diff --git a/charts/haproxy/templates/bin/_anchor.tpl b/charts/haproxy/templates/bin/_anchor.tpl index 77ede688..b70c1da6 100644 --- a/charts/haproxy/templates/bin/_anchor.tpl +++ b/charts/haproxy/templates/bin/_anchor.tpl @@ -114,6 +114,7 @@ install_config() { echo HAProxy config file unchanged. fi chmod -R go-rwx $(dirname "$HAPROXY_CONF") + chown -R $RUNASUSER:$RUNASUSER $(dirname "$HAPROXY_CONF") fi } diff --git a/charts/haproxy/templates/bin/_perms_update.tpl b/charts/haproxy/templates/bin/_perms_update.tpl new file mode 100644 index 00000000..dbe63336 --- /dev/null +++ b/charts/haproxy/templates/bin/_perms_update.tpl @@ -0,0 +1,24 @@ +#!/bin/sh +{{/* +Copyright 2019 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} + +set -x + +RUNASUSER={{ .Values.pod.security_context.haproxy.pod.runAsUser }} +chown -R $RUNASUSER:$RUNASUSER $(dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg) +chmod -R go-rwx $(dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg) diff --git a/charts/haproxy/templates/configmap-bin.yaml b/charts/haproxy/templates/configmap-bin.yaml index 367f0f2f..ba66a093 100644 --- a/charts/haproxy/templates/configmap-bin.yaml +++ b/charts/haproxy/templates/configmap-bin.yaml 
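Review bot: The new `chown -R $RUNASUSER:$RUNASUSER $(dirname "$HAPROXY_CONF")` in install_config() uses `$RUNASUSER` unquoted and never checks that it is set; if the variable is empty (an anchor container started from a DaemonSet spec that does not export it, for instance) GNU chown treats the bare `:` as "change nothing", so the directory the preceding `chmod -R go-rwx` just locked down stays owned by root while haproxy now runs as an unprivileged uid and can no longer read its config. Fail loudly instead of silently degrading: add `: "${RUNASUSER:?RUNASUSER must be set}"` before the chown and quote both expansions, `chown -R "$RUNASUSER:$RUNASUSER" "$(dirname "$HAPROXY_CONF")"`. install_config() begins before this hunk; only its tail is visible here.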
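Review bot: `_perms_update.tpl` runs `chown -R` and `chmod -R go-rwx` as root on a path built as `dirname /host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg` with no check that the value rendered to anything; if `host_config_dir` is empty or renders blank, the target collapses to `/host`, which in this chart is the entire host filesystem mounted into the init container, and with only `set -x` (no `set -e`) the script still exits 0 afterwards. Compute the directory once, refuse to operate on the mount root, and quote the expansions; on the Helm side `{{ required "conf.haproxy.host_config_dir must be set" .Values.conf.haproxy.host_config_dir }}` would additionally catch the empty case at render time. The rewritten tail of the script would look like this:
```shell
# … unchanged: license header and {{- $envAll := . }} …
set -ex

RUNASUSER={{ .Values.pod.security_context.haproxy.pod.runAsUser }}
HAPROXY_DIR="$(dirname "/host{{ .Values.conf.haproxy.host_config_dir }}/haproxy.cfg")"

# Never operate on the mount root: an empty host_config_dir collapses the path to /host.
case "$HAPROXY_DIR" in
  /host|/host/) echo "refusing to chown/chmod ${HAPROXY_DIR}" >&2; exit 1 ;;
esac

chown -R "$RUNASUSER:$RUNASUSER" "$HAPROXY_DIR"
chmod -R go-rwx "$HAPROXY_DIR"
```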
@@ -23,3 +23,5 @@ data:
 {{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 pre_stop.sh: |
 {{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ perms_update.sh: |
+{{ tuple "bin/_perms_update.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
diff --git a/charts/haproxy/templates/daemonset.yaml b/charts/haproxy/templates/daemonset.yaml
index 448fafff..53dddff4 100644
--- a/charts/haproxy/templates/daemonset.yaml
+++ b/charts/haproxy/templates/daemonset.yaml
@@ -46,6 +46,23 @@ spec:
 operator: Exists
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.haproxy_anchor.timeout }}
 serviceAccountName: haproxy-anchor
+ initContainers:
+ - name: haproxy-perms
+ image: {{ .Values.images.tags.anchor }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ dict "envAll" $envAll "application" "haproxy" "container" "haproxy_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.haproxy_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/perms_update.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: haproxy-bin
+ mountPath: /tmp/perms_update.sh
+ subPath: perms_update.sh
+ readOnly: false
+ - name: host
+ mountPath: /host
 containers:
 - name: anchor
 image: {{ .Values.images.tags.anchor }}
@@ -66,6 +83,8 @@ spec:
 value: /var/run/secrets/kubernetes.io/serviceaccount/token
 - name: KUBE_URL
 value: {{ .Values.conf.anchor.kubernetes_url | quote }}
+ - name: RUNASUSER
+ value: {{ .Values.pod.security_context.haproxy.pod.runAsUser | quote }}
 command:
 - /tmp/bin/anchor.sh
 lifecycle:
@@ -92,3 +111,5 @@ spec:
 - name: host
 hostPath:
 path: /
+ - name: pod-tmp
+ emptyDir: {}
diff --git a/charts/haproxy/templates/etc/_haproxy.yaml.tpl b/charts/haproxy/templates/etc/_haproxy.yaml.tpl
index 6b701ad3..baf20b49 100644
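Review bot: The `haproxy-perms` init container mounts the existing `host` volume (`hostPath: path: /`) writable at `/host` although `perms_update.sh` only ever touches `host_config_dir`, so a bug or bad value in that script can chown or chmod anywhere on the node; a dedicated hostPath for the config directory, mounted at `/host{{ .Values.conf.haproxy.host_config_dir }}` so the script's paths keep working, bounds the damage. The script mount also declares `readOnly: false` for a ConfigMap-backed file the container never writes; it should be `readOnly: true`. The replacement mount and volume entries would be:
```yaml
        - name: haproxy-bin
          mountPath: /tmp/perms_update.sh
          subPath: perms_update.sh
          readOnly: true
        - name: haproxy-etc
          mountPath: /host{{ .Values.conf.haproxy.host_config_dir }}
# … unchanged: containers, env, lifecycle, existing volumes …
      - name: haproxy-etc
        hostPath:
          path: {{ .Values.conf.haproxy.host_config_dir }}
      - name: pod-tmp
        emptyDir: {}
```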
--- a/charts/haproxy/templates/etc/_haproxy.yaml.tpl +++ b/charts/haproxy/templates/etc/_haproxy.yaml.tpl @@ -52,6 +52,7 @@ spec: cat "$HAPROXY_CONF" echo cp "$HAPROXY_CONF" "$LIVE_HAPROXY_CONF" + chmod 700 $LIVE_HAPROXY_CONF # NOTE(mark-burnett): sleep for clearer log output sleep 1 @@ -97,3 +98,4 @@ spec: - name: etc hostPath: path: {{ .Values.conf.haproxy.host_config_dir }} +{{ dict "envAll" $envAll "application" "haproxy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }} diff --git a/charts/haproxy/values.yaml b/charts/haproxy/values.yaml index 387fc80b..f8d40a16 100644 --- a/charts/haproxy/values.yaml +++ b/charts/haproxy/values.yaml @@ -86,6 +86,12 @@ pod: runAsUser: 0 allowPrivilegeEscalation: false readOnlyRootFilesystem: true + haproxy: + pod: + runAsUser: 65534 + container: + haproxy_perms: + runAsUser: 0 lifecycle: upgrades: daemonsets: diff --git a/examples/basic/Genesis.yaml b/examples/basic/Genesis.yaml index a233eac5..6afbf091 100644 --- a/examples/basic/Genesis.yaml +++ b/examples/basic/Genesis.yaml @@ -44,6 +44,8 @@ data: - kubernetes-scheduler=enabled - promenade-genesis=enabled - ucp-control-plane=enabled + haproxy: + run_as_user: 65534 images: armada: quay.io/airshipit/armada:master-ubuntu_xenial helm: diff --git a/examples/complete/Genesis.yaml b/examples/complete/Genesis.yaml index 4534823c..7841d33c 100644 --- a/examples/complete/Genesis.yaml +++ b/examples/complete/Genesis.yaml @@ -30,6 +30,8 @@ data: - kubernetes-scheduler=enabled - promenade-genesis=enabled - ucp-control-plane=enabled + haproxy: + run_as_user: 65534 images: armada: quay.io/airshipit/armada:master-ubuntu_xenial helm: diff --git a/examples/gate/Genesis.yaml b/examples/gate/Genesis.yaml index e4697664..c4a9f8eb 100644 --- a/examples/gate/Genesis.yaml +++ b/examples/gate/Genesis.yaml 
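Review bot: `chmod 700 $LIVE_HAPROXY_CONF` sets the execute bit on a configuration file that HAProxy only reads, and leaves the variable unquoted; the least-privilege form is `chmod 600 "$LIVE_HAPROXY_CONF"`. Because `cp` onto an existing destination keeps that file's mode and onto a new one applies the umask, the file can be briefly wider than intended between the `cp` and the `chmod`; that window is harmless only if the containing directory is already `go-rwx`, otherwise `install -m 600 "$HAPROXY_CONF" "$LIVE_HAPROXY_CONF"` (if the image ships `install`) does copy and mode in one step. The shell block this line belongs to starts before the hunk.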
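Review bot: The new `container.haproxy_perms` entry in values.yaml sets only `runAsUser: 0`, so the init container that runs as root with a host filesystem mount gets none of the hardening the neighbouring container entry carries in the context lines just above (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`); if `kubernetes_container_security_context` renders this map as-is, add both keys under `haproxy_perms` — its script writes only to the `/host` mount, so a read-only root filesystem costs nothing. Separately, `haproxy.pod.runAsUser: 65534` is the `nobody` uid on most distributions, which means any other host process running as nobody can read the config directory once it is chowned to that uid; a dedicated uid may be preferable if the config is considered sensitive.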
@@ -44,6 +44,8 @@ data: - kubernetes-scheduler=enabled - promenade-genesis=enabled - ucp-control-plane=enabled + haproxy: + run_as_user: 65534 images: armada: quay.io/airshipit/armada:master-ubuntu_xenial helm: diff --git a/promenade/schemas/Genesis.yaml b/promenade/schemas/Genesis.yaml index c104d454..d9af9d7e 100644 --- a/promenade/schemas/Genesis.yaml +++ b/promenade/schemas/Genesis.yaml @@ -121,6 +121,13 @@ data: items: $ref: '#/definitions/file' + haproxy: + type: object + properties: + run_as_user: + type: integer + additionalProperties: false + hostname: $ref: '#/definitions/hostname' diff --git a/promenade/templates/roles/common/etc/kubernetes/manifests/haproxy.yaml b/promenade/templates/roles/common/etc/kubernetes/manifests/haproxy.yaml index 0ff79125..4430ae74 100644 --- a/promenade/templates/roles/common/etc/kubernetes/manifests/haproxy.yaml +++ b/promenade/templates/roles/common/etc/kubernetes/manifests/haproxy.yaml @@ -37,3 +37,5 @@ spec: - name: etc hostPath: path: /etc/promenade/haproxy + securityContext: + runAsUser: {{ config.get_path('Genesis:haproxy.run_as_user', '65534') }}
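Review bot: `run_as_user` in the Genesis schema is constrained only by `type: integer`, so it accepts `0` (which silently puts the static HAProxy pod back on root) and negative values (which Kubernetes rejects for `runAsUser`, but only after Genesis has already rendered the manifest). Encode the non-root intent of this change in the schema with `type: integer` followed by `minimum: 1`; if root must remain selectable, `minimum: 0` is the floor that still keeps the rendered manifest valid. The `haproxy:` object is inserted into a larger `properties` block whose start and end fall outside the hunk.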