diff --git a/controllers/drupalsite_controller.go b/controllers/drupalsite_controller.go
index bb6f529b215fe7ba57e723000724ff866d6ab1c3..83e817451bf4cfdd8bb1e4a1572be37f32ac04d9 100644
--- a/controllers/drupalsite_controller.go
+++ b/controllers/drupalsite_controller.go
@@ -50,8 +50,11 @@ const (
 	adminPauseAnnotation = "admin-pause-reconcile"
 	oidcSecretName       = "oidc-client-secret"
 
-	ssoProxyLabel = "drupal.okd.cern.ch/full-sso"
-	sitePrimaryLabel = "drupal.webservices.cern.ch/isPrimary"
+	// Labels used by the Operator
+	ssoProxyLabel         = "drupal.okd.cern.ch/full-sso"
+	sitePrimaryLabel      = "drupal.webservices.cern.ch/isPrimary"
+	noCustomizationsLabel = "drupal.webservices.cern.ch/noCustomizations"
+	projectBlockedLabel   = "okd.cern.ch/project-blocked"
 )
 
 var (
@@ -248,10 +251,14 @@ func (r *DrupalSiteReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	if drupalSite.Labels == nil {
 		drupalSite.Labels = map[string]string{}
 	}
-        if (namespace.Labels[ssoProxyLabel] == "true" || drupalSite.Labels[sitePrimaryLabel] != "true" ) && drupalSite.Labels[ssoProxyLabel] != "true" {
+	if (namespace.Labels[ssoProxyLabel] == "true" || drupalSite.Labels[sitePrimaryLabel] != "true") && drupalSite.Labels[ssoProxyLabel] != "true" {
 		drupalSite.Labels[ssoProxyLabel] = "true"
 		return r.updateCRorFailReconcile(ctx, log, drupalSite)
 	}
+	if namespace.Labels[noCustomizationsLabel] == "true" && drupalSite.Labels[noCustomizationsLabel] != "true" {
+		drupalSite.Labels[noCustomizationsLabel] = "true"
+		return r.updateCRorFailReconcile(ctx, log, drupalSite)
+	}
 
 	// 2. Check all conditions and update them if needed
 	update := false
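Review bot: The new `noCustomizationsLabel` block only ever sets the label on the DrupalSite; nothing visible in this hunk clears it when the namespace label is later removed or changed. Because this label switches on the read-only mounts in `deploymentForDrupalSite`, a site would presumably stay restricted after its project is unrestricted. If that stickiness is intended, say so above the `if`, e.g. `// Propagate noCustomizations from the project to the site; the site label is never cleared here`. Otherwise the reverse case needs a branch that deletes the label. Reconcile's body starts and continues outside the hunk.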
diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 3a66965abf6fbeec31a760a133eae1e64909aad4..77ad859791c63be77f4b87feaff82a44a1f9fc28 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -1172,6 +1172,37 @@ func deploymentForDrupalSite(currentobject *appsv1.Deployment, databaseSecret st
 			currentobject.Spec.Template.Spec.Containers[i].Image = WebDAVImage
 			currentobject.Spec.Template.Spec.Containers[i].Command = []string{"php-fpm"}
 			currentobject.Spec.Template.Spec.Containers[i].Resources = config.webDAVResources
+			currentobject.Spec.Template.Spec.Containers[i].VolumeMounts = []corev1.VolumeMount{
+				{
+					Name:      "drupal-directory-" + d.Name,
+					MountPath: "/drupal-data",
+				},
+				{
+					Name:      "webdav-volume",
+					MountPath: "/webdav/htdigest",
+					ReadOnly:  true,
+				},
+				{
+					Name:      "empty-dir",
+					MountPath: "/var/run/",
+				},
+			}
+			// Move this code section outside in case we apply to PHP-FPM container as well
+			readOnlyMountModule := corev1.VolumeMount{
+				Name:      "drupal-directory-" + d.Name,
+				MountPath: "/drupal-data/modules",
+				SubPath:   "modules",
+				ReadOnly:  true,
+			}
+			readOnlyMountTheme := corev1.VolumeMount{
+				Name:      "drupal-directory-" + d.Name,
+				MountPath: "/drupal-data/themes",
+				SubPath:   "themes",
+				ReadOnly:  true,
+			}
+			if d.Labels[noCustomizationsLabel] == "true" {
+				currentobject.Spec.Template.Spec.Containers[i].VolumeMounts = append(currentobject.Spec.Template.Spec.Containers[i].VolumeMounts, readOnlyMountModule, readOnlyMountTheme)
+			}
 		case "cron":
 			currentobject.Spec.Template.Spec.Containers[i].Command = []string{
 				"sh",
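Review bot: The read-only overlay of `modules` and `themes` is added only in the `webdav` case, so any other container that mounts `drupal-directory-<name>` read-write can presumably still change those directories when `noCustomizationsLabel` is set. Those containers' mounts are outside this hunk, so this needs confirming. The inline comment hints at the gap but reads as a TODO rather than a stated limit; I would reword it to `// noCustomizations: modules/ and themes/ are overlaid read-only for WebDAV only; PHP-FPM and other containers are not restricted yet`. The two `corev1.VolumeMount` values are also built on every pass even when the label is unset; declaring them inside the `if d.Labels[noCustomizationsLabel] == "true"` block would keep them scoped to their use. `deploymentForDrupalSite` starts and ends outside the hunk.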
diff --git a/controllers/reconciler_common.go b/controllers/reconciler_common.go
index ab2a65e012f9cb6b482bc556193ae435b918f507..22324b47d98494211bb78b79adeb9982d286dd7b 100644
--- a/controllers/reconciler_common.go
+++ b/controllers/reconciler_common.go
@@ -60,8 +60,6 @@ type DeploymentConfig struct {
 	drupalLogsResources  corev1.ResourceRequirements
 }
 
-const projectBlockedLabel = "okd.cern.ch/project-blocked"
-
 func setReady(drp *webservicesv1a1.DrupalSite) (update bool) {
 	return drp.Status.Conditions.SetCondition(status.Condition{
 		Type:   "Ready",