Hello 😊 In this question, how I could know if I should create the Security . . .

Edith Puclla:
Hello :blush:
In this question, how I could know if I should create the SecurityContext for Pod or for a Container?

Update pod app-sec-kff3345 to run as Root user and with the SYS_TIME capability.

Tanumoy Ghosh:
I believe capabilities property in securityContext can only be added at container level just like fsGroup feature can only be applied at pod level

Edith Puclla:
@Tanumoy Ghosh look this example on the Kubernetes documentation , both have runAsUser

apiVersion: v1
kind: Pod
  name: security-context-demo-2
    runAsUser: 1000
  - name: sec-ctx-demo-2
    image: <http://gcr.io/google-samples/node-hello:1.0|gcr.io/google-samples/node-hello:1.0>
      runAsUser: 2000
      allowPrivilegeEscalation: false

Tanumoy Ghosh:
runAsUser & runAsGroup can be applied both in container and pod level, but if it is defined in container level then that will always override the one defined in pod level

In the above scenario, the container sec-ctx-demo-2 will run with user 2000 as per above logic

Now as per your initial post, since you have to use capabilities feature, you will always prefer to use both runAsUser & capabilities feature to define in the container itself

Edith Puclla:
I see @Tanumoy Ghosh, thank you

chris resnik:
the question said “Update pod… “, not “update container”