diff --git a/api/v1alpha1/port_types.go b/api/v1alpha1/port_types.go
index 0a881941c..92ab95f54 100644
--- a/api/v1alpha1/port_types.go
+++ b/api/v1alpha1/port_types.go
@@ -125,12 +125,12 @@ type PortResourceSpec struct {
 	// +optional
 	Addresses []Address `json:"addresses,omitempty"`
 
-	// securityGroupRefs are the names of the security groups associated
+	// securityGroupRefs are references to the security groups associated
 	// with this port.
 	// +kubebuilder:validation:MaxItems:=32
 	// +listType=set
 	// +optional
-	SecurityGroupRefs []OpenStackName `json:"securityGroupRefs,omitempty"`
+	SecurityGroupRefs []KubernetesNameRef `json:"securityGroupRefs,omitempty"`
 
 	// vnicType specifies the type of vNIC which this port should be
 	// attached to. This is used to determine which mechanism driver(s) to
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 343fe9d5d..816fe6ebe 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -1860,7 +1860,7 @@ func (in *PortResourceSpec) DeepCopyInto(out *PortResourceSpec) {
 	}
 	if in.SecurityGroupRefs != nil {
 		in, out := &in.SecurityGroupRefs, &out.SecurityGroupRefs
-		*out = make([]OpenStackName, len(*in))
+		*out = make([]KubernetesNameRef, len(*in))
 		copy(*out, *in)
 	}
 	if in.ProjectRef != nil {
diff --git a/cmd/models-schema/zz_generated.openapi.go b/cmd/models-schema/zz_generated.openapi.go
index 0f2c7790c..72e000177 100644
--- a/cmd/models-schema/zz_generated.openapi.go
+++ b/cmd/models-schema/zz_generated.openapi.go
@@ -3810,7 +3810,7 @@ func schema_openstack_resource_controller_v2_api_v1alpha1_PortResourceSpec(ref c
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "securityGroupRefs are the names of the security groups associated with this port.",
+							Description: "securityGroupRefs are references to the security groups associated with this port.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
diff --git a/config/crd/bases/openstack.k-orc.cloud_ports.yaml b/config/crd/bases/openstack.k-orc.cloud_ports.yaml
index 6f9ade20c..7120022f9 100644
--- a/config/crd/bases/openstack.k-orc.cloud_ports.yaml
+++ b/config/crd/bases/openstack.k-orc.cloud_ports.yaml
@@ -314,12 +314,11 @@ spec:
                     type: string
                   securityGroupRefs:
                     description: |-
-                      securityGroupRefs are the names of the security groups associated
+                      securityGroupRefs are references to the security groups associated
                       with this port.
                     items:
-                      maxLength: 255
+                      maxLength: 253
                       minLength: 1
-                      pattern: ^[^,]+$
                       type: string
                     maxItems: 32
                     type: array
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/portresourcespec.go b/pkg/clients/applyconfiguration/api/v1alpha1/portresourcespec.go
index 3b6153d14..ebd918399 100644
--- a/pkg/clients/applyconfiguration/api/v1alpha1/portresourcespec.go
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/portresourcespec.go
@@ -31,7 +31,7 @@ type PortResourceSpecApplyConfiguration struct {
 	Tags                []apiv1alpha1.NeutronTag               `json:"tags,omitempty"`
 	AllowedAddressPairs []AllowedAddressPairApplyConfiguration `json:"allowedAddressPairs,omitempty"`
 	Addresses           []AddressApplyConfiguration            `json:"addresses,omitempty"`
-	SecurityGroupRefs   []apiv1alpha1.OpenStackName            `json:"securityGroupRefs,omitempty"`
+	SecurityGroupRefs   []apiv1alpha1.KubernetesNameRef        `json:"securityGroupRefs,omitempty"`
 	VNICType            *string                                `json:"vnicType,omitempty"`
 	PortSecurity        *apiv1alpha1.PortSecurityState         `json:"portSecurity,omitempty"`
 	ProjectRef          *apiv1alpha1.KubernetesNameRef         `json:"projectRef,omitempty"`
@@ -106,7 +106,7 @@ func (b *PortResourceSpecApplyConfiguration) WithAddresses(values ...*AddressApp
 // WithSecurityGroupRefs adds the given value to the SecurityGroupRefs field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, values provided by each call will be appended to the SecurityGroupRefs field.
-func (b *PortResourceSpecApplyConfiguration) WithSecurityGroupRefs(values ...apiv1alpha1.OpenStackName) *PortResourceSpecApplyConfiguration {
+func (b *PortResourceSpecApplyConfiguration) WithSecurityGroupRefs(values ...apiv1alpha1.KubernetesNameRef) *PortResourceSpecApplyConfiguration {
 	for i := range values {
 		b.SecurityGroupRefs = append(b.SecurityGroupRefs, values[i])
 	}
diff --git a/test/apivalidations/port_test.go b/test/apivalidations/port_test.go
index 3c36dea83..2e1aeca30 100644
--- a/test/apivalidations/port_test.go
+++ b/test/apivalidations/port_test.go
@@ -70,7 +70,7 @@ var _ = Describe("ORC Port API validations", func() {
 			WithSecurityGroupRefs("sg-foo").
 			WithPortSecurity(orcv1alpha1.PortSecurityEnabled))
 		Expect(applyObj(ctx, port, patch)).To(Succeed())
-		Expect(port.Spec.Resource.SecurityGroupRefs).To(Equal([]orcv1alpha1.OpenStackName{"sg-foo"}))
+		Expect(port.Spec.Resource.SecurityGroupRefs).To(Equal([]orcv1alpha1.KubernetesNameRef{"sg-foo"}))
 		Expect(port.Spec.Resource.PortSecurity).To(Equal(orcv1alpha1.PortSecurityEnabled))
 	})
 
diff --git a/website/docs/crd-reference.md b/website/docs/crd-reference.md
index bdae9b481..2443af685 100644
--- a/website/docs/crd-reference.md
+++ b/website/docs/crd-reference.md
@@ -1828,7 +1828,7 @@ _Appears in:_
 | `tags` _[NeutronTag](#neutrontag) array_ | tags is a list of tags which will be applied to the port. |  | MaxItems: 32 <br />MaxLength: 255 <br />MinLength: 1 <br /> |
 | `allowedAddressPairs` _[AllowedAddressPair](#allowedaddresspair) array_ | allowedAddressPairs are allowed addresses associated with this port. |  | MaxItems: 32 <br /> |
 | `addresses` _[Address](#address) array_ | addresses are the IP addresses for the port. |  | MaxItems: 32 <br /> |
-| `securityGroupRefs` _[OpenStackName](#openstackname) array_ | securityGroupRefs are the names of the security groups associated<br />with this port. |  | MaxItems: 32 <br />MaxLength: 255 <br />MinLength: 1 <br />Pattern: `^[^,]+$` <br /> |
+| `securityGroupRefs` _[KubernetesNameRef](#kubernetesnameref) array_ | securityGroupRefs are references to the security groups associated<br />with this port. |  | MaxItems: 32 <br />MaxLength: 253 <br />MinLength: 1 <br /> |
 | `vnicType` _string_ | vnicType specifies the type of vNIC which this port should be<br />attached to. This is used to determine which mechanism driver(s) to<br />be used to bind the port. The valid values are normal, macvtap,<br />direct, baremetal, direct-physical, virtio-forwarder, smart-nic and<br />remote-managed, although these values will not be validated in this<br />API to ensure compatibility with future neutron changes or custom<br />implementations. What type of vNIC is actually available depends on<br />deployments. If not specified, the Neutron default value is used. |  | MaxLength: 64 <br /> |
 | `portSecurity` _[PortSecurityState](#portsecuritystate)_ | portSecurity controls port security for this port.<br />When set to Enabled, port security is enabled.<br />When set to Disabled, port security is disabled and SecurityGroupRefs must be empty.<br />When set to Inherit (default), it takes the value from the network level. | Inherit | Enum: [Enabled Disabled Inherit] <br /> |
 | `projectRef` _[KubernetesNameRef](#kubernetesnameref)_ | projectRef is a reference to the ORC Project this resource is associated with.<br />Typically, only used by admin. |  | MaxLength: 253 <br />MinLength: 1 <br /> |