diff --git a/pkg/api/errors/validation.go b/pkg/api/errors/validation.go
index cda5ae1b0f9..a7658907e3f 100644
--- a/pkg/api/errors/validation.go
+++ b/pkg/api/errors/validation.go
@@ -46,6 +46,10 @@ const (
 // ValidationErrorTypeNotSupported is used to report valid (as per formatting rules)
 // values that can not be handled (e.g. an enumerated string).
 ValidationErrorTypeNotSupported ValidationErrorType = "FieldValueNotSupported"
+ // ValidationErrorTypeForbidden is used to report valid (as per formatting rules)
+ // values which would be accepted by some api instances, but which would invoke behavior
+ // not permitted by this api instance (such as due to stricter security policy).
+ ValidationErrorTypeForbidden ValidationErrorType = "FieldValueForbidden"
 )
 
 func ValueOf(t ValidationErrorType) string {
@@ -60,6 +64,8 @@ func ValueOf(t ValidationErrorType) string {
 return "invalid value"
 case ValidationErrorTypeNotSupported:
 return "unsupported value"
+ case ValidationErrorTypeForbidden:
+ return "forbidden"
 default:
 glog.Errorf("unrecognized validation type: %#v", t)
 return ""
@@ -92,6 +98,11 @@ func NewFieldNotSupported(field string, value interface{}) ValidationError {
 return ValidationError{ValidationErrorTypeNotSupported, field, value}
 }
 
+// NewFieldForbidden returns a ValidationError indicating "forbidden"
+func NewFieldForbidden(field string, value interface{}) ValidationError {
+ return ValidationError{ValidationErrorTypeForbidden, field, value}
+}
+
 // NewFieldDuplicate returns a ValidationError indicating "duplicate value"
 func NewFieldDuplicate(field string, value interface{}) ValidationError {
 return ValidationError{ValidationErrorTypeDuplicate, field, value}
diff --git a/pkg/api/validation/validation.go b/pkg/api/validation/validation.go
index 613e188e722..5b476f257ec 100644
--- a/pkg/api/validation/validation.go
+++ b/pkg/api/validation/validation.go
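Review bot: The doc comment on `NewFieldForbidden` in pkg/api/errors/validation.go (third hunk) only repeats the type name and does not tell a caller when to choose it over `NewFieldInvalid` or `NewFieldNotSupported`, which is the distinction this commit introduces. Something like `// NewFieldForbidden returns a ValidationError for a well-formed value that this API instance's policy does not permit.` would carry the intent of the constant's comment to the call site. The `value` argument is stored in the error as given, so the comment could also say that callers should pass only values that are safe to show; whether the error is later rendered to clients or logs is not visible in this hunk.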
@@ -257,7 +257,7 @@ func validateContainers(containers []api.Container, volumes util.StringSet) errs
 } else if allNames.Has(ctr.Name) {
 cErrs = append(cErrs, errs.NewFieldDuplicate("name", ctr.Name))
 } else if ctr.Privileged && !capabilities.AllowPrivileged {
- cErrs = append(cErrs, errs.NewFieldInvalid("privileged", ctr.Privileged))
+ cErrs = append(cErrs, errs.NewFieldForbidden("privileged", ctr.Privileged))
 } else {
 allNames.Insert(ctr.Name)
 }
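Review bot: The privileged-container denial is still one arm of the `else if` chain that validates `ctr.Name`, so it is only evaluated when no earlier name check fired, and a container rejected here never reaches `allNames.Insert(ctr.Name)`. A container that is both duplicate-named and privileged is reported only as a duplicate, so the policy violation is missing from the returned list, which matters if callers or audit logs key on `FieldValueForbidden`. Consider making it a separate statement after the name chain, `if ctr.Privileged && !capabilities.AllowPrivileged { cErrs = append(cErrs, errs.NewFieldForbidden("privileged", ctr.Privileged)) }`, and leaving the chain's `else` to record the name. validateContainers starts and ends outside this hunk, so the first arm of the chain and the handling of `cErrs` are inferred rather than visible.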