Use of runAsUser and fsGroup

Hello, a question: in which cases should I apply the properties
runAsUser & fsGroup in the Pods? I have come across them, and they were applied, but I DO NOT know in which scenarios it should be done.

Thank you.

It’s a kind of security context applied at the pod level and at the container level.

runAsUser: the file’s ownership ID
fsGroup: the group ID for all containers in the pod

Hello, thank you for answering. That part I already knew; my question is more about in which cases I should apply each one in practice.

Thank you.

Hello @maktup,

The most direct way to apply security-relevant configurations in Kubernetes is the security context.
Under the respective “securityContext” there are multiple container configurations to choose from, and there are further options besides.
From a security perspective, you can check and use the following options in the securityContext for each container in Kubernetes:

  • Allow only unprivileged users to execute the container,
  • Use a read-only file system,
  • Prevent privilege escalation,
  • Restrict capabilities

Here’s an example:

apiVersion: v1
kind: Pod
# ...
metadata:
  name: <pod-name>
spec:
  containers:
  - name: restricted
    securityContext:
      runAsNonRoot: true
      runAsUser: 100000
      runAsGroup: 100000
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
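To show where the two fields from the original question actually take effect, here is an added manifest (not from this thread or from the Kubernetes project) that sets runAsUser and fsGroup at the pod level and mounts a volume. runAsUser matters whenever the image does not already switch to a non-root USER, or when you want the cluster to enforce a fixed UID regardless of what the image says; fsGroup matters when the container must write to a mounted volume, because without it the volume's files stay owned by root and an unprivileged process cannot write them. The pod name, image and numeric IDs are assumptions chosen for the example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-example        # assumed name
spec:
  # Pod-level securityContext: applies to every container in the pod.
  # fsGroup can only be set here, not per container.
  securityContext:
    runAsUser: 10001           # UID the container processes run as
    runAsGroup: 10001          # primary GID of those processes
    fsGroup: 20001             # supplemental GID; the kubelet chowns volume
                               # contents to this group (with setgid) at mount
    runAsNonRoot: true         # refuse to start if the image would run as UID 0
    fsGroupChangePolicy: OnRootMismatch   # skip the recursive chown when the
                                          # volume root already has the right group
  containers:
  - name: app
    image: busybox:1.36        # assumed image
    command:
    - sh
    - -c
    - "id; touch /data/written-by-app; ls -ln /data; sleep 3600"
    volumeMounts:
    - name: data
      mountPath: /data
    securityContext:
      # Container-level settings; these override pod-level ones for this
      # container only and add the hardening from the earlier reply.
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true   # the only writable path is the volume
      capabilities:
        drop:
          - ALL
  volumes:
  - name: data
    emptyDir: {}
```

With this manifest the process inside the container runs as UID 10001 with GID 20001 among its groups, and the file it creates under /data is group-owned by 20001, which is what lets a non-root process write to a volume without granting it root. If you remove fsGroup and keep the rest, the touch under /data fails with a permission error, which is the quickest way to confirm whether a given workload needs the field at all.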