diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml
index d7044bea..f5963549 100644
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -90,8 +90,8 @@ spec:
 scheduler.alpha.kubernetes.io/critical-pod: ""
 spec:
 securityContext:
- runAsUser: 1001
- runAsGroup: 1001
+ runAsUser: #@ data.values.run_as_user
+ runAsGroup: #@ data.values.run_as_group
 serviceAccountName: #@ defaultResourceName()
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 imagePullSecrets:
diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml
index 5bf74834..5aab13c8 100644
--- a/deploy/concierge/values.yaml
+++ b/deploy/concierge/values.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@data/values
@@ -54,3 +54,6 @@ api_serving_certificate_renew_before_seconds: 2160000
 #! Specify the verbosity of logging: info ("nice to know" information), debug (developer
 #! information), trace (timing information), all (kitchen sink).
 log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
+
+run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process
+run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process
diff --git a/deploy/local-user-authenticator/deployment.yaml b/deploy/local-user-authenticator/deployment.yaml
index 73fc2c50..9845800a 100644
--- a/deploy/local-user-authenticator/deployment.yaml
+++ b/deploy/local-user-authenticator/deployment.yaml
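Review bot: The new `runAsUser: #@ data.values.run_as_user` and `runAsGroup: #@ data.values.run_as_group` lines in the pod securityContext accept whatever the data value holds, so the non-root guarantee that the hard-coded 1001 gave is now only a default; the Tiltfile hunk in this same commit sets both to 0 and the template renders a root pod without complaint. Adding `runAsNonRoot: true` next to these lines would restore the guarantee but would conflict with the Tiltfile's use of 0, so at minimum a comment at this line should state that 0 means the container process runs as root and that the shipped default is 1001. To my reading the Kubernetes API decodes these two fields as integers, so a value supplied with plain `--data-value` (which ytt treats as a string) would likely be rejected at apply time; that is worth a comment too, since only `--data-value-yaml` or the values file default yields an integer. The same applies to the local-user-authenticator and supervisor deployment hunks, and the enclosing pod template continues outside the hunk.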
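Review bot: The comments on the new `run_as_user` and `run_as_group` lines in deploy/concierge/values.yaml say the IDs own the "local-user-authenticator process", which looks like a copy-paste from the local-user-authenticator values file; this file configures the Concierge. The supervisor values.yaml hunk carries the same wrong text. Suggest `run_as_user: 1001 #! run_as_user specifies the user ID that will own the Concierge process` and the matching "group ID" wording for run_as_group, plus a sentence noting that both must be integers (passed with `--data-value-yaml`, not `--data-value`) and that 0 runs the process as root.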
@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -48,8 +48,8 @@ spec:
 app: local-user-authenticator
 spec:
 securityContext:
- runAsUser: 1001
- runAsGroup: 1001
+ runAsUser: #@ data.values.run_as_user
+ runAsGroup: #@ data.values.run_as_group
 serviceAccountName: local-user-authenticator
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 imagePullSecrets:
diff --git a/deploy/local-user-authenticator/values.yaml b/deploy/local-user-authenticator/values.yaml
index 86a4248d..56f61748 100644
--- a/deploy/local-user-authenticator/values.yaml
+++ b/deploy/local-user-authenticator/values.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@data/values
@@ -14,3 +14,6 @@ image_tag: latest
 #! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
 #! Optional.
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
+
+run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process
+run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process
diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml
index 1e0c75c0..da9dba99 100644
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:data", "data")
@@ -64,8 +64,8 @@ spec:
 labels: #@ defaultLabel()
 spec:
 securityContext:
- runAsUser: 1001
- runAsGroup: 1001
+ runAsUser: #@ data.values.run_as_user
+ runAsGroup: #@ data.values.run_as_group
 serviceAccountName: #@ defaultResourceName()
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 imagePullSecrets:
diff --git a/deploy/supervisor/values.yaml b/deploy/supervisor/values.yaml
index a4575c3c..e522155f 100644
--- a/deploy/supervisor/values.yaml
+++ b/deploy/supervisor/values.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@data/values
@@ -56,3 +56,6 @@ service_loadbalancer_ip: #! e.g. 1.2.3.4
 #! Specify the verbosity of logging: info ("nice to know" information), debug (developer
 #! information), trace (timing information), all (kitchen sink).
 log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
+
+run_as_user: 1001 #! run_as_user specifies the user ID that will own the local-user-authenticator process
+run_as_group: 1001 #! run_as_group specifies the group ID that will own the local-user-authenticator process
diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile
index cb455004..c1c40bf7 100644
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@@ -60,6 +60,8 @@ k8s_yaml(local([
 '--file', '../../../deploy/local-user-authenticator',
 '--data-value', 'image_repo=image/local-user-auth',
 '--data-value', 'image_tag=tilt-dev',
+ '--data-value-yaml', 'run_as_user=0',
+ '--data-value-yaml', 'run_as_group=0',
 ]))
 # Tell tilt to watch all of those files for changes.
 watch_file('../../../deploy/local-user-authenticator')
@@ -108,6 +110,8 @@ k8s_yaml(local([
 '--data-value-yaml', 'service_https_nodeport_nodeport=31243',
 '--data-value-yaml', 'service_https_clusterip_port=443',
 '--data-value-yaml', 'custom_labels={mySupervisorCustomLabelName: mySupervisorCustomLabelValue}',
+ '--data-value-yaml', 'run_as_user=0',
+ '--data-value-yaml', 'run_as_group=0',
 ]))
 # Tell tilt to watch all of those files for changes.
 watch_file('../../../deploy/supervisor')
@@ -152,7 +156,9 @@ k8s_yaml(local([
 '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/master|control plane/ {print $NF}\') ' +
 '--data-value log_level=debug ' +
 '--data-value-yaml replicas=1 ' +
- '--data-value-yaml "custom_labels={myConciergeCustomLabelName: myConciergeCustomLabelValue}"'
+ '--data-value-yaml "custom_labels={myConciergeCustomLabelName: myConciergeCustomLabelValue}" ' +
+ '--data-value-yaml run_as_user=0 ' +
+ '--data-value-yaml run_as_group=0',
 ]))
 # Tell tilt to watch all of those files for changes.
 watch_file('../../../deploy/concierge')
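Review bot: The added `'--data-value-yaml', 'run_as_user=0'` / `'run_as_group=0'` pairs in all three k8s_yaml calls make the local-user-authenticator, supervisor and concierge pods run as root in the Tilt environment, and nothing in the hunks says why. This is the only place the new values are set to something other than the 1001 default, so a one-line comment above each pair would keep a future reader from copying the override into a non-dev overlay, e.g. `# Run as root in the local Tilt dev environment only; the shipped values.yaml default is 1001.` The reason is not stated in the diff; if it is needed for Tilt's file syncing into the running container, say so in the comment. The three k8s_yaml calls begin outside their hunks.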