Does goofys require CAP_SYS_ADMIN / privileged mode to mount in Kubernetes? #813

@saurabhkanawadenice

Hello,

I’m running goofys inside a Kubernetes container as part of my Flink job setup. My entry point looks like this:

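#!/usr/bin/env bash
echo "Mounting DL binaries bucket name is $S3BinariesBucket"
# Run goofys in foreground mode (-f) as a background job, then hand off to the image's entry point
goofys -f -o allow_other --subdomain "$S3BinariesBucket" /opt/s3binaries &
/docker-entrypoint.sh "$@"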

When I run the pod with:

securityContext:
  privileged: true

➡️ The bucket mounts correctly and Flink can read the JAR from /opt/s3binaries/....

But when I switch to:

securityContext:
  privileged: false

➡️ The mount no longer works — the directory stays empty, and Flink fails with:

JAR file does not exist '/opt/s3binaries/...jar'

Question:

  • Does goofys require privileged: true to run inside Kubernetes?
  • Or is it enough to add narrower permissions like:

securityContext:
  capabilities:
    add: ["SYS_ADMIN"]
devices:
- /dev/fuse

  • Is there a way to run goofys without privileged containers while still allowing the mount to succeed?

Why I’m asking:

  • Kubernetes/Docker documentation mentions that FUSE mounts require CAP_SYS_ADMIN and access to /dev/fuse, but I’d like to confirm the official requirement for goofys.
  • Running privileged: true is a big security concern in production, so narrowing down to the minimal required permissions would be very helpful.

Thanks!
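The entry point above starts goofys in the background, so a failed mount only shows up later as a missing JAR. The following preflight is an added example, not part of the original post and not goofys code: it checks the two prerequisites the post cites from the Kubernetes/Docker documentation (CAP_SYS_ADMIN in the effective set, and a usable /dev/fuse). The function names and the sample capability masks are constructed for illustration.

```bash
#!/bin/sh
# Added example: preflight for the FUSE prerequisites named in the issue.
CAP_SYS_ADMIN_BIT=21   # bit number of CAP_SYS_ADMIN in linux/capability.h

# has_cap HEXMASK BIT: succeed if BIT is set in a CapEff-style hex mask.
has_cap() {
  case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [STATUS_FILE]: print the effective capability mask of this process.
cap_eff() {
  awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# fuse_preflight [STATUS_FILE] [DEVICE]: report every missing prerequisite and
# return non-zero if any is missing. The arguments exist so it can be tested.
fuse_preflight() {
  pf_dev="${2:-/dev/fuse}"
  pf_mask="$(cap_eff "${1:-/proc/self/status}")"
  pf_rc=0
  if ! has_cap "$pf_mask" "$CAP_SYS_ADMIN_BIT"; then
    echo "preflight: CAP_SYS_ADMIN missing (CapEff=${pf_mask:-unknown})" >&2
    pf_rc=1
  fi
  if [ ! -c "$pf_dev" ]; then
    echo "preflight: $pf_dev is not present as a character device" >&2
    pf_rc=1
  elif [ ! -r "$pf_dev" ] || [ ! -w "$pf_dev" ]; then
    echo "preflight: $pf_dev exists but is not readable and writable" >&2
    pf_rc=1
  fi
  return "$pf_rc"
}

# Constructed sample masks: a default container set, the same set with
# SYS_ADMIN added, and a full (privileged) set.
for m in 00000000a80425fb 00000000a82425fb 000001ffffffffff; do
  if has_cap "$m" "$CAP_SYS_ADMIN_BIT"; then
    echo "$m: CAP_SYS_ADMIN present"
  else
    echo "$m: CAP_SYS_ADMIN absent"
  fi
done

# In the entry point from the issue, call it before starting goofys:
#   fuse_preflight || exit 1
```

Passing these checks is a necessary condition, not proof the mount will succeed: the container's device cgroup can still deny opening /dev/fuse even when the node is visible.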
