diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
index ee2e9a7c84f..32f888fa813 100644
--- a/pkg/secrets/secrets.go
+++ b/pkg/secrets/secrets.go
@@ -38,7 +38,7 @@ type secretData struct {
 // saveTo saves secret data to given directory
 func (s secretData) saveTo(dir string) error {
 	path := filepath.Join(dir, s.name)
-	if err := os.MkdirAll(filepath.Dir(path), s.dirMode); err != nil && !os.IsExist(err) {
+	if err := os.MkdirAll(filepath.Dir(path), s.dirMode); err != nil {
 		return err
 	}
 	return ioutil.WriteFile(path, s.data, s.mode)
diff --git a/run_linux.go b/run_linux.go
index 0f96077481a..8252dbd3931 100644
--- a/run_linux.go
+++ b/run_linux.go
@@ -165,9 +165,28 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	spec := g.Config
 	g = nil
-	logrus.Debugf("ensuring working directory %q exists", filepath.Join(mountPoint, spec.Process.Cwd))
-	if err = os.MkdirAll(filepath.Join(mountPoint, spec.Process.Cwd), 0755); err != nil && !os.IsExist(err) {
-		return errors.Wrapf(err, "error ensuring working directory %q exists", spec.Process.Cwd)
+	wd := filepath.Join(mountPoint, spec.Process.Cwd)
+	logrus.Debugf("ensuring working directory %q exists", wd)
+	if err = os.MkdirAll(wd, 0755); err != nil {
+		ensureErr := errors.Wrapf(err, "error ensuring working directory %q exists", spec.Process.Cwd)
+		// Ignore the error in case wd exists and it is an absolute symlink
+		// to a directory that exists inside a container.
+		if !os.IsExist(err) {
+			return ensureErr
+		}
+		link, err := os.Readlink(wd)
+		if err != nil { // not a symlink
+			return ensureErr
+		}
+		if !strings.HasPrefix(link, "/") {
+			// relative symlink should have been resolved by MkdirAll
+			return ensureErr
+		}
+		st, err := os.Stat(filepath.Join(mountPoint, link))
+		if err != nil || !st.IsDir() {
+			return ensureErr
+		}
+		// ignore the error since wd is resolvable under container root.
 	}
 	// Set the seccomp configuration using the specified profile name. Some syscalls are
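Review bot: The bare `return err` in saveTo now hides why the `!os.IsExist(err)` guard could be dropped: os.MkdirAll already returns nil for a directory that exists, so any error it still reports means a non-directory (or a symlink that does not resolve to a directory) is sitting on the path, and that is a real failure rather than a benign race. A one-line comment above the check would keep that reasoning with the code: `// MkdirAll tolerates an existing directory; any error here means a non-directory blocks the path.` The same guard removal, with the same missing comment, appears in the /run/.containerenv hunk of run_linux.go. The closing brace of saveTo lies outside this hunk.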
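Review bot: The fallback that accepts an absolute symlink validates its target with `os.Stat(filepath.Join(mountPoint, link))`, which resolves against the host rather than the container root: Join cleans `..` components before the mountPoint prefix takes effect (a target such as `/../x` becomes the host's `/x`), and any further symlink in the target's chain is followed using host paths, so the check does not establish what its comment claims. The consequence is limited to a metadata read and a wrong verdict (the MkdirAll error gets ignored where it should be returned, or vice versa), but the verdict is what this whole block exists to produce. Resolving the link inside the rootfs (a SecureJoin-style helper, if the project already carries one) would be the full fix; at minimum confine the stat to the rootfs: `target := filepath.Join(mountPoint, link)`, `if rel, rerr := filepath.Rel(mountPoint, target); rerr != nil || rel == ".." || strings.HasPrefix(rel, "../") { return ensureErr }`, `st, err := os.Stat(target)`. Separately, `link, err := os.Readlink(wd)` declares a new err that shadows the one set by MkdirAll; harmless here because ensureErr captured the original first, but a distinct name such as `rerr` would keep vet's shadow check quiet. Run begins before and continues after this hunk.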
@@ -213,7 +232,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	if _, ok := bindFiles["/run/.containerenv"]; !ok {
 		// Empty string for now, but we may consider populating this later
 		containerenvPath := filepath.Join(path, "/run/.containerenv")
-		if err = os.MkdirAll(filepath.Dir(containerenvPath), 0755); err != nil && !os.IsExist(err) {
+		if err = os.MkdirAll(filepath.Dir(containerenvPath), 0755); err != nil {
 			return err
 		}
 		emptyFile, err := os.Create(containerenvPath)