diff --git a/pkg/drivers/kic/oci/volumes.go b/pkg/drivers/kic/oci/volumes.go
index 8dd3887c589c..d93eea21254c 100644
--- a/pkg/drivers/kic/oci/volumes.go
+++ b/pkg/drivers/kic/oci/volumes.go
@@ -21,6 +21,7 @@ import (
 "bytes"
 "fmt"
 "os/exec"
+ "runtime"
 "strings"
 
 "github.com/golang/glog"
@@ -80,7 +81,13 @@ func allVolumesByLabel(ociBin string, label string) ([]string, error) {
 // ExtractTarballToVolume runs a docker image imageName which extracts the tarball at tarballPath
 // to the volume named volumeName
 func ExtractTarballToVolume(ociBin string, tarballPath, volumeName, imageName string) error {
- cmd := exec.Command(ociBin, "run", "--rm", "--entrypoint", "/usr/bin/tar", "-v", fmt.Sprintf("%s:/preloaded.tar:ro", tarballPath), "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "/preloaded.tar", "-C", "/extractDir")
+ cmdArgs := []string{"run", "--rm", "--entrypoint"}
+ // if not running in privileged mode, /preloaded.tar will have no permissions (-?????????)
+ if ociBin == Podman && runtime.GOOS == "linux" {
+ cmdArgs = append(cmdArgs, "--privileged")
+ }
+ cmdArgs = append(cmdArgs, "/usr/bin/tar", "-v", fmt.Sprintf("%s:/preloaded.tar:ro", tarballPath), "-v", fmt.Sprintf("%s:/extractDir", volumeName), imageName, "-I", "lz4", "-xvf", "/preloaded.tar", "-C", "/extractDir")
+ cmd := exec.Command(ociBin, cmdArgs...)
 if _, err := runCmd(cmd); err != nil {
 return err
 }
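Review bot: On Podman/Linux the `--privileged` flag is appended between `--entrypoint` and its value `/usr/bin/tar`, so the argv becomes `--entrypoint --privileged /usr/bin/tar …`. The flag is then most likely consumed as the entrypoint string instead of being applied, with `/usr/bin/tar` left in the image position. Keep the value with its flag by starting from `cmdArgs := []string{"run", "--rm", "--entrypoint", "/usr/bin/tar"}` and dropping `"/usr/bin/tar"` from the later `append`. Separately, `--privileged` gives the extraction container full capabilities and host device access just to read one read-only bind mount; if the `-?????????` listing comes from SELinux labelling (the hunk does not say), `--security-opt label=disable` is the narrower option, and the comment should name the actual cause. ExtractTarballToVolume's body continues past the end of the hunk.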