}
	}

	for _, test := range invalid {
		if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err == nil {
			t.Errorf("expected to be rejected: %+v", test)
		}
		pod.Spec.HostNetwork = test.hostNet
		pod.Spec.HostIPC = test.hostIPC
		pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
		status := w.Admit(attrs)
		if status.Admit {

//
// The parameters hostNet and hostIPC are used to forbid sysctls for pod sharing the
// respective namespaces with the host. This check is only possible for sysctls on
// the static default allowlist, not those on the custom allowlist provided by the admin.
func (w *patternAllowlist) validateSysctl(sysctl string, hostNet, hostIPC bool) error {
	sysctl = utilsysctl.NormalizeName(sysctl)

	// Use the host's ipc namespace.
	// Optional: Default to false.
	// +k8s:conversion-gen=false
	// +optional
	HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,13,opt,name=hostIPC"`
	// Specifies the hostname of the Carp
	// If not specified, the carp's hostname will be set to a system-defined value.
	// +optional

	// Use the host's ipc namespace.
	// Optional: Default to false.
	// +k8s:conversion-gen=false
	// +optional
	HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,13,opt,name=hostIPC"`
	// Specifies the hostname of the Pod
	// If not specified, the pod's hostname will be set to a system-defined value.
	// +optional

		// the host namespace fields have to be handled here for backward compatibility
		// with v1.0.0
		out.HostPID = in.SecurityContext.HostPID
		out.HostNetwork = in.SecurityContext.HostNetwork
		out.HostIPC = in.SecurityContext.HostIPC
		out.ShareProcessNamespace = in.SecurityContext.ShareProcessNamespace
		out.HostUsers = in.SecurityContext.HostUsers
	}

	return nil
}

				Network: runtimeapi.NamespaceMode_POD,
				Pid:     runtimeapi.NamespaceMode_CONTAINER,
			},
		},
		"Host Namespaces": {
			input: &v1.Pod{
				Spec: v1.PodSpec{
					HostIPC:     true,
					HostNetwork: true,
					HostPID:     true,
				},
			},
			expected: &runtimeapi.NamespaceOption{
				Ipc:     runtimeapi.NamespaceMode_NODE,
				Network: runtimeapi.NamespaceMode_NODE,

}

// IpcNamespaceForPod returns the runtimeapi.NamespaceMode
// for the IPC namespace of a pod
func IpcNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
	if pod != nil && pod.Spec.HostIPC {
		return runtimeapi.NamespaceMode_NODE
	}
	return runtimeapi.NamespaceMode_POD
}

// NetworkNamespaceForPod returns the runtimeapi.NamespaceMode
// for the network namespace of a pod

  // hostPID determines if the policy allows the use of HostPID in the pod spec.
  // +optional
  optional bool hostPID = 8;

  // hostIPC determines if the policy allows the use of HostIPC in the pod spec.
  // +optional
  optional bool hostIPC = 9;

  // seLinux is the strategy that will dictate the allowable labels that may be set.
  optional SELinuxStrategyOptions seLinux = 10;

  // +optional
  optional bool hostPID = 12;

  // Use the host's ipc namespace.
  // Optional: Default to false.
  // +k8s:conversion-gen=false
  // +optional
  optional bool hostIPC = 13;

  // Specifies the hostname of the Pod
  // If not specified, the pod's hostname will be set to a system-defined value.
  // +optional
  optional string hostname = 16;

  // +optional
  optional bool hostPID = 12;

  // Use the host's ipc namespace.
  // Optional: Default to false.
  // +k8s:conversion-gen=false
  // +optional
  optional bool hostIPC = 13;

  // Specifies the hostname of the Carp
  // If not specified, the carp's hostname will be set to a system-defined value.
  // +optional
  optional string hostname = 16;