}
		if prefixed {
			w.prefixes[sysctlOrPrefix] = ns
		} else {
			w.sysctls[sysctlOrPrefix] = ns
		}
	}
	return w, nil
}

// validateSysctl checks that a sysctl is allowlisted because it is known
// to be namespaced by the Linux kernel. Note that being allowlisted is required, but not

	w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem", "net.b.*"))
	if err != nil {
		t.Fatalf("failed to create allowlist: %v", err)
	}

	for _, test := range valid {
		if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err != nil {
			t.Errorf("expected to be allowlisted: %+v, got: %v", test, err)
		}
		pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}

		Sysctls:     sysctls,
		HostIPC:     false,
		HostNetwork: true,
	}
	errs = validateSysctls(invalidSecurityContextWithHostNet, field.NewPath("foo"), opts)
	if len(errs) != 2 {
		t.Errorf("unexpected validation errors: %v", errs)
	}
	opts.AllowNamespacedSysctlsForHostNetAndHostIPC = true
	errs = validateSysctls(invalidSecurityContextWithHostNet, field.NewPath("foo"), opts)
	if len(errs) != 0 {

func IsValidSysctlName(name string) bool {
	if len(name) > SysctlMaxLength {
		return false
	}
	return sysctlContainSlashRegexp.MatchString(name)
}

func validateSysctls(securityContext *core.PodSecurityContext, fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
	allErrs := field.ErrorList{}
	names := make(map[string]struct{})
	for i, s := range securityContext.Sysctls {