diff --git a/Dockerfile b/Dockerfile
index 60ccc0c..6e1b466 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -122,8 +122,18 @@ EXPOSE 8082 3001
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 CMD curl -f http://localhost:8082/ || exit 1
 
-# Set entrypoint (init-config.sh runs as root, copies configs, then switches to socktop user)
-ENTRYPOINT ["/init-config.sh"]
+# Create a wrapper script that detects if running as root or socktop user
+RUN echo '#!/bin/bash\n\
+ if [ "$(id -u)" -eq 0 ]; then\n\
+ # Running as root - use init-config.sh to set up and switch to socktop\n\
+ exec /init-config.sh "$@"\n\
+ else\n\
+ # Running as socktop user - directly execute entrypoint\n\
+ exec /entrypoint.sh "$@"\n\
+ fi' > /docker-entrypoint.sh && chmod +x /docker-entrypoint.sh
+
+# Set entrypoint to the wrapper
+ENTRYPOINT ["/docker-entrypoint.sh"]
 
 # Default command - use restricted shell that only allows socktop commands
-CMD ["/entrypoint.sh", "webterm-server", "--host", "0.0.0.0", "--port", "8082", "--command", "/usr/local/bin/restricted-shell.sh"]
+CMD ["webterm-server", "--host", "0.0.0.0", "--port", "8082", "--command", "/usr/local/bin/restricted-shell.sh"]
diff --git a/kubernetes/03-deployment.yaml b/kubernetes/03-deployment.yaml
index b8d7540..8240bc8 100644
--- a/kubernetes/03-deployment.yaml
+++ b/kubernetes/03-deployment.yaml
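Review bot: The wrapper script is produced by a plain `echo` of a string containing `\n` escapes, so what lands in /docker-entrypoint.sh depends on which shell `RUN` executes under: dash's builtin `echo` expands `\n`, bash's does not, and in the latter case the file is a single line beginning with `#!` (entirely a comment), so the container would exit without ever reaching either `exec`. The Dockerfile `\` continuations strip the real newlines, so those escapes are the only thing giving the script any line structure. Shipping the wrapper as a real file is both more robust and easier to audit: `COPY docker-entrypoint.sh /docker-entrypoint.sh` followed by `RUN chmod 0755 /docker-entrypoint.sh`, or at minimum `printf '%s\n' …` with one argument per line. The removed comment stated that `/init-config.sh` copies configs and then switches to the socktop user; since the new root branch still relies on that, restate it in the new comment so the privilege drop stays documented.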
@@ -18,11 +18,88 @@ spec: hostNetwork: false dnsPolicy: ClusterFirst + # Security context for the pod + securityContext: + runAsUser: 100 + runAsGroup: 101 + fsGroup: 101 + + # Init container to set up configuration + initContainers: + - name: init-config + image: gt.wittyoneoff.com/jason/socktop-webterm:0.2.2 + imagePullPolicy: Always + command: ["/bin/bash", "-c"] + args: + - | + set -e + echo "Setting up configuration directories..." + mkdir -p /var/lib/socktop/.config/socktop/certs + mkdir -p /var/lib/socktop/.config/alacritty + + if [ -f "/home/socktop/.config/socktop/profiles.json" ]; then + cp /home/socktop/.config/socktop/profiles.json /var/lib/socktop/.config/socktop/profiles.json + echo "Copied profiles.json" + fi + + if [ -f "/home/socktop/.config/alacritty/alacritty.toml" ]; then + cp /home/socktop/.config/alacritty/alacritty.toml /var/lib/socktop/.config/alacritty/alacritty.toml + echo "Copied alacritty.toml" + fi + + if [ -f "/home/socktop/.config/alacritty/catppuccin-frappe.toml" ]; then + cp /home/socktop/.config/alacritty/catppuccin-frappe.toml /var/lib/socktop/.config/alacritty/catppuccin-frappe.toml + echo "Copied catppuccin-frappe.toml" + fi + + if [ -d "/home/socktop/.config/socktop/certs" ]; then + cp /home/socktop/.config/socktop/certs/*.pem /var/lib/socktop/.config/socktop/certs/ 2>/dev/null || true + echo "Copied certificates" + fi + + # Fix paths in profiles.json + if [ -f "/var/lib/socktop/.config/socktop/profiles.json" ]; then + sed -i 's|/home/socktop/.config/socktop/rpi-|/var/lib/socktop/.config/socktop/certs/rpi-|g' /var/lib/socktop/.config/socktop/profiles.json + echo "Updated certificate paths" + fi + + echo "Configuration setup complete" + volumeMounts: + - name: config + mountPath: /home/socktop/.config/socktop/profiles.json + subPath: profiles.json + - name: config + mountPath: /home/socktop/.config/alacritty/alacritty.toml + subPath: alacritty.toml + - name: config + mountPath: 
/home/socktop/.config/alacritty/catppuccin-frappe.toml + subPath: catppuccin-frappe.toml + - name: certs + mountPath: /home/socktop/.config/socktop/certs + readOnly: true + - name: socktop-home + mountPath: /var/lib/socktop + securityContext: + runAsUser: 100 + runAsGroup: 101 + containers: - name: webterm image: gt.wittyoneoff.com/jason/socktop-webterm:0.2.2 imagePullPolicy: Always + command: ["/docker-entrypoint.sh"] + args: + [ + "webterm-server", + "--host", + "0.0.0.0", + "--port", + "8082", + "--command", + "/usr/local/bin/restricted-shell.sh", + ] + ports: - name: http containerPort: 8082 @@ -78,6 +155,8 @@ spec: - name: certs mountPath: /home/socktop/.config/socktop/certs readOnly: true + - name: socktop-home + mountPath: /var/lib/socktop securityContext: allowPrivilegeEscalation: false @@ -85,7 +164,8 @@ spec: drop: - ALL readOnlyRootFilesystem: false - runAsNonRoot: false + runAsUser: 100 + runAsGroup: 101 volumes: - name: config @@ -95,5 +175,7 @@ spec: secret: secretName: socktop-webterm-certs optional: true + - name: socktop-home + emptyDir: {} restartPolicy: Always
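Review bot: The init container's `securityContext` sets only `runAsUser: 100` and `runAsGroup: 101`; unlike the webterm container later in this file, which drops all capabilities and sets `allowPrivilegeEscalation: false`, it gets no capability drop or privilege-escalation guard even though it runs the same image plus a shell script. Mirroring the main container's hardening there, e.g. `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, keeps the pod's effective privilege uniform and is what the restricted Pod Security level expects of init containers as well. Separately, the script prints `Copied certificates` even when the glob copy is suppressed by `2>/dev/null || true`, so a missing or empty Secret is invisible in the logs; echo only when `cp` succeeds. The enclosing `spec` stanza begins and ends outside this hunk.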
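Review bot: `runAsNonRoot: false` is removed but not replaced with `runAsNonRoot: true`; the explicit `runAsUser: 100` pins the UID, but `runAsNonRoot: true` additionally makes the kubelet refuse to start the container if the image or a later override resolves to UID 0, which is precisely the case the new Dockerfile wrapper would otherwise accept by execing `/init-config.sh` as root. Add `runAsNonRoot: true` next to the new `runAsUser`/`runAsGroup` pair, or once at the pod-level `securityContext` added above. With writable state now directed to the `socktop-home` emptyDir, the unchanged `readOnlyRootFilesystem: false` may no longer be necessary; worth trying `true`, though the image's other write locations are not visible here. The container's `securityContext` block starts before this hunk.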
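Review bot: `emptyDir: {}` for `socktop-home` is backed by node disk by default, and the init container copies `*.pem` files out of the `socktop-webterm-certs` Secret into it, so any private keys among them leave the tmpfs-backed Secret mount and sit on the node's filesystem for the pod's lifetime. Prefer `emptyDir: {medium: Memory, sizeLimit: 64Mi}` (the size is a constructed example) so the copied material stays in RAM, and consider whether the copy is needed at all versus pointing profiles.json at the read-only Secret mount. The `volumes` list begins outside this hunk.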