diff --git a/kube/deploy/apps/minecraft/app/hr.yaml b/kube/deploy/apps/minecraft/app/hr.yaml
index 900328ec..e9f82227 100644
--- a/kube/deploy/apps/minecraft/app/hr.yaml
+++ b/kube/deploy/apps/minecraft/app/hr.yaml
@@ -91,7 +91,7 @@ spec:
 exec: *probeexec
 securityContext:
 readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
+ allowPrivilegeEscalation: true
 capabilities:
 drop: ["ALL"]
 add: ["NET_RAW", "SETUID", "SETGID", "DAC_READ_SEARCH", "AUDIT_WRITE"] # used for autopause, Cilium claims it's safe to use without kube-proxy: https://cilium.io/blog/2020/12/11/kube-proxy-free-cve-mitigation/
@@ -118,17 +118,17 @@ spec:
 globalMounts:
 - path: "/data"
 readOnly: false
- # initContainers:
- # 01-knockd-cp: &init
- # command: ["/usr/bin/cp", "/usr/local/sbin/knockd", "/knockd/knockd"]
- # # image: "{{ .Values.controllers.main.containers.main.image.repository }}:{{ .Values.controllers.main.containers.main.image.tag }}"
- # image: *image
- # imagePullPolicy: IfNotPresent
- # 02-knockd-add-caps:
- # <<: *init
- # command: ["/usr/sbin/setcap", "cap_net_raw=ep", "/knockd/knockd"]
- # securityContext:
- # runAsUser: 0
+ initContainers:
+ 01-knockd-cp: &init
+ command: ["/usr/bin/cp", "/usr/local/sbin/knockd", "/knockd/knockd"]
+ # image: "{{ .Values.controllers.main.containers.main.image.repository }}:{{ .Values.controllers.main.containers.main.image.tag }}"
+ image: *image
+ imagePullPolicy: IfNotPresent
+ 02-knockd-add-caps:
+ <<: *init
+ command: ["/usr/sbin/setcap", "cap_net_raw=ep", "/knockd/knockd"]
+ securityContext:
+ runAsUser: 0
 service:
 main:
 enabled: true
@@ -154,7 +154,7 @@ spec:
 # runAsUser: &uid ${APP_UID_MINECRAFT}
 runAsGroup: *uid
 fsGroup: *uid
- runAsNonRoot: true
+ runAsNonRoot: false
 seccompProfile: {type: "RuntimeDefault"}
 fsGroupChangePolicy: "Always"
 persistence: 
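Review bot: `allowPrivilegeEscalation: true` on the main container is container-wide — it leaves no_new_privs unset for every execve in that container, so any setuid or file-capability binary in the image gains effect, not only the knockd binary that the init container labels with `cap_net_raw=ep`; together with `SETUID`/`SETGID` already in `capabilities.add`, that is a wider surface than the knockd use case needs. At minimum record the reason on the line so the next reader does not "fix" it back: `allowPrivilegeEscalation: true # required so knockd's cap_net_raw file capability takes effect (no_new_privs must be unset); see initContainers.02-knockd-add-caps`. This flip, together with `runAsNonRoot: false` in the third hunk, also moves the pod out of the Pod Security Standards "restricted" profile, so if the namespace enforces `restricted` the pod will be rejected at admission — worth confirming the namespace's pod-security label. The main container definition that holds this securityContext starts outside the hunk.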
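Review bot: The `02-knockd-add-caps` init container runs as root with only `runAsUser: 0` in its securityContext, so it keeps the runtime's default capability set and has no `allowPrivilegeEscalation`/`readOnlyRootFilesystem` restriction, although `setcap` only needs `CAP_SETFCAP` to write the `security.capability` xattr on `/knockd/knockd`. `01-knockd-cp` declares no securityContext at all and, with the pod-level `runAsUser` commented out (third hunk), runs as whatever user the image defaults to — worth pinning explicitly. Dropping everything but `SETFCAP` on the setcap step should be sufficient for `setcap cap_net_raw=ep` since it writes only into the mounted emptyDir; verify against the cluster's kernel before merging.

```yaml
# … unchanged: 01-knockd-cp …
02-knockd-add-caps:
  <<: *init
  command: ["/usr/sbin/setcap", "cap_net_raw=ep", "/knockd/knockd"]
  securityContext:
    runAsUser: 0
    runAsNonRoot: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
      add: ["SETFCAP"]
```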
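Review bot: `runAsNonRoot: false` at the pod level removes the non-root guard for every container in the pod, including the game server itself, when only the `02-knockd-add-caps` init container (second hunk) needs to run as uid 0. A container-level securityContext overrides the pod-level field, so the pod can keep `runAsNonRoot: true` while that init container carries `runAsNonRoot: false` next to its `runAsUser: 0`; the kubelet then still refuses to start the main container if its effective user ever resolves to root. The pod securityContext mapping that encloses these lines starts outside the hunk, and `runAsUser: &uid …` is a commented-out context line here, so the `&uid` anchor that `runAsGroup`/`fsGroup` alias is presumably defined elsewhere in the file — worth confirming it is still the intended value.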
@@ -165,12 +165,12 @@ spec:
 globalMounts:
 - path: /tmp
 readOnly: false
- # knockd:
- # enabled: true
- # type: emptyDir
- # medium: Memory
- # advancedMounts:
- # main:
- # main: [{path: "/usr/local/sbin"}] # janky gamble, given that knockd is the only thing installed at this path as of 2023-10-08
- # 01-knockd-cp: [{path: "/knockd"}]
- # 02-knockd-add-caps: [{path: "/knockd"}]
\ No newline at end of file
+ knockd:
+ enabled: true
+ type: emptyDir
+ medium: Memory
+ advancedMounts:
+ main:
+ main: [{path: "/usr/local/sbin"}] # janky gamble, given that knockd is the only thing installed at this path as of 2023-10-08
+ 01-knockd-cp: [{path: "/knockd"}]
+ 02-knockd-add-caps: [{path: "/knockd"}]
\ No newline at end of file
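Review bot: The `knockd` emptyDir is mounted read-write at `/usr/local/sbin` in the `main` container, so the game-server process can modify or replace the binary that the init container labelled with `cap_net_raw=ep`, while the main container only ever needs to execute it; the two init containers keep their write access through `/knockd`. Mount it read-only in `main`: `main: [{path: "/usr/local/sbin", readOnly: true}]` (the `readOnly` key is already used by `globalMounts` in this file). `medium: Memory` also means the volume's contents are charged to the container's memory limit — negligible for one binary, but worth knowing if the limit is tight. The `persistence` mapping that encloses these lines starts outside the hunk.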