diff --git a/zddc/internal/convert/runner.go b/zddc/internal/convert/runner.go
index 4f38949..4465993 100644
--- a/zddc/internal/convert/runner.go
+++ b/zddc/internal/convert/runner.go
@@ -203,6 +203,20 @@ func (cr *containerRunner) Run(ctx context.Context, image string, stdin []byte,
 "--rm",
 "--pull=missing",
 "-i",
+ // --userns=host: reuse the calling process's user namespace
+ // instead of creating a new one. Required for the nested-
+ // podman case (zddc-server runs inside a Kubernetes pod and
+ // invokes podman from there): the kernel won't let the inner
+ // podman set up its own userns via newuidmap when /etc/subuid
+ // mappings don't resolve through the pod's namespace, even
+ // with CAP_SETUID via privileged: true. The chart already
+ // runs the pod privileged, so reusing its userns adds no new
+ // privilege escalation. On a bare-metal host invocation the
+ // outer userns is the host's, so --userns=host means "no
+ // userns remapping" — also fine; --cap-drop=ALL +
+ // --network=none + --read-only continue to isolate the
+ // inner container's process.
+ "--userns=host",
 "--network=none",
 "--read-only",
 "--tmpfs=/tmp:size=128m,exec",
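Review bot: The comment above `"--userns=host"` claims the remaining flags "continue to isolate" the inner container, but uid remapping was a separate defense-in-depth layer and this flag gives it up: wherever podman would otherwise have placed the container in its own user namespace, uid 0 inside the container now maps to the calling process's uid 0, so a runtime or kernel breakout runs with that identity rather than an unprivileged subuid. `--cap-drop=ALL` is not visible in this hunk, so its presence on this command can only be confirmed against the rest of the argument list in Run, whose body starts and ends outside the hunk. The explanation also depends on podman's configured default userns mode (rootful podman already defaults to the host namespace unless containers.conf selects `auto`; rootless podman sets up its namespace via newuidmap before any container flag applies), so it is worth stating which mode the pod actually runs so the premise can be checked. I would make the trade-off explicit in the comment, e.g. `// NOTE: this removes uid remapping as an isolation layer; a breakout from the inner container runs as the outer process's uid.`, and consider appending the flag only when the runner is configured for the in-pod case so bare-metal callers keep whatever remapping their podman default provides.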