From ceee75ba87195ee6f0147a4dfa38cd0db479bd81 Mon Sep 17 00:00:00 2001 From: Mayank Kumar Date: Fri, 24 Aug 2018 01:36:25 -0700 Subject: [PATCH] add runAsGroup --- .../en/docs/concepts/policy/pod-security-policy.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/content/en/docs/concepts/policy/pod-security-policy.md b/content/en/docs/concepts/policy/pod-security-policy.md index 432d7c1662723..d915b45677415 100644 --- a/content/en/docs/concepts/policy/pod-security-policy.md +++ b/content/en/docs/concepts/policy/pod-security-policy.md @@ -38,7 +38,7 @@ administrator to control the following: | White list of Flexvolume drivers | [`allowedFlexVolumes`](#flexvolume-drivers) | | Allocating an FSGroup that owns the pod's volumes | [`fsGroup`](#volumes-and-file-systems) | | Requiring the use of a read only root file system | [`readOnlyRootFilesystem`](#volumes-and-file-systems) | -| The user and group IDs of the container | [`runAsUser`, `supplementalGroups`](#users-and-groups) | +| The user and group IDs of the container | [`runAsUser`, `runAsGroup`,`supplementalGroups`](#users-and-groups) | | Restricting escalation to root privileges | [`allowPrivilegeEscalation`, `defaultAllowPrivilegeEscalation`](#privilege-escalation) | | Linux capabilities | [`defaultAddCapabilities`, `requiredDropCapabilities`, `allowedCapabilities`](#capabilities) | | The SELinux context of the container | [`seLinux`](#selinux) | 
@@ -487,6 +487,17 @@ image. No default provided. Setting `allowPrivilegeEscalation=false` is strongly recommended with this strategy. - *RunAsAny* - No default provided. Allows any `runAsUser` to be specified. +**RunAsGroup** - Controls the what primary group ID containers run as. + +- *MustRunAs* - Requires at least one `range` to be specified. Uses the +minimum value of the first range as the default. Validates against all ranges. +- *MustRunAsNonRoot* - Requires that the pod be submitted with a non-zero +`runAsGroup` or have the `USER` directive defined (using a numeric GID) in the +image. No default provided. Setting `allowPrivilegeEscalation=false` is strongly +recommended with this strategy. +- *RunAsAny* - No default provided. Allows any `runAsGroup` to be specified. + + **SupplementalGroups** - Controls which group IDs containers add. - *MustRunAs* - Requires at least one `range` to be specified. Uses the
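Review bot: In the first hunk, the new table cell `[`runAsUser`, `runAsGroup`,`supplementalGroups`](#users-and-groups)` is missing the space after the second comma; the other rows in this table separate field names with `, `, so this should read `` [`runAsUser`, `runAsGroup`, `supplementalGroups`](#users-and-groups) `` to match.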
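Review bot: The added **RunAsGroup** block is a near-verbatim copy of the **RunAsUser** block above it, and two things need checking before merge. First, the *MustRunAsNonRoot* bullet: the PodSecurityPolicy `runAsGroup` field as I recall it only defines *MustRunAs*, *MayRunAs* and *RunAsAny* strategies, so please confirm against the API types that *MustRunAsNonRoot* is actually accepted for groups; if it is not, the bullet should be dropped, and if *MayRunAs* exists it should be documented here instead. Second, the sentence "have the `USER` directive defined (using a numeric GID) in the image" is imprecise for groups: the Dockerfile `USER` directive takes `<user>[:<group>]`, so a GID is only set by the image when the `user:group` form is used, and the text should say so. Also fix the typo in the heading line ("Controls the what primary group ID" should be "Controls the primary group ID"), and drop one of the two blank lines added before **SupplementalGroups** so the spacing matches the other strategy blocks.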