diff --git a/devtools/kube/sourcegraph.libsonnet b/devtools/kube/sourcegraph.libsonnet
index 9e2454d3..c7e977f2 100644
--- a/devtools/kube/sourcegraph.libsonnet
+++ b/devtools/kube/sourcegraph.libsonnet
@@ -21,7 +21,19 @@ local kube = import "../../kube/kube.libsonnet";
 },
 securityContext: {
 runAsUser: 0,
- fsGroup: 70,
+ fsGroup: 0,
+ },
+ // This container fixes some permissions that Kubernetes volume mounts break.
+ initContainer: sourcegraph.Container("fixperms") {
+ image: "alpine:3",
+ volumeMounts_+: {
+ data: { mountPath: "/var/opt/sourcegraph" },
+ },
+ ports_: {},
+ command: [
+ "sh", "-c",
+ "chmod 755 /var/opt/sourcegraph; chmod -R 700 /var/opt/sourcegraph/postgresql",
+ ],
 },
 container: sourcegraph.Container("main") {
 volumeMounts_+: {
diff --git a/kube/mirko.libsonnet b/kube/mirko.libsonnet
index 134c7859..5203afd7 100644
--- a/kube/mirko.libsonnet
+++ b/kube/mirko.libsonnet
@@ -129,6 +129,7 @@ local kube = import "kube.libsonnet";
 nodeSelector: null,
 securityContext: {},
 container:: error "container(s) must be set",
+ initContainer:: null,
 ports:: {
 publicHTTP: {}, // name -> { port: no, dns: fqdn }
 grpc: { main: 4200 }, // name -> port no
@@ -189,6 +190,7 @@ local kube = import "kube.libsonnet";
 },
 } + cfg.volumes,
 containers_: cfg.containers,
+ [if cfg.initContainer != null then "initContainers"]: [cfg.initContainer],
 nodeSelector: cfg.nodeSelector,
 serviceAccountName: component.sa.metadata.name,
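Review bot: The added `fixperms` init container pulls the mutable tag `alpine:3` and, because the pod-level `securityContext` keeps `runAsUser: 0`, it presumably runs as root with the data volume (including the PostgreSQL directory) mounted read-write, so whatever that tag resolves to at pull time gets root access to the database files. Pin the image by digest, e.g. `image: "alpine:3@sha256:<digest>"` (placeholder), or reuse an image the deployment already trusts. In `command` the two chmods are joined with `;`, so a failure of the first is masked by the exit status of the second; `"chmod 755 /var/opt/sourcegraph && chmod -R 700 /var/opt/sourcegraph/postgresql"` would fail the init step instead. It is also worth confirming the behaviour on a fresh volume where `postgresql` does not exist yet, since the recursive chmod would then exit non-zero. The enclosing component object starts before this hunk and the `container:` block continues past it.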
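Review bot: The new `initContainer:: null,` default in the first kube/mirko.libsonnet hunk has no comment, unlike the neighbouring `ports::` entries, and its singular shape is easy to misread next to `containers_`. A trailing comment such as `initContainer:: null, // optional single init container; null omits initContainers from the pod spec` would record what the later hunk does with it. The surrounding `cfg` object starts and ends outside this hunk.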