diff --git a/templates/_deployment.yaml b/templates/_deployment.yaml
index 79eda9e..8961b42 100644
--- a/templates/_deployment.yaml
+++ b/templates/_deployment.yaml
@@ -25,7 +25,7 @@ spec:
         is_ioc: "True"
     spec:
       {{ if .Values.serviceAccountName }}
-      serviceAccountName: {{ .Values.serviceAccount | default "epics-iocs-priv" | quote }}
+      serviceAccountName: {{ .Values.serviceAccountName | quote }}
       {{- end }}
       hostNetwork: {{ .Values.hostNetwork }}
       terminationGracePeriodSeconds: 15 # nice to have quick restarts on IOCs
diff --git a/templates/_ioc-volume.yaml b/templates/_ioc-volume.yaml
index 38e19c1..777b797 100644
--- a/templates/_ioc-volume.yaml
+++ b/templates/_ioc-volume.yaml
@@ -11,7 +11,7 @@ metadata:
     beamline: {{ .Values.beamline }}
 spec:
   accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
   resources:
     requests:
       storage: 10Mi
diff --git a/values.yaml b/values.yaml
index b8ad0bf..040d541 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,6 +5,10 @@ exports:
   defaults:
     beamline: no-beamline! (always override this)
 
+    # set this to your enforce namespace service account
+    # leave blank for default service account
+    # serviceAccountName: epics-iocs-priv
+
     # to support channel access and other protocols we need to run in host's network
     hostNetwork: true
 
@@ -21,10 +25,6 @@ exports:
       # A path on the host machine to write data into, ignored if dataVolume.pvc is true
       hostPath: ""
 
-    # set this to your enforce namespace service account
-    # leave blank for default service account
-    # serviceAccount: epics-iocs-priv
-
     # provide some reasonable defaults here but allow override
     securityContext:
       allowPrivilegeEscalation: false