diff --git a/pkg/install/daemonset.go b/pkg/install/daemonset.go
index 289cd7324..0f547c759 100644
--- a/pkg/install/daemonset.go
+++ b/pkg/install/daemonset.go
@@ -40,6 +40,9 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1.DaemonSet {
 }
+ userID := int64(0)
+ mountPropagationMode := corev1.MountPropagationHostToContainer
+
 daemonSet := &appsv1.DaemonSet{
 ObjectMeta: objectMeta(namespace, "restic"),
 TypeMeta: metav1.TypeMeta{
@@ -60,6 +63,9 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1.DaemonSet {
 },
 Spec: corev1.PodSpec{
 ServiceAccountName: "velero",
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsUser: &userID,
+ },
 Volumes: []corev1.Volume{
 {
 Name: "host-pods",
@@ -69,6 +75,12 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1.DaemonSet {
 },
 },
 },
+ {
+ Name: "scratch",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: new(corev1.EmptyDirVolumeSource),
+ },
+ },
 },
 Containers: []corev1.Container{
 {
@@ -77,8 +89,13 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1.DaemonSet {
 ImagePullPolicy: pullPolicy,
 VolumeMounts: []corev1.VolumeMount{
 {
- Name: "host-pods",
- MountPath: "/host_pods",
+ Name: "host-pods",
+ MountPath: "/host_pods",
+ MountPropagation: &mountPropagationMode,
+ },
+ {
+ Name: "scratch",
+ MountPath: "/scratch",
 },
 },
 Env: []corev1.EnvVar{
@@ -98,6 +115,14 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1.DaemonSet {
 },
 },
 },
+ {
+ Name: "VELERO_SCRATCH_DIR",
+ Value: "/scratch",
+ },
+ {
+ Name: "AZURE_CREDENTIALS_FILE",
+ Value: "/credentials/cloud",
+ },
 {
 Name: "GOOGLE_APPLICATION_CREDENTIALS",
 Value: "/credentials/cloud",
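Review bot: `userID := int64(0)` in this hunk, consumed as `RunAsUser: &userID` in the `@@ -60` hunk, pins the pod to UID 0 without recording why, and because it sits on the PodSecurityContext it applies to every container in the pod, including any added later. Name the value for what it is and state the reason next to it, e.g. `rootUID := int64(0) // restic presumably needs root to read other pods' volumes under /host_pods — TODO confirm`. Clusters that enforce a runAsNonRoot admission policy will reject this DaemonSet, which is worth a line in the install documentation. DaemonSet's body continues outside the hunk.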
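Review bot: The new `scratch` EmptyDir in the `@@ -69` hunk has no `SizeLimit`, so whatever the restic container writes under /scratch is bounded only by the node's disk; the same applies to the `scratch` volume added to deployment.go in its `@@ -136` hunk. If scratch usage is expected to be small, setting `SizeLimit` lets the kubelet evict the pod instead of letting it fill the node. Separately, `new(corev1.EmptyDirVolumeSource)` differs from the `&corev1.EmptyDirVolumeSource{}` form already used for the plugins volume (visible as context in the deployment.go hunk); pick one form for consistency.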
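Review bot: `AZURE_CREDENTIALS_FILE` is added to the restic DaemonSet's env in the `@@ -98` hunk, but the deployment.go hunk at `@@ -116` adds only `VELERO_SCRATCH_DIR`, so unless the Deployment already sets it outside its hunk the two pod specs now diverge. Both this variable and the existing `GOOGLE_APPLICATION_CREDENTIALS` point at /credentials/cloud, which is only mounted when the credentials volume is enabled (the mount is appended inside a conditional block in the `@@ -126` hunk); that mismatch predates this change but the new variable extends it. A short comment on the new entry would help the next reader, e.g. `// Only valid when the cloud-credentials volume is mounted; see the conditional append below.`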
@@ -126,6 +151,14 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1.DaemonSet {
 },
 },
 )
+
+ daemonSet.Spec.Template.Spec.Containers[0].VolumeMounts = append(
+ daemonSet.Spec.Template.Spec.Containers[0].VolumeMounts,
+ corev1.VolumeMount{
+ Name: "cloud-credentials",
+ MountPath: "/credentials",
+ },
+ )
 }
 daemonSet.Spec.Template.Spec.Containers[0].Env = append(daemonSet.Spec.Template.Spec.Containers[0].Env, c.envVars...)
diff --git a/pkg/install/daemonset_test.go b/pkg/install/daemonset_test.go
index 11c447813..efb3ae04a 100644
--- a/pkg/install/daemonset_test.go
+++ b/pkg/install/daemonset_test.go
@@ -30,7 +30,7 @@ func TestDaemonSet(t *testing.T) {
 assert.Equal(t, "velero", ds.ObjectMeta.Namespace)
 ds = DaemonSet("velero", WithoutCredentialsVolume())
- assert.Equal(t, 1, len(ds.Spec.Template.Spec.Volumes))
+ assert.Equal(t, 2, len(ds.Spec.Template.Spec.Volumes))
 ds = DaemonSet("velero", WithImage("gcr.io/heptio-images/velero:v0.11"))
 assert.Equal(t, "gcr.io/heptio-images/velero:v0.11", ds.Spec.Template.Spec.Containers[0].Image)
diff --git a/pkg/install/deployment.go b/pkg/install/deployment.go
index f4442055d..04d320f19 100644
--- a/pkg/install/deployment.go
+++ b/pkg/install/deployment.go
@@ -116,8 +116,16 @@ func Deployment(namespace string, opts ...podTemplateOption) *appsv1beta1.Deploy
 Name: "plugins",
 MountPath: "/plugins",
 },
+ {
+ Name: "scratch",
+ MountPath: "/scratch",
+ },
 },
 Env: []corev1.EnvVar{
+ {
+ Name: "VELERO_SCRATCH_DIR",
+ Value: "/scratch",
+ },
 {
 Name: "GOOGLE_APPLICATION_CREDENTIALS",
 Value: "/credentials/cloud",
@@ -136,6 +144,12 @@ func Deployment(namespace string, opts ...podTemplateOption) *appsv1beta1.Deploy
 EmptyDir: &corev1.EmptyDirVolumeSource{},
 },
 },
+ {
+ Name: "scratch",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: new(corev1.EmptyDirVolumeSource),
+ },
+ },
 },
 },
 },
diff --git a/pkg/install/deployment_test.go b/pkg/install/deployment_test.go
index 67b2aaceb..70d26bad2 100644
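Review bot: The `cloud-credentials` mount appended in the `@@ -126` hunk is not marked read-only; a mount that carries cloud credentials should set `ReadOnly: true` so the intent is explicit and does not depend on how the kubelet happens to treat the backing volume (presumably a Secret, defined outside the hunk). Change the literal to `corev1.VolumeMount{Name: "cloud-credentials", MountPath: "/credentials", ReadOnly: true}`. The Deployment's equivalent credentials mount lies outside these hunks and is worth checking for the same flag. The enclosing `if` block starts outside the hunk.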
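Review bot: The daemonset_test.go hunk only corrects the volume count for WithoutCredentialsVolume; none of the other behaviour introduced in daemonset.go (RunAsUser 0, HostToContainer mount propagation, the /scratch mount, `VELERO_SCRATCH_DIR`, `AZURE_CREDENTIALS_FILE`) gets an assertion, and the deployment_test.go hunk has the same gap for its new volume and env var. A count-only check also passes if the wrong volume was added; asserting the name pins what the change intends, e.g. `assert.Equal(t, "scratch", ds.Spec.Template.Spec.Volumes[1].Name)`. TestDaemonSet's body continues outside the hunk.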
--- a/pkg/install/deployment_test.go
+++ b/pkg/install/deployment_test.go
@@ -32,13 +32,13 @@ func TestDeployment(t *testing.T) {
 assert.Equal(t, "--restore-only", deploy.Spec.Template.Spec.Containers[0].Args[1])
 deploy = Deployment("velero", WithEnvFromSecretKey("my-var", "my-secret", "my-key"))
- envSecret := deploy.Spec.Template.Spec.Containers[0].Env[2]
+ envSecret := deploy.Spec.Template.Spec.Containers[0].Env[3]
 assert.Equal(t, "my-var", envSecret.Name)
 assert.Equal(t, "my-secret", envSecret.ValueFrom.SecretKeyRef.LocalObjectReference.Name)
 assert.Equal(t, "my-key", envSecret.ValueFrom.SecretKeyRef.Key)
 deploy = Deployment("velero", WithoutCredentialsVolume())
- assert.Equal(t, 1, len(deploy.Spec.Template.Spec.Volumes))
+ assert.Equal(t, 2, len(deploy.Spec.Template.Spec.Volumes))
 deploy = Deployment("velero", WithImage("gcr.io/heptio-images/velero:v0.11"))
 assert.Equal(t, "gcr.io/heptio-images/velero:v0.11", deploy.Spec.Template.Spec.Containers[0].Image)
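Review bot: `Env[3]` in the changed line is a positional index that had to be bumped because `VELERO_SCRATCH_DIR` was inserted ahead of the secret-backed entry, and it will break again on the next env-var addition. Locating the entry by name is more robust: loop over `deploy.Spec.Template.Spec.Containers[0].Env`, pick the element whose `Name == "my-var"`, and fail the test if none is found, then run the existing three assertions on it. TestDeployment's body continues outside the hunk.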