diff --git a/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml b/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml
index 262976f0da..72d4908c7d 100644
--- a/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml
+++ b/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml
@@ -72,6 +72,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
       topologySpreadConstraints:
         - maxSkew: 1
diff --git a/kubernetes/main/apps/downloads/qbittorrent/tools/helmrelease.yaml b/kubernetes/main/apps/downloads/qbittorrent/tools/helmrelease.yaml
index 91421bb886..f787cf4c7e 100644
--- a/kubernetes/main/apps/downloads/qbittorrent/tools/helmrelease.yaml
+++ b/kubernetes/main/apps/downloads/qbittorrent/tools/helmrelease.yaml
@@ -59,4 +59,5 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
diff --git a/kubernetes/main/apps/kube-tools/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/main/apps/kube-tools/system-upgrade-controller/app/helmrelease.yaml
index 95c5e8a865..79b0a56d4f 100644
--- a/kubernetes/main/apps/kube-tools/system-upgrade-controller/app/helmrelease.yaml
+++ b/kubernetes/main/apps/kube-tools/system-upgrade-controller/app/helmrelease.yaml
@@ -58,6 +58,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
       affinity:
         nodeAffinity:
diff --git a/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml
index 0e65aaa548..1a165bf85b 100644
--- a/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml
+++ b/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml
@@ -74,6 +74,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
       topologySpreadConstraints:
         - maxSkew: 1
diff --git a/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml b/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml
index f89be9af3c..9c906abe4d 100644
--- a/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml
+++ b/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml
@@ -65,6 +65,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
       topologySpreadConstraints:
         - maxSkew: 1
diff --git a/kubernetes/main/apps/observability/karma/app/helmrelease.yaml b/kubernetes/main/apps/observability/karma/app/helmrelease.yaml
index 13e09c525b..f9f9df4137 100644
--- a/kubernetes/main/apps/observability/karma/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/karma/app/helmrelease.yaml
@@ -50,6 +50,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
       topologySpreadConstraints:
         - maxSkew: 1
diff --git a/kubernetes/main/apps/self-hosted/lubelog/app/helmrelease.yaml b/kubernetes/main/apps/self-hosted/lubelog/app/helmrelease.yaml
index 8bc13d5151..3b6c301565 100644
--- a/kubernetes/main/apps/self-hosted/lubelog/app/helmrelease.yaml
+++ b/kubernetes/main/apps/self-hosted/lubelog/app/helmrelease.yaml
@@ -53,6 +53,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
     service:
       app:
diff --git a/kubernetes/utility/apps/kube-tools/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/utility/apps/kube-tools/system-upgrade-controller/app/helmrelease.yaml
index 95c5e8a865..79b0a56d4f 100644
--- a/kubernetes/utility/apps/kube-tools/system-upgrade-controller/app/helmrelease.yaml
+++ b/kubernetes/utility/apps/kube-tools/system-upgrade-controller/app/helmrelease.yaml
@@ -58,6 +58,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
       affinity:
         nodeAffinity:
diff --git a/kubernetes/utility/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/utility/apps/network/cloudflared/app/helmrelease.yaml
index 5e3f67a33a..69edf991a2 100644
--- a/kubernetes/utility/apps/network/cloudflared/app/helmrelease.yaml
+++ b/kubernetes/utility/apps/network/cloudflared/app/helmrelease.yaml
@@ -71,6 +71,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
       topologySpreadConstraints:
         - maxSkew: 1
diff --git a/kubernetes/utility/apps/network/echo-server/app/helmrelease.yaml b/kubernetes/utility/apps/network/echo-server/app/helmrelease.yaml
index 1658ca9473..821458656a 100644
--- a/kubernetes/utility/apps/network/echo-server/app/helmrelease.yaml
+++ b/kubernetes/utility/apps/network/echo-server/app/helmrelease.yaml
@@ -66,6 +66,7 @@ spec:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile: { type: RuntimeDefault }
       topologySpreadConstraints:
         - maxSkew: 1