diff --git a/src/app/backend/deploy.go b/src/app/backend/deploy.go
index 7c4434768cab24c900160455f7c8dd5614c50850..8a9d3d37e5303d2d1a66fcd01a55adc87bd06289 100644
--- a/src/app/backend/deploy.go
+++ b/src/app/backend/deploy.go
@@ -57,6 +57,9 @@ type AppDeploymentSpec struct {
 
 	// Labels that will be defined on Pods/RCs/Services
 	Labels []Label `json:"labels"`
+
+	// Whether to run the container as privileged user (essentially equivalent to root on the host).
+	RunAsPrivileged bool `json:"runAsPrivileged"`
 }
 
 // Port mapping for an application deployment.
@@ -99,6 +102,9 @@ func DeployApp(spec *AppDeploymentSpec, client client.Interface) error {
 	containerSpec := api.Container{
 		Name:  spec.Name,
 		Image: spec.ContainerImage,
+		SecurityContext: &api.SecurityContext{
+			Privileged: &spec.RunAsPrivileged,
+		},
 	}
 
 	if spec.ContainerCommand != nil {
diff --git a/src/app/externs/backendapi.js b/src/app/externs/backendapi.js
index 2494a78db04e2cffcce1b0da5617ecbb54d0a1c0..fcda7f486b36c10b9c5a4c4449a92e307c28ea72 100644
--- a/src/app/externs/backendapi.js
+++ b/src/app/externs/backendapi.js
@@ -52,7 +52,8 @@ backendApi.Label;
  *   portMappings: !Array<!backendApi.PortMapping>,
  *   labels: !Array<!backendApi.Label>,
  *   replicas: number,
- *   namespace: string
+ *   namespace: string,
+ *   runAsPrivileged: boolean,
  * }}
  */
 backendApi.AppDeploymentSpec;
diff --git a/src/app/frontend/deploy/deployfromsettings.html b/src/app/frontend/deploy/deployfromsettings.html
index 9f6199c1a855ba495342ba4678f4eef4d25c7201..3d5ed7429a0471b3d6a18cb74ab567de476be771 100644
--- a/src/app/frontend/deploy/deployfromsettings.html
+++ b/src/app/frontend/deploy/deployfromsettings.html
@@ -129,11 +129,20 @@ limitations under the License.
       </md-input-container>
     </div>
     <kd-user-help>
-      By default, your containers run the selected image's default entrypoint command. You can use the
-      command options to override the default.
+      By default, your containers run the selected image's default entrypoint command. You can
+      use the command options to override the default.
       <a href="">Learn more</a>
     </kd-user-help>
   </kd-help-section>
+  
+  <kd-help-section>
+    <md-switch ng-model="ctrl.runAsPrivileged" class="md-primary">
+      Run as privileged
+    </md-switch>
+    <kd-user-help>
+      Processes in privileged containers are equivalent to be running as root on the host.
+    </kd-user-help>
+  </kd-help-section>
 </div>
 
 <md-button class="md-primary kd-deploy-moreoptions-button" type="button"
diff --git a/src/app/frontend/deploy/deployfromsettings_controller.js b/src/app/frontend/deploy/deployfromsettings_controller.js
index f92120e9b4049c99e4019f7f9cef94ddb3de8064..7d97ef354d379a72b3446997ba0f5ad50d887cd2 100644
--- a/src/app/frontend/deploy/deployfromsettings_controller.js
+++ b/src/app/frontend/deploy/deployfromsettings_controller.js
@@ -94,6 +94,12 @@ export default class DeployFromSettingsController {
      */
     this.name;
 
+    /**
+     * Whether to run the container as privileged user.
+     * @export {boolean}
+     */
+    this.runAsPrivileged = false;
+
     /**
      * Currently chosen namespace.
      * @export {string}
@@ -136,6 +142,7 @@ export default class DeployFromSettingsController {
       replicas: this.replicas,
       namespace: this.namespace,
       labels: this.toBackendApiLabels_(this.labels),
+      runAsPrivileged: this.runAsPrivileged,
     };
 
     let defer = this.q_.defer();
diff --git a/src/test/backend/deploy_test.go b/src/test/backend/deploy_test.go
index ef64d5b83ff7a11c8cd6650cfb04332d0355a2ed..cdd320221df491a6b98cba52c00960c1af01402b 100644
--- a/src/test/backend/deploy_test.go
+++ b/src/test/backend/deploy_test.go
@@ -24,8 +24,9 @@ import (
 func TestDeployApp(t *testing.T) {
 	namespace := "foo-namespace"
 	spec := &AppDeploymentSpec{
-		Namespace: namespace,
-		Name:      "foo-name",
+		Namespace:       namespace,
+		Name:            "foo-name",
+		RunAsPrivileged: true,
 	}
 	expectedRc := &api.ReplicationController{
 		ObjectMeta: api.ObjectMeta{
@@ -43,6 +44,9 @@ func TestDeployApp(t *testing.T) {
 				Spec: api.PodSpec{
 					Containers: []api.Container{{
 						Name: "foo-name",
+						SecurityContext: &api.SecurityContext{
+							Privileged: &spec.RunAsPrivileged,
+						},
 					}},
 				},
 			},