgr.dev/chainguard/wolfi-base:latest
 ARG VERSION
 ARG TARGETOS
 ARG TARGETARCH
 
-COPY fleet-server.yml /etc/fleet-server.yml
-COPY --from=builder /usr/src/fleet-server/build/binaries/fleet-server-${VERSION}-${TARGETOS:-linux}-*/fleet-server /usr/bin/fleet-server
+RUN for iter in {1..10}; do \
+        apk update && \
+        apk add --no-cache shadow && \
+        exit_code=0 && break || exit_code=$? && echo "apk error: retry $iter in 10s" && sleep 10; \
+    done; \
+    (exit $exit_code)
+
+RUN groupadd --gid 1000 fleet-server && \
+    useradd -M --uid 1000 --gid 1000 fleet-server
+
+USER fleet-server
+
+COPY --chown=fleet-server:fleet-server --chmod=644 fleet-server.yml /etc/fleet-server.yml
+COPY --chown=fleet-server:fleet-server --chmod=755 --from=builder /usr/src/fleet-server/build/binaries/fleet-server-${VERSION}-${TARGETOS:-linux}-*/fleet-server /usr/bin/fleet-server
 
 CMD /usr/bin/fleet-server -c /etc/fleet-server.yml