openshift · ropatil010 · Nov 11, 2025 · Nov 13, 2025
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
diff --git a/openapi/openapi.json b/openapi/openapi.json
@@ -38166,6 +38166,11 @@
             "default": ""
           },
           "x-kubernetes-list-type": "atomic"
+        },
+        "runAsGroup": {
+          "description": "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.",
+          "default": {},
+          "$ref": "#/definitions/com.github.openshift.api.security.v1.RunAsGroupStrategyOptions"
         }
       }
     },
@@ -49833,6 +49838,63 @@
       "description": "IntOrString is a type that can hold an int32 or a string.  When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type.  This allows you to have, for example, a JSON field that can accept a name or number.",
       "type": "string",
       "format": "int-or-string"
+    },
+    "com.github.openshift.api.security.v1.RunAsGroupIDRange": {
+      "description": "RunAsGroupIDRange provides a min/max of an allowed range of group IDs for RunAsGroup strategy.",
+      "type": "object",
+      "required": [
+        "min",
+        "max"
+      ],
+      "properties": {
+        "max": {
+          "description": "max is the end of the range, inclusive.",
+          "type": "integer",
+          "format": "int64"
+        },
+        "min": {
+          "description": "min is the start of the range, inclusive.",
+          "type": "integer",
+          "format": "int64"
+        }
+      }
+    },
+    "com.github.openshift.api.security.v1.RunAsGroupStrategyOptions": {
+      "description": "RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.",
+      "type": "object",
+      "required": [
+        "type"
+      ],
+      "properties": {
+        "gid": {
+          "description": "gid is the group id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated gids.",
+          "type": "integer",
+          "format": "int64"
+        },
+        "gidRangeMax": {
+          "description": "gidRangeMax defines the max value for a strategy that allocates by range.",
+          "type": "integer",
+          "format": "int64"
+        },
+        "gidRangeMin": {
+          "description": "gidRangeMin defines the min value for a strategy that allocates by range.",
+          "type": "integer",
+          "format": "int64"
+        },
+        "ranges": {
+          "description": "ranges are the allowed ranges of gids.  If you would like to force a single gid then supply a single range with the same start and end. When omitted, any gid is allowed (equivalent to RunAsAny strategy).",
+          "type": "array",
+          "items": {
+            "default": {},
+            "$ref": "#/definitions/com.github.openshift.api.security.v1.RunAsGroupIDRange"
+          },
+          "x-kubernetes-list-type": "atomic"
+        },
+        "type": {
+          "description": "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. Valid values are \"MustRunAs\", \"MustRunAsRange\", and \"RunAsAny\".",
+          "type": "string"
+        }
+      }
     }
   }
 }
diff --git a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml b/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml
@@ -38,6 +38,10 @@ spec:
       jsonPath: .fsGroup.type
       name: FSGroup
       type: string
+    - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext
+      jsonPath: .runAsGroup.type
+      name: RunAsGroup
+      type: string
     - description: Strategy that will dictate what supplemental groups are used by
         the SecurityContext
       jsonPath: .supplementalGroups.type
@@ -256,6 +260,63 @@ spec:
             nullable: true
             type: array
             x-kubernetes-list-type: atomic
+          runAsGroup:
+            description: |-
+              runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
+              When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.
+            properties:
+              gid:
+                description: |-
+                  gid is the group id that containers must run as. Required for the MustRunAs strategy if not using
+                  namespace/service account allocated gids.
+                format: int64
+                type: integer
+              gidRangeMax:
+                description: gidRangeMax defines the max value for a strategy that
+                  allocates by range.
+                format: int64
+                type: integer
+              gidRangeMin:
+                description: gidRangeMin defines the min value for a strategy that
+                  allocates by range.
+                format: int64
+                type: integer
+              ranges:
+                description: |-
+                  ranges are the allowed ranges of gids.  If you would like to force a single
+                  gid then supply a single range with the same start and end.
+                  When omitted, any gid is allowed (equivalent to RunAsAny strategy).
+                items:
+                  description: RunAsGroupIDRange provides a min/max of an allowed
+                    range of group IDs for RunAsGroup strategy.
+                  properties:
+                    max:
+                      description: max is the end of the range, inclusive.
+                      format: int64
+                      type: integer
+                    min:
+                      description: min is the start of the range, inclusive.
+                      format: int64
+                      type: integer
+                  required:
+                  - max
+                  - min
+                  type: object
+                maxItems: 256
+                type: array
+                x-kubernetes-list-type: atomic
+              type:
+                description: |-
+                  type is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
+                  Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny".
+                enum:
+                - MustRunAs
+                - MustRunAsRange
+                - RunAsAny
+                type: string
+            required:
+            - type
+            type: object
           runAsUser:
             description: runAsUser is the strategy that will dictate what RunAsUser
               is used in the SecurityContext.