chroot bind mount breaks containerised Omnibus deployment

I run Omnibus on K8s/GKE through the old legacy Helm charts. In testing 10.7 (with an upgrade to Pages 0.8.1), I found Pages no longer starts:

INFO[0000] GitLab Pages Daemon                           revision=5405831 version=dev
INFO[0000] URL: https://gitlab.com/gitlab-org/gitlab-pages 
INFO[0000] running the daemon as unprivileged user       gid=998 uid=998
INFO[0000] chroot failed                                 error="Failed to bind mount /gitlab-data/shared/pages on /tmp/gitlab-pages-1524311552549745939/pages. operation not permitted"
FATA[0000]                                               error="Failed to bind mount /gitlab-data/shared/pages on /tmp/gitlab-pages-1524311552549745939/pages. operation not permitted"

I assume this is due to the resolv.conf changes, which also included bind-mounting rather than copying page content into a chroot. Perhaps the bind-mounting needs more flags added, e.g. nosuid, to be able to run inside a Docker container as it is on K8s deployments?

This should be reproducible by taking the charts/charts.gitlab.io repo, bumping it to the 10.7.0+rc7.ce.0 CE image, and deploying the Omnibus to GKE.

Edited by Daniel Stone
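Added example, not part of the issue or of GitLab Pages: a shell check, run inside the container, of whether the effective capability set permits the two privileged steps visible in the log, chroot(2) and the bind mount(2). The capability numbers are the kernel's (CAP_SYS_CHROOT=18, CAP_SYS_ADMIN=21) and the sample mask is the default effective set of an unprivileged Docker container; the diagnose function and its return codes are this example's own.

```shell
#!/bin/sh
# Added example: decide from a CapEff mask whether chroot(2) and mount(2)
# (MS_BIND included) can succeed inside this container.
CAP_SYS_CHROOT=18   # required for chroot(2)
CAP_SYS_ADMIN=21    # required for mount(2), bind mounts included

# has_cap HEXMASK CAPNUM: succeed if bit CAPNUM is set in the 64-bit hex
# mask, the format of the CapEff line in /proc/<pid>/status.
has_cap() {
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# capeff_of PID: print the CapEff mask of a running process ("self" works).
capeff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# diagnose HEXMASK: print a verdict and return 0 when both steps can
# succeed, 1 when chroot is allowed but the bind mount is not (the failure
# in this issue), 2 when even chroot would be refused.
diagnose() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN present: chroot and bind mount can succeed"
        return 0
    elif has_cap "$1" "$CAP_SYS_CHROOT"; then
        echo "CAP_SYS_CHROOT only: chroot works, mount(2) fails with EPERM"
        return 1
    else
        echo "neither capability: chroot itself would fail"
        return 2
    fi
}

# Default effective capability set of an unprivileged Docker container:
# it contains CAP_SYS_CHROOT (bit 18) but not CAP_SYS_ADMIN (bit 21).
DOCKER_DEFAULT_CAPEFF=00000000a80425fb

# When run directly, inspect the container this shell is running in.
if [ -r /proc/self/status ]; then
    diagnose "$(capeff_of self)" || true
fi
```

A container that prints the second verdict reproduces the log above exactly: the daemon gets past chroot and then fails at the bind mount.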