Tutorial: Learn how to set fsGroup and runAsUser Kubernetes SecurityContext properties now! 👍

In this tutorial, we’ll dive into a mock Kubernetes practice exam scenario that requires you to create a pod with two containers within a specific namespace in Kubernetes (k8s), with the fsGroup and runAsUser identifiers set to specific values.

The following is the third Mock exam question and is taken from the Practice Exam for Certified Kubernetes Application Developer (CKAD) Certification on Matthew Palmer’s website and reads as follows:

All operations in this question should be performed in the ggckad-s2 namespace.

Create a pod that has two containers.

Both containers should run the kubegoldenguide/alpine-spin:1.0.0 image.

The first container should run as user ID 1000, and the second container with user ID 2000.

Both containers should use file system group ID 3000.

Configuring SecurityContext settings like fsGroup and runAsUser is essential for securing Kubernetes Microservices in this CKAD practice scenario.

We’ll review the instructions for setting the fsGroup and runAsUser security context properties in the next section.

This article was last updated on May 27, 2025.

Instructions regarding how to set the securityContext Kubernetes properties

We can create a new pod in a specific Kubernetes namespace, with the fsGroup and runAsUser security context properties set, in four steps, which we’ll cover below.

The fourth step is optional and is included for testing purposes.

Article Prerequisites

Refer to the article prerequisites for details about technology and setup instructions required to answer this question.

Step One: Create the namespace.

We need to first create the namespace as per the instructions:

    k create namespace ggckad-s2

We can see what a successful kubectl namespace creation command execution should look like below.

The result of executing 'kubectl create namespace ggckad-s2' shows that the namespace/ggckad-s2 namespace has been created in minikube.
Question Three, Step One: Create the ggckad-s2 namespace in Kubernetes.

Step Two: Configure the Kubernetes pod configuration file containing the securityContext settings.

The k8s pod configuration file for the question-three-pod appears below and contains the securityContext settings on lines #13, 16, and 24.

Note the namespace declaration: this allows us to apply the pod configuration file without needing to include the namespace as a command line (CLI) parameter.

Also pay particular attention to the Kubernetes fsGroup and runAsUser securityContext key/value pairs (see: question-three-pod.yaml):

    apiVersion: v1
    kind: Pod
    metadata:
      name: alpine-spin
      # Note the namespace here does not appear in previous examples so
      # for example one and two we'll need to manually assign it on the
      # CLI.
      namespace: ggckad-s2
      labels:
        role: myrole
    spec:
      securityContext:
        fsGroup: 3000  # pod-level: applies to both containers
      containers:
        - name: alpine-spin-a
          securityContext:
            runAsUser: 1000  # container-level: first container's user ID
          image: kubegoldenguide/alpine-spin:1.0.0
          ports:
            - name: web
              containerPort: 80
              protocol: TCP
        - name: alpine-spin-b
          securityContext:
            runAsUser: 2000  # container-level: second container's user ID
          image: kubegoldenguide/alpine-spin:1.0.0
          ports:
            - name: web
              containerPort: 80
              protocol: TCP

I’ve included a copy of the file used in this example below.

The contents of the question-three-pod.yaml file which contains several securityContext settings for the runAsUser and fsGroup settings.
Question Three, Step Two: Apply the pod configuration file which contains the k8s securityContext settings.

Step Three: Apply the pod configuration.

We can apply this configuration as follows:

    k apply -f ./question-three-pod.yaml

We can see an example of this command being executed successfully below.

Command line example where the user has executed the "k apply -f ./question-three-pod.yaml" command and the result returned indicates that the operation completed successfully.
Question Three, Step Three: Apply the pod configuration file which contains the k8s securityContext settings.

Finally, we need to verify our work.

Step Four: Verify the fsGroup and runAsUser k8s securityContext settings are correct using the id command.

We need to obtain command line access to each container so that we can verify that the securityContext Kubernetes settings are correct. The following command does exactly that; the pod name is alpine-spin (the metadata.name in the configuration file), and [a or b] should be replaced with the letter of the container to inspect:

    k exec -it alpine-spin -c alpine-spin-[a or b] --namespace ggckad-s2 -- /bin/sh

Once we have access we can check that the fsGroup and runAsUser key/value pairs have been set correctly — we’ll get this information by using the id command.

Terminal shell output verification for Kubernetes (k8s) minikube that the uid and groups have been set properly under the securityContext for alpine-spin A and B.
Terminal shell output verification for Kubernetes securityContext values have been set correctly for alpine-spin A and B.
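
A scripted version of the Step Four check, added here as an example rather than taken from the original tutorial: it parses `id` output and confirms the runAsUser UID and the fsGroup supplementary group for each container. The function names and the sample `id` lines are constructed for illustration; `k` is the kubectl alias used above.

```shell
#!/bin/sh
# Added example: check `id` output against the pod's securityContext values.
# The sample lines are constructed for illustration, not captured from a cluster.
SAMPLE_A='uid=1000 gid=0(root) groups=0(root),3000'
SAMPLE_B='uid=2000 gid=0(root) groups=3000'
SAMPLE_BAD='uid=0(root) gid=0(root) groups=0(root)'

# num_field KEY ID_OUTPUT: print the numeric value of "uid=" or "gid=".
num_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([0-9][0-9]*\).*/\1/p"
}

# has_group GID ID_OUTPUT: succeed if GID is listed under "groups=".
has_group() {
    grp_list=$(printf '%s\n' "$2" | sed -n 's/.*groups=\([^ ]*\).*/\1/p')
    # Entries look like "3000" or "0(root)": one per line, "(name)" stripped.
    printf '%s\n' "$grp_list" | tr ',' '\n' | sed 's/(.*//' | grep -qx -- "$1"
}

# check_container NAME EXPECTED_UID EXPECTED_FSGROUP ID_OUTPUT
check_container() {
    name=$1; want_uid=$2; want_fsgroup=$3; out=$4
    uid=$(num_field uid "$out")
    gid=$(num_field gid "$out")
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "$name: FAIL uid=$uid, expected runAsUser $want_uid"; rc=1
    fi
    if ! has_group "$want_fsgroup" "$out"; then
        echo "$name: FAIL fsGroup $want_fsgroup not in supplementary groups"; rc=1
    fi
    # The manifest sets no runAsGroup, so the primary GID is not controlled by it.
    if [ "$gid" = 0 ]; then
        echo "$name: note: primary gid is 0 (root); runAsGroup is not set"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$name: OK uid=$uid, fsGroup $want_fsgroup present"
    fi
    return "$rc"
}

# Offline demo on the constructed samples. Against a live pod, pass instead:
#   "$(k exec alpine-spin -c alpine-spin-a --namespace ggckad-s2 -- id)"
check_container alpine-spin-a 1000 3000 "$SAMPLE_A"
check_container alpine-spin-b 2000 3000 "$SAMPLE_B"
```

A non-zero return from check_container means the running container does not match the manifest, for example when it still runs as UID 0.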

And that’s it for this question — the article conclusion follows.

Tutorial Conclusion

I hope this guide has been helpful in understanding how to set the Kubernetes securityContext properties, in particular the file system group (fsGroup) and runAsUser key/value pairs, which we covered in this example.

See Also

Other tutorials focusing on aspects of k8s can be found below.

  1. Learn how to use kubectl to get the cluster name in this guide.
  2. Tutorial: Learn how to quickly install the Metrics Server in minikube in five easy steps!
  3. Learn how to mount a local directory in minikube by exploring three possible solutions.
  4. Example One: Learn how to create a kubernetes pod in a namespace.
  5. Example Two: Learn how to create a ConfigMap in Kubernetes with two environment variables.
  6. Example Four: Learn how to configure k8s health check probes.
  7. Example Five: Learn How To Create A Deployment With Kubernetes Replicas Now!

Frequently Asked Questions (FAQ)

What is fsGroup in Kubernetes?

In Kubernetes (k8s), the fsGroup is a security setting that defines the group ID for all files created by containers in a pod.

When a pod uses a persistent volume (PV) the fsGroup ensures that the files in the PV have the correct permissions, allowing multiple containers or users to read and write to shared storage.

What is the Kubernetes securityContext?

The k8s securityContext is a set of security-related configurations for a pod or container.

The k8s securityContext defines settings such as user IDs, group IDs, file system permissions, privilege levels, and capabilities thereby helping to control the security aspects of how a pod or container runs.

What is runAsUser in Kubernetes?

In Kubernetes runAsUser is a setting in the securityContext that specifies the user ID (UID) under which a container runs.

By setting the k8s runAsUser property, the Kubernetes administrator can control the permissions and privileges the container has within the cluster — this improves security by avoiding running containers as root.

The Kubernetes runAsUser setting is also important for container security as well as for ensuring proper access controls.

ThosPFuller
I am a software engineer based in Northern Virginia (USA) and this website focuses on content engineering, web development, Technical SEO, Search Engine Optimization (SEO).
