Kubelet
  | CRI: LinuxContainer SecurityContext
(Highlevel) Container Runtime
  | OCI Runtime Spec: process.user
(Lowlevel) Container Runtime

# CRI (protobuf)
security_context {
  run_as_user: 1000
  run_as_group: 1000
  supplemental_groups: [60000]
}

# runtime spec (json)
"user": {
  "uid": 1000,
  "gid": 1000,
  "additionalGids": [
    50000,
    60000
  ]
}

# Dockerfile
USER 1000:1000

---
# PodSpec
spec:
  securityContext:
    runAsUser: 1000              # alice
    runAsGroup: 1000             # alice
    supplementalGroups: [60000]
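The runtime spec above carries gid 50000, which the PodSpec never declares. The following added example (not from the original page or any project) audits that gap: it compares the PodSpec securityContext with the effective process.user and attributes undeclared gids to the image. Assumptions: the function names are hypothetical, the /etc/group content is a constructed sample, and the extra gid is taken to come from the runtime merging the image's /etc/group memberships for the container user, which the page itself does not state.

```python
import json

# Values from the page: what the PodSpec declares ...
POD_SECURITY_CONTEXT = {"runAsUser": 1000, "runAsGroup": 1000,
                        "supplementalGroups": [60000]}
# ... and the process.user the low-level runtime actually receives.
RUNTIME_SPEC_USER = json.loads(
    '{"uid": 1000, "gid": 1000, "additionalGids": [50000, 60000]}')
# Constructed sample, NOT from the page: an image /etc/group in which
# alice is a member of gid 50000 (the group name is hypothetical).
IMAGE_ETC_GROUP = """\
root:x:0:
alice:x:1000:
group-in-image:x:50000:alice
"""

def image_group_memberships(etc_group, username):
    """Return {gid: name} for groups that list username as a member."""
    found = {}
    for line in etc_group.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or line.startswith("#"):
            continue  # skip malformed or comment lines
        name, _pw, gid, members = fields
        if gid.isdigit() and username in members.split(","):
            found[int(gid)] = name
    return found

def audit_groups(sec_ctx, runtime_user, etc_group, username):
    """Compare the declared PodSpec identity with the effective runtime identity."""
    findings = []
    if runtime_user.get("uid") != sec_ctx.get("runAsUser"):
        findings.append(("uid-mismatch", runtime_user.get("uid"), None))
    if runtime_user.get("gid") != sec_ctx.get("runAsGroup"):
        findings.append(("gid-mismatch", runtime_user.get("gid"), None))
    declared = set(sec_ctx.get("supplementalGroups") or [])
    from_image = image_group_memberships(etc_group, username)
    for gid in sorted(set(runtime_user.get("additionalGids") or []) - declared):
        # Undeclared gid: attribute it to the image if /etc/group explains it.
        kind = "undeclared-from-image" if gid in from_image else "undeclared-unknown"
        findings.append((kind, gid, from_image.get(gid)))
    return findings

if __name__ == "__main__":
    for finding in audit_groups(POD_SECURITY_CONTEXT, RUNTIME_SPEC_USER,
                                IMAGE_ETC_GROUP, "alice"):
        print(finding)
```

A finding of `undeclared-from-image` means file permissions tied to that gid apply to the container even though no PodSpec policy check ever saw it.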