Security Contexts

May 20, 2026

Scope

Level	Path	Precedence
Pod	`spec.securityContext`	Applies to all containers
Container	`spec.containers[].securityContext`	Overrides pod-level for that container

Not a separate resource: fields on Pod/Deployment template

Key fields

Field	Scope	Effect
`runAsNonRoot: true`	Pod & Container	Fail if image runs as root (0)
`runAsUser: 1001`	Pod & Container	Run as specific UID
`runAsGroup`	Pod & Container	Group for process
`fsGroup`	Pod	volume ownership
`allowPrivilegeEscalation: false`	Container	Block privilege escalation
`privileged: false`	Container	No host-level privileges
`readOnlyRootFilesystem: true`	Container	Root FS read-only (Notice smallcase for system)
`capabilities.add` / `capabilities.drop`	Container	Linux capabilities (e.g. `drop: [ALL]`), Can only be configured at container level

# Pod Configuration
spec:
  securityContext:
    runAsNonRoot: true
    fsGroup: 2000
  containers:
  - name: app
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: [ALL]
      readOnlyRootFilesystem: true

Restricted Pod pattern

spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 3001
    fsGroup: 2001
  containers:
  - name: app
    image: nginx:1.25
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: [ALL]
      readOnlyRootFilesystem: true
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}

Docker equivalents

Docker --user → runAsUser
--cap-drop → capabilities.drop
--privileged → privileged: true (avoid in production)

Exam tips

runAsNonRoot: true + nginx image → CreateContainerConfigError (runs as root)
Use non-root images (e.g. bitnami/nginx) or set runAsUser
Container-level wins over pod-level for same attribute
readOnlyRootFilesystem: true often needs writable emptyDir mounts for /tmp, cache, or runtime dirs