SecurityContexts: runAsUser, fsGroup, Capabilities

Your Prometheus StatefulSet is stuck in CrashLoopBackOff: the data directory at /prometheus is owned by root, but the process runs as UID 1000 and cannot write to it. Or CoreDNS keeps failing to bind port 53, because a non-root process cannot bind a port below 1024 without CAP_NET_BIND_SERVICE. Both problems trace back to SecurityContext, and both have precise, well-understood fixes.
SecurityContext is Kubernetes's interface to Linux security primitives: user and group identity, Linux capabilities, seccomp profiles, and filesystem restrictions. The API surface is straightforward, but the two-level hierarchy trips up even experienced practitioners: a pod-level securityContext sets defaults for every container, a container-level securityContext overrides them field by field, and some fields exist at only one level (fsGroup is pod-only; capabilities, privileged and allowPrivilegeEscalation are container-only). Get the split wrong and you end up with volumes that refuse writes, a container that runs as root because its own securityContext overrides the pod-level runAsNonRoot: true, or capabilities written at the pod level that never reach the container because no such field exists there.
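The manifest below is added here as a worked example, not code from this lesson, and it puts both fixes and the pod/container split in one place: pod-level identity plus fsGroup for the volume-ownership problem, and a container-level capability grant for the port-53 problem. The pod name, the image tags, the UID/GID values and the second container's UID override are assumptions chosen for illustration.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: securitycontext-demo        # assumed name for this example
spec:
  # Pod level: identity and volume ownership. Each field here applies to
  # every container unless that container sets the same field itself.
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true               # kubelet refuses to start any container that resolves to UID 0
    # fsGroup exists ONLY at pod level. On mount, the kubelet chowns volumes that
    # support ownership management (emptyDir, most PersistentVolumes; not hostPath)
    # to this GID and adds the GID to every container's supplementary groups, so
    # UID 1000 can write to /prometheus even though the image created it as root.
    fsGroup: 2000
    fsGroupChangePolicy: OnRootMismatch   # skip the recursive chown when the root already matches
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - name: data
    emptyDir: {}                     # stands in for the StatefulSet's PVC
  containers:
  - name: prometheus
    image: prom/prometheus:v2.53.0   # tag assumed
    args: ["--storage.tsdb.path=/prometheus"]
    volumeMounts:
    - name: data
      mountPath: /prometheus
    # Container level ONLY: capabilities, privileged, allowPrivilegeEscalation,
    # readOnlyRootFilesystem. Putting these in the pod-level block is a schema
    # error; with strict field validation the API server rejects the manifest.
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
  - name: dns
    image: coredns/coredns:1.11.1    # tag assumed
    ports:
    - containerPort: 53
      protocol: UDP
    securityContext:
      # Overrides the pod-level runAsUser for this container only.
      # runAsNonRoot: true is still inherited from the pod, so this may not be 0.
      runAsUser: 1001
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        # A non-root process needs this single capability to bind port 53.
        add: ["NET_BIND_SERVICE"]
```

Two checks worth running after applying this. `kubectl exec securitycontext-demo -c prometheus -- id` should print `uid=1000 gid=1000 groups=1000,2000`, and `ls -ld /prometheus` should show group 2000. For the dns container, `grep Cap /proc/1/status` shows the capability sets: with runc, a capability added here lands in the bounding set, but a process that runs as non-root keeps it after exec only if the binary carries the matching file capability (`setcap cap_net_bind_service=+ep`) or the runtime grants it as an ambient capability, so an image that lacks file capabilities can still fail to bind port 53 even with this manifest. The alternative that avoids capabilities entirely is the `net.ipv4.ip_unprivileged_port_start` sysctl.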
Part of the CKAD — Certified Kubernetes Application Developer course (44 lessons).