openshift
diff --git a/‎openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/defaulting_scc_test.go‎
Lines changed: 3 additions & 0 deletions b/‎openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/defaulting_scc_test.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/defaults.go‎
Lines changed: 4 additions & 1 deletion b/‎openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/defaults.go‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/validation/validation.go‎
Lines changed: 17 additions & 0 deletions b/‎openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints/validation/validation.go‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎vendor/github.com/openshift/api/security/v1/types.go‎
Lines changed: 25 additions & 0 deletions b/‎vendor/github.com/openshift/api/security/v1/types.go‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go‎
Lines changed: 50 additions & 0 deletions b/‎vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go‎
Lines changed: 50 additions & 0 deletions
@@ -81,6 +81,9 @@ func TestDefaultingHappens(t *testing.T) {
 	"priority": null,
 	"readOnlyRootFilesystem": false,
 	"requiredDropCapabilities": null,
+	"runAsGroup": {
+		"type": "RunAsAny"
+	},
 	"runAsUser": {
 		"type": "RunAsAny"
 	},
 
@@ -7,7 +7,7 @@ import (
 	sccutil "github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/util"
 )
 
-// Default SCCs for new fields.  FSGroup and SupplementalGroups are
+// Default SCCs for new fields.  FSGroup, SupplementalGroups, and RunAsGroup are
 // set to the RunAsAny strategy if they are unset on the scc.
 func SetDefaults_SCC(scc *securityv1.SecurityContextConstraints) {
 	if len(scc.FSGroup.Type) == 0 {
@@ -16,6 +16,9 @@ func SetDefaults_SCC(scc *securityv1.SecurityContextConstraints) {
 	if len(scc.SupplementalGroups.Type) == 0 {
 		scc.SupplementalGroups.Type = securityv1.SupplementalGroupsStrategyRunAsAny
 	}
+	if len(scc.RunAsGroup.Type) == 0 {
+		scc.RunAsGroup.Type = securityv1.RunAsGroupStrategyRunAsAny
+	}
 
 	if scc.Users == nil {
 		scc.Users = []string{}
 
@@ -70,6 +70,23 @@ func ValidateSecurityContextConstraints(scc *securityv1.SecurityContextConstrain
 	}
 	allErrs = append(allErrs, validateIDRanges(scc.SupplementalGroups.Ranges, field.NewPath("supplementalGroups"))...)
 
+	// ensure the runAsGroup strategy has a valid type
+	if len(scc.RunAsGroup.Type) > 0 {
+		if scc.RunAsGroup.Type != securityv1.RunAsGroupStrategyMustRunAs &&
+			scc.RunAsGroup.Type != securityv1.RunAsGroupStrategyRunAsAny {
+			allErrs = append(allErrs, field.NotSupported(field.NewPath("runAsGroup", "type"), scc.RunAsGroup.Type,
+				[]string{string(securityv1.RunAsGroupStrategyMustRunAs), string(securityv1.RunAsGroupStrategyRunAsAny)}))
+		}
+		allErrs = append(allErrs, validateIDRanges(scc.RunAsGroup.Ranges, field.NewPath("runAsGroup"))...)
+
+		// if specified, gid cannot be negative
+		if scc.RunAsGroup.GID != nil {
+			if *scc.RunAsGroup.GID < 0 {
+				allErrs = append(allErrs, field.Invalid(field.NewPath("runAsGroup").Child("gid"), *scc.RunAsGroup.GID, "gid cannot be negative"))
+			}
+		}
+	}
+
 	// validate capabilities
 	allErrs = append(allErrs, validateSCCCapsAgainstDrops(scc.RequiredDropCapabilities, scc.DefaultAddCapabilities, field.NewPath("defaultAddCapabilities"))...)
 	allErrs = append(allErrs, validateSCCCapsAgainstDrops(scc.RequiredDropCapabilities, scc.AllowedCapabilities, field.NewPath("allowedCapabilities"))...)