diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index b79c0fc2cd..60be21d275 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -19,3 +19,4 @@
 | Prevent mounting of default service account | [policy_validate_disallow_default_serviceaccount.yaml](policy_validate_disallow_default_serviceaccount.yaml) |
 | Require a default network policy | [policy_validate_default_network_policy.yaml](policy_validate_default_network_policy.yaml) |
 | Require namespace quotas and limit ranges | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml) |
+| Allocating an FSGroup that owns the pod's volumes | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml) |
diff --git a/examples/best_practices/policy_validate_fsgroup.yaml b/examples/best_practices/policy_validate_fsgroup.yaml
new file mode 100644
index 0000000000..13387c366d
--- /dev/null
+++ b/examples/best_practices/policy_validate_fsgroup.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-fsgroup
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: validate-fsgroup
+ exclude:
+ resources:
+ namespaces:
+ - kube-system
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "directory should have group ID 2000"
+ pattern:
+ spec:
+ securityContext:
+ fsGroup: 2000
\ No newline at end of file
diff --git a/examples/best_practices/resources/resource_validate_fsgroup.yaml b/examples/best_practices/resources/resource_validate_fsgroup.yaml
new file mode 100644
index 0000000000..6da892ed0a
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_fsgroup.yaml
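Review bot: The pattern in policy_validate_fsgroup.yaml pins `fsGroup: 2000` to one literal GID, so the rule enforces a specific value rather than "an FSGroup is allocated" as the README row describes; a pod that sets any other fsGroup is reported as a violation while one that sets no securityContext at all fails with the same message. If the intent is presence, Kyverno's any-value wildcard expresses it, `fsGroup: "?*"`, and the message should then read `message: "pod must set spec.securityContext.fsGroup so mounted volumes are group-owned"`. If a fixed GID really is the site convention, the README entry and the message should say that the check is for GID 2000 specifically. The rule also runs in `validationFailureAction: "audit"`, so it only reports and never blocks admission, which is worth stating in the README row for this example.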
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: fsgroup-demo
+spec:
+ securityContext:
+ fsGroup: 2000 # directory will have group ID 2000
+ volumes:
+ - name: fsgroup-demo-vol
+ emptyDir: {}
+ containers:
+ - name: fsgroup-demo
+ image: busybox
+ command: [ "sh", "-c", "sleep 1h" ]
+ volumeMounts:
+ - name: fsgroup-demo-vol
+ mountPath: /data/demo
\ No newline at end of file
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 71491a0faa..745c89beb7 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -111,3 +111,7 @@ func Test_validate_disallow_node_port(t *testing.T) {
 func Test_validate_disallow_default_serviceaccount(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_disallow_default_serviceaccount.yaml")
 }
+
+func Test_validate_fsgroup(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_fsgroup.yaml b/test/scenarios/test/scenario_validate_fsgroup.yaml
new file mode 100644
index 0000000000..036d713fdd
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_fsgroup.yaml
@@ -0,0 +1,19 @@
+
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_fsgroup.yaml
+ resource: examples/best_practices/resources/resource_validate_fsgroup.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-fsgroup
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: fsgroup-demo
+ rules:
+ - name: validate-fsgroup
+ type: Validation
+ message: "Validation rule 'validate-fsgroup' failed at '/spec/securityContext/fsGroup/' for resource Pod//fsgroup-demo. directory should have group ID 2000"
+ success: false
\ No newline at end of file
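Review bot: The expected block in scenario_validate_fsgroup.yaml records `success: false` with a failure at '/spec/securityContext/fsGroup/', yet the resource it feeds in (resource_validate_fsgroup.yaml, earlier in this diff) sets `fsGroup: 2000`, which is exactly what the policy pattern requires, so the scenario pins a validation failure for a conforming pod. Either the engine does not treat the YAML integer 2000 and the pattern's 2000 as equal (presumably a numeric type mismatch after the JSON round-trip, which I cannot confirm from these files), in which case this fixture cements that defect as expected behaviour, or the expectation should be `success: true` with the rule's message omitted. I would add a second resource that sets a different fsGroup (or no securityContext) so the scenario covers both the accepting and the rejecting path, and note in the file header comment which outcome each resource is meant to produce.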