diff --git a/templates/janitor/1/docker-compose.yml b/templates/janitor/1/docker-compose.yml
index 628de7b..f1efed9 100644
--- a/templates/janitor/1/docker-compose.yml
+++ b/templates/janitor/1/docker-compose.yml
@@ -8,7 +8,7 @@ cleanup:
 labels:
 io.rancher.scheduler.global: "true"
 io.rancher.scheduler.affinity:host_label_ne: "${EXCLUDE_LABEL}"
- privileged: true
+ net: none
 tty: false
 stdin_open: false
 volumes:
diff --git a/templates/janitor/2/docker-compose.yml b/templates/janitor/2/docker-compose.yml
index c74c927..ecb8268 100644
--- a/templates/janitor/2/docker-compose.yml
+++ b/templates/janitor/2/docker-compose.yml
@@ -10,7 +10,8 @@ cleanup:
 labels:
 io.rancher.scheduler.global: "true"
 io.rancher.scheduler.affinity:host_label_ne: "${EXCLUDE_LABEL}"
- privileged: true
+ net: none
+ privileged: ${PRIVILEGED_MODE}
 tty: false
 stdin_open: false
 volumes:
diff --git a/templates/janitor/2/rancher-compose.yml b/templates/janitor/2/rancher-compose.yml
index 81b347d..ad7a06e 100644
--- a/templates/janitor/2/rancher-compose.yml
+++ b/templates/janitor/2/rancher-compose.yml
@@ -28,4 +28,9 @@
 default: "*:*"
 required: false
 type: "string"
-
+ - variable: "PRIVILEGED_MODE"
+ label: "Run janitor in privileged mode"
+ description: "In hardened environments containers must be privileged to access the bind-mounted unix:///var/run/docker.sock. This is not the default case."
+ default: false
+ required: true
+ type: "boolean"
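Review bot: In the version-1 template `privileged: true` is replaced by `net: none` with no opt-in left behind, so on hosts where the bind-mounted docker socket is only reachable from a privileged container — the situation the PRIVILEGED_MODE description added in this same commit describes — the janitor will stop working and the operator has no knob to restore it. If version 1 is meant to stay as already published, leave it untouched and carry the change only in version 2; if it must change, give it the same `privileged: ${PRIVILEGED_MODE}` opt-in (with a matching rancher-compose.yml question) rather than dropping the key. The `cleanup` service definition begins before this hunk and continues past it.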
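Review bot: `privileged: ${PRIVILEGED_MODE}` is interpolated as a bare scalar, so an empty answer would leave `privileged:` as null rather than false; this only holds up because rancher-compose.yml in this commit marks the variable `required: true` with `default: false`, and that dependency deserves a comment beside the line, e.g. `# PRIVILEGED_MODE is a required boolean question (default false) in rancher-compose.yml`. The unconditional `net: none` is a good tightening but is undocumented and has no catalog question, so a short comment stating why the cleanup container needs no network would keep the next maintainer from reverting it. The `cleanup` service definition begins before this hunk and continues past it.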
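Review bot: The `description` of PRIVILEGED_MODE says when the flag is needed but not what enabling it grants, and a privileged container has close to unrestricted access to the host, so the operator should be told that before answering the question. Something like `description: "Run the cleanup container in privileged mode. Only enable this where the bind-mounted unix:///var/run/docker.sock cannot be accessed otherwise (e.g. hardened hosts); a privileged container has near-full access to the host, so keep it false unless required."` states both the need and the cost. The closing sentence `This is not the default case.` is ambiguous (the option's default, or the common environment?) and can be dropped once the text itself says the default is false; `default: false` with `type: "boolean"` is correctly unquoted.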