diff --git a/Dockerfile b/Dockerfile
index 4c23e84c53..9aab22552a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,8 +7,13 @@ RUN go build -ldflags "-X $GO_PACKAGE/pkg/version.versionFromGit=$(git describe
 FROM registry.svc.ci.openshift.org/ocp/4.7:base
 COPY --from=builder /go/src/github.com/openshift/cloud-credential-operator/cloud-credential-operator /usr/bin/
 COPY manifests /manifests
-# Update perms so we can copy updated CA if needed
-RUN chmod -R g+w /etc/pki/ca-trust/extracted/pem/
+
+# Since /etc/pki/ca-trust is now volume mounted at runtime, we cannot use RUN
+# command to make its content world writable as it won't be included in the
+# final image. To workaround this we ADD archived contents of /etc/pki/ca-trust
+# as writable empty files and then run 'update-ca-trust extract' in the
+# container to populate these files
+ADD hack/writable-extracted.tar.gz /etc/pki/ca-trust/extracted
 LABEL io.openshift.release.operator=true
 # TODO make path explicit here to remove need for ENTRYPOINT
 # https://github.com/openshift/installer/blob/a8ddf6619794416c4600a827c2d9284724d382d8/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L347
diff --git a/hack/writable-extracted.tar.gz b/hack/writable-extracted.tar.gz
new file mode 100644
index 0000000000..ed0d12c74c
Binary files /dev/null and b/hack/writable-extracted.tar.gz differ
diff --git a/manifests/03-deployment.yaml b/manifests/03-deployment.yaml
index c0f627a700..481eb4e5bd 100644
--- a/manifests/03-deployment.yaml
+++ b/manifests/03-deployment.yaml
@@ -47,6 +47,7 @@ spec:
 name: cloud-credential-operator-serving-cert
 - args:
 - |
+ update-ca-trust extract;
 if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then
 echo "Copying system trust bundle"
 cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
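Review bot: The `ADD hack/writable-extracted.tar.gz /etc/pki/ca-trust/extracted` line takes the file modes and ownership of the system trust store from an opaque checked-in binary, so a reviewer cannot see which paths end up writable or by whom, and the comment above it says "world writable" while the `RUN chmod` it replaces only granted `g+w`. If the archive really sets 0666/0777 on the extracted bundles, any process in the container can rewrite the CA trust store; group-writable for GID 0 (the OpenShift arbitrary-UID convention) is all that is needed and should be stated explicitly. Please add the command that produces the tarball (a `hack/` script, or a comment with the exact `tar`/`chmod` invocation and the resulting modes) so the contents are reproducible and auditable, e.g. `# Regenerate with hack/make-writable-extracted.sh; entries are empty files, mode 0664, root:root`. The phrase "volume mounted at runtime" presumably refers to the image-build environment bind-mounting /etc/pki/ca-trust into RUN steps (which is why the chmod was lost) rather than to the pod; if so, saying "during the image build" would avoid implying the ADDed files are shadowed at pod runtime as well.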
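Review bot: The added `update-ca-trust extract;` runs unconditionally but its exit status is discarded by the trailing `;`, so if the extract fails (for example because the stub files shipped in the image are not writable for the UID the pod runs as) the script continues with empty trust bundles and the operator only fails later, on its first TLS connection, with a confusing certificate error. Unless `set -e` is enabled earlier in this script (not visible in the hunk), I would fail fast with a clear message: `update-ca-trust extract || { echo "update-ca-trust extract failed; trust store not writable?" >&2; exit 1; }`. The ordering as written is right — the `cp -f` below overwrites `extracted/pem/tls-ca-bundle.pem` after the extract, not before — and a one-line comment, `# must run before the cp below: extract regenerates extracted/pem/*`, would keep a future edit from swapping them. The shell script continues past the end of the hunk.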