diff --git a/api/v1alpha1/port_types.go b/api/v1alpha1/port_types.go
index 884411a07..2592082fe 100644
--- a/api/v1alpha1/port_types.go
+++ b/api/v1alpha1/port_types.go
@@ -162,12 +162,12 @@ type PortResourceSpec struct {
 	// +optional
 	AdminStateUp *bool `json:"adminStateUp,omitempty"`
 
-	// securityGroupRefs are the names of the security groups associated
+	// securityGroupRefs are references to the security groups associated
 	// with this port.
 	// +kubebuilder:validation:MaxItems:=64
 	// +listType=set
 	// +optional
-	SecurityGroupRefs []OpenStackName `json:"securityGroupRefs,omitempty"` //nolint:kubeapilinter // https://github.com/k-orc/openstack-resource-controller/issues/438
+	SecurityGroupRefs []KubernetesNameRef `json:"securityGroupRefs,omitempty"`
 
 	// vnicType specifies the type of vNIC which this port should be
 	// attached to. This is used to determine which mechanism driver(s) to
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index ec4a2eb46..fdc2aa079 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -3321,7 +3321,7 @@ func (in *PortResourceSpec) DeepCopyInto(out *PortResourceSpec) {
 	}
 	if in.SecurityGroupRefs != nil {
 		in, out := &in.SecurityGroupRefs, &out.SecurityGroupRefs
-		*out = make([]OpenStackName, len(*in))
+		*out = make([]KubernetesNameRef, len(*in))
 		copy(*out, *in)
 	}
 	if in.ProjectRef != nil {
diff --git a/cmd/models-schema/zz_generated.openapi.go b/cmd/models-schema/zz_generated.openapi.go
index 2e346c070..3ca9cbb8d 100644
--- a/cmd/models-schema/zz_generated.openapi.go
+++ b/cmd/models-schema/zz_generated.openapi.go
@@ -6223,7 +6223,7 @@ func schema_openstack_resource_controller_v2_api_v1alpha1_PortResourceSpec(ref c
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "securityGroupRefs are the names of the security groups associated with this port.",
+							Description: "securityGroupRefs are references to the security groups associated with this port.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
diff --git a/config/crd/bases/openstack.k-orc.cloud_ports.yaml b/config/crd/bases/openstack.k-orc.cloud_ports.yaml
index e409abdaa..9018183f8 100644
--- a/config/crd/bases/openstack.k-orc.cloud_ports.yaml
+++ b/config/crd/bases/openstack.k-orc.cloud_ports.yaml
@@ -379,12 +379,11 @@ spec:
                       rule: self == oldSelf
                   securityGroupRefs:
                     description: |-
-                      securityGroupRefs are the names of the security groups associated
+                      securityGroupRefs are references to the security groups associated
                       with this port.
                     items:
-                      maxLength: 255
+                      maxLength: 253
                       minLength: 1
-                      pattern: ^[^,]+$
                       type: string
                     maxItems: 64
                     type: array
diff --git a/internal/controllers/port/actuator_test.go b/internal/controllers/port/actuator_test.go
index 81a2a7cc6..1da3d948e 100644
--- a/internal/controllers/port/actuator_test.go
+++ b/internal/controllers/port/actuator_test.go
@@ -234,8 +234,8 @@ func makeSecGroupWithID(id string) *orcv1alpha1.SecurityGroup {
 }
 
 func TestHandleSecurityGroupRefsUpdate(t *testing.T) {
-	sgWebName := orcv1alpha1.OpenStackName("sg-web")
-	sgDbName := orcv1alpha1.OpenStackName("sg-db")
+	sgWebName := orcv1alpha1.KubernetesNameRef("sg-web")
+	sgDbName := orcv1alpha1.KubernetesNameRef("sg-db")
 
 	idWeb := "d564a44b-346c-4f71-92b1-5899b8979374"
 	idDb := "1d23d83b-2a78-4c12-9e55-0a6e026dd201"
@@ -243,14 +243,14 @@ func TestHandleSecurityGroupRefsUpdate(t *testing.T) {
 
 	testCases := []struct {
 		name          string
-		newValue      []orcv1alpha1.OpenStackName
+		newValue      []orcv1alpha1.KubernetesNameRef
 		existingValue []string
 		secGroupMap   map[string]*orcv1alpha1.SecurityGroup
 		expectChange  bool
 	}{
 		{
 			name:          "Identical",
-			newValue:      []orcv1alpha1.OpenStackName{sgWebName, sgDbName},
+			newValue:      []orcv1alpha1.KubernetesNameRef{sgWebName, sgDbName},
 			existingValue: []string{idWeb, idDb},
 			secGroupMap: map[string]*orcv1alpha1.SecurityGroup{
 				string(sgWebName): makeSecGroupWithID(idWeb),
@@ -260,7 +260,7 @@ func TestHandleSecurityGroupRefsUpdate(t *testing.T) {
 		},
 		{
 			name:          "Identical but different order",
-			newValue:      []orcv1alpha1.OpenStackName{sgDbName, sgWebName},
+			newValue:      []orcv1alpha1.KubernetesNameRef{sgDbName, sgWebName},
 			existingValue: []string{idWeb, idDb},
 			secGroupMap: map[string]*orcv1alpha1.SecurityGroup{
 				string(sgWebName): makeSecGroupWithID(idWeb),
@@ -270,7 +270,7 @@ func TestHandleSecurityGroupRefsUpdate(t *testing.T) {
 		},
 		{
 			name:          "Add a security group",
-			newValue:      []orcv1alpha1.OpenStackName{sgWebName, sgDbName},
+			newValue:      []orcv1alpha1.KubernetesNameRef{sgWebName, sgDbName},
 			existingValue: []string{idWeb},
 			secGroupMap: map[string]*orcv1alpha1.SecurityGroup{
 				string(sgWebName): makeSecGroupWithID(idWeb),
@@ -280,7 +280,7 @@ func TestHandleSecurityGroupRefsUpdate(t *testing.T) {
 		},
 		{
 			name:          "Remove a security group",
-			newValue:      []orcv1alpha1.OpenStackName{sgWebName},
+			newValue:      []orcv1alpha1.KubernetesNameRef{sgWebName},
 			existingValue: []string{idWeb, idDb},
 			secGroupMap: map[string]*orcv1alpha1.SecurityGroup{
 				string(sgWebName): makeSecGroupWithID(idWeb),
@@ -290,7 +290,7 @@ func TestHandleSecurityGroupRefsUpdate(t *testing.T) {
 		},
 		{
 			name:          "Replace a security group",
-			newValue:      []orcv1alpha1.OpenStackName{sgWebName, sgDbName},
+			newValue:      []orcv1alpha1.KubernetesNameRef{sgWebName, sgDbName},
 			existingValue: []string{idWeb, idOther},
 			secGroupMap: map[string]*orcv1alpha1.SecurityGroup{
 				string(sgWebName): makeSecGroupWithID(idWeb),
@@ -300,14 +300,14 @@ func TestHandleSecurityGroupRefsUpdate(t *testing.T) {
 		},
 		{
 			name:          "Remove all security groups",
-			newValue:      []orcv1alpha1.OpenStackName{},
+			newValue:      []orcv1alpha1.KubernetesNameRef{},
 			existingValue: []string{idWeb, idDb},
 			secGroupMap:   map[string]*orcv1alpha1.SecurityGroup{},
 			expectChange:  true,
 		},
 		{
 			name:          "Add to empty list",
-			newValue:      []orcv1alpha1.OpenStackName{sgWebName},
+			newValue:      []orcv1alpha1.KubernetesNameRef{sgWebName},
 			existingValue: []string{},
 			secGroupMap: map[string]*orcv1alpha1.SecurityGroup{
 				string(sgWebName): makeSecGroupWithID(idWeb),
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/portresourcespec.go b/pkg/clients/applyconfiguration/api/v1alpha1/portresourcespec.go
index 491a5c818..b1c4a2955 100644
--- a/pkg/clients/applyconfiguration/api/v1alpha1/portresourcespec.go
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/portresourcespec.go
@@ -32,7 +32,7 @@ type PortResourceSpecApplyConfiguration struct {
 	AllowedAddressPairs []AllowedAddressPairApplyConfiguration `json:"allowedAddressPairs,omitempty"`
 	Addresses           []AddressApplyConfiguration            `json:"addresses,omitempty"`
 	AdminStateUp        *bool                                  `json:"adminStateUp,omitempty"`
-	SecurityGroupRefs   []apiv1alpha1.OpenStackName            `json:"securityGroupRefs,omitempty"`
+	SecurityGroupRefs   []apiv1alpha1.KubernetesNameRef        `json:"securityGroupRefs,omitempty"`
 	VNICType            *string                                `json:"vnicType,omitempty"`
 	PortSecurity        *apiv1alpha1.PortSecurityState         `json:"portSecurity,omitempty"`
 	ProjectRef          *apiv1alpha1.KubernetesNameRef         `json:"projectRef,omitempty"`
@@ -117,7 +117,7 @@ func (b *PortResourceSpecApplyConfiguration) WithAdminStateUp(value bool) *PortR
 // WithSecurityGroupRefs adds the given value to the SecurityGroupRefs field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, values provided by each call will be appended to the SecurityGroupRefs field.
-func (b *PortResourceSpecApplyConfiguration) WithSecurityGroupRefs(values ...apiv1alpha1.OpenStackName) *PortResourceSpecApplyConfiguration {
+func (b *PortResourceSpecApplyConfiguration) WithSecurityGroupRefs(values ...apiv1alpha1.KubernetesNameRef) *PortResourceSpecApplyConfiguration {
 	for i := range values {
 		b.SecurityGroupRefs = append(b.SecurityGroupRefs, values[i])
 	}
diff --git a/test/apivalidations/port_test.go b/test/apivalidations/port_test.go
index 6c963f4dd..4d84531c5 100644
--- a/test/apivalidations/port_test.go
+++ b/test/apivalidations/port_test.go
@@ -107,7 +107,7 @@ var _ = Describe("ORC Port API validations", func() {
 			WithSecurityGroupRefs("sg-foo").
 			WithPortSecurity(orcv1alpha1.PortSecurityEnabled))
 		Expect(applyObj(ctx, port, patch)).To(Succeed())
-		Expect(port.Spec.Resource.SecurityGroupRefs).To(Equal([]orcv1alpha1.OpenStackName{"sg-foo"}))
+		Expect(port.Spec.Resource.SecurityGroupRefs).To(Equal([]orcv1alpha1.KubernetesNameRef{"sg-foo"}))
 		Expect(port.Spec.Resource.PortSecurity).To(Equal(orcv1alpha1.PortSecurityEnabled))
 	})
 
diff --git a/website/docs/crd-reference.md b/website/docs/crd-reference.md
index 3db974f26..caf1705ca 100644
--- a/website/docs/crd-reference.md
+++ b/website/docs/crd-reference.md
@@ -2730,7 +2730,7 @@ _Appears in:_
 | `allowedAddressPairs` _[AllowedAddressPair](#allowedaddresspair) array_ | allowedAddressPairs are allowed addresses associated with this port. |  | MaxItems: 128 <br />Optional: \{\} <br /> |
 | `addresses` _[Address](#address) array_ | addresses are the IP addresses for the port. |  | MaxItems: 128 <br />Optional: \{\} <br /> |
 | `adminStateUp` _boolean_ | adminStateUp is the administrative state of the port,<br />which is up (true) or down (false). The default value is true. | true | Optional: \{\} <br /> |
-| `securityGroupRefs` _[OpenStackName](#openstackname) array_ | securityGroupRefs are the names of the security groups associated<br />with this port. |  | MaxItems: 64 <br />MaxLength: 255 <br />MinLength: 1 <br />Pattern: `^[^,]+$` <br />Optional: \{\} <br /> |
+| `securityGroupRefs` _[KubernetesNameRef](#kubernetesnameref) array_ | securityGroupRefs are references to the security groups associated<br />with this port. |  | MaxItems: 64 <br />MaxLength: 253 <br />MinLength: 1 <br />Optional: \{\} <br /> |
 | `vnicType` _string_ | vnicType specifies the type of vNIC which this port should be<br />attached to. This is used to determine which mechanism driver(s) to<br />be used to bind the port. The valid values are normal, macvtap,<br />direct, baremetal, direct-physical, virtio-forwarder, smart-nic and<br />remote-managed, although these values will not be validated in this<br />API to ensure compatibility with future neutron changes or custom<br />implementations. What type of vNIC is actually available depends on<br />deployments. If not specified, the Neutron default value is used. |  | MaxLength: 64 <br />Optional: \{\} <br /> |
 | `portSecurity` _[PortSecurityState](#portsecuritystate)_ | portSecurity controls port security for this port.<br />When set to Enabled, port security is enabled.<br />When set to Disabled, port security is disabled and SecurityGroupRefs must be empty.<br />When set to Inherit (default), it takes the value from the network level. | Inherit | Enum: [Enabled Disabled Inherit] <br />Optional: \{\} <br /> |
 | `projectRef` _[KubernetesNameRef](#kubernetesnameref)_ | projectRef is a reference to the ORC Project this resource is associated with.<br />Typically, only used by admin. |  | MaxLength: 253 <br />MinLength: 1 <br />Optional: \{\} <br /> |