diff --git a/common/docs/containers.conf.5.md b/common/docs/containers.conf.5.md
index 308376bbec..5a54bac384 100644
--- a/common/docs/containers.conf.5.md
+++ b/common/docs/containers.conf.5.md
@@ -202,6 +202,9 @@ the system uses `65536k`.
 `tz="local"` `tz="America/New_York"` +**umask**="0022" + Sets umask inside the container. + **utsns**="private" Default way to to create a UTS namespace for the container. Options are:
diff --git a/common/pkg/config/config.go b/common/pkg/config/config.go
index c652a66f2f..a8b5163836 100644
--- a/common/pkg/config/config.go
+++ b/common/pkg/config/config.go
@@ -168,6 +168,9 @@ type ContainersConfig struct {
 //TZ sets the timezone inside the container TZ string `toml:"tz,omitempty"` + // Umask is the umask inside the container. + Umask string `toml:"umask,omitempty"` + // UTSNS indicates how to create a UTS namespace for the container UTSNS string `toml:"utsns,omitempty"`
@@ -582,6 +585,10 @@ func (c *ContainersConfig) Validate() error {
 return err } + if err := c.validateUmask(); err != nil { + return err + } + if c.LogSizeMax >= 0 && c.LogSizeMax < OCIBufSize { return fmt.Errorf("log size max should be negative or >= %d", OCIBufSize) }
diff --git a/common/pkg/config/config_local.go b/common/pkg/config/config_local.go
index a6ab33c507..282eb80b7a 100644
--- a/common/pkg/config/config_local.go
+++ b/common/pkg/config/config_local.go
@@ -6,6 +6,7 @@ import (
 "fmt" "os" "path/filepath" + "regexp" "syscall" units "github.com/docker/go-units"
@@ -88,6 +89,14 @@ func (c *ContainersConfig) validateTZ() error {
 return nil } +func (c *ContainersConfig) validateUmask() error { + validUmask := regexp.MustCompile(`^[0-7]{1,4}$`) + if !validUmask.MatchString(c.Umask) { + return fmt.Errorf("Not a valid Umask %s", c.Umask) + } + return nil +} + func isRemote() bool { return false }
diff --git a/common/pkg/config/config_local_test.go b/common/pkg/config/config_local_test.go
index ef6ad6d8d6..56c4b7507e 100644
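Review bot: validateUmask in config_local.go calls regexp.MustCompile on every invocation and its error text breaks the lowercase convention used by Validate's own message in config.go (`"log size max should be negative or >= %d"`); hoist the compiled pattern to a package-level `var validUmask = regexp.MustCompile(...)` and report the rejected value quoted, `return fmt.Errorf("not a valid umask %q", c.Umask)`. The pattern `^[0-7]{1,4}$` rejects the empty string, so a ContainersConfig that did not pass through DefaultConfig (which sets "0022" in default.go) fails Validate; if that is intended, say so on the method: `// validateUmask requires 1-4 octal digits; an unset (empty) umask is rejected.` The pattern also admits four-digit values such as "7777" that exceed 0777 and carry bits a umask cannot hold; if those should be rejected as well, parse with strconv.ParseUint(c.Umask, 8, 32) and check the result is at most 0777 rather than relying on the regexp alone.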
--- a/common/pkg/config/config_local_test.go
+++ b/common/pkg/config/config_local_test.go
@@ -277,4 +277,30 @@ var _ = Describe("Config Local", func() {
 gomega.Expect(err).To(gomega.BeNil()) defer os.Remove(tmpfile) }) + It("Default Umask", func() { + // Given + // When + config, err := NewConfig("") + // Then + gomega.Expect(err).To(gomega.BeNil()) + gomega.Expect(config.Containers.Umask).To(gomega.Equal("0022")) + }) + It("Set Umask", func() { + // Given + // When + config, err := NewConfig("testdata/containers_default.conf") + // Then + gomega.Expect(err).To(gomega.BeNil()) + gomega.Expect(config.Containers.Umask).To(gomega.Equal("0002")) + }) + It("Should fail on bad Umask", func() { + // Given + sut.Containers.Umask = "88888" + + // When + err := sut.Containers.Validate() + + // Then + gomega.Expect(err).NotTo(gomega.BeNil()) + }) })
diff --git a/common/pkg/config/config_remote.go b/common/pkg/config/config_remote.go
index 61dd159ad1..7fd9202bbf 100644
--- a/common/pkg/config/config_remote.go
+++ b/common/pkg/config/config_remote.go
@@ -27,3 +27,7 @@ func (c *ContainersConfig) validateUlimits() error {
 func (c *ContainersConfig) validateTZ() error { return nil } + +func (c *ContainersConfig) validateUmask() error { + return nil +}
diff --git a/common/pkg/config/containers.conf b/common/pkg/config/containers.conf
index 80afbb9bc4..c7d5642c15 100644
--- a/common/pkg/config/containers.conf
+++ b/common/pkg/config/containers.conf
@@ -210,6 +210,10 @@
 # # tz = "" +# Set umask inside the container +# +# umask="0022" + # Default way to to create a UTS namespace for the container # Options are: # `private` Create private UTS Namespace for the container.
diff --git a/common/pkg/config/default.go b/common/pkg/config/default.go
index e7a1836bdb..12cf1b4211 100644
--- a/common/pkg/config/default.go
+++ b/common/pkg/config/default.go
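Review bot: The only negative case in config_local_test.go, "Should fail on bad Umask", uses "88888", which fails both the length bound and the octal-digit check of the pattern in validateUmask at once, so neither check is pinned on its own, and there is no positive case for a valid non-default value. Add a case setting `sut.Containers.Umask = "0028"` (non-octal digit) that expects an error, one setting `sut.Containers.Umask = ""` to pin whether an unset umask is accepted, and one setting `sut.Containers.Umask = "077"` that expects `sut.Containers.Validate()` to return nil. The Describe block these cases live in starts outside the hunk.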
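Review bot: validateUmask in config_remote.go accepts any value without a comment saying why, so a reader has to infer that remote clients leave the check to whichever side applies the umask; the validateTZ stub above it in the context is equally silent. Add one line above the declaration such as `// validateUmask is a no-op for remote clients; the umask is checked by the side that applies it.` and confirm that the receiving side does validate it, since nothing in this commit shows that.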
@@ -191,6 +191,7 @@ func DefaultConfig() (*Config, error) {
 SeccompProfile: SeccompDefaultPath, ShmSize: DefaultShmSize, TZ: "", + Umask: "0022", UTSNS: "private", UserNS: "host", UserNSSize: DefaultUserNSSize,
@@ -504,3 +505,7 @@ func (c *Config) DetachKeys() string {
 func (c *Config) TZ() string { return c.Containers.TZ } + +func (c *Config) Umask() string { + return c.Containers.Umask +}
diff --git a/common/pkg/config/testdata/containers_default.conf b/common/pkg/config/testdata/containers_default.conf
index a72ee0b0f5..3079e5d6e0 100644
--- a/common/pkg/config/testdata/containers_default.conf
+++ b/common/pkg/config/testdata/containers_default.conf
@@ -88,6 +88,9 @@ pids_limit = 2048
 # Unit is optional and can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If the unit is omitted, the system uses bytes. shm_size = "65536k" +#Umask inside the container +umask="0002" + # The network table containers settings pertaining to the management of # CNI plugins. [network]
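Review bot: The new exported getter Umask in default.go has no doc comment; the neighbouring TZ getter in the context lacks one too, so this follows the file's current style, but an exported method without a leading comment is what golint and revive flag first. Add `// Umask returns the umask to set inside the container (Containers.Umask).` above the declaration, and consider giving TZ the same treatment in a follow-up.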