Edith Puclla:
Hello 
In this question, how I could know if I should create the SecurityContext for Pod or for a Container?
Update pod app-sec-kff3345 to run as Root user and with the SYS_TIME capability.
Tanumoy Ghosh:
I believe capabilities property in securityContext can only be added at container level just like fsGroup feature can only be applied at pod level
Edith Puclla:
@Tanumoy Ghosh look this example on the Kubernetes documentation , both have runAsUser
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-2
spec:
securityContext:
runAsUser: 1000
containers:
- name: sec-ctx-demo-2
image: <http://gcr.io/google-samples/node-hello:1.0|gcr.io/google-samples/node-hello:1.0>
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
Tanumoy Ghosh:
runAsUser & runAsGroup can be applied both in container and pod level, but if it is defined in container level then that will always override the one defined in pod level
In the above scenario, the container sec-ctx-demo-2 will run with user 2000 as per above logic
Now as per your initial post, since you have to use capabilities feature, you will always prefer to use both runAsUser & capabilities feature to define in the container itself
Edith Puclla:
I see @Tanumoy Ghosh, thank you
chris resnik:
the question said “Update pod… “, not “update container”