Thanks for your question, very good one.
We are currently looking to find the right balance between what perms should be out of the box and what should be custom setup.
E.g. running things like Telepresence (CNCF) needs sshd. And running sshd needs root (and RunAsAny).
We are working closely with them and just proposed a work version which should be fine with fewer perms (currently for OpenShift), and then we can tighten such things also in k8s.