openshift
diff --git a/‎openapi/generated_openapi/zz_generated.openapi.go‎
Lines changed: 25 additions & 3 deletions b/‎openapi/generated_openapi/zz_generated.openapi.go‎
Lines changed: 25 additions & 3 deletions
diff --git a/‎openapi/openapi.json‎
Lines changed: 21 additions & 3 deletions b/‎openapi/openapi.json‎
Lines changed: 21 additions & 3 deletions
diff --git a/‎payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml‎
Lines changed: 39 additions & 5 deletions b/‎payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml‎
Lines changed: 39 additions & 5 deletions
diff --git a/‎security/v1/types.go‎
Lines changed: 15 additions & 4 deletions b/‎security/v1/types.go‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml‎
Lines changed: 39 additions & 5 deletions b/‎security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml‎
Lines changed: 39 additions & 5 deletions
diff --git a/‎security/v1/zz_generated.deepcopy.go‎
Lines changed: 15 additions & 0 deletions b/‎security/v1/zz_generated.deepcopy.go‎
Lines changed: 15 additions & 0 deletions
@@ -37962,9 +37962,27 @@
     "com.github.openshift.api.security.v1.RunAsGroupStrategyOptions": {
       "description": "RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.",
       "type": "object",
+      "required": [
+        "type"
+      ],
       "properties": {
+        "gid": {
+          "description": "gid is the group id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated gids.",
+          "type": "integer",
+          "format": "int64"
+        },
+        "gidRangeMax": {
+          "description": "gidRangeMax defines the max value for a strategy that allocates by range.",
+          "type": "integer",
+          "format": "int64"
+        },
+        "gidRangeMin": {
+          "description": "gidRangeMin defines the min value for a strategy that allocates by range.",
+          "type": "integer",
+          "format": "int64"
+        },
         "ranges": {
-          "description": "ranges are the allowed ranges of gids.  If you would like to force a single gid then supply a single range with the same start and end.",
+          "description": "ranges are the allowed ranges of gids.  If you would like to force a single gid then supply a single range with the same start and end. When omitted, any gid is allowed (equivalent to RunAsAny strategy).",
           "type": "array",
           "items": {
             "default": {},
@@ -37973,7 +37991,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "type": {
-          "description": "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext.",
+          "description": "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext. Valid values are \"MustRunAs\", \"MustRunAsRange\", and \"RunAsAny\".",
           "type": "string"
         }
       }
@@ -38140,7 +38158,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "runAsGroup": {
-          "description": "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext.",
+          "description": "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext. When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.",
           "default": {},
           "$ref": "#/definitions/com.github.openshift.api.security.v1.RunAsGroupStrategyOptions"
         },
 
@@ -205,6 +205,9 @@ spec:
                       description: min is the start of the range, inclusive.
                       format: int64
                       type: integer
+                  required:
+                  - max
+                  - min
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
@@ -261,14 +264,31 @@ spec:
             type: array
             x-kubernetes-list-type: atomic
           runAsGroup:
-            description: runAsGroup is the strategy that will dictate what RunAsGroup
-              is used in the SecurityContext.
-            nullable: true
+            description: |-
+              runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
+              When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.
             properties:
+              gid:
+                description: |-
+                  gid is the group id that containers must run as. Required for the MustRunAs strategy if not using
+                  namespace/service account allocated gids.
+                format: int64
+                type: integer
+              gidRangeMax:
+                description: gidRangeMax defines the max value for a strategy that
+                  allocates by range.
+                format: int64
+                type: integer
+              gidRangeMin:
+                description: gidRangeMin defines the min value for a strategy that
+                  allocates by range.
+                format: int64
+                type: integer
               ranges:
                 description: |-
                   ranges are the allowed ranges of gids.  If you would like to force a single
                   gid then supply a single range with the same start and end.
+                  When omitted, any gid is allowed (equivalent to RunAsAny strategy).
                 items:
                   description: IDRange provides a min/max of an allowed range of IDs.
                   properties:
@@ -280,13 +300,24 @@ spec:
                       description: min is the start of the range, inclusive.
                       format: int64
                       type: integer
+                  required:
+                  - max
+                  - min
                   type: object
+                maxItems: 256
                 type: array
                 x-kubernetes-list-type: atomic
               type:
-                description: type is the strategy that will dictate what RunAsGroup
-                  is used in the SecurityContext.
+                description: |-
+                  type is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
+                  Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny".
+                enum:
+                - MustRunAs
+                - MustRunAsRange
+                - RunAsAny
                 type: string
+            required:
+            - type
             type: object
           runAsUser:
             description: runAsUser is the strategy that will dictate what RunAsUser
@@ -376,6 +407,9 @@ spec:
                       description: min is the start of the range, inclusive.
                       format: int64
                       type: integer
+                  required:
+                  - max
+                  - min
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
 
@@ -276,18 +276,27 @@ type SupplementalGroupsStrategyOptions struct {
 // RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.
 type RunAsGroupStrategyOptions struct {
 	// type is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
-	// Valid values are "MustRunAs" and "RunAsAny".
+	// Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny".
 	// +required
-	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:MaxLength=32
+	// +kubebuilder:validation:Enum=MustRunAs;MustRunAsRange;RunAsAny
 	Type RunAsGroupStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=RunAsGroupStrategyType"`
+	// gid is the group id that containers must run as. Required for the MustRunAs strategy if not using
+	// namespace/service account allocated gids.
+	// +optional
+	GID *int64 `json:"gid,omitempty" protobuf:"varint,2,opt,name=gid"`
+	// gidRangeMin defines the min value for a strategy that allocates by range.
+	// +optional
+	GIDRangeMin *int64 `json:"gidRangeMin,omitempty" protobuf:"varint,3,opt,name=gidRangeMin"`
+	// gidRangeMax defines the max value for a strategy that allocates by range.
+	// +optional
+	GIDRangeMax *int64 `json:"gidRangeMax,omitempty" protobuf:"varint,4,opt,name=gidRangeMax"`
 	// ranges are the allowed ranges of gids.  If you would like to force a single
 	// gid then supply a single range with the same start and end.
 	// When omitted, any gid is allowed (equivalent to RunAsAny strategy).
 	// +optional
 	// +listType=atomic
 	// +kubebuilder:validation:MaxItems=256
-	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
+	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,5,rep,name=ranges"`
 }
 
 // IDRange provides a min/max of an allowed range of IDs.
@@ -351,6 +360,8 @@ const (
 
 	// container must have RunAsGroup of X applied.
 	RunAsGroupStrategyMustRunAs RunAsGroupStrategyType = "MustRunAs"
+	// container must run with a gid in a range.
+	RunAsGroupStrategyMustRunAsRange RunAsGroupStrategyType = "MustRunAsRange"
 	// container may make requests for any RunAsGroup.
 	RunAsGroupStrategyRunAsAny RunAsGroupStrategyType = "RunAsAny"
 
 
@@ -205,6 +205,9 @@ spec:
                       description: min is the start of the range, inclusive.
                       format: int64
                       type: integer
+                  required:
+                  - max
+                  - min
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
@@ -261,14 +264,31 @@ spec:
             type: array
             x-kubernetes-list-type: atomic
           runAsGroup:
-            description: runAsGroup is the strategy that will dictate what RunAsGroup
-              is used in the SecurityContext.
-            nullable: true
+            description: |-
+              runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
+              When omitted, the RunAsGroup strategy will not be enforced and containers may run with any group ID.
             properties:
+              gid:
+                description: |-
+                  gid is the group id that containers must run as. Required for the MustRunAs strategy if not using
+                  namespace/service account allocated gids.
+                format: int64
+                type: integer
+              gidRangeMax:
+                description: gidRangeMax defines the max value for a strategy that
+                  allocates by range.
+                format: int64
+                type: integer
+              gidRangeMin:
+                description: gidRangeMin defines the min value for a strategy that
+                  allocates by range.
+                format: int64
+                type: integer
               ranges:
                 description: |-
                   ranges are the allowed ranges of gids.  If you would like to force a single
                   gid then supply a single range with the same start and end.
+                  When omitted, any gid is allowed (equivalent to RunAsAny strategy).
                 items:
                   description: IDRange provides a min/max of an allowed range of IDs.
                   properties:
@@ -280,13 +300,24 @@ spec:
                       description: min is the start of the range, inclusive.
                       format: int64
                       type: integer
+                  required:
+                  - max
+                  - min
                   type: object
+                maxItems: 256
                 type: array
                 x-kubernetes-list-type: atomic
               type:
-                description: type is the strategy that will dictate what RunAsGroup
-                  is used in the SecurityContext.
+                description: |-
+                  type is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
+                  Valid values are "MustRunAs", "MustRunAsRange", and "RunAsAny".
+                enum:
+                - MustRunAs
+                - MustRunAsRange
+                - RunAsAny
                 type: string
+            required:
+            - type
             type: object
           runAsUser:
             description: runAsUser is the strategy that will dictate what RunAsUser
@@ -376,6 +407,9 @@ spec:
                       description: min is the start of the range, inclusive.
                       format: int64
                       type: integer
+                  required:
+                  - max
+                  - min
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic