Use dedicated Unix User and Group ID types

2017-04-20 12:57:07 +02:00 · 2017-04-20 12:57:07 +02:00 · 9440a68744
commit 9440a68744
parent ee39d359dd
120 changed files with 4881 additions and 4396 deletions
--- a/api/swagger-spec/apps_v1beta1.json
+++ b/api/swagger-spec/apps_v1beta1.json
@ -4057,8 +4057,7 @@
      "description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsNonRoot": {
@ -4117,6 +4116,10 @@
     }
    }
   },
   "types.UnixUserID": {
    "id": "types.UnixUserID",
    "properties": {}
   },
   "v1.PodSecurityContext": {
    "id": "v1.PodSecurityContext",
    "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -4126,8 +4129,7 @@
      "description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsNonRoot": {
@ -4137,17 +4139,20 @@
     "supplementalGroups": {
      "type": "array",
      "items": {
-       "type": "integer"
+       "$ref": "types.UnixGroupID"
      },
      "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID.  If unspecified, no groups will be added to any container."
     },
     "fsGroup": {
-      "type": "integer",
+      "$ref": "types.UnixGroupID",
      "format": "int64",
      "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
     }
    }
   },
   "types.UnixGroupID": {
    "id": "types.UnixGroupID",
    "properties": {}
   },
   "v1.Affinity": {
    "id": "v1.Affinity",
    "description": "Affinity is a group of affinity scheduling rules.",
--- a/api/swagger-spec/batch_v1.json
+++ b/api/swagger-spec/batch_v1.json
@ -2840,8 +2840,7 @@
      "description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsNonRoot": {
@ -2900,6 +2899,10 @@
     }
    }
   },
   "types.UnixUserID": {
    "id": "types.UnixUserID",
    "properties": {}
   },
   "v1.PodSecurityContext": {
    "id": "v1.PodSecurityContext",
    "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -2909,8 +2912,7 @@
      "description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsNonRoot": {
@ -2920,17 +2922,20 @@
     "supplementalGroups": {
      "type": "array",
      "items": {
-       "type": "integer"
+       "$ref": "types.UnixGroupID"
      },
      "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID.  If unspecified, no groups will be added to any container."
     },
     "fsGroup": {
-      "type": "integer",
+      "$ref": "types.UnixGroupID",
      "format": "int64",
      "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
     }
    }
   },
   "types.UnixGroupID": {
    "id": "types.UnixGroupID",
    "properties": {}
   },
   "v1.Affinity": {
    "id": "v1.Affinity",
    "description": "Affinity is a group of affinity scheduling rules.",
--- a/api/swagger-spec/batch_v2alpha1.json
+++ b/api/swagger-spec/batch_v2alpha1.json
@ -3873,8 +3873,7 @@
      "description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsNonRoot": {
@ -3933,6 +3932,10 @@
     }
    }
   },
   "types.UnixUserID": {
    "id": "types.UnixUserID",
    "properties": {}
   },
   "v1.PodSecurityContext": {
    "id": "v1.PodSecurityContext",
    "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -3942,8 +3945,7 @@
      "description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsNonRoot": {
@ -3953,17 +3955,20 @@
     "supplementalGroups": {
      "type": "array",
      "items": {
-       "type": "integer"
+       "$ref": "types.UnixGroupID"
      },
      "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID.  If unspecified, no groups will be added to any container."
     },
     "fsGroup": {
-      "type": "integer",
+      "$ref": "types.UnixGroupID",
      "format": "int64",
      "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
     }
    }
   },
   "types.UnixGroupID": {
    "id": "types.UnixGroupID",
    "properties": {}
   },
   "v1.Affinity": {
    "id": "v1.Affinity",
    "description": "Affinity is a group of affinity scheduling rules.",
--- a/api/swagger-spec/extensions_v1beta1.json
+++ b/api/swagger-spec/extensions_v1beta1.json
@ -8304,8 +8304,7 @@
      "description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsNonRoot": {
@ -8364,6 +8363,10 @@
     }
    }
   },
   "types.UnixUserID": {
    "id": "types.UnixUserID",
    "properties": {}
   },
   "v1.PodSecurityContext": {
    "id": "v1.PodSecurityContext",
    "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -8373,8 +8376,7 @@
      "description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsNonRoot": {
@ -8384,17 +8386,20 @@
     "supplementalGroups": {
      "type": "array",
      "items": {
-       "type": "integer"
+       "$ref": "types.UnixGroupID"
      },
      "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID.  If unspecified, no groups will be added to any container."
     },
     "fsGroup": {
-      "type": "integer",
+      "$ref": "types.UnixGroupID",
      "format": "int64",
      "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
     }
    }
   },
   "types.UnixGroupID": {
    "id": "types.UnixGroupID",
    "properties": {}
   },
   "v1.Affinity": {
    "id": "v1.Affinity",
    "description": "Affinity is a group of affinity scheduling rules.",
--- a/api/swagger-spec/v1.json
+++ b/api/swagger-spec/v1.json
@ -19891,8 +19891,7 @@
      "description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence."
     },
     "runAsNonRoot": {
@ -19951,6 +19950,10 @@
     }
    }
   },
   "types.UnixUserID": {
    "id": "types.UnixUserID",
    "properties": {}
   },
   "v1.PodSecurityContext": {
    "id": "v1.PodSecurityContext",
    "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.",
@ -19960,8 +19963,7 @@
      "description": "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsUser": {
-      "type": "integer",
+      "$ref": "types.UnixUserID",
      "format": "int64",
      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container."
     },
     "runAsNonRoot": {
@ -19971,17 +19973,20 @@
     "supplementalGroups": {
      "type": "array",
      "items": {
-       "type": "integer"
+       "$ref": "types.UnixGroupID"
      },
      "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID.  If unspecified, no groups will be added to any container."
     },
     "fsGroup": {
-      "type": "integer",
+      "$ref": "types.UnixGroupID",
      "format": "int64",
      "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw "
     }
    }
   },
   "types.UnixGroupID": {
    "id": "types.UnixGroupID",
    "properties": {}
   },
   "v1.Affinity": {
    "id": "v1.Affinity",
    "description": "Affinity is a group of affinity scheduling rules.",
--- a/docs/api-reference/apps/v1beta1/definitions.html
+++ b/docs/api-reference/apps/v1beta1/definitions.html
@ -1755,6 +1755,10 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_uid">types.UID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1_azurefilevolumesource">v1.AzureFileVolumeSource</h3>
@ -1803,10 +1807,6 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_uid">types.UID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1_iscsivolumesource">v1.ISCSIVolumeSource</h3>
@ -4218,6 +4218,10 @@ Examples:<br>
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_unixuserid">types.UnixUserID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1_scaleiovolumesource">v1.ScaleIOVolumeSource</h3>
@ -4590,6 +4594,10 @@ Examples:<br>
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_unixgroupid">types.UnixGroupID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1beta1_deploymentrollback">v1beta1.DeploymentRollback</h3>
@ -5242,7 +5250,7 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -5256,7 +5264,7 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID.  If unspecified, no groups will be added to any container.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -5265,7 +5273,7 @@ Examples:<br>
 <br>
 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 </tbody>
@ -5639,7 +5647,7 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -6339,7 +6347,7 @@ Examples:<br>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2017-05-02 14:37:22 UTC
+Last updated 2017-05-04 11:35:33 UTC
 </div>
 </div>
 </body>
--- a/docs/api-reference/batch/v1/definitions.html
+++ b/docs/api-reference/batch/v1/definitions.html
@ -535,6 +535,10 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_unixuserid">types.UnixUserID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@ -1167,6 +1171,10 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_unixgroupid">types.UnixGroupID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1_httpheader">v1.HTTPHeader</h3>
@ -2088,7 +2096,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
 <td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -2102,7 +2110,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
 <td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID.  If unspecified, no groups will be added to any container.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -2111,7 +2119,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
 <br>
 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 </tbody>
@ -3013,7 +3021,7 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
 <td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -5581,7 +5589,7 @@ Examples:<br>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2017-05-02 14:37:51 UTC
+Last updated 2017-04-26 21:11:54 UTC
 </div>
 </div>
 </body>
--- a/docs/api-reference/batch/v2alpha1/definitions.html
+++ b/docs/api-reference/batch/v2alpha1/definitions.html
--- a/docs/api-reference/extensions/v1beta1/definitions.html
+++ b/docs/api-reference/extensions/v1beta1/definitions.html
@ -2196,68 +2196,6 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_v1beta1_daemonsetspec">v1beta1.DaemonSetSpec</h3>
 <div class="paragraph">
 <p>DaemonSetSpec is the specification of a daemon set.</p>
 </div>
 <table class="tableblock frame-all grid-all" style="width:100%; ">
 <colgroup>
 <col style="width:20%;">
 <col style="width:20%;">
 <col style="width:20%;">
 <col style="width:20%;">
 <col style="width:20%;"> 
 </colgroup>
 <thead>
 <tr>
 <th class="tableblock halign-left valign-top">Name</th>
 <th class="tableblock halign-left valign-top">Description</th>
 <th class="tableblock halign-left valign-top">Required</th>
 <th class="tableblock halign-left valign-top">Schema</th>
 <th class="tableblock halign-left valign-top">Default</th>
 </tr>
 </thead>
 <tbody>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">selector</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">A label query over pods that are managed by the daemon set. Must match in order to be controlled. If empty, defaulted to labels on Pod template. More info: <a href="http://kubernetes.io/docs/user-guide/labels#label-selectors">http://kubernetes.io/docs/user-guide/labels#label-selectors</a></p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselector">v1.LabelSelector</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">template</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template&#8217;s node selector (or on every node if no node selector is specified). More info: <a href="http://kubernetes.io/docs/user-guide/replication-controller#pod-template">http://kubernetes.io/docs/user-guide/replication-controller#pod-template</a></p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_podtemplatespec">v1.PodTemplateSpec</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">updateStrategy</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">An update strategy to replace existing DaemonSet pods with new pods.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_daemonsetupdatestrategy">v1beta1.DaemonSetUpdateStrategy</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">minReadySeconds</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32)</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">templateGeneration</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">A sequence number representing a specific generation of the template. Populated by the system. It can be set only during the creation.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_v1beta1_deployment">v1beta1.Deployment</h3>
@ -2320,6 +2258,68 @@ Populated by the system when a graceful deletion is requested. Read-only. More i
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_v1beta1_daemonsetspec">v1beta1.DaemonSetSpec</h3>
 <div class="paragraph">
 <p>DaemonSetSpec is the specification of a daemon set.</p>
 </div>
 <table class="tableblock frame-all grid-all" style="width:100%; ">
 <colgroup>
 <col style="width:20%;">
 <col style="width:20%;">
 <col style="width:20%;">
 <col style="width:20%;">
 <col style="width:20%;"> 
 </colgroup>
 <thead>
 <tr>
 <th class="tableblock halign-left valign-top">Name</th>
 <th class="tableblock halign-left valign-top">Description</th>
 <th class="tableblock halign-left valign-top">Required</th>
 <th class="tableblock halign-left valign-top">Schema</th>
 <th class="tableblock halign-left valign-top">Default</th>
 </tr>
 </thead>
 <tbody>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">selector</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">A label query over pods that are managed by the daemon set. Must match in order to be controlled. If empty, defaulted to labels on Pod template. More info: <a href="http://kubernetes.io/docs/user-guide/labels#label-selectors">http://kubernetes.io/docs/user-guide/labels#label-selectors</a></p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_labelselector">v1.LabelSelector</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">template</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template&#8217;s node selector (or on every node if no node selector is specified). More info: <a href="http://kubernetes.io/docs/user-guide/replication-controller#pod-template">http://kubernetes.io/docs/user-guide/replication-controller#pod-template</a></p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1_podtemplatespec">v1.PodTemplateSpec</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">updateStrategy</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">An update strategy to replace existing DaemonSet pods with new pods.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_daemonsetupdatestrategy">v1beta1.DaemonSetUpdateStrategy</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">minReadySeconds</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32)</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">templateGeneration</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">A sequence number representing a specific generation of the template. Populated by the system. It can be set only during the creation.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_v1_azurefilevolumesource">v1.AzureFileVolumeSource</h3>
@ -4995,6 +4995,10 @@ Examples:<br>
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_unixuserid">types.UnixUserID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1_scaleiovolumesource">v1.ScaleIOVolumeSource</h3>
@ -5461,6 +5465,10 @@ Examples:<br>
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_unixgroupid">types.UnixGroupID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1beta1_deploymentrollback">v1beta1.DeploymentRollback</h3>
@ -6252,7 +6260,7 @@ Both these may change in the future. Incoming requests are matched against the h
 <td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -6266,7 +6274,7 @@ Both these may change in the future. Incoming requests are matched against the h
 <td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID.  If unspecified, no groups will be added to any container.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -6275,7 +6283,7 @@ Both these may change in the future. Incoming requests are matched against the h
 <br>
 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 </tbody>
@ -6883,7 +6891,7 @@ Both these may change in the future. Incoming requests are matched against the h
 <td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -7986,7 +7994,7 @@ Both these may change in the future. Incoming requests are matched against the h
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2017-05-02 14:38:05 UTC
+Last updated 2017-04-26 21:12:08 UTC
 </div>
 </div>
 </body>
--- a/docs/api-reference/v1/definitions.html
+++ b/docs/api-reference/v1/definitions.html
@ -6039,6 +6039,10 @@ Examples:<br>
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_unixuserid">types.UnixUserID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1_photonpersistentdiskvolumesource">v1.PhotonPersistentDiskVolumeSource</h3>
@ -6397,6 +6401,10 @@ Examples:<br>
 </tbody>
 </table>
 </div>
 <div class="sect2">
 <h3 id="_types_unixgroupid">types.UnixGroupID</h3>
 </div>
 <div class="sect2">
 <h3 id="_v1_httpheader">v1.HTTPHeader</h3>
@ -7042,7 +7050,7 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -7056,7 +7064,7 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">supplementalGroups</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">A list of groups applied to the first process run in each container, in addition to the container&#8217;s primary GID.  If unspecified, no groups will be added to any container.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32) array</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a> array</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -7065,7 +7073,7 @@ Examples:<br>
 <br>
 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR&#8217;d with rw-rw</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixgroupid">types.UnixGroupID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 </tbody>
@ -8092,7 +8100,7 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">runAsUser</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.</p></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int64)</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_types_unixuserid">types.UnixUserID</a></p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
 <tr>
@ -9919,7 +9927,7 @@ Examples:<br>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2017-05-02 14:37:16 UTC
+Last updated 2017-04-26 21:11:18 UTC
 </div>
 </div>
 </body>
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@ -2153,7 +2153,7 @@ type PodSecurityContext struct {
 	// PodSecurityContext, the value specified in SecurityContext takes precedence
 	// for that container.
 	// +optional
-	RunAsUser *int64
+	RunAsUser *types.UnixUserID
 	// Indicates that the container must run as a non-root user.
 	// If true, the Kubelet will validate the image at runtime to ensure that it
 	// does not run as UID 0 (root) and fail to start the container if it does.
@ -2166,7 +2166,7 @@ type PodSecurityContext struct {
 	// to the container's primary GID.  If unspecified, no groups will be added to
 	// any container.
 	// +optional
-	SupplementalGroups []int64
+	SupplementalGroups []types.UnixGroupID
 	// A special supplemental group that applies to all containers in a pod.
 	// Some volume types allow the Kubelet to change the ownership of that volume
 	// to be owned by the pod:
@ -2177,7 +2177,7 @@ type PodSecurityContext struct {
 	//
 	// If unset, the Kubelet will not modify the ownership and permissions of any volume.
 	// +optional
-	FSGroup *int64
+	FSGroup *types.UnixGroupID
 }
 // PodQOSClass defines the supported qos classes of Pods.
@ -3780,7 +3780,7 @@ type SecurityContext struct {
 	// May also be set in PodSecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
-	RunAsUser *int64
+	RunAsUser *types.UnixUserID
 	// Indicates that the container must run as a non-root user.
 	// If true, the Kubelet will validate the image at runtime to ensure that it
 	// does not run as UID 0 (root) and fail to start the container if it does.
--- a/pkg/api/v1/generated.pb.go
+++ b/pkg/api/v1/generated.pb.go
--- a/pkg/api/v1/types.generated.go
+++ b/pkg/api/v1/types.generated.go
@ -35864,6 +35864,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 						yym8 := z.EncBinary()
 						_ = yym8
 						if false {
 						} else if z.HasExtensions() && z.EncExt(yy7) {
 						} else {
 							r.EncodeInt(int64(yy7))
 						}
@ -35883,6 +35884,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 						yym10 := z.EncBinary()
 						_ = yym10
 						if false {
 						} else if z.HasExtensions() && z.EncExt(yy9) {
 						} else {
 							r.EncodeInt(int64(yy9))
 						}
@ -35934,7 +35936,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 						_ = yym17
 						if false {
 						} else {
-							z.F.EncSliceInt64V(x.SupplementalGroups, false, e)
+							h.encSlicetypes_UnixGroupID(([]pkg1_types.UnixGroupID)(x.SupplementalGroups), e)
 						}
 					}
 				} else {
@ -35952,7 +35954,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 						_ = yym18
 						if false {
 						} else {
-							z.F.EncSliceInt64V(x.SupplementalGroups, false, e)
+							h.encSlicetypes_UnixGroupID(([]pkg1_types.UnixGroupID)(x.SupplementalGroups), e)
 						}
 					}
 				}
@ -35967,6 +35969,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 						yym21 := z.EncBinary()
 						_ = yym21
 						if false {
 						} else if z.HasExtensions() && z.EncExt(yy20) {
 						} else {
 							r.EncodeInt(int64(yy20))
 						}
@ -35986,6 +35989,7 @@ func (x *PodSecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 						yym23 := z.EncBinary()
 						_ = yym23
 						if false {
 						} else if z.HasExtensions() && z.EncExt(yy22) {
 						} else {
 							r.EncodeInt(int64(yy22))
 						}
@ -36071,11 +36075,12 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
 				}
 			} else {
 				if x.RunAsUser == nil {
-					x.RunAsUser = new(int64)
+					x.RunAsUser = new(pkg1_types.UnixUserID)
 				}
 				yym6 := z.DecBinary()
 				_ = yym6
 				if false {
 				} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
 				} else {
 					*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
 				}
@ -36105,7 +36110,7 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
 				_ = yym10
 				if false {
 				} else {
-					z.F.DecSliceInt64X(yyv9, false, d)
+					h.decSlicetypes_UnixGroupID((*[]pkg1_types.UnixGroupID)(yyv9), d)
 				}
 			}
 		case "fsGroup":
@ -36115,11 +36120,12 @@ func (x *PodSecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder)
 				}
 			} else {
 				if x.FSGroup == nil {
-					x.FSGroup = new(int64)
+					x.FSGroup = new(pkg1_types.UnixGroupID)
 				}
 				yym12 := z.DecBinary()
 				_ = yym12
 				if false {
 				} else if z.HasExtensions() && z.DecExt(x.FSGroup) {
 				} else {
 					*((*int64)(x.FSGroup)) = int64(r.DecodeInt(64))
 				}
@ -36176,11 +36182,12 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
 		}
 	} else {
 		if x.RunAsUser == nil {
-			x.RunAsUser = new(int64)
+			x.RunAsUser = new(pkg1_types.UnixUserID)
 		}
 		yym16 := z.DecBinary()
 		_ = yym16
 		if false {
 		} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
 		} else {
 			*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
 		}
@ -36230,7 +36237,7 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
 		_ = yym20
 		if false {
 		} else {
-			z.F.DecSliceInt64X(yyv19, false, d)
+			h.decSlicetypes_UnixGroupID((*[]pkg1_types.UnixGroupID)(yyv19), d)
 		}
 	}
 	yyj13++
@ -36250,11 +36257,12 @@ func (x *PodSecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decode
 		}
 	} else {
 		if x.FSGroup == nil {
-			x.FSGroup = new(int64)
+			x.FSGroup = new(pkg1_types.UnixGroupID)
 		}
 		yym22 := z.DecBinary()
 		_ = yym22
 		if false {
 		} else if z.HasExtensions() && z.DecExt(x.FSGroup) {
 		} else {
 			*((*int64)(x.FSGroup)) = int64(r.DecodeInt(64))
 		}
@ -66020,6 +66028,7 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 						yym16 := z.EncBinary()
 						_ = yym16
 						if false {
 						} else if z.HasExtensions() && z.EncExt(yy15) {
 						} else {
 							r.EncodeInt(int64(yy15))
 						}
@ -66039,6 +66048,7 @@ func (x *SecurityContext) CodecEncodeSelf(e *codec1978.Encoder) {
 						yym18 := z.EncBinary()
 						_ = yym18
 						if false {
 						} else if z.HasExtensions() && z.EncExt(yy17) {
 						} else {
 							r.EncodeInt(int64(yy17))
 						}
@ -66221,11 +66231,12 @@ func (x *SecurityContext) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
 				}
 			} else {
 				if x.RunAsUser == nil {
-					x.RunAsUser = new(int64)
+					x.RunAsUser = new(pkg1_types.UnixUserID)
 				}
 				yym9 := z.DecBinary()
 				_ = yym9
 				if false {
 				} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
 				} else {
 					*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
 				}
@ -66361,11 +66372,12 @@ func (x *SecurityContext) codecDecodeSelfFromArray(l int, d *codec1978.Decoder)
 		}
 	} else {
 		if x.RunAsUser == nil {
-			x.RunAsUser = new(int64)
+			x.RunAsUser = new(pkg1_types.UnixUserID)
 		}
 		yym20 := z.DecBinary()
 		_ = yym20
 		if false {
 		} else if z.HasExtensions() && z.DecExt(x.RunAsUser) {
 		} else {
 			*((*int64)(x.RunAsUser)) = int64(r.DecodeInt(64))
 		}
@ -70239,6 +70251,143 @@ func (x codecSelfer1234) decSliceHostAlias(v *[]HostAlias, d *codec1978.Decoder)
 	}
 }
 func (x codecSelfer1234) encSlicetypes_UnixGroupID(v []pkg1_types.UnixGroupID, e *codec1978.Encoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperEncoder(e)
 	_, _, _ = h, z, r
 	r.EncodeArrayStart(len(v))
 	for _, yyv1 := range v {
 		z.EncSendContainerState(codecSelfer_containerArrayElem1234)
 		yym2 := z.EncBinary()
 		_ = yym2
 		if false {
 		} else if z.HasExtensions() && z.EncExt(yyv1) {
 		} else {
 			r.EncodeInt(int64(yyv1))
 		}
 	}
 	z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
 }
 func (x codecSelfer1234) decSlicetypes_UnixGroupID(v *[]pkg1_types.UnixGroupID, d *codec1978.Decoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperDecoder(d)
 	_, _, _ = h, z, r
 	yyv1 := *v
 	yyh1, yyl1 := z.DecSliceHelperStart()
 	var yyc1 bool
 	_ = yyc1
 	if yyl1 == 0 {
 		if yyv1 == nil {
 			yyv1 = []pkg1_types.UnixGroupID{}
 			yyc1 = true
 		} else if len(yyv1) != 0 {
 			yyv1 = yyv1[:0]
 			yyc1 = true
 		}
 	} else if yyl1 > 0 {
 		var yyrr1, yyrl1 int
 		var yyrt1 bool
 		_, _ = yyrl1, yyrt1
 		yyrr1 = yyl1 // len(yyv1)
 		if yyl1 > cap(yyv1) {
 			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 8)
 			if yyrt1 {
 				if yyrl1 <= cap(yyv1) {
 					yyv1 = yyv1[:yyrl1]
 				} else {
 					yyv1 = make([]pkg1_types.UnixGroupID, yyrl1)
 				}
 			} else {
 				yyv1 = make([]pkg1_types.UnixGroupID, yyrl1)
 			}
 			yyc1 = true
 			yyrr1 = len(yyv1)
 		} else if yyl1 != len(yyv1) {
 			yyv1 = yyv1[:yyl1]
 			yyc1 = true
 		}
 		yyj1 := 0
 		for ; yyj1 < yyrr1; yyj1++ {
 			yyh1.ElemContainerState(yyj1)
 			if r.TryDecodeAsNil() {
 				yyv1[yyj1] = 0
 			} else {
 				yyv2 := &yyv1[yyj1]
 				yym3 := z.DecBinary()
 				_ = yym3
 				if false {
 				} else if z.HasExtensions() && z.DecExt(yyv2) {
 				} else {
 					*((*int64)(yyv2)) = int64(r.DecodeInt(64))
 				}
 			}
 		}
 		if yyrt1 {
 			for ; yyj1 < yyl1; yyj1++ {
 				yyv1 = append(yyv1, 0)
 				yyh1.ElemContainerState(yyj1)
 				if r.TryDecodeAsNil() {
 					yyv1[yyj1] = 0
 				} else {
 					yyv4 := &yyv1[yyj1]
 					yym5 := z.DecBinary()
 					_ = yym5
 					if false {
 					} else if z.HasExtensions() && z.DecExt(yyv4) {
 					} else {
 						*((*int64)(yyv4)) = int64(r.DecodeInt(64))
 					}
 				}
 			}
 		}
 	} else {
 		yyj1 := 0
 		for ; !r.CheckBreak(); yyj1++ {
 			if yyj1 >= len(yyv1) {
 				yyv1 = append(yyv1, 0) // var yyz1 pkg1_types.UnixGroupID
 				yyc1 = true
 			}
 			yyh1.ElemContainerState(yyj1)
 			if yyj1 < len(yyv1) {
 				if r.TryDecodeAsNil() {
 					yyv1[yyj1] = 0
 				} else {
 					yyv6 := &yyv1[yyj1]
 					yym7 := z.DecBinary()
 					_ = yym7
 					if false {
 					} else if z.HasExtensions() && z.DecExt(yyv6) {
 					} else {
 						*((*int64)(yyv6)) = int64(r.DecodeInt(64))
 					}
 				}
 			} else {
 				z.DecSwallow()
 			}
 		}
 		if yyj1 < len(yyv1) {
 			yyv1 = yyv1[:yyj1]
 			yyc1 = true
 		} else if yyj1 == 0 && yyv1 == nil {
 			yyv1 = []pkg1_types.UnixGroupID{}
 			yyc1 = true
 		}
 	}
 	yyh1.End()
 	if yyc1 {
 		*v = yyv1
 	}
 }
 func (x codecSelfer1234) encSlicePodCondition(v []PodCondition, e *codec1978.Encoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperEncoder(e)
--- a/pkg/api/v1/types.go
+++ b/pkg/api/v1/types.go
@ -2440,7 +2440,7 @@ type PodSecurityContext struct {
 	// PodSecurityContext, the value specified in SecurityContext takes precedence
 	// for that container.
 	// +optional
-	RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
+	RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
 	// Indicates that the container must run as a non-root user.
 	// If true, the Kubelet will validate the image at runtime to ensure that it
 	// does not run as UID 0 (root) and fail to start the container if it does.
@ -2453,7 +2453,7 @@ type PodSecurityContext struct {
 	// to the container's primary GID.  If unspecified, no groups will be added to
 	// any container.
 	// +optional
-	SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
+	SupplementalGroups []types.UnixGroupID `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
 	// A special supplemental group that applies to all containers in a pod.
 	// Some volume types allow the Kubelet to change the ownership of that volume
 	// to be owned by the pod:
@ -2464,7 +2464,7 @@ type PodSecurityContext struct {
 	//
 	// If unset, the Kubelet will not modify the ownership and permissions of any volume.
 	// +optional
-	FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
+	FSGroup *types.UnixGroupID `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup,casttype=k8s.io/apimachinery/pkg/types.UnixGroupID"`
 }
 // PodQOSClass defines the supported qos classes of Pods.
@ -4369,7 +4369,7 @@ type SecurityContext struct {
 	// May also be set in PodSecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
-	RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
+	RunAsUser *types.UnixUserID `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser,casttype=k8s.io/apimachinery/pkg/types.UnixUserID"`
 	// Indicates that the container must run as a non-root user.
 	// If true, the Kubelet will validate the image at runtime to ensure that it
 	// does not run as UID 0 (root) and fail to start the container if it does.
--- a/pkg/api/v1/zz_generated.conversion.go
+++ b/pkg/api/v1/zz_generated.conversion.go
@ -3412,10 +3412,10 @@ func Convert_api_PodProxyOptions_To_v1_PodProxyOptions(in *api.PodProxyOptions,
 func autoConvert_v1_PodSecurityContext_To_api_PodSecurityContext(in *PodSecurityContext, out *api.PodSecurityContext, s conversion.Scope) error {
 	out.SELinuxOptions = (*api.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
-	out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
+	out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
 	out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
-	out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
+	out.SupplementalGroups = *(*[]types.UnixGroupID)(unsafe.Pointer(&in.SupplementalGroups))
-	out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
+	out.FSGroup = (*types.UnixGroupID)(unsafe.Pointer(in.FSGroup))
 	return nil
 }
@ -3424,10 +3424,10 @@ func autoConvert_api_PodSecurityContext_To_v1_PodSecurityContext(in *api.PodSecu
 	// INFO: in.HostPID opted out of conversion generation
 	// INFO: in.HostIPC opted out of conversion generation
 	out.SELinuxOptions = (*SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
-	out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
+	out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
 	out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
-	out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
+	out.SupplementalGroups = *(*[]types.UnixGroupID)(unsafe.Pointer(&in.SupplementalGroups))
-	out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
+	out.FSGroup = (*types.UnixGroupID)(unsafe.Pointer(in.FSGroup))
 	return nil
 }
@ -4487,7 +4487,7 @@ func autoConvert_v1_SecurityContext_To_api_SecurityContext(in *SecurityContext,
 	out.Capabilities = (*api.Capabilities)(unsafe.Pointer(in.Capabilities))
 	out.Privileged = (*bool)(unsafe.Pointer(in.Privileged))
 	out.SELinuxOptions = (*api.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
-	out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
+	out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
 	out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
 	out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
 	return nil
@ -4502,7 +4502,7 @@ func autoConvert_api_SecurityContext_To_v1_SecurityContext(in *api.SecurityConte
 	out.Capabilities = (*Capabilities)(unsafe.Pointer(in.Capabilities))
 	out.Privileged = (*bool)(unsafe.Pointer(in.Privileged))
 	out.SELinuxOptions = (*SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
-	out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
+	out.RunAsUser = (*types.UnixUserID)(unsafe.Pointer(in.RunAsUser))
 	out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
 	out.ReadOnlyRootFilesystem = (*bool)(unsafe.Pointer(in.ReadOnlyRootFilesystem))
 	return nil
--- a/pkg/api/v1/zz_generated.deepcopy.go
+++ b/pkg/api/v1/zz_generated.deepcopy.go
@ -2317,7 +2317,7 @@ func DeepCopy_v1_PodSecurityContext(in interface{}, out interface{}, c *conversi
 		}
 		if in.RunAsUser != nil {
 			in, out := &in.RunAsUser, &out.RunAsUser
-			*out = new(int64)
+			*out = new(types.UnixUserID)
 			**out = **in
 		}
 		if in.RunAsNonRoot != nil {
@ -2327,12 +2327,12 @@ func DeepCopy_v1_PodSecurityContext(in interface{}, out interface{}, c *conversi
 		}
 		if in.SupplementalGroups != nil {
 			in, out := &in.SupplementalGroups, &out.SupplementalGroups
-			*out = make([]int64, len(*in))
+			*out = make([]types.UnixGroupID, len(*in))
 			copy(*out, *in)
 		}
 		if in.FSGroup != nil {
 			in, out := &in.FSGroup, &out.FSGroup
-			*out = new(int64)
+			*out = new(types.UnixGroupID)
 			**out = **in
 		}
 		return nil
@ -3076,7 +3076,7 @@ func DeepCopy_v1_SecurityContext(in interface{}, out interface{}, c *conversion.
 		}
 		if in.RunAsUser != nil {
 			in, out := &in.RunAsUser, &out.RunAsUser
-			*out = new(int64)
+			*out = new(types.UnixUserID)
 			**out = **in
 		}
 		if in.RunAsNonRoot != nil {
--- a/pkg/api/validation/BUILD
+++ b/pkg/api/validation/BUILD
@ -82,6 +82,7 @@ go_test(
        "//vendor/k8s.io/apimachinery/pkg/api/testing:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
--- a/pkg/api/validation/schema.go
+++ b/pkg/api/validation/schema.go
@ -359,7 +359,7 @@ func (s *SwaggerSchema) isGenericArray(p swagger.ModelProperty) bool {
 }
 // This matches type name in the swagger spec, such as "v1.Binding".
-var versionRegexp = regexp.MustCompile(`^(v.+|unversioned)\..*`)
+var versionRegexp = regexp.MustCompile(`^(v.+|unversioned|types)\..*`)
 func (s *SwaggerSchema) validateField(value interface{}, fieldName, fieldType string, fieldDetails *swagger.ModelProperty) []error {
 	allErrs := []error{}
--- a/pkg/api/validation/validation.go
+++ b/pkg/api/validation/validation.go
@ -2430,17 +2430,17 @@ func ValidatePodSecurityContext(securityContext *api.PodSecurityContext, spec *a
 		allErrs = append(allErrs, validateHostNetwork(securityContext.HostNetwork, spec.Containers, specPath.Child("containers"))...)
 		allErrs = append(allErrs, validateHostNetworkNoHostAliases(securityContext.HostNetwork, spec.HostAliases, specPath)...)
 		if securityContext.FSGroup != nil {
-			for _, msg := range validation.IsValidGroupId(*securityContext.FSGroup) {
+			for _, msg := range validation.IsValidGroupID(*securityContext.FSGroup) {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("fsGroup"), *(securityContext.FSGroup), msg))
 			}
 		}
 		if securityContext.RunAsUser != nil {
-			for _, msg := range validation.IsValidUserId(*securityContext.RunAsUser) {
+			for _, msg := range validation.IsValidUserID(*securityContext.RunAsUser) {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("runAsUser"), *(securityContext.RunAsUser), msg))
 			}
 		}
 		for g, gid := range securityContext.SupplementalGroups {
-			for _, msg := range validation.IsValidGroupId(gid) {
+			for _, msg := range validation.IsValidGroupID(gid) {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("supplementalGroups").Index(g), gid, msg))
 			}
 		}
--- a/pkg/api/validation/validation_test.go
+++ b/pkg/api/validation/validation_test.go
@ -23,6 +23,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@ -3121,8 +3122,12 @@ func TestValidateDNSPolicy(t *testing.T) {
 func TestValidatePodSpec(t *testing.T) {
 	activeDeadlineSeconds := int64(30)
-	minID := int64(0)
+
-	maxID := int64(2147483647)
+	minUserID := types.UnixUserID(0)
 	maxUserID := types.UnixUserID(2147483647)
 	minGroupID := types.UnixGroupID(0)
 	maxGroupID := types.UnixGroupID(2147483647)
 	successCases := []api.PodSpec{
 		{ // Populate basic fields, leave defaults for most.
 			Volumes:       []api.Volume{{Name: "vol", VolumeSource: api.VolumeSource{EmptyDir: &api.EmptyDirVolumeSource{}}}},
@ -3161,9 +3166,9 @@ func TestValidatePodSpec(t *testing.T) {
 		{ // Populate RunAsUser SupplementalGroups FSGroup with minID 0
 			Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
 			SecurityContext: &api.PodSecurityContext{
-				SupplementalGroups: []int64{minID},
+				SupplementalGroups: []types.UnixGroupID{minGroupID},
-				RunAsUser:          &minID,
+				RunAsUser:          &minUserID,
-				FSGroup:            &minID,
+				FSGroup:            &minGroupID,
 			},
 			RestartPolicy: api.RestartPolicyAlways,
 			DNSPolicy:     api.DNSClusterFirst,
@ -3171,9 +3176,9 @@ func TestValidatePodSpec(t *testing.T) {
 		{ // Populate RunAsUser SupplementalGroups FSGroup with maxID 2147483647
 			Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
 			SecurityContext: &api.PodSecurityContext{
-				SupplementalGroups: []int64{maxID},
+				SupplementalGroups: []types.UnixGroupID{maxGroupID},
-				RunAsUser:          &maxID,
+				RunAsUser:          &maxUserID,
-				FSGroup:            &maxID,
+				FSGroup:            &maxGroupID,
 			},
 			RestartPolicy: api.RestartPolicyAlways,
 			DNSPolicy:     api.DNSClusterFirst,
@ -3217,8 +3222,12 @@ func TestValidatePodSpec(t *testing.T) {
 	}
 	activeDeadlineSeconds = int64(0)
-	minID = int64(-1)
+
-	maxID = int64(2147483648)
+	minUserID = types.UnixUserID(-1)
 	maxUserID = types.UnixUserID(2147483648)
 	minGroupID = types.UnixGroupID(-1)
 	maxGroupID = types.UnixGroupID(2147483648)
 	failureCases := map[string]api.PodSpec{
 		"bad volume": {
 			Volumes:       []api.Volume{{}},
@ -3291,7 +3300,7 @@ func TestValidatePodSpec(t *testing.T) {
 			Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
 			SecurityContext: &api.PodSecurityContext{
 				HostNetwork:        false,
-				SupplementalGroups: []int64{maxID, 1234},
+				SupplementalGroups: []types.UnixGroupID{maxGroupID, 1234},
 			},
 			RestartPolicy: api.RestartPolicyAlways,
 			DNSPolicy:     api.DNSClusterFirst,
@ -3300,7 +3309,7 @@ func TestValidatePodSpec(t *testing.T) {
 			Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
 			SecurityContext: &api.PodSecurityContext{
 				HostNetwork:        false,
-				SupplementalGroups: []int64{minID, 1234},
+				SupplementalGroups: []types.UnixGroupID{minGroupID, 1234},
 			},
 			RestartPolicy: api.RestartPolicyAlways,
 			DNSPolicy:     api.DNSClusterFirst,
@ -3309,7 +3318,7 @@ func TestValidatePodSpec(t *testing.T) {
 			Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
 			SecurityContext: &api.PodSecurityContext{
 				HostNetwork: false,
-				RunAsUser:   &maxID,
+				RunAsUser:   &maxUserID,
 			},
 			RestartPolicy: api.RestartPolicyAlways,
 			DNSPolicy:     api.DNSClusterFirst,
@ -3318,7 +3327,7 @@ func TestValidatePodSpec(t *testing.T) {
 			Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
 			SecurityContext: &api.PodSecurityContext{
 				HostNetwork: false,
-				RunAsUser:   &minID,
+				RunAsUser:   &minUserID,
 			},
 			RestartPolicy: api.RestartPolicyAlways,
 			DNSPolicy:     api.DNSClusterFirst,
@ -3327,7 +3336,7 @@ func TestValidatePodSpec(t *testing.T) {
 			Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
 			SecurityContext: &api.PodSecurityContext{
 				HostNetwork: false,
-				FSGroup:     &maxID,
+				FSGroup:     &maxGroupID,
 			},
 			RestartPolicy: api.RestartPolicyAlways,
 			DNSPolicy:     api.DNSClusterFirst,
@ -3336,7 +3345,7 @@ func TestValidatePodSpec(t *testing.T) {
 			Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
 			SecurityContext: &api.PodSecurityContext{
 				HostNetwork: false,
-				FSGroup:     &minID,
+				FSGroup:     &minGroupID,
 			},
 			RestartPolicy: api.RestartPolicyAlways,
 			DNSPolicy:     api.DNSClusterFirst,
@ -8721,7 +8730,7 @@ func TestValidateTLSSecret(t *testing.T) {
 func TestValidateSecurityContext(t *testing.T) {
 	priv := false
-	var runAsUser int64 = 1
+	runAsUser := types.UnixUserID(1)
 	fullValidSC := func() *api.SecurityContext {
 		return &api.SecurityContext{
 			Privileged: &priv,
@ -8773,7 +8782,7 @@ func TestValidateSecurityContext(t *testing.T) {
 	privRequestWithGlobalDeny.Privileged = &requestPrivileged
 	negativeRunAsUser := fullValidSC()
-	var negativeUser int64 = -1
+	negativeUser := types.UnixUserID(-1)
 	negativeRunAsUser.RunAsUser = &negativeUser
 	errorCases := map[string]struct {
--- a/pkg/api/zz_generated.deepcopy.go
+++ b/pkg/api/zz_generated.deepcopy.go
@ -2335,7 +2335,7 @@ func DeepCopy_api_PodSecurityContext(in interface{}, out interface{}, c *convers
 		}
 		if in.RunAsUser != nil {
 			in, out := &in.RunAsUser, &out.RunAsUser
-			*out = new(int64)
+			*out = new(types.UnixUserID)
 			**out = **in
 		}
 		if in.RunAsNonRoot != nil {
@ -2345,12 +2345,12 @@ func DeepCopy_api_PodSecurityContext(in interface{}, out interface{}, c *convers
 		}
 		if in.SupplementalGroups != nil {
 			in, out := &in.SupplementalGroups, &out.SupplementalGroups
-			*out = make([]int64, len(*in))
+			*out = make([]types.UnixGroupID, len(*in))
 			copy(*out, *in)
 		}
 		if in.FSGroup != nil {
 			in, out := &in.FSGroup, &out.FSGroup
-			*out = new(int64)
+			*out = new(types.UnixGroupID)
 			**out = **in
 		}
 		return nil
@ -3082,7 +3082,7 @@ func DeepCopy_api_SecurityContext(in interface{}, out interface{}, c *conversion
 		}
 		if in.RunAsUser != nil {
 			in, out := &in.RunAsUser, &out.RunAsUser
-			*out = new(int64)
+			*out = new(types.UnixUserID)
 			**out = **in
 		}
 		if in.RunAsNonRoot != nil {
--- a/pkg/apis/extensions/BUILD
+++ b/pkg/apis/extensions/BUILD
@ -32,6 +32,7 @@ go_library(
        "//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
    ],
 )
--- a/pkg/apis/extensions/types.go
+++ b/pkg/apis/extensions/types.go
@ -31,6 +31,7 @@ package extensions
 import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/kubernetes/pkg/api"
 )
@ -948,15 +949,23 @@ type RunAsUserStrategyOptions struct {
 	Rule RunAsUserStrategy
 	// Ranges are the allowed ranges of uids that may be used.
 	// +optional
-	Ranges []IDRange
+	Ranges []UserIDRange
 }
-// IDRange provides a min/max of an allowed range of IDs.
+// UserIDRange provides a min/max of an allowed range of UserIDs.
-type IDRange struct {
+type UserIDRange struct {
 	// Min is the start of the range, inclusive.
-	Min int64
+	Min types.UnixUserID
 	// Max is the end of the range, inclusive.
-	Max int64
+	Max types.UnixUserID
 }
 // GroupIDRange provides a min/max of an allowed range of GroupIDs.
 type GroupIDRange struct {
 	// Min is the start of the range, inclusive.
 	Min types.UnixGroupID
 	// Max is the end of the range, inclusive.
 	Max types.UnixGroupID
 }
 // RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
@ -980,7 +989,7 @@ type FSGroupStrategyOptions struct {
 	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
 	// fs group then supply a single range with the same start and end.
 	// +optional
-	Ranges []IDRange
+	Ranges []GroupIDRange
 }
 // FSGroupStrategyType denotes strategy types for generating FSGroup values for a
@ -1002,7 +1011,7 @@ type SupplementalGroupsStrategyOptions struct {
 	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
 	// supplemental group then supply a single range with the same start and end.
 	// +optional
-	Ranges []IDRange
+	Ranges []GroupIDRange
 }
 // SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
--- a/pkg/apis/extensions/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/extensions/v1beta1/zz_generated.conversion.go
@ -81,8 +81,6 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_extensions_HTTPIngressRuleValue_To_v1beta1_HTTPIngressRuleValue,
 		Convert_v1beta1_HostPortRange_To_extensions_HostPortRange,
 		Convert_extensions_HostPortRange_To_v1beta1_HostPortRange,
 		Convert_v1beta1_IDRange_To_extensions_IDRange,
 		Convert_extensions_IDRange_To_v1beta1_IDRange,
 		Convert_v1beta1_Ingress_To_extensions_Ingress,
 		Convert_extensions_Ingress_To_v1beta1_Ingress,
 		Convert_v1beta1_IngressBackend_To_extensions_IngressBackend,
@ -684,7 +682,7 @@ func autoConvert_extensions_DeploymentStrategy_To_v1beta1_DeploymentStrategy(in
 func autoConvert_v1beta1_FSGroupStrategyOptions_To_extensions_FSGroupStrategyOptions(in *FSGroupStrategyOptions, out *extensions.FSGroupStrategyOptions, s conversion.Scope) error {
 	out.Rule = extensions.FSGroupStrategyType(in.Rule)
-	out.Ranges = *(*[]extensions.IDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
@ -776,28 +774,6 @@ func Convert_extensions_HostPortRange_To_v1beta1_HostPortRange(in *extensions.Ho
 	return autoConvert_extensions_HostPortRange_To_v1beta1_HostPortRange(in, out, s)
 }
 func autoConvert_v1beta1_IDRange_To_extensions_IDRange(in *IDRange, out *extensions.IDRange, s conversion.Scope) error {
 	out.Min = in.Min
 	out.Max = in.Max
 	return nil
 }
 // Convert_v1beta1_IDRange_To_extensions_IDRange is an autogenerated conversion function.
 func Convert_v1beta1_IDRange_To_extensions_IDRange(in *IDRange, out *extensions.IDRange, s conversion.Scope) error {
 	return autoConvert_v1beta1_IDRange_To_extensions_IDRange(in, out, s)
 }
 func autoConvert_extensions_IDRange_To_v1beta1_IDRange(in *extensions.IDRange, out *IDRange, s conversion.Scope) error {
 	out.Min = in.Min
 	out.Max = in.Max
 	return nil
 }
 // Convert_extensions_IDRange_To_v1beta1_IDRange is an autogenerated conversion function.
 func Convert_extensions_IDRange_To_v1beta1_IDRange(in *extensions.IDRange, out *IDRange, s conversion.Scope) error {
 	return autoConvert_extensions_IDRange_To_v1beta1_IDRange(in, out, s)
 }
 func autoConvert_v1beta1_Ingress_To_extensions_Ingress(in *Ingress, out *extensions.Ingress, s conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
 	if err := Convert_v1beta1_IngressSpec_To_extensions_IngressSpec(&in.Spec, &out.Spec, s); err != nil {
@ -1504,7 +1480,7 @@ func autoConvert_extensions_RollingUpdateDeployment_To_v1beta1_RollingUpdateDepl
 func autoConvert_v1beta1_RunAsUserStrategyOptions_To_extensions_RunAsUserStrategyOptions(in *RunAsUserStrategyOptions, out *extensions.RunAsUserStrategyOptions, s conversion.Scope) error {
 	out.Rule = extensions.RunAsUserStrategy(in.Rule)
-	out.Ranges = *(*[]extensions.IDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]extensions.UserIDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
@ -1613,7 +1589,7 @@ func autoConvert_extensions_ScaleStatus_To_v1beta1_ScaleStatus(in *extensions.Sc
 func autoConvert_v1beta1_SupplementalGroupsStrategyOptions_To_extensions_SupplementalGroupsStrategyOptions(in *SupplementalGroupsStrategyOptions, out *extensions.SupplementalGroupsStrategyOptions, s conversion.Scope) error {
 	out.Rule = extensions.SupplementalGroupsStrategyType(in.Rule)
-	out.Ranges = *(*[]extensions.IDRange)(unsafe.Pointer(&in.Ranges))
+	out.Ranges = *(*[]extensions.GroupIDRange)(unsafe.Pointer(&in.Ranges))
 	return nil
 }
--- a/pkg/apis/extensions/validation/validation.go
+++ b/pkg/apis/extensions/validation/validation.go
@ -750,7 +750,7 @@ func validatePSPRunAsUser(fldPath *field.Path, runAsUser *extensions.RunAsUserSt
 	// validate range settings
 	for idx, rng := range runAsUser.Ranges {
-		allErrs = append(allErrs, validateIDRanges(fldPath.Child("ranges").Index(idx), rng)...)
+		allErrs = append(allErrs, validateUserIDRange(fldPath.Child("ranges").Index(idx), rng)...)
 	}
 	return allErrs
@ -769,7 +769,7 @@ func validatePSPFSGroup(fldPath *field.Path, groupOptions *extensions.FSGroupStr
 	}
 	for idx, rng := range groupOptions.Ranges {
-		allErrs = append(allErrs, validateIDRanges(fldPath.Child("ranges").Index(idx), rng)...)
+		allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
 	}
 	return allErrs
 }
@ -787,7 +787,7 @@ func validatePSPSupplementalGroup(fldPath *field.Path, groupOptions *extensions.
 	}
 	for idx, rng := range groupOptions.Ranges {
-		allErrs = append(allErrs, validateIDRanges(fldPath.Child("ranges").Index(idx), rng)...)
+		allErrs = append(allErrs, validateGroupIDRange(fldPath.Child("ranges").Index(idx), rng)...)
 	}
 	return allErrs
 }
@ -837,20 +837,28 @@ func validatePodSecurityPolicySysctls(fldPath *field.Path, sysctls []string) fie
 	return allErrs
 }
 func validateUserIDRange(fldPath *field.Path, rng extensions.UserIDRange) field.ErrorList {
 	return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
 }
 func validateGroupIDRange(fldPath *field.Path, rng extensions.GroupIDRange) field.ErrorList {
 	return validateIDRanges(fldPath, int64(rng.Min), int64(rng.Max))
 }
 // validateIDRanges ensures the range is valid.
-func validateIDRanges(fldPath *field.Path, rng extensions.IDRange) field.ErrorList {
+func validateIDRanges(fldPath *field.Path, min, max int64) field.ErrorList {
 	allErrs := field.ErrorList{}
 	// if 0 <= Min <= Max then we do not need to validate max.  It is always greater than or
 	// equal to 0 and Min.
-	if rng.Min < 0 {
+	if min < 0 {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), rng.Min, "min cannot be negative"))
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be negative"))
 	}
-	if rng.Max < 0 {
+	if max < 0 {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), rng.Max, "max cannot be negative"))
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("max"), max, "max cannot be negative"))
 	}
-	if rng.Min > rng.Max {
+	if min > max {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), rng.Min, "min cannot be greater than max"))
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("min"), min, "min cannot be greater than max"))
 	}
 	return allErrs
--- a/pkg/apis/extensions/validation/validation_test.go
+++ b/pkg/apis/extensions/validation/validation_test.go
@ -2346,9 +2346,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 	invalidUIDPSP := validPSP()
 	invalidUIDPSP.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
-	invalidUIDPSP.Spec.RunAsUser.Ranges = []extensions.IDRange{
+	invalidUIDPSP.Spec.RunAsUser.Ranges = []extensions.UserIDRange{{Min: -1, Max: 1}}
 		{Min: -1, Max: 1},
 	}
 	missingObjectMetaName := validPSP()
 	missingObjectMetaName.ObjectMeta.Name = ""
@ -2366,17 +2364,17 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 	invalidSupGroupStratType.Spec.SupplementalGroups.Rule = "invalid"
 	invalidRangeMinGreaterThanMax := validPSP()
-	invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []extensions.IDRange{
+	invalidRangeMinGreaterThanMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
 		{Min: 2, Max: 1},
 	}
 	invalidRangeNegativeMin := validPSP()
-	invalidRangeNegativeMin.Spec.FSGroup.Ranges = []extensions.IDRange{
+	invalidRangeNegativeMin.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
 		{Min: -1, Max: 10},
 	}
 	invalidRangeNegativeMax := validPSP()
-	invalidRangeNegativeMax.Spec.FSGroup.Ranges = []extensions.IDRange{
+	invalidRangeNegativeMax.Spec.FSGroup.Ranges = []extensions.GroupIDRange{
 		{Min: 1, Max: -10},
 	}
@ -2558,7 +2556,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
 	mustRunAs.Spec.FSGroup.Rule = extensions.FSGroupStrategyMustRunAs
 	mustRunAs.Spec.SupplementalGroups.Rule = extensions.SupplementalGroupsStrategyMustRunAs
 	mustRunAs.Spec.RunAsUser.Rule = extensions.RunAsUserStrategyMustRunAs
-	mustRunAs.Spec.RunAsUser.Ranges = []extensions.IDRange{
+	mustRunAs.Spec.RunAsUser.Ranges = []extensions.UserIDRange{
 		{Min: 1, Max: 1},
 	}
 	mustRunAs.Spec.SELinux.Rule = extensions.SELinuxStrategyMustRunAs
--- a/pkg/apis/extensions/zz_generated.deepcopy.go
+++ b/pkg/apis/extensions/zz_generated.deepcopy.go
@ -55,10 +55,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_DeploymentStatus, InType: reflect.TypeOf(&DeploymentStatus{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_DeploymentStrategy, InType: reflect.TypeOf(&DeploymentStrategy{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_FSGroupStrategyOptions, InType: reflect.TypeOf(&FSGroupStrategyOptions{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_GroupIDRange, InType: reflect.TypeOf(&GroupIDRange{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_HTTPIngressPath, InType: reflect.TypeOf(&HTTPIngressPath{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_HTTPIngressRuleValue, InType: reflect.TypeOf(&HTTPIngressRuleValue{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_HostPortRange, InType: reflect.TypeOf(&HostPortRange{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_IDRange, InType: reflect.TypeOf(&IDRange{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_Ingress, InType: reflect.TypeOf(&Ingress{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_IngressBackend, InType: reflect.TypeOf(&IngressBackend{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_IngressList, InType: reflect.TypeOf(&IngressList{})},
@ -95,6 +95,7 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_ThirdPartyResourceData, InType: reflect.TypeOf(&ThirdPartyResourceData{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_ThirdPartyResourceDataList, InType: reflect.TypeOf(&ThirdPartyResourceDataList{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_ThirdPartyResourceList, InType: reflect.TypeOf(&ThirdPartyResourceList{})},
 		conversion.GeneratedDeepCopyFunc{Fn: DeepCopy_extensions_UserIDRange, InType: reflect.TypeOf(&UserIDRange{})},
 	)
 }
@ -386,13 +387,22 @@ func DeepCopy_extensions_FSGroupStrategyOptions(in interface{}, out interface{},
 		*out = *in
 		if in.Ranges != nil {
 			in, out := &in.Ranges, &out.Ranges
-			*out = make([]IDRange, len(*in))
+			*out = make([]GroupIDRange, len(*in))
 			copy(*out, *in)
 		}
 		return nil
 	}
 }
 func DeepCopy_extensions_GroupIDRange(in interface{}, out interface{}, c *conversion.Cloner) error {
 	{
 		in := in.(*GroupIDRange)
 		out := out.(*GroupIDRange)
 		*out = *in
 		return nil
 	}
 }
 func DeepCopy_extensions_HTTPIngressPath(in interface{}, out interface{}, c *conversion.Cloner) error {
 	{
 		in := in.(*HTTPIngressPath)
@ -425,15 +435,6 @@ func DeepCopy_extensions_HostPortRange(in interface{}, out interface{}, c *conve
 	}
 }
 func DeepCopy_extensions_IDRange(in interface{}, out interface{}, c *conversion.Cloner) error {
 	{
 		in := in.(*IDRange)
 		out := out.(*IDRange)
 		*out = *in
 		return nil
 	}
 }
 func DeepCopy_extensions_Ingress(in interface{}, out interface{}, c *conversion.Cloner) error {
 	{
 		in := in.(*Ingress)
@ -906,7 +907,7 @@ func DeepCopy_extensions_RunAsUserStrategyOptions(in interface{}, out interface{
 		*out = *in
 		if in.Ranges != nil {
 			in, out := &in.Ranges, &out.Ranges
-			*out = make([]IDRange, len(*in))
+			*out = make([]UserIDRange, len(*in))
 			copy(*out, *in)
 		}
 		return nil
@ -977,7 +978,7 @@ func DeepCopy_extensions_SupplementalGroupsStrategyOptions(in interface{}, out i
 		*out = *in
 		if in.Ranges != nil {
 			in, out := &in.Ranges, &out.Ranges
-			*out = make([]IDRange, len(*in))
+			*out = make([]GroupIDRange, len(*in))
 			copy(*out, *in)
 		}
 		return nil
@ -1057,3 +1058,12 @@ func DeepCopy_extensions_ThirdPartyResourceList(in interface{}, out interface{},
 		return nil
 	}
 }
 func DeepCopy_extensions_UserIDRange(in interface{}, out interface{}, c *conversion.Cloner) error {
 	{
 		in := in.(*UserIDRange)
 		out := out.(*UserIDRange)
 		*out = *in
 		return nil
 	}
 }
--- a/pkg/kubelet/dockershim/securitycontext/BUILD
+++ b/pkg/kubelet/dockershim/securitycontext/BUILD
@ -36,6 +36,7 @@ go_test(
        "//pkg/api/testing:go_default_library",
        "//pkg/api/v1:go_default_library",
        "//vendor/github.com/docker/engine-api/types/container:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )
--- a/pkg/kubelet/dockershim/securitycontext/provider_test.go
+++ b/pkg/kubelet/dockershim/securitycontext/provider_test.go
@ -23,13 +23,14 @@ import (
 	"testing"
 	dockercontainer "github.com/docker/engine-api/types/container"
 	"k8s.io/apimachinery/pkg/types"
 	apitesting "k8s.io/kubernetes/pkg/api/testing"
 	"k8s.io/kubernetes/pkg/api/v1"
 )
 func TestModifyContainerConfig(t *testing.T) {
-	var uid int64 = 123
+	userID := types.UnixUserID(123)
-	var overrideUid int64 = 321
+	overrideUserID := types.UnixUserID(321)
 	cases := []struct {
 		name     string
@ -40,10 +41,10 @@ func TestModifyContainerConfig(t *testing.T) {
 		{
 			name: "container.SecurityContext.RunAsUser set",
 			sc: &v1.SecurityContext{
-				RunAsUser: &uid,
+				RunAsUser: &userID,
 			},
 			expected: &dockercontainer.Config{
-				User: strconv.FormatInt(uid, 10),
+				User: strconv.FormatInt(int64(userID), 10),
 			},
 		},
 		{
@ -54,22 +55,22 @@ func TestModifyContainerConfig(t *testing.T) {
 		{
 			name: "pod.Spec.SecurityContext.RunAsUser set",
 			podSc: &v1.PodSecurityContext{
-				RunAsUser: &uid,
+				RunAsUser: &userID,
 			},
 			expected: &dockercontainer.Config{
-				User: strconv.FormatInt(uid, 10),
+				User: strconv.FormatInt(int64(userID), 10),
 			},
 		},
 		{
 			name: "container.SecurityContext.RunAsUser overrides pod.Spec.SecurityContext.RunAsUser",
 			podSc: &v1.PodSecurityContext{
-				RunAsUser: &uid,
+				RunAsUser: &userID,
 			},
 			sc: &v1.SecurityContext{
-				RunAsUser: &overrideUid,
+				RunAsUser: &overrideUserID,
 			},
 			expected: &dockercontainer.Config{
-				User: strconv.FormatInt(overrideUid, 10),
+				User: strconv.FormatInt(int64(overrideUserID), 10),
 			},
 		},
 	}
@ -176,7 +177,7 @@ func TestModifyHostConfig(t *testing.T) {
 func TestModifyHostConfigPodSecurityContext(t *testing.T) {
 	supplementalGroupsSC := &v1.PodSecurityContext{}
-	supplementalGroupsSC.SupplementalGroups = []int64{2222}
+	supplementalGroupsSC.SupplementalGroups = []types.UnixGroupID{2222}
 	supplementalGroupHC := fullValidHostConfig()
 	supplementalGroupHC.GroupAdd = []string{"2222"}
 	fsGroupHC := fullValidHostConfig()
@ -185,7 +186,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
 	extraSupplementalGroupHC.GroupAdd = []string{"1234"}
 	bothHC := fullValidHostConfig()
 	bothHC.GroupAdd = []string{"2222", "1234"}
-	fsGroup := int64(1234)
+	fsGroup := types.UnixGroupID(1234)
 	extraSupplementalGroup := []int64{1234}
 	testCases := map[string]struct {
@ -210,7 +211,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
 		},
 		"FSGroup + SupplementalGroups": {
 			securityContext: &v1.PodSecurityContext{
-				SupplementalGroups: []int64{2222},
+				SupplementalGroups: []types.UnixGroupID{2222},
 				FSGroup:            &fsGroup,
 			},
 			expected:                bothHC,
--- a/pkg/kubelet/kubelet_volumes_test.go
+++ b/pkg/kubelet/kubelet_volumes_test.go
@ -452,10 +452,10 @@ func (f *stubVolume) CanMount() error {
 	return nil
 }
-func (f *stubVolume) SetUp(fsGroup *int64) error {
+func (f *stubVolume) SetUp(fsGroup *types.UnixGroupID) error {
 	return nil
 }
-func (f *stubVolume) SetUpAt(dir string, fsGroup *int64) error {
+func (f *stubVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	return nil
 }
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@ -138,7 +138,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
 	if pod.Spec.SecurityContext != nil {
 		sc := pod.Spec.SecurityContext
 		if sc.RunAsUser != nil {
-			lc.SecurityContext.RunAsUser = &runtimeapi.Int64Value{Value: *sc.RunAsUser}
+			lc.SecurityContext.RunAsUser = &runtimeapi.Int64Value{Value: int64(*sc.RunAsUser)}
 		}
 		lc.SecurityContext.NamespaceOptions = &runtimeapi.NamespaceOption{
 			HostNetwork: pod.Spec.HostNetwork,
@ -147,13 +147,15 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
 		}
 		if sc.FSGroup != nil {
-			lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, *sc.FSGroup)
+			lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, int64(*sc.FSGroup))
 		}
 		if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
 			lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, groups...)
 		}
 		if sc.SupplementalGroups != nil {
-			lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, sc.SupplementalGroups...)
+			for _, sg := range sc.SupplementalGroups {
 				lc.SecurityContext.SupplementalGroups = append(lc.SecurityContext.SupplementalGroups, int64(sg))
 			}
 		}
 		if sc.SELinuxOptions != nil {
 			lc.SecurityContext.SelinuxOptions = &runtimeapi.SELinuxOption{
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@ -53,11 +53,13 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 	podSc := pod.Spec.SecurityContext
 	if podSc != nil {
 		if podSc.FSGroup != nil {
-			synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, *podSc.FSGroup)
+			synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(*podSc.FSGroup))
 		}
 		if podSc.SupplementalGroups != nil {
-			synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, podSc.SupplementalGroups...)
+			for _, sg := range podSc.SupplementalGroups {
 				synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, int64(sg))
 			}
 		}
 	}
 	if groups := m.runtimeHelper.GetExtraSupplementalGroupsForPod(pod); len(groups) > 0 {
@ -99,7 +101,7 @@ func convertToRuntimeSecurityContext(securityContext *v1.SecurityContext) *runti
 		SelinuxOptions: convertToRuntimeSELinuxOption(securityContext.SELinuxOptions),
 	}
 	if securityContext.RunAsUser != nil {
-		sc.RunAsUser = &runtimeapi.Int64Value{Value: *securityContext.RunAsUser}
+		sc.RunAsUser = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsUser)}
 	}
 	if securityContext.Privileged != nil {
 		sc.Privileged = *securityContext.Privileged
--- a/pkg/kubelet/rkt/rkt_test.go
+++ b/pkg/kubelet/rkt/rkt_test.go
@ -972,10 +972,10 @@ func TestSetApp(t *testing.T) {
 	}
 	defer os.RemoveAll(tmpDir)
-	rootUser := int64(0)
+	rootUser := kubetypes.UnixUserID(0)
-	nonRootUser := int64(42)
+	nonRootUser := kubetypes.UnixUserID(42)
 	runAsNonRootTrue := true
-	fsgid := int64(3)
+	fsgid := kubetypes.UnixGroupID(3)
 	tests := []struct {
 		container        *v1.Container
@ -1081,8 +1081,11 @@ func TestSetApp(t *testing.T) {
 				RunAsNonRoot: &runAsNonRootTrue,
 			},
 			podCtx: &v1.PodSecurityContext{
-				SupplementalGroups: []int64{1, 2},
+				SupplementalGroups: []kubetypes.UnixGroupID{
-				FSGroup:            &fsgid,
+					kubetypes.UnixGroupID(1),
 					kubetypes.UnixGroupID(2),
 				},
 				FSGroup: &fsgid,
 			},
 			supplementalGids: []int64{4},
 			expect: &appctypes.App{
@ -1143,8 +1146,11 @@ func TestSetApp(t *testing.T) {
 				RunAsNonRoot: &runAsNonRootTrue,
 			},
 			podCtx: &v1.PodSecurityContext{
-				SupplementalGroups: []int64{1, 2},
+				SupplementalGroups: []kubetypes.UnixGroupID{
-				FSGroup:            &fsgid,
+					kubetypes.UnixGroupID(1),
 					kubetypes.UnixGroupID(2),
 				},
 				FSGroup: &fsgid,
 			},
 			supplementalGids: []int64{4},
 			expect: &appctypes.App{
--- a/pkg/kubelet/volumemanager/BUILD
+++ b/pkg/kubelet/volumemanager/BUILD
@ -59,6 +59,7 @@ go_test(
        "//pkg/volume/util/types:go_default_library",
        "//pkg/volume/util/volumehelper:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
        "//vendor/k8s.io/client-go/tools/record:go_default_library",
        "//vendor/k8s.io/client-go/util/testing:go_default_library",
--- a/pkg/kubelet/volumemanager/volume_manager.go
+++ b/pkg/kubelet/volumemanager/volume_manager.go
@ -434,7 +434,7 @@ func getExtraSupplementalGid(volumeGidValue string, pod *v1.Pod) (int64, bool) {
 	if pod.Spec.SecurityContext != nil {
 		for _, existingGid := range pod.Spec.SecurityContext.SupplementalGroups {
-			if gid == existingGid {
+			if gid == int64(existingGid) {
 				return 0, false
 			}
 		}
--- a/pkg/kubelet/volumemanager/volume_manager_test.go
+++ b/pkg/kubelet/volumemanager/volume_manager_test.go
@ -24,6 +24,7 @@ import (
 	"time"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kubetypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/record"
 	utiltesting "k8s.io/client-go/util/testing"
@ -115,7 +116,7 @@ func TestGetExtraSupplementalGroupsForPod(t *testing.T) {
 			expected:      []int64{777},
 		},
 		{
-			gidAnnotation: strconv.FormatInt(existingGid, 10),
+			gidAnnotation: strconv.FormatInt(int64(existingGid), 10),
 			expected:      []int64{},
 		},
 		{
@ -240,7 +241,7 @@ func createObjects() (*v1.Node, *v1.Pod, *v1.PersistentVolume, *v1.PersistentVol
 				},
 			},
 			SecurityContext: &v1.PodSecurityContext{
-				SupplementalGroups: []int64{555},
+				SupplementalGroups: []kubetypes.UnixGroupID{555},
 			},
 		},
 	}
--- a/pkg/security/podsecuritypolicy/BUILD
+++ b/pkg/security/podsecuritypolicy/BUILD
@ -29,6 +29,7 @@ go_library(
        "//pkg/security/podsecuritypolicy/user:go_default_library",
        "//pkg/security/podsecuritypolicy/util:go_default_library",
        "//pkg/util/maps:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
    ],
@ -48,6 +49,7 @@ go_test(
        "//pkg/security/podsecuritypolicy/util:go_default_library",
        "//vendor/github.com/davecgh/go-spew/spew:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
    ],
--- a/pkg/security/podsecuritypolicy/group/BUILD
+++ b/pkg/security/podsecuritypolicy/group/BUILD
@ -21,6 +21,7 @@ go_library(
        "//pkg/api:go_default_library",
        "//pkg/apis/extensions:go_default_library",
        "//pkg/security/podsecuritypolicy/util:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
    ],
 )
@ -36,6 +37,7 @@ go_test(
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/apis/extensions:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )
--- a/pkg/security/podsecuritypolicy/group/mustrunas.go
+++ b/pkg/security/podsecuritypolicy/group/mustrunas.go
@ -19,6 +19,7 @@ package group
 import (
 	"fmt"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@ -27,14 +28,14 @@ import (
 // mustRunAs implements the GroupStrategy interface
 type mustRunAs struct {
-	ranges []extensions.IDRange
+	ranges []extensions.GroupIDRange
 	field  string
 }
 var _ GroupStrategy = &mustRunAs{}
 // NewMustRunAs provides a new MustRunAs strategy based on ranges.
-func NewMustRunAs(ranges []extensions.IDRange, field string) (GroupStrategy, error) {
+func NewMustRunAs(ranges []extensions.GroupIDRange, field string) (GroupStrategy, error) {
 	if len(ranges) == 0 {
 		return nil, fmt.Errorf("ranges must be supplied for MustRunAs")
 	}
@ -46,14 +47,14 @@ func NewMustRunAs(ranges []extensions.IDRange, field string) (GroupStrategy, err
 // Generate creates the group based on policy rules.  By default this returns the first group of the
 // first range (min val).
-func (s *mustRunAs) Generate(pod *api.Pod) ([]int64, error) {
+func (s *mustRunAs) Generate(pod *api.Pod) ([]types.UnixGroupID, error) {
-	return []int64{s.ranges[0].Min}, nil
+	return []types.UnixGroupID{s.ranges[0].Min}, nil
 }
 // Generate a single value to be applied.  This is used for FSGroup.  This strategy will return
 // the first group of the first range (min val).
-func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
+func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
-	single := new(int64)
+	single := new(types.UnixGroupID)
 	*single = s.ranges[0].Min
 	return single, nil
 }
@ -61,7 +62,7 @@ func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
 // Validate ensures that the specified values fall within the range of the strategy.
 // Groups are passed in here to allow this strategy to support multiple group fields (fsgroup and
 // supplemental groups).
-func (s *mustRunAs) Validate(pod *api.Pod, groups []int64) field.ErrorList {
+func (s *mustRunAs) Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList {
 	allErrs := field.ErrorList{}
 	if pod.Spec.SecurityContext == nil {
@ -83,9 +84,9 @@ func (s *mustRunAs) Validate(pod *api.Pod, groups []int64) field.ErrorList {
 	return allErrs
 }
-func (s *mustRunAs) isGroupValid(group int64) bool {
+func (s *mustRunAs) isGroupValid(group types.UnixGroupID) bool {
 	for _, rng := range s.ranges {
-		if psputil.FallsInRange(group, rng) {
+		if psputil.GroupFallsInRange(group, rng) {
 			return true
 		}
 	}
--- a/pkg/security/podsecuritypolicy/group/mustrunas_test.go
+++ b/pkg/security/podsecuritypolicy/group/mustrunas_test.go
@ -19,20 +19,21 @@ package group
 import (
 	"testing"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 )
 func TestMustRunAsOptions(t *testing.T) {
 	tests := map[string]struct {
-		ranges []extensions.IDRange
+		ranges []extensions.GroupIDRange
 		pass   bool
 	}{
 		"empty": {
-			ranges: []extensions.IDRange{},
+			ranges: []extensions.GroupIDRange{},
 		},
 		"ranges": {
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 1},
 			},
 			pass: true,
@ -52,27 +53,27 @@ func TestMustRunAsOptions(t *testing.T) {
 func TestGenerate(t *testing.T) {
 	tests := map[string]struct {
-		ranges   []extensions.IDRange
+		ranges   []extensions.GroupIDRange
-		expected []int64
+		expected []types.UnixGroupID
 	}{
 		"multi value": {
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 2},
 			},
-			expected: []int64{1},
+			expected: []types.UnixGroupID{1},
 		},
 		"single value": {
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 1},
 			},
-			expected: []int64{1},
+			expected: []types.UnixGroupID{1},
 		},
 		"multi range": {
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 1},
 				{Min: 2, Max: 500},
 			},
-			expected: []int64{1},
+			expected: []types.UnixGroupID{1},
 		},
 	}
@ -118,59 +119,59 @@ func TestValidate(t *testing.T) {
 	}
 	tests := map[string]struct {
-		ranges []extensions.IDRange
+		ranges []extensions.GroupIDRange
 		pod    *api.Pod
-		groups []int64
+		groups []types.UnixGroupID
 		pass   bool
 	}{
 		"nil security context": {
 			pod: &api.Pod{},
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 3},
 			},
 		},
 		"empty groups": {
 			pod: validPod(),
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 3},
 			},
 		},
 		"not in range": {
 			pod:    validPod(),
-			groups: []int64{5},
+			groups: []types.UnixGroupID{5},
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 3},
 				{Min: 4, Max: 4},
 			},
 		},
 		"in range 1": {
 			pod:    validPod(),
-			groups: []int64{2},
+			groups: []types.UnixGroupID{2},
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 3},
 			},
 			pass: true,
 		},
 		"in range boundry min": {
 			pod:    validPod(),
-			groups: []int64{1},
+			groups: []types.UnixGroupID{1},
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 3},
 			},
 			pass: true,
 		},
 		"in range boundry max": {
 			pod:    validPod(),
-			groups: []int64{3},
+			groups: []types.UnixGroupID{3},
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 1, Max: 3},
 			},
 			pass: true,
 		},
 		"singular range": {
 			pod:    validPod(),
-			groups: []int64{4},
+			groups: []types.UnixGroupID{4},
-			ranges: []extensions.IDRange{
+			ranges: []extensions.GroupIDRange{
 				{Min: 4, Max: 4},
 			},
 			pass: true,
--- a/pkg/security/podsecuritypolicy/group/runasany.go
+++ b/pkg/security/podsecuritypolicy/group/runasany.go
@ -17,6 +17,7 @@ limitations under the License.
 package group
 import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 )
@ -33,17 +34,17 @@ func NewRunAsAny() (GroupStrategy, error) {
 }
 // Generate creates the group based on policy rules.  This strategy returns an empty slice.
-func (s *runAsAny) Generate(pod *api.Pod) ([]int64, error) {
+func (s *runAsAny) Generate(pod *api.Pod) ([]types.UnixGroupID, error) {
-	return []int64{}, nil
+	return []types.UnixGroupID{}, nil
 }
 // Generate a single value to be applied.  This is used for FSGroup.  This strategy returns nil.
-func (s *runAsAny) GenerateSingle(pod *api.Pod) (*int64, error) {
+func (s *runAsAny) GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error) {
 	return nil, nil
 }
 // Validate ensures that the specified values fall within the range of the strategy.
-func (s *runAsAny) Validate(pod *api.Pod, groups []int64) field.ErrorList {
+func (s *runAsAny) Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList {
 	return field.ErrorList{}
 }
--- a/pkg/security/podsecuritypolicy/group/types.go
+++ b/pkg/security/podsecuritypolicy/group/types.go
@ -17,6 +17,7 @@ limitations under the License.
 package group
 import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 )
@ -26,10 +27,10 @@ type GroupStrategy interface {
 	// Generate creates the group based on policy rules.  The underlying implementation can
 	// decide whether it will return a full range of values or a subset of values from the
 	// configured ranges.
-	Generate(pod *api.Pod) ([]int64, error)
+	Generate(pod *api.Pod) ([]types.UnixGroupID, error)
 	// Generate a single value to be applied.  The underlying implementation decides which
 	// value to return if configured with multiple ranges.  This is used for FSGroup.
-	GenerateSingle(pod *api.Pod) (*int64, error)
+	GenerateSingle(pod *api.Pod) (*types.UnixGroupID, error)
 	// Validate ensures that the specified values fall within the range of the strategy.
-	Validate(pod *api.Pod, groups []int64) field.ErrorList
+	Validate(pod *api.Pod, groups []types.UnixGroupID) field.ErrorList
 }
--- a/pkg/security/podsecuritypolicy/provider.go
+++ b/pkg/security/podsecuritypolicy/provider.go
@ -19,6 +19,7 @@ package podsecuritypolicy
 import (
 	"fmt"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@ -194,7 +195,7 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 		return allErrs
 	}
-	fsGroups := []int64{}
+	fsGroups := []types.UnixGroupID{}
 	if pod.Spec.SecurityContext.FSGroup != nil {
 		fsGroups = append(fsGroups, *pod.Spec.SecurityContext.FSGroup)
 	}
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
@ -25,6 +25,7 @@ import (
 	"github.com/davecgh/go-spew/spew"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
@ -69,13 +70,13 @@ func TestCreatePodSecurityContextNonmutating(t *testing.T) {
 				// these are pod mutating strategies that are tested above
 				FSGroup: extensions.FSGroupStrategyOptions{
 					Rule: extensions.FSGroupStrategyMustRunAs,
-					Ranges: []extensions.IDRange{
+					Ranges: []extensions.GroupIDRange{
 						{Min: 1, Max: 1},
 					},
 				},
 				SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
 					Rule: extensions.SupplementalGroupsStrategyMustRunAs,
-					Ranges: []extensions.IDRange{
+					Ranges: []extensions.GroupIDRange{
 						{Min: 1, Max: 1},
 					},
 				},
@ -124,7 +125,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
 	// Create a PSP with strategies that will populate a blank security context
 	createPSP := func() *extensions.PodSecurityPolicy {
-		var uid int64 = 1
+		uid := types.UnixUserID(1)
 		return &extensions.PodSecurityPolicy{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "psp-sa",
@ -138,7 +139,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {
 				RequiredDropCapabilities: []api.Capability{"bar"},
 				RunAsUser: extensions.RunAsUserStrategyOptions{
 					Rule:   extensions.RunAsUserStrategyMustRunAs,
-					Ranges: []extensions.IDRange{{Min: uid, Max: uid}},
+					Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
 				},
 				SELinux: extensions.SELinuxStrategyOptions{
 					Rule:           extensions.SELinuxStrategyMustRunAs,
@ -195,22 +196,22 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 	failHostIPCPod.Spec.SecurityContext.HostIPC = true
 	failSupplementalGroupPod := defaultPod()
-	failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{999}
+	failSupplementalGroupPod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{999}
 	failSupplementalGroupPSP := defaultPSP()
 	failSupplementalGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{
 		Rule: extensions.SupplementalGroupsStrategyMustRunAs,
-		Ranges: []extensions.IDRange{
+		Ranges: []extensions.GroupIDRange{
 			{Min: 1, Max: 1},
 		},
 	}
 	failFSGroupPod := defaultPod()
-	fsGroup := int64(999)
+	fsGroup := types.UnixGroupID(999)
 	failFSGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
 	failFSGroupPSP := defaultPSP()
 	failFSGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
 		Rule: extensions.FSGroupStrategyMustRunAs,
-		Ranges: []extensions.IDRange{
+		Ranges: []extensions.GroupIDRange{
 			{Min: 1, Max: 1},
 		},
 	}
@ -352,11 +353,11 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
 func TestValidateContainerSecurityContextFailures(t *testing.T) {
 	// fail user strat
 	failUserPSP := defaultPSP()
-	var uid int64 = 999
+	uid := types.UnixUserID(999)
-	var badUID int64 = 1
+	badUID := types.UnixUserID(1)
 	failUserPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
 		Rule:   extensions.RunAsUserStrategyMustRunAs,
-		Ranges: []extensions.IDRange{{Min: uid, Max: uid}},
+		Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
 	}
 	failUserPod := defaultPod()
 	failUserPod.Spec.Containers[0].SecurityContext.RunAsUser = &badUID
@ -511,22 +512,22 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
 	supGroupPSP := defaultPSP()
 	supGroupPSP.Spec.SupplementalGroups = extensions.SupplementalGroupsStrategyOptions{
 		Rule: extensions.SupplementalGroupsStrategyMustRunAs,
-		Ranges: []extensions.IDRange{
+		Ranges: []extensions.GroupIDRange{
 			{Min: 1, Max: 5},
 		},
 	}
 	supGroupPod := defaultPod()
-	supGroupPod.Spec.SecurityContext.SupplementalGroups = []int64{3}
+	supGroupPod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{3}
 	fsGroupPSP := defaultPSP()
 	fsGroupPSP.Spec.FSGroup = extensions.FSGroupStrategyOptions{
 		Rule: extensions.FSGroupStrategyMustRunAs,
-		Ranges: []extensions.IDRange{
+		Ranges: []extensions.GroupIDRange{
 			{Min: 1, Max: 5},
 		},
 	}
 	fsGroupPod := defaultPod()
-	fsGroup := int64(3)
+	fsGroup := types.UnixGroupID(3)
 	fsGroupPod.Spec.SecurityContext.FSGroup = &fsGroup
 	seLinuxPod := defaultPod()
@ -649,10 +650,10 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {
 	// success user strat
 	userPSP := defaultPSP()
-	var uid int64 = 999
+	uid := types.UnixUserID(999)
 	userPSP.Spec.RunAsUser = extensions.RunAsUserStrategyOptions{
 		Rule:   extensions.RunAsUserStrategyMustRunAs,
-		Ranges: []extensions.IDRange{{Min: uid, Max: uid}},
+		Ranges: []extensions.UserIDRange{{Min: uid, Max: uid}},
 	}
 	userPod := defaultPod()
 	userPod.Spec.Containers[0].SecurityContext.RunAsUser = &uid
--- a/pkg/security/podsecuritypolicy/user/BUILD
+++ b/pkg/security/podsecuritypolicy/user/BUILD
@ -22,6 +22,7 @@ go_library(
        "//pkg/api:go_default_library",
        "//pkg/apis/extensions:go_default_library",
        "//pkg/security/podsecuritypolicy/util:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
    ],
 )
@ -38,6 +39,7 @@ go_test(
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/apis/extensions:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )
--- a/pkg/security/podsecuritypolicy/user/mustrunas.go
+++ b/pkg/security/podsecuritypolicy/user/mustrunas.go
@ -19,6 +19,7 @@ package user
 import (
 	"fmt"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@ -44,7 +45,7 @@ func NewMustRunAs(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrate
 }
 // Generate creates the uid based on policy rules.  MustRunAs returns the first range's Min.
-func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
+func (s *mustRunAs) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
 	return &s.opts.Ranges[0].Min, nil
 }
@ -74,9 +75,9 @@ func (s *mustRunAs) Validate(pod *api.Pod, container *api.Container) field.Error
 	return allErrs
 }
-func (s *mustRunAs) isValidUID(id int64) bool {
+func (s *mustRunAs) isValidUID(id types.UnixUserID) bool {
 	for _, rng := range s.opts.Ranges {
-		if psputil.FallsInRange(id, rng) {
+		if psputil.UserFallsInRange(id, rng) {
 			return true
 		}
 	}
--- a/pkg/security/podsecuritypolicy/user/mustrunas_test.go
+++ b/pkg/security/podsecuritypolicy/user/mustrunas_test.go
@ -20,6 +20,7 @@ import (
 	"strings"
 	"testing"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 )
@ -39,7 +40,7 @@ func TestNewMustRunAs(t *testing.T) {
 		},
 		"valid opts": {
 			opts: &extensions.RunAsUserStrategyOptions{
-				Ranges: []extensions.IDRange{
+				Ranges: []extensions.UserIDRange{
 					{Min: 1, Max: 1},
 				},
 			},
@ -59,7 +60,7 @@ func TestNewMustRunAs(t *testing.T) {
 func TestGenerate(t *testing.T) {
 	opts := &extensions.RunAsUserStrategyOptions{
-		Ranges: []extensions.IDRange{
+		Ranges: []extensions.UserIDRange{
 			{Min: 1, Max: 1},
 		},
 	}
@ -78,12 +79,15 @@ func TestGenerate(t *testing.T) {
 func TestValidate(t *testing.T) {
 	opts := &extensions.RunAsUserStrategyOptions{
-		Ranges: []extensions.IDRange{
+		Ranges: []extensions.UserIDRange{
 			{Min: 1, Max: 1},
 			{Min: 10, Max: 20},
 		},
 	}
 	validID := types.UnixUserID(15)
 	invalidID := types.UnixUserID(21)
 	tests := map[string]struct {
 		container   *api.Container
 		expectedMsg string
@ -91,7 +95,7 @@ func TestValidate(t *testing.T) {
 		"good container": {
 			container: &api.Container{
 				SecurityContext: &api.SecurityContext{
-					RunAsUser: int64Ptr(15),
+					RunAsUser: &validID,
 				},
 			},
 		},
@ -112,7 +116,7 @@ func TestValidate(t *testing.T) {
 		"invalid id": {
 			container: &api.Container{
 				SecurityContext: &api.SecurityContext{
-					RunAsUser: int64Ptr(21),
+					RunAsUser: &invalidID,
 				},
 			},
 			expectedMsg: "does not match required range",
@ -146,7 +150,3 @@ func TestValidate(t *testing.T) {
 		}
 	}
 }
 func int64Ptr(i int64) *int64 {
 	return &i
 }
--- a/pkg/security/podsecuritypolicy/user/nonroot.go
+++ b/pkg/security/podsecuritypolicy/user/nonroot.go
@ -19,6 +19,7 @@ package user
 import (
 	"fmt"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@ -34,7 +35,7 @@ func NewRunAsNonRoot(options *extensions.RunAsUserStrategyOptions) (RunAsUserStr
 // Generate creates the uid based on policy rules.  This strategy does return a UID.  It assumes
 // that the user will specify a UID or the container image specifies a UID.
-func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
+func (s *nonRoot) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
 	return nil, nil
 }
--- a/pkg/security/podsecuritypolicy/user/nonroot_test.go
+++ b/pkg/security/podsecuritypolicy/user/nonroot_test.go
@ -19,6 +19,7 @@ package user
 import (
 	"testing"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 )
@ -49,8 +50,8 @@ func TestNonRootGenerate(t *testing.T) {
 }
 func TestNonRootValidate(t *testing.T) {
-	var uid int64 = 1
+	goodUID := types.UnixUserID(1)
-	var badUID int64 = 0
+	badUID := types.UnixUserID(0)
 	s, err := NewRunAsNonRoot(&extensions.RunAsUserStrategyOptions{})
 	if err != nil {
 		t.Fatalf("unexpected error initializing NewMustRunAs %v", err)
@ -66,7 +67,7 @@ func TestNonRootValidate(t *testing.T) {
 		t.Errorf("expected errors from root uid but got none")
 	}
-	container.SecurityContext.RunAsUser = &uid
+	container.SecurityContext.RunAsUser = &goodUID
 	errs = s.Validate(nil, container)
 	if len(errs) != 0 {
 		t.Errorf("expected no errors from non-root uid but got %v", errs)
--- a/pkg/security/podsecuritypolicy/user/runasany.go
+++ b/pkg/security/podsecuritypolicy/user/runasany.go
@ -17,6 +17,7 @@ limitations under the License.
 package user
 import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@ -33,7 +34,7 @@ func NewRunAsAny(options *extensions.RunAsUserStrategyOptions) (RunAsUserStrateg
 }
 // Generate creates the uid based on policy rules.
-func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*int64, error) {
+func (s *runAsAny) Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error) {
 	return nil, nil
 }
--- a/pkg/security/podsecuritypolicy/user/types.go
+++ b/pkg/security/podsecuritypolicy/user/types.go
@ -17,6 +17,7 @@ limitations under the License.
 package user
 import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
 )
@ -24,7 +25,7 @@ import (
 // RunAsUserStrategy defines the interface for all uid constraint strategies.
 type RunAsUserStrategy interface {
 	// Generate creates the uid based on policy rules.
-	Generate(pod *api.Pod, container *api.Container) (*int64, error)
+	Generate(pod *api.Pod, container *api.Container) (*types.UnixUserID, error)
 	// Validate ensures that the specified values fall within the range of the strategy.
 	Validate(pod *api.Pod, container *api.Container) field.ErrorList
 }
--- a/pkg/security/podsecuritypolicy/util/BUILD
+++ b/pkg/security/podsecuritypolicy/util/BUILD
@ -18,6 +18,7 @@ go_library(
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/apis/extensions:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
    ],
 )
--- a/pkg/security/podsecuritypolicy/util/util.go
+++ b/pkg/security/podsecuritypolicy/util/util.go
@ -19,6 +19,7 @@ package util
 import (
 	"fmt"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@ -158,7 +159,12 @@ func PSPAllowsFSType(psp *extensions.PodSecurityPolicy, fsType extensions.FSType
 	return false
 }
-// FallsInRange is a utility to determine it the id falls in the valid range.
+// UserFallsInRange is a utility to determine it the id falls in the valid range.
-func FallsInRange(id int64, rng extensions.IDRange) bool {
+func UserFallsInRange(id types.UnixUserID, rng extensions.UserIDRange) bool {
 	return id >= rng.Min && id <= rng.Max
 }
 // GroupFallsInRange is a utility to determine it the id falls in the valid range.
 func GroupFallsInRange(id types.UnixGroupID, rng extensions.GroupIDRange) bool {
 	return id >= rng.Min && id <= rng.Max
 }
--- a/pkg/securitycontext/BUILD
+++ b/pkg/securitycontext/BUILD
@ -19,6 +19,7 @@ go_library(
    deps = [
        "//pkg/api:go_default_library",
        "//pkg/api/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )
@ -27,7 +28,10 @@ go_test(
    srcs = ["util_test.go"],
    library = ":go_default_library",
    tags = ["automanaged"],
-    deps = ["//pkg/api/v1:go_default_library"],
+    deps = [
        "//pkg/api/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
    ],
 )
 filegroup(
--- a/pkg/securitycontext/util.go
+++ b/pkg/securitycontext/util.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"strings"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/v1"
 )
@ -119,7 +120,7 @@ func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1
 	}
 	if containerSc.RunAsUser != nil {
-		effectiveSc.RunAsUser = new(int64)
+		effectiveSc.RunAsUser = new(types.UnixUserID)
 		*effectiveSc.RunAsUser = *containerSc.RunAsUser
 	}
@ -148,7 +149,7 @@ func securityContextFromPodSecurityContext(pod *v1.Pod) *v1.SecurityContext {
 		*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
 	}
 	if pod.Spec.SecurityContext.RunAsUser != nil {
-		synthesized.RunAsUser = new(int64)
+		synthesized.RunAsUser = new(types.UnixUserID)
 		*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
 	}
@ -191,7 +192,7 @@ func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Cont
 	}
 	if containerSc.RunAsUser != nil {
-		effectiveSc.RunAsUser = new(int64)
+		effectiveSc.RunAsUser = new(types.UnixUserID)
 		*effectiveSc.RunAsUser = *containerSc.RunAsUser
 	}
@ -220,7 +221,7 @@ func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityCo
 		*synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions
 	}
 	if pod.Spec.SecurityContext.RunAsUser != nil {
-		synthesized.RunAsUser = new(int64)
+		synthesized.RunAsUser = new(types.UnixUserID)
 		*synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser
 	}
--- a/pkg/securitycontext/util_test.go
+++ b/pkg/securitycontext/util_test.go
@ -19,6 +19,7 @@ package securitycontext
 import (
 	"testing"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api/v1"
 )
@ -84,13 +85,13 @@ func compareContexts(name string, ex, ac *v1.SELinuxOptions, t *testing.T) {
 	}
 }
-func containerWithUser(ptr *int64) *v1.Container {
+func containerWithUser(ptr *types.UnixUserID) *v1.Container {
 	return &v1.Container{SecurityContext: &v1.SecurityContext{RunAsUser: ptr}}
 }
 func TestHaRootUID(t *testing.T) {
-	var nonRoot int64 = 1
+	nonRoot := types.UnixUserID(1)
-	var root int64 = 0
+	root := types.UnixUserID(0)
 	tests := map[string]struct {
 		container *v1.Container
@ -120,7 +121,7 @@ func TestHaRootUID(t *testing.T) {
 }
 func TestHasRunAsUser(t *testing.T) {
-	var runAsUser int64 = 0
+	runAsUser := types.UnixUserID(0)
 	tests := map[string]struct {
 		container *v1.Container
@ -147,8 +148,8 @@ func TestHasRunAsUser(t *testing.T) {
 }
 func TestHasRootRunAsUser(t *testing.T) {
-	var nonRoot int64 = 1
+	nonRoot := types.UnixUserID(1)
-	var root int64 = 0
+	root := types.UnixUserID(0)
 	tests := map[string]struct {
 		container *v1.Container
--- a/pkg/volume/aws_ebs/aws_ebs.go
+++ b/pkg/volume/aws_ebs/aws_ebs.go
@ -293,12 +293,12 @@ func (b *awsElasticBlockStoreMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *awsElasticBlockStoreMounter) SetUp(fsGroup *int64) error {
+func (b *awsElasticBlockStoreMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
 // SetUpAt attaches the disk and bind mounts to the volume path.
-func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *awsElasticBlockStoreMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	// TODO: handle failed mounts here.
 	notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 	glog.V(4).Infof("PersistentDisk set up: %s %v %v", dir, !notMnt, err)
--- a/pkg/volume/azure_dd/azure_dd.go
+++ b/pkg/volume/azure_dd/azure_dd.go
@ -234,12 +234,12 @@ func (b *azureDiskMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *azureDiskMounter) SetUp(fsGroup *int64) error {
+func (b *azureDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
 // SetUpAt attaches the disk and bind mounts to the volume path.
-func (b *azureDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *azureDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	b.plugin.volumeLocks.LockKey(b.diskName)
 	defer b.plugin.volumeLocks.UnlockKey(b.diskName)
--- a/pkg/volume/azure_file/azure_file.go
+++ b/pkg/volume/azure_file/azure_file.go
@ -189,11 +189,11 @@ func (b *azureFileMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *azureFileMounter) SetUp(fsGroup *int64) error {
+func (b *azureFileMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *azureFileMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *azureFileMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 	glog.V(4).Infof("AzureFile mount set up: %s %v %v", dir, !notMnt, err)
 	if err != nil && !os.IsNotExist(err) {
--- a/pkg/volume/cephfs/cephfs.go
+++ b/pkg/volume/cephfs/cephfs.go
@ -217,12 +217,12 @@ func (cephfsMounter *cephfsMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (cephfsVolume *cephfsMounter) SetUp(fsGroup *int64) error {
+func (cephfsVolume *cephfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return cephfsVolume.SetUpAt(cephfsVolume.GetPath(), fsGroup)
 }
 // SetUpAt attaches the disk and bind mounts to the volume path.
-func (cephfsVolume *cephfsMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (cephfsVolume *cephfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	notMnt, err := cephfsVolume.mounter.IsLikelyNotMountPoint(dir)
 	glog.V(4).Infof("CephFS mount set up: %s %v %v", dir, !notMnt, err)
 	if err != nil && !os.IsNotExist(err) {
--- a/pkg/volume/cinder/cinder.go
+++ b/pkg/volume/cinder/cinder.go
@ -298,12 +298,12 @@ func (b *cinderVolumeMounter) CanMount() error {
 	return nil
 }
-func (b *cinderVolumeMounter) SetUp(fsGroup *int64) error {
+func (b *cinderVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
 // SetUp bind mounts to the volume path.
-func (b *cinderVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *cinderVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	glog.V(5).Infof("Cinder SetUp %s to %s", b.pdName, dir)
 	b.plugin.volumeLocks.LockKey(b.pdName)
--- a/pkg/volume/configmap/configmap.go
+++ b/pkg/volume/configmap/configmap.go
@ -158,11 +158,11 @@ func (b *configMapVolumeMounter) CanMount() error {
 	return nil
 }
-func (b *configMapVolumeMounter) SetUp(fsGroup *int64) error {
+func (b *configMapVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *configMapVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *configMapVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
 	// Wrap EmptyDir, let it do the setup.
--- a/pkg/volume/configmap/configmap_test.go
+++ b/pkg/volume/configmap/configmap_test.go
@ -333,7 +333,7 @@ func TestPlugin(t *testing.T) {
 		t.Errorf("Got unexpected path: %s", volumePath)
 	}
-	fsGroup := int64(1001)
+	fsGroup := types.UnixGroupID(1001)
 	err = mounter.SetUp(&fsGroup)
 	if err != nil {
 		t.Errorf("Failed to setup volume: %v", err)
@ -391,7 +391,7 @@ func TestPluginReboot(t *testing.T) {
 		t.Errorf("Got unexpected path: %s", volumePath)
 	}
-	fsGroup := int64(1001)
+	fsGroup := types.UnixGroupID(1001)
 	err = mounter.SetUp(&fsGroup)
 	if err != nil {
 		t.Errorf("Failed to setup volume: %v", err)
@ -453,7 +453,7 @@ func TestPluginOptional(t *testing.T) {
 		t.Errorf("Got unexpected path: %s", volumePath)
 	}
-	fsGroup := int64(1001)
+	fsGroup := types.UnixGroupID(1001)
 	err = mounter.SetUp(&fsGroup)
 	if err != nil {
 		t.Errorf("Failed to setup volume: %v", err)
@ -528,7 +528,7 @@ func TestPluginKeysOptional(t *testing.T) {
 		t.Errorf("Got unexpected path: %s", volumePath)
 	}
-	fsGroup := int64(1001)
+	fsGroup := types.UnixGroupID(1001)
 	err = mounter.SetUp(&fsGroup)
 	if err != nil {
 		t.Errorf("Failed to setup volume: %v", err)
--- a/pkg/volume/downwardapi/downwardapi.go
+++ b/pkg/volume/downwardapi/downwardapi.go
@ -168,11 +168,11 @@ func (b *downwardAPIVolumeMounter) CanMount() error {
 // This function is not idempotent by design. We want the data to be refreshed periodically.
 // The internal sync interval of kubelet will drive the refresh of data.
 // TODO: Add volume specific ticker and refresh loop
-func (b *downwardAPIVolumeMounter) SetUp(fsGroup *int64) error {
+func (b *downwardAPIVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *downwardAPIVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *downwardAPIVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	glog.V(3).Infof("Setting up a downwardAPI volume %v for pod %v/%v at %v", b.volName, b.pod.Namespace, b.pod.Name, dir)
 	// Wrap EmptyDir. Here we rely on the idempotency of the wrapped plugin to avoid repeatedly mounting
 	wrapped, err := b.plugin.host.NewWrapperMounter(b.volName, wrappedVolumeSpec(), b.pod, *b.opts)
--- a/pkg/volume/empty_dir/empty_dir.go
+++ b/pkg/volume/empty_dir/empty_dir.go
@ -191,12 +191,12 @@ func (b *emptyDir) CanMount() error {
 }
 // SetUp creates new directory.
-func (ed *emptyDir) SetUp(fsGroup *int64) error {
+func (ed *emptyDir) SetUp(fsGroup *types.UnixGroupID) error {
 	return ed.SetUpAt(ed.GetPath(), fsGroup)
 }
 // SetUpAt creates new directory.
-func (ed *emptyDir) SetUpAt(dir string, fsGroup *int64) error {
+func (ed *emptyDir) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	notMnt, err := ed.mounter.IsLikelyNotMountPoint(dir)
 	// Getting an os.IsNotExist err from is a contingency; the directory
 	// may not exist yet, in which case, setup should run.
--- a/pkg/volume/fc/disk_manager.go
+++ b/pkg/volume/fc/disk_manager.go
@ -20,6 +20,7 @@ import (
 	"os"
 	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/util/mount"
 	"k8s.io/kubernetes/pkg/volume"
 )
@ -34,7 +35,7 @@ type diskManager interface {
 }
 // utility to mount a disk based filesystem
-func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
+func diskSetUp(manager diskManager, b fcDiskMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
 	globalPDPath := manager.MakeGlobalPDName(*b.fcDisk)
 	// TODO: handle failed mounts here.
 	noMnt, err := mounter.IsLikelyNotMountPoint(volPath)
--- a/pkg/volume/fc/fc.go
+++ b/pkg/volume/fc/fc.go
@ -204,11 +204,11 @@ func (b *fcDiskMounter) CanMount() error {
 	return nil
 }
-func (b *fcDiskMounter) SetUp(fsGroup *int64) error {
+func (b *fcDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *fcDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *fcDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	// diskSetUp checks mountpoints and prevent repeated calls
 	err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
 	if err != nil {
--- a/pkg/volume/flexvolume/mounter-defaults.go
+++ b/pkg/volume/flexvolume/mounter-defaults.go
@ -18,8 +18,10 @@ package flexvolume
 import (
 	"fmt"
 	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/volume"
 )
@ -27,7 +29,7 @@ type mounterDefaults flexVolumeMounter
 // SetUpAt is part of the volume.Mounter interface.
 // This implementation relies on the attacher's device mount path and does a bind mount to dir.
-func (f *mounterDefaults) SetUpAt(dir string, fsGroup *int64) error {
+func (f *mounterDefaults) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	glog.Warning(logPrefix(f.plugin), "using default SetUpAt to ", dir)
 	a, err := f.plugin.NewAttacher()
--- a/pkg/volume/flexvolume/mounter.go
+++ b/pkg/volume/flexvolume/mounter.go
@ -19,6 +19,7 @@ package flexvolume
 import (
 	"strconv"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/util/exec"
 	"k8s.io/kubernetes/pkg/util/mount"
 	"k8s.io/kubernetes/pkg/volume"
@ -43,12 +44,12 @@ var _ volume.Mounter = &flexVolumeMounter{}
 // Mounter interface
 // SetUp creates new directory.
-func (f *flexVolumeMounter) SetUp(fsGroup *int64) error {
+func (f *flexVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return f.SetUpAt(f.GetPath(), fsGroup)
 }
 // SetUpAt creates new directory.
-func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	// Mount only once.
 	alreadyMounted, err := prepareForMount(f.mounter, dir)
 	if err != nil {
@ -72,7 +73,7 @@ func (f *flexVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
 	// Implicit parameters
 	if fsGroup != nil {
-		extraOptions[optionFSGroup] = strconv.FormatInt(*fsGroup, 10)
+		extraOptions[optionFSGroup] = strconv.FormatInt(int64(*fsGroup), 10)
 	}
 	call.AppendSpec(f.spec, f.plugin.host, extraOptions)
--- a/pkg/volume/flexvolume/mounter_test.go
+++ b/pkg/volume/flexvolume/mounter_test.go
@ -19,6 +19,7 @@ package flexvolume
 import (
 	"testing"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/util/mount"
 )
@ -47,6 +48,6 @@ func TestSetUpAt(t *testing.T) {
 	m, _ := plugin.newMounterInternal(spec, pod, mounter, plugin.runner)
 	m.SetUpAt(rootDir+"/mount-dir", nil)
-	fsGroup := int64(42)
+	fsGroup := types.UnixGroupID(42)
 	m.SetUpAt(rootDir+"/mount-dir", &fsGroup)
 }
--- a/pkg/volume/flocker/flocker.go
+++ b/pkg/volume/flocker/flocker.go
@ -232,7 +232,7 @@ func (b *flockerVolumeMounter) GetPath() string {
 }
 // SetUp bind mounts the disk global mount to the volume path.
-func (b *flockerVolumeMounter) SetUp(fsGroup *int64) error {
+func (b *flockerVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
@ -274,7 +274,7 @@ control service:
   need to update the Primary UUID for this volume.
 5. Wait until the Primary UUID was updated or timeout.
 */
-func (b *flockerVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *flockerVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	var err error
 	if b.flockerClient == nil {
 		b.flockerClient, err = b.newFlockerClient()
--- a/pkg/volume/gce_pd/gce_pd.go
+++ b/pkg/volume/gce_pd/gce_pd.go
@ -256,12 +256,12 @@ func (b *gcePersistentDiskMounter) CanMount() error {
 }
 // SetUp bind mounts the disk global mount to the volume path.
-func (b *gcePersistentDiskMounter) SetUp(fsGroup *int64) error {
+func (b *gcePersistentDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
 // SetUp bind mounts the disk global mount to the give volume path.
-func (b *gcePersistentDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *gcePersistentDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	// TODO: handle failed mounts here.
 	notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 	glog.V(4).Infof("GCE PersistentDisk set up: Dir (%s) PD name (%q) Mounted (%t) Error (%v), ReadOnly (%t)", dir, b.pdName, !notMnt, err, b.readOnly)
--- a/pkg/volume/git_repo/git_repo.go
+++ b/pkg/volume/git_repo/git_repo.go
@ -171,12 +171,12 @@ func (b *gitRepoVolumeMounter) CanMount() error {
 }
 // SetUp creates new directory and clones a git repo.
-func (b *gitRepoVolumeMounter) SetUp(fsGroup *int64) error {
+func (b *gitRepoVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
 // SetUpAt creates new directory and clones a git repo.
-func (b *gitRepoVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *gitRepoVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	if volumeutil.IsReady(b.getMetaDir()) {
 		return nil
 	}
--- a/pkg/volume/glusterfs/glusterfs.go
+++ b/pkg/volume/glusterfs/glusterfs.go
@ -251,11 +251,11 @@ func (b *glusterfsMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *glusterfsMounter) SetUp(fsGroup *int64) error {
+func (b *glusterfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *glusterfsMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *glusterfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 	glog.V(4).Infof("glusterfs: mount set up: %s %v %v", dir, !notMnt, err)
 	if err != nil && !os.IsNotExist(err) {
--- a/pkg/volume/host_path/host_path.go
+++ b/pkg/volume/host_path/host_path.go
@ -203,12 +203,12 @@ func (b *hostPathMounter) CanMount() error {
 }
 // SetUp does nothing.
-func (b *hostPathMounter) SetUp(fsGroup *int64) error {
+func (b *hostPathMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return nil
 }
 // SetUpAt does not make sense for host paths - probably programmer error.
-func (b *hostPathMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *hostPathMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	return fmt.Errorf("SetUpAt() does not make sense for host paths")
 }
--- a/pkg/volume/iscsi/disk_manager.go
+++ b/pkg/volume/iscsi/disk_manager.go
@ -20,6 +20,7 @@ import (
 	"os"
 	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/util/mount"
 	"k8s.io/kubernetes/pkg/volume"
 )
@ -34,7 +35,7 @@ type diskManager interface {
 }
 // utility to mount a disk based filesystem
-func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
+func diskSetUp(manager diskManager, b iscsiDiskMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
 	globalPDPath := manager.MakeGlobalPDName(*b.iscsiDisk)
 	// TODO: handle failed mounts here.
 	notMnt, err := mounter.IsLikelyNotMountPoint(volPath)
--- a/pkg/volume/iscsi/iscsi.go
+++ b/pkg/volume/iscsi/iscsi.go
@ -236,11 +236,11 @@ func (b *iscsiDiskMounter) CanMount() error {
 	return nil
 }
-func (b *iscsiDiskMounter) SetUp(fsGroup *int64) error {
+func (b *iscsiDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *iscsiDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *iscsiDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	// diskSetUp checks mountpoints and prevent repeated calls
 	err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
 	if err != nil {
--- a/pkg/volume/nfs/nfs.go
+++ b/pkg/volume/nfs/nfs.go
@ -233,11 +233,11 @@ func (b *nfsMounter) GetAttributes() volume.Attributes {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *nfsMounter) SetUp(fsGroup *int64) error {
+func (b *nfsMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *nfsMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *nfsMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 	glog.V(4).Infof("NFS mount set up: %s %v %v", dir, !notMnt, err)
 	if err != nil && !os.IsNotExist(err) {
--- a/pkg/volume/photon_pd/photon_pd.go
+++ b/pkg/volume/photon_pd/photon_pd.go
@ -194,12 +194,12 @@ func (b *photonPersistentDiskMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *photonPersistentDiskMounter) SetUp(fsGroup *int64) error {
+func (b *photonPersistentDiskMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *photonPersistentDiskMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *photonPersistentDiskMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	glog.V(4).Infof("Photon Persistent Disk setup %s to %s", b.pdID, dir)
 	// TODO: handle failed mounts here.
--- a/pkg/volume/portworx/portworx.go
+++ b/pkg/volume/portworx/portworx.go
@ -255,12 +255,12 @@ func (b *portworxVolumeMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *portworxVolumeMounter) SetUp(fsGroup *int64) error {
+func (b *portworxVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
 // SetUpAt attaches the disk and bind mounts to the volume path.
-func (b *portworxVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *portworxVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	notMnt, err := b.mounter.IsLikelyNotMountPoint(dir)
 	glog.V(4).Infof("Portworx Volume set up: %s %v %v", dir, !notMnt, err)
 	if err != nil && !os.IsNotExist(err) {
--- a/pkg/volume/projected/projected.go
+++ b/pkg/volume/projected/projected.go
@ -175,11 +175,11 @@ func (s *projectedVolumeMounter) CanMount() error {
 	return nil
 }
-func (s *projectedVolumeMounter) SetUp(fsGroup *int64) error {
+func (s *projectedVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return s.SetUpAt(s.GetPath(), fsGroup)
 }
-func (s *projectedVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (s *projectedVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	glog.V(3).Infof("Setting up volume %v for pod %v at %v", s.volName, s.pod.UID, dir)
 	wrapped, err := s.plugin.host.NewWrapperMounter(s.volName, wrappedVolumeSpec(), s.pod, *s.opts)
--- a/pkg/volume/quobyte/quobyte.go
+++ b/pkg/volume/quobyte/quobyte.go
@ -237,12 +237,12 @@ func (mounter *quobyteMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (mounter *quobyteMounter) SetUp(fsGroup *int64) error {
+func (mounter *quobyteMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	pluginDir := mounter.plugin.host.GetPluginDir(strings.EscapeQualifiedNameForDisk(quobytePluginName))
 	return mounter.SetUpAt(pluginDir, fsGroup)
 }
-func (mounter *quobyteMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (mounter *quobyteMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	// Check if Quobyte is already mounted on the host in the Plugin Dir
 	// if so we can use this mountpoint instead of creating a new one
 	// IsLikelyNotMountPoint wouldn't check the mount type
--- a/pkg/volume/rbd/disk_manager.go
+++ b/pkg/volume/rbd/disk_manager.go
@ -26,6 +26,7 @@ import (
 	"os"
 	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/util/mount"
 	"k8s.io/kubernetes/pkg/volume"
@ -45,7 +46,7 @@ type diskManager interface {
 }
 // utility to mount a disk based filesystem
-func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount.Interface, fsGroup *int64) error {
+func diskSetUp(manager diskManager, b rbdMounter, volPath string, mounter mount.Interface, fsGroup *types.UnixGroupID) error {
 	globalPDPath := manager.MakeGlobalPDName(*b.rbd)
 	// TODO: handle failed mounts here.
 	notMnt, err := mounter.IsLikelyNotMountPoint(volPath)
--- a/pkg/volume/rbd/rbd.go
+++ b/pkg/volume/rbd/rbd.go
@ -396,11 +396,11 @@ func (b *rbdMounter) CanMount() error {
 	return nil
 }
-func (b *rbdMounter) SetUp(fsGroup *int64) error {
+func (b *rbdMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *rbdMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *rbdMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	// diskSetUp checks mountpoints and prevent repeated calls
 	glog.V(4).Infof("rbd: attempting to SetUp and mount %s", dir)
 	err := diskSetUp(b.manager, *b, dir, b.mounter, fsGroup)
--- a/pkg/volume/scaleio/sio_volume.go
+++ b/pkg/volume/scaleio/sio_volume.go
@ -78,12 +78,12 @@ func (v *sioVolume) CanMount() error {
 	return nil
 }
-func (v *sioVolume) SetUp(fsGroup *int64) error {
+func (v *sioVolume) SetUp(fsGroup *types.UnixGroupID) error {
 	return v.SetUpAt(v.GetPath(), fsGroup)
 }
 // SetUp bind mounts the disk global mount to the volume path.
-func (v *sioVolume) SetUpAt(dir string, fsGroup *int64) error {
+func (v *sioVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	v.plugin.volumeMtx.LockKey(v.volSpecName)
 	defer v.plugin.volumeMtx.UnlockKey(v.volSpecName)
--- a/pkg/volume/secret/secret.go
+++ b/pkg/volume/secret/secret.go
@ -178,11 +178,11 @@ func (b *secretVolumeMounter) CanMount() error {
 	return nil
 }
-func (b *secretVolumeMounter) SetUp(fsGroup *int64) error {
+func (b *secretVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
-func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *secretVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	glog.V(3).Infof("Setting up volume %v for pod %v at %v", b.volName, b.pod.UID, dir)
 	// Wrap EmptyDir, let it do the setup.
--- a/pkg/volume/testing/testing.go
+++ b/pkg/volume/testing/testing.go
@ -339,7 +339,7 @@ func (fv *FakeVolume) CanMount() error {
 	return nil
 }
-func (fv *FakeVolume) SetUp(fsGroup *int64) error {
+func (fv *FakeVolume) SetUp(fsGroup *types.UnixGroupID) error {
 	fv.Lock()
 	defer fv.Unlock()
 	fv.SetUpCallCount++
@ -352,7 +352,7 @@ func (fv *FakeVolume) GetSetUpCallCount() int {
 	return fv.SetUpCallCount
 }
-func (fv *FakeVolume) SetUpAt(dir string, fsGroup *int64) error {
+func (fv *FakeVolume) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	return os.MkdirAll(dir, 0750)
 }
--- a/pkg/volume/util/operationexecutor/operation_generator.go
+++ b/pkg/volume/util/operationexecutor/operation_generator.go
@ -440,7 +440,7 @@ func (og *operationGenerator) GenerateMountVolumeFunc(
 		volumeAttacher, _ = attachableVolumePlugin.NewAttacher()
 	}
-	var fsGroup *int64
+	var fsGroup *types.UnixGroupID
 	if volumeToMount.Pod.Spec.SecurityContext != nil &&
 		volumeToMount.Pod.Spec.SecurityContext.FSGroup != nil {
 		fsGroup = volumeToMount.Pod.Spec.SecurityContext.FSGroup
--- a/pkg/volume/volume.go
+++ b/pkg/volume/volume.go
@ -109,14 +109,14 @@ type Mounter interface {
 	// content should be owned by 'fsGroup' so that it can be
 	// accessed by the pod. This may be called more than once, so
 	// implementations must be idempotent.
-	SetUp(fsGroup *int64) error
+	SetUp(fsGroup *types.UnixGroupID) error
 	// SetUpAt prepares and mounts/unpacks the volume to the
 	// specified directory path, which may or may not exist yet.
 	// The mount point and its content should be owned by
 	// 'fsGroup' so that it can be accessed by the pod. This may
 	// be called more than once, so implementations must be
 	// idempotent.
-	SetUpAt(dir string, fsGroup *int64) error
+	SetUpAt(dir string, fsGroup *types.UnixGroupID) error
 	// GetAttributes returns the attributes of the mounter.
 	GetAttributes() Attributes
 }
--- a/pkg/volume/volume_linux.go
+++ b/pkg/volume/volume_linux.go
@ -24,6 +24,8 @@ import (
 	"os"
 	"k8s.io/apimachinery/pkg/types"
 	"github.com/golang/glog"
 )
@ -35,7 +37,7 @@ const (
 // SetVolumeOwnership modifies the given volume to be owned by
 // fsGroup, and sets SetGid so that newly created files are owned by
 // fsGroup. If fsGroup is nil nothing is done.
-func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error {
+func SetVolumeOwnership(mounter Mounter, fsGroup *types.UnixGroupID) error {
 	if fsGroup == nil {
 		return nil
--- a/pkg/volume/volume_unsupported.go
+++ b/pkg/volume/volume_unsupported.go
@ -18,6 +18,8 @@ limitations under the License.
 package volume
-func SetVolumeOwnership(mounter Mounter, fsGroup *int64) error {
+import "k8s.io/apimachinery/pkg/types"
 func SetVolumeOwnership(mounter Mounter, fsGroup *types.UnixGroupID) error {
 	return nil
 }
--- a/pkg/volume/vsphere_volume/vsphere_volume.go
+++ b/pkg/volume/vsphere_volume/vsphere_volume.go
@ -193,7 +193,7 @@ func (b *vsphereVolumeMounter) GetAttributes() volume.Attributes {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *vsphereVolumeMounter) SetUp(fsGroup *int64) error {
+func (b *vsphereVolumeMounter) SetUp(fsGroup *types.UnixGroupID) error {
 	return b.SetUpAt(b.GetPath(), fsGroup)
 }
@ -205,7 +205,7 @@ func (b *vsphereVolumeMounter) CanMount() error {
 }
 // SetUp attaches the disk and bind mounts to the volume path.
-func (b *vsphereVolumeMounter) SetUpAt(dir string, fsGroup *int64) error {
+func (b *vsphereVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) error {
 	glog.V(5).Infof("vSphere volume setup %s to %s", b.volPath, dir)
 	// TODO: handle failed mounts here.
--- a/plugin/pkg/admission/security/podsecuritypolicy/BUILD
+++ b/plugin/pkg/admission/security/podsecuritypolicy/BUILD
@ -50,6 +50,7 @@ go_test(
        "//pkg/security/podsecuritypolicy/util:go_default_library",
        "//vendor/github.com/stretchr/testify/assert:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
@ -25,6 +25,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apimachinery/pkg/util/sets"
 	kadmission "k8s.io/apiserver/pkg/admission"
@ -834,7 +835,8 @@ func TestAdmitRunAsUser(t *testing.T) {
 		// doesn't matter if we set it here or on the container, the
 		// admission controller uses DetermineEffectiveSC to get the defaulting
 		// behavior so it can validate what will be applied at runtime
-		pod.Spec.SecurityContext.RunAsUser = &user
+		userID := types.UnixUserID(user)
 		pod.Spec.SecurityContext.RunAsUser = &userID
 		return pod
 	}
@ -853,7 +855,7 @@ func TestAdmitRunAsUser(t *testing.T) {
 		pod               *kapi.Pod
 		psps              []*extensions.PodSecurityPolicy
 		shouldPass        bool
-		expectedRunAsUser *int
+		expectedRunAsUser *types.UnixUserID
 		expectedPSP       string
 	}{
 		"runAsAny no pod request": {
@ -867,7 +869,7 @@ func TestAdmitRunAsUser(t *testing.T) {
 			pod:               createPodWithRunAsUser(1),
 			psps:              []*extensions.PodSecurityPolicy{runAsAny},
 			shouldPass:        true,
-			expectedRunAsUser: intPtr(1),
+			expectedRunAsUser: userIDPtr(1),
 			expectedPSP:       runAsAny.Name,
 		},
 		"mustRunAs pod request out of range": {
@ -879,14 +881,14 @@ func TestAdmitRunAsUser(t *testing.T) {
 			pod:               createPodWithRunAsUser(999),
 			psps:              []*extensions.PodSecurityPolicy{mustRunAs},
 			shouldPass:        true,
-			expectedRunAsUser: intPtr(int(mustRunAs.Spec.RunAsUser.Ranges[0].Min)),
+			expectedRunAsUser: &mustRunAs.Spec.RunAsUser.Ranges[0].Min,
 			expectedPSP:       mustRunAs.Name,
 		},
 		"mustRunAs no pod request": {
 			pod:               goodPod(),
 			psps:              []*extensions.PodSecurityPolicy{mustRunAs},
 			shouldPass:        true,
-			expectedRunAsUser: intPtr(int(mustRunAs.Spec.RunAsUser.Ranges[0].Min)),
+			expectedRunAsUser: &mustRunAs.Spec.RunAsUser.Ranges[0].Min,
 			expectedPSP:       mustRunAs.Name,
 		},
 		"runAsNonRoot no pod request": {
@ -905,7 +907,7 @@ func TestAdmitRunAsUser(t *testing.T) {
 			pod:               createPodWithRunAsUser(1),
 			psps:              []*extensions.PodSecurityPolicy{runAsNonRoot},
 			shouldPass:        true,
-			expectedRunAsUser: intPtr(1),
+			expectedRunAsUser: userIDPtr(1),
 			expectedPSP:       runAsNonRoot.Name,
 		},
 	}
@ -926,7 +928,7 @@ func TestAdmitRunAsUser(t *testing.T) {
 				t.Errorf("%s expected RunAsUser to be nil but found: %v", k, *v.pod.Spec.Containers[0].SecurityContext.RunAsUser)
 				continue
 			}
-			if int64(*v.expectedRunAsUser) != *v.pod.Spec.Containers[0].SecurityContext.RunAsUser {
+			if *v.expectedRunAsUser != *v.pod.Spec.Containers[0].SecurityContext.RunAsUser {
 				t.Errorf("%s expected RunAsUser to be: %v but found %v", k, *v.expectedRunAsUser, *v.pod.Spec.Containers[0].SecurityContext.RunAsUser)
 			}
 		}
@ -939,7 +941,8 @@ func TestAdmitSupplementalGroups(t *testing.T) {
 		// doesn't matter if we set it here or on the container, the
 		// admission controller uses DetermineEffectiveSC to get the defaulting
 		// behavior so it can validate what will be applied at runtime
-		pod.Spec.SecurityContext.SupplementalGroups = []int64{group}
+		groupID := types.UnixGroupID(group)
 		pod.Spec.SecurityContext.SupplementalGroups = []types.UnixGroupID{groupID}
 		return pod
 	}
@ -954,28 +957,28 @@ func TestAdmitSupplementalGroups(t *testing.T) {
 		pod               *kapi.Pod
 		psps              []*extensions.PodSecurityPolicy
 		shouldPass        bool
-		expectedSupGroups []int64
+		expectedSupGroups []types.UnixGroupID
 		expectedPSP       string
 	}{
 		"runAsAny no pod request": {
 			pod:               goodPod(),
 			psps:              []*extensions.PodSecurityPolicy{runAsAny},
 			shouldPass:        true,
-			expectedSupGroups: []int64{},
+			expectedSupGroups: []types.UnixGroupID{},
 			expectedPSP:       runAsAny.Name,
 		},
 		"runAsAny pod request": {
 			pod:               createPodWithSupGroup(1),
 			psps:              []*extensions.PodSecurityPolicy{runAsAny},
 			shouldPass:        true,
-			expectedSupGroups: []int64{1},
+			expectedSupGroups: []types.UnixGroupID{1},
 			expectedPSP:       runAsAny.Name,
 		},
 		"mustRunAs no pod request": {
 			pod:               goodPod(),
 			psps:              []*extensions.PodSecurityPolicy{mustRunAs},
 			shouldPass:        true,
-			expectedSupGroups: []int64{mustRunAs.Spec.SupplementalGroups.Ranges[0].Min},
+			expectedSupGroups: []types.UnixGroupID{mustRunAs.Spec.SupplementalGroups.Ranges[0].Min},
 			expectedPSP:       mustRunAs.Name,
 		},
 		"mustRunAs bad pod request": {
@ -987,7 +990,7 @@ func TestAdmitSupplementalGroups(t *testing.T) {
 			pod:               createPodWithSupGroup(999),
 			psps:              []*extensions.PodSecurityPolicy{mustRunAs},
 			shouldPass:        true,
-			expectedSupGroups: []int64{999},
+			expectedSupGroups: []types.UnixGroupID{999},
 			expectedPSP:       mustRunAs.Name,
 		},
 	}
@ -1012,12 +1015,12 @@ func TestAdmitSupplementalGroups(t *testing.T) {
 }
 func TestAdmitFSGroup(t *testing.T) {
-	createPodWithFSGroup := func(group int64) *kapi.Pod {
+	createPodWithFSGroup := func(group int) *kapi.Pod {
 		pod := goodPod()
 		// doesn't matter if we set it here or on the container, the
 		// admission controller uses DetermineEffectiveSC to get the defaulting
 		// behavior so it can validate what will be applied at runtime
-		pod.Spec.SecurityContext.FSGroup = &group
+		pod.Spec.SecurityContext.FSGroup = groupIDPtr(group)
 		return pod
 	}
@ -1032,7 +1035,7 @@ func TestAdmitFSGroup(t *testing.T) {
 		pod             *kapi.Pod
 		psps            []*extensions.PodSecurityPolicy
 		shouldPass      bool
-		expectedFSGroup *int64
+		expectedFSGroup *types.UnixGroupID
 		expectedPSP     string
 	}{
 		"runAsAny no pod request": {
@ -1046,7 +1049,7 @@ func TestAdmitFSGroup(t *testing.T) {
 			pod:             createPodWithFSGroup(1),
 			psps:            []*extensions.PodSecurityPolicy{runAsAny},
 			shouldPass:      true,
-			expectedFSGroup: int64Ptr(1),
+			expectedFSGroup: groupIDPtr(1),
 			expectedPSP:     runAsAny.Name,
 		},
 		"mustRunAs no pod request": {
@ -1065,7 +1068,7 @@ func TestAdmitFSGroup(t *testing.T) {
 			pod:             createPodWithFSGroup(999),
 			psps:            []*extensions.PodSecurityPolicy{mustRunAs},
 			shouldPass:      true,
-			expectedFSGroup: int64Ptr(999),
+			expectedFSGroup: groupIDPtr(999),
 			expectedPSP:     mustRunAs.Name,
 		},
 	}
@ -1707,8 +1710,8 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
 		Spec: extensions.PodSecurityPolicySpec{
 			RunAsUser: extensions.RunAsUserStrategyOptions{
 				Rule: extensions.RunAsUserStrategyMustRunAs,
-				Ranges: []extensions.IDRange{
+				Ranges: []extensions.UserIDRange{
-					{Min: 999, Max: 999},
+					{Min: types.UnixUserID(999), Max: types.UnixUserID(999)},
 				},
 			},
 			SELinux: extensions.SELinuxStrategyOptions{
@ -1719,14 +1722,14 @@ func restrictivePSP() *extensions.PodSecurityPolicy {
 			},
 			FSGroup: extensions.FSGroupStrategyOptions{
 				Rule: extensions.FSGroupStrategyMustRunAs,
-				Ranges: []extensions.IDRange{
+				Ranges: []extensions.GroupIDRange{
-					{Min: 999, Max: 999},
+					{Min: types.UnixGroupID(999), Max: types.UnixGroupID(999)},
 				},
 			},
 			SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
 				Rule: extensions.SupplementalGroupsStrategyMustRunAs,
-				Ranges: []extensions.IDRange{
+				Ranges: []extensions.GroupIDRange{
-					{Min: 999, Max: 999},
+					{Min: types.UnixGroupID(999), Max: types.UnixGroupID(999)},
 				},
 			},
 		},
@ -1771,11 +1774,12 @@ func goodPod() *kapi.Pod {
 	}
 }
-func intPtr(i int) *int {
+func userIDPtr(i int) *types.UnixUserID {
-	return &i
+	userID := types.UnixUserID(i)
 	return &userID
 }
-func int64Ptr(i int) *int64 {
+func groupIDPtr(i int) *types.UnixGroupID {
-	i64 := int64(i)
+	groupID := types.UnixGroupID(i)
-	return &i64
+	return &groupID
 }
--- a/plugin/pkg/admission/securitycontext/scdeny/BUILD
+++ b/plugin/pkg/admission/securitycontext/scdeny/BUILD
@ -27,6 +27,7 @@ go_test(
    tags = ["automanaged"],
    deps = [
        "//pkg/api:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
    ],
 )
--- a/plugin/pkg/admission/securitycontext/scdeny/admission_test.go
+++ b/plugin/pkg/admission/securitycontext/scdeny/admission_test.go
@ -19,6 +19,7 @@ package scdeny
 import (
 	"testing"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/kubernetes/pkg/api"
 )
@ -27,7 +28,7 @@ import (
 func TestAdmission(t *testing.T) {
 	handler := NewSecurityContextDeny()
-	var runAsUser int64 = 1
+	runAsUser := types.UnixUserID(1)
 	priv := true
 	cases := []struct {
@ -115,7 +116,7 @@ func TestPodSecurityContextAdmission(t *testing.T) {
 		},
 	}
-	fsGroup := int64(1001)
+	fsGroup := types.UnixGroupID(1001)
 	tests := []struct {
 		securityContext api.PodSecurityContext
@ -127,7 +128,7 @@ func TestPodSecurityContextAdmission(t *testing.T) {
 		},
 		{
 			securityContext: api.PodSecurityContext{
-				SupplementalGroups: []int64{1234},
+				SupplementalGroups: []types.UnixGroupID{types.UnixGroupID(1234)},
 			},
 			errorExpected: true,
 		},
--- a/staging/src/k8s.io/apimachinery/pkg/util/validation/BUILD
+++ b/staging/src/k8s.io/apimachinery/pkg/util/validation/BUILD
@ -13,10 +13,12 @@ go_test(
    srcs = ["validation_test.go"],
    library = ":go_default_library",
    tags = ["automanaged"],
    deps = ["//vendor/k8s.io/apimachinery/pkg/types:go_default_library"],
 )
 go_library(
    name = "go_default_library",
    srcs = ["validation.go"],
    tags = ["automanaged"],
    deps = ["//vendor/k8s.io/apimachinery/pkg/types:go_default_library"],
 )
--- a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go
@ -22,6 +22,8 @@ import (
 	"net"
 	"regexp"
 	"strings"
 	"k8s.io/apimachinery/pkg/types"
 )
 const qnameCharFmt string = "[A-Za-z0-9]"
@ -197,16 +199,16 @@ const (
 	maxGroupID = math.MaxInt32
 )
-// IsValidGroupId tests that the argument is a valid Unix GID.
+// IsValidGroupID tests that the argument is a valid Unix GID.
-func IsValidGroupId(gid int64) []string {
+func IsValidGroupID(gid types.UnixGroupID) []string {
 	if minGroupID <= gid && gid <= maxGroupID {
 		return nil
 	}
 	return []string{InclusiveRangeError(minGroupID, maxGroupID)}
 }
-// IsValidUserId tests that the argument is a valid Unix UID.
+// IsValidUserID tests that the argument is a valid Unix UID.
-func IsValidUserId(uid int64) []string {
+func IsValidUserID(uid types.UnixUserID) []string {
 	if minUserID <= uid && uid <= maxUserID {
 		return nil
 	}
--- a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go
@ -19,6 +19,8 @@ package validation
 import (
 	"strings"
 	"testing"
 	"k8s.io/apimachinery/pkg/types"
 )
 func TestIsDNS1123Label(t *testing.T) {
@ -154,33 +156,49 @@ func TestIsValidPortNum(t *testing.T) {
 	}
 }
-func TestIsValidGroupId(t *testing.T) {
+func createGroupIDs(ids ...int64) []types.UnixGroupID {
-	goodValues := []int64{0, 1, 1000, 65535, 2147483647}
+	var output []types.UnixGroupID
 	for _, id := range ids {
 		output = append(output, types.UnixGroupID(id))
 	}
 	return output
 }
 func createUserIDs(ids ...int64) []types.UnixUserID {
 	var output []types.UnixUserID
 	for _, id := range ids {
 		output = append(output, types.UnixUserID(id))
 	}
 	return output
 }
 func TestIsValidGroupID(t *testing.T) {
 	goodValues := createGroupIDs(0, 1, 1000, 65535, 2147483647)
 	for _, val := range goodValues {
-		if msgs := IsValidGroupId(val); len(msgs) != 0 {
+		if msgs := IsValidGroupID(val); len(msgs) != 0 {
 			t.Errorf("expected true for '%d': %v", val, msgs)
 		}
 	}
-	badValues := []int64{-1, -1003, 2147483648, 4147483647}
+	badValues := createGroupIDs(-1, -1003, 2147483648, 4147483647)
 	for _, val := range badValues {
-		if msgs := IsValidGroupId(val); len(msgs) == 0 {
+		if msgs := IsValidGroupID(val); len(msgs) == 0 {
 			t.Errorf("expected false for '%d'", val)
 		}
 	}
 }
-func TestIsValidUserId(t *testing.T) {
+func TestIsValidUserID(t *testing.T) {
-	goodValues := []int64{0, 1, 1000, 65535, 2147483647}
+	goodValues := createUserIDs(0, 1, 1000, 65535, 2147483647)
 	for _, val := range goodValues {
-		if msgs := IsValidUserId(val); len(msgs) != 0 {
+		if msgs := IsValidUserID(val); len(msgs) != 0 {
 			t.Errorf("expected true for '%d': %v", val, msgs)
 		}
 	}
-	badValues := []int64{-1, -1003, 2147483648, 4147483647}
+	badValues := createUserIDs(-1, -1003, 2147483648, 4147483647)
 	for _, val := range badValues {
-		if msgs := IsValidUserId(val); len(msgs) == 0 {
+		if msgs := IsValidUserID(val); len(msgs) == 0 {
 			t.Errorf("expected false for '%d'", val)
 		}
 	}
--- a/staging/src/k8s.io/client-go/pkg/api/types.go
+++ b/staging/src/k8s.io/client-go/pkg/api/types.go
@ -2153,7 +2153,7 @@ type PodSecurityContext struct {
 	// PodSecurityContext, the value specified in SecurityContext takes precedence
 	// for that container.
 	// +optional
-	RunAsUser *int64
+	RunAsUser *types.UnixUserID
 	// Indicates that the container must run as a non-root user.
 	// If true, the Kubelet will validate the image at runtime to ensure that it
 	// does not run as UID 0 (root) and fail to start the container if it does.
@ -2166,7 +2166,7 @@ type PodSecurityContext struct {
 	// to the container's primary GID.  If unspecified, no groups will be added to
 	// any container.
 	// +optional
-	SupplementalGroups []int64
+	SupplementalGroups []types.UnixGroupID
 	// A special supplemental group that applies to all containers in a pod.
 	// Some volume types allow the Kubelet to change the ownership of that volume
 	// to be owned by the pod:
@ -2177,7 +2177,7 @@ type PodSecurityContext struct {
 	//
 	// If unset, the Kubelet will not modify the ownership and permissions of any volume.
 	// +optional
-	FSGroup *int64
+	FSGroup *types.UnixGroupID
 }
 // PodQOSClass defines the supported qos classes of Pods.
@ -3780,7 +3780,7 @@ type SecurityContext struct {
 	// May also be set in PodSecurityContext.  If set in both SecurityContext and
 	// PodSecurityContext, the value specified in SecurityContext takes precedence.
 	// +optional
-	RunAsUser *int64
+	RunAsUser *types.UnixUserID
 	// Indicates that the container must run as a non-root user.
 	// If true, the Kubelet will validate the image at runtime to ensure that it
 	// does not run as UID 0 (root) and fail to start the container if it does.
--- a/Show More
+++ b/Show More