continue
			}
		}

		// SELinuxOptions
		{
			modifiedSC := nonNilSC(tc.newSC())
			m := NewPodSecurityContextMutator(tc.newSC())
			modifiedSC.SELinuxOptions = &api.SELinuxOptions{User: "bob"}
			m.SetSELinuxOptions(&api.SELinuxOptions{User: "bob"})
			if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {

}
func (w *effectiveContainerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
	if v := w.containerSC.SELinuxOptions(); v != nil {
		return v
	}
	return w.podSC.SELinuxOptions()
}
func (w *effectiveContainerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
	if !reflect.DeepEqual(w.SELinuxOptions(), v) {
		w.containerSC.SetSELinuxOptions(v)
	}
}

		return effectiveSc
	}
	if effectiveSc == nil && containerSc != nil {
		return containerSc
	}

	if containerSc.SELinuxOptions != nil {
		effectiveSc.SELinuxOptions = new(v1.SELinuxOptions)
		*effectiveSc.SELinuxOptions = *containerSc.SELinuxOptions
	}

	if containerSc.WindowsOptions != nil {
		// only override fields that are set at the container level, not the whole thing

	"k8s.io/kubernetes/pkg/features"
	"k8s.io/kubernetes/pkg/volume"
)

// SELinuxLabelTranslator translates v1.SELinuxOptions of a process to SELinux file label.
type SELinuxLabelTranslator interface {
	// SELinuxOptionsToFileLabel returns SELinux file label for given SELinuxOptions
	// of a container process.
	// When Role, User or Type are empty, they're read from the system defaults.

	if securityContext == nil {
		return nil
	}

	sc := &runtimeapi.LinuxContainerSecurityContext{
		Capabilities:   convertToRuntimeCapabilities(securityContext.Capabilities),
		SelinuxOptions: convertToRuntimeSELinuxOption(securityContext.SELinuxOptions),
	}
	if securityContext.RunAsUser != nil {
		sc.RunAsUser = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsUser)}
	}
	if securityContext.RunAsGroup != nil {

	// Arrange: prepare a different pod with the same context
	seLinux2 := v1.SELinuxOptions{
		User:  "system_u",
		Role:  "object_r",
		Type:  "container_t",
		Level: "s0:c3,c4",
	}
	seLinuxContainerContexts2 := []*v1.SELinuxOptions{&seLinux2}
	pod2 := pod.DeepCopy()
	pod2.Name = "pod2"
	pod2.UID = "pod2uid"
	pod2.Spec.SecurityContext.SELinuxOptions = &seLinux2
	pod2Name := util.GetUniquePodName(pod2)

	// Act

			SelinuxOptions: &runtimeapi.SELinuxOption{
				User: "qux",
			},
			RunAsUser:  &runtimeapi.Int64Value{Value: 1000},
			RunAsGroup: &runtimeapi.Int64Value{Value: 10},
		},
	}

	podSandboxConfig, err := m.generatePodSandboxConfig(pod, 1)
	assert.NoError(t, err)

// PodSecurityContextApplyConfiguration represents an declarative configuration of the PodSecurityContext type for use
// with apply.
type PodSecurityContextApplyConfiguration struct {
	SELinuxOptions           *SELinuxOptionsApplyConfiguration                `json:"seLinuxOptions,omitempty"`
	WindowsOptions           *WindowsSecurityContextOptionsApplyConfiguration `json:"windowsOptions,omitempty"`

          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: false
          runAsUser: 0
{{- if .Values.seLinuxOptions }}
          seLinuxOptions:
{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
{{- end }}
        readinessProbe:
          httpGet:
            port: 15021
            path: /healthz/ready
        args:
        - proxy

		{
			desc: "Pass if container's user and image's user aren't set and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				// verifyRunAsNonRoot should ignore the RunAsUser, SELinuxOptions, and RunAsGroup options.
				RunAsUser:      &uid,
				SELinuxOptions: &v1.SELinuxOptions{},
				RunAsGroup:     &uid,
				RunAsNonRoot:   &runAsNonRootTrue,
			},
			fail: false,
		},
		{