diff --git a/apps/authentik/authentik.yaml b/apps/authentik/authentik.yaml
index 0915a53..ce95942 100644
--- a/apps/authentik/authentik.yaml
+++ b/apps/authentik/authentik.yaml
@@ -227,6 +227,11 @@ spec:
 labels:
 app: authentik-server
 spec:
+ securityContext:
+ # Authentik image runs as uid 1000 "authentik" but the Longhorn PVC mounts
+ # root:root by default. fsGroup recursively chgrp + chmod g+rwx so the
+ # non-root container can mkdir /media/public during the tenant_files migration.
+ fsGroup: 1000
 containers:
 - name: server
 image: ghcr.io/goauthentik/server:2024.12.3
@@ -330,6 +335,9 @@ spec:
 labels:
 app: authentik-worker
 spec:
+ securityContext:
+ # Same as server pod — non-root uid 1000 needs PVC group write.
+ fsGroup: 1000
 containers:
 - name: worker
 image: ghcr.io/goauthentik/server:2024.12.3
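Review bot: The new pod-level `securityContext` in the authentik-server spec sets only `fsGroup: 1000`, so the non-root uid the comment relies on is still just an image default that nothing in the manifest enforces. Adding `runAsNonRoot: true` and `runAsUser: 1000` next to `fsGroup` would make the kubelet refuse to start the container as root if the image or its USER ever changes. `fsGroupChangePolicy: OnRootMismatch` would also skip the recursive ownership walk on mounts where the volume root already matches, which matters as the media volume grows. The same applies to the authentik-worker hunk at -330. The pod spec continues outside both hunks, so any container-level securityContext is not visible here.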