diff --git a/content/en/docs/reference/glossary/security-context.md b/content/en/docs/reference/glossary/security-context.md index b993c1af05695..8fe90217edd4f 100755 --- a/content/en/docs/reference/glossary/security-context.md +++ b/content/en/docs/reference/glossary/security-context.md @@ -14,5 +14,5 @@ tags: -The securityContext field in a {{< glossary_tooltip term_id="pod" >}} (applying to all containers) or container is used to set the user (runAsUser, primary group(runAsGroup) and group (fsGroup), capabilities, privilege settings, and security policies (SELinux/AppArmor/Seccomp) that container processes use. +The securityContext field in a {{< glossary_tooltip term_id="pod" >}} (applying to all containers) or container is used to set the user (runAsUser), primary group(runAsGroup) and group (fsGroup), capabilities, privilege settings, and security policies (SELinux/AppArmor/Seccomp) that container processes use. diff --git a/content/en/docs/tasks/configure-pod-container/security-context.md b/content/en/docs/tasks/configure-pod-container/security-context.md index 6b6df88eebd5d..e141412470543 100644 --- a/content/en/docs/tasks/configure-pod-container/security-context.md +++ b/content/en/docs/tasks/configure-pod-container/security-context.md 
@@ -55,8 +55,8 @@ In the configuration file, the `runAsUser` field specifies that for any Containe the Pod, all processes runs with user ID 1000. The `runAsGroup` field specifies the primary group ID of 3000 for all processes within any containers of the Pod. If this field is ommitted, the primary group ID of the containers will be root(0). Any files created will also be owned by user 1000 and group 3000 when `runAsGroup` is specified. -If `fsGroup` field is specified, all processes of the container are also part of the supplementary group ID 2000. -Group ID 2000 is also associated with the volume mounted at `/data/demo` and with any files created in that volume. +Since `fsGroup` field is specified, all processes of the container are also part of the supplementary group ID 2000. +The owner for volume `/data/demo` and any files created in that volume will be Group ID 2000. Create the Pod: @@ -131,7 +131,8 @@ $ id uid=1000 gid=3000 groups=2000 ``` You will see that gid is 3000 which is same as `runAsGroup` field. If the `runAsGroup` was ommitted the gid would -remain as 0(root) and the process would continue to run with some root privileges. +remain as 0(root) and the process will be able to interact with files that are owned by root(0) group and has the +required group permissions for root(0) group. Exit your shell:
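Review bot: the glossary sentence in the first hunk still reads `primary group(runAsGroup)` with no space before the parenthesis, so the added `)` after `runAsUser` fixes only half of the formatting in that list. While this line is being touched, write `user (runAsUser), primary group (runAsGroup) and supplementary group (fsGroup)`; calling `fsGroup` a supplementary group also matches the tasks page edited in this same PR, which describes `fsGroup` as making processes part of the supplementary group ID 2000.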
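Review bot: in the `@@ -55,8` hunk, `Since `fsGroup` field is specified` drops the article and should read `Since the `fsGroup` field is specified`. The second added line, `The owner for volume `/data/demo` and any files created in that volume will be Group ID 2000`, is ambiguous because a file has both a user owner and a group owner, and the context line just above says files stay owned by user 1000; say `the group owner of the volume mounted at `/data/demo`, and of any files created in it, will be GID 2000`. The unchanged context in this hunk also carries `all processes runs` and `ommitted`, which are worth fixing while the paragraph is already being edited.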
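Review bot: the replacement sentence in the `@@ -131,7` hunk mixes tenses and has a number-agreement error: `the gid would remain as 0(root) and the process will be able to interact with files that are owned by root(0) group and has the required group permissions for root(0) group`. Suggest: `If runAsGroup were omitted, the gid would remain 0 (root) and the process would be able to access any file that is group-owned by root (GID 0) and grants the corresponding group permissions.` That wording keeps the conditional consistent with the preceding `would remain`, spells out what "interact with" means, and is also the place to correct `ommitted` in the same line.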