},
"spec":{
"securityContext": {
  {{runAsUser}}
  {{runAsGroup}}
  {{supplementalGroups}}
  "seccompProfile": {
      "type": "RuntimeDefault"
  }
},
"priorityClassName": "system-node-critical",
"hostNetwork": true,
"containers":[
    {
    "name": "cloud-controller-manager",
    "image": "gcr.io/k8s-staging-cloud-provider-gcp/cloud-controller-manager:v30.0.0",
    "resources": {
      "requests": {

the kernel netfilter subsystem.

## General theory of netfilter

Packet flow through netfilter looks something like:

```text
             +================+      +=====================+
             | hostNetwork IP |      | hostNetwork process |
             +================+      +=====================+
                         ^                |
  -  -  -  -  -  -  -  - | -  -  -  -  - [*] -  -  -  -  -  -  -  -  -

  "namespace": "kube-system"
},
"spec":{
"securityContext": {
    "seccompProfile": {
        "type": "RuntimeDefault"
    }
},
"priorityClassName": "system-node-critical",
"priority": 2000001000,
"hostNetwork": true,
"containers":[
    {
    "name": "etcd-container",
    {{security_context}}
    "image": "{{ pillar.get('etcd_docker_repository', 'registry.k8s.io/etcd') }}:{{ pillar.get('etcd_docker_tag', '3.5.14-0') }}",

      annotations:
        prometheus.io/port: "9253"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-node-critical
      serviceAccountName: node-local-dns
      hostNetwork: true
      dnsPolicy: Default  # Don't use cluster DNS.
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      - effect: "NoExecute"
        operator: "Exists"

		"disk7": kubecontainer.VolumeInfo{Mounter: &stubVolume{path: `\mnt\disk7`}},
		"pipe1": kubecontainer.VolumeInfo{Mounter: &stubVolume{path: `\\.\pipe\pipe1`}},
	}

	pod := v1.Pod{
		Spec: v1.PodSpec{
			HostNetwork: true,
		},
	}

	fhu := hostutil.NewFakeHostUtil(nil)
	fsp := &subpath.FakeSubpath{}
	podDir, err := os.MkdirTemp("", "test-rotate-logs")
	require.NoError(t, err)
	defer os.RemoveAll(podDir)

		}
	}

	for _, test := range invalid {
		if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err == nil {
			t.Errorf("expected to be rejected: %+v", test)
		}
		pod.Spec.HostNetwork = test.hostNet
		pod.Spec.HostIPC = test.hostIPC
		pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
		status := w.Admit(attrs)
		if status.Admit {

		if v, ok := r.Metadata.Labels[label.SidecarInject.Name]; ok {
			inj = v
		}
		if strings.EqualFold(inj, "false") {
			return true
		}

		if pod.HostNetwork {
			return true
		}

		proxyImage := ""
		for _, container := range append(slices.Clone(pod.Containers), pod.InitContainers...) {
			if container.Name == util.IstioProxyName {

		return lifecycle.PodAdmitResult{
			Admit: true,
		}
	}

	for _, s := range pod.Spec.SecurityContext.Sysctls {
		if err := w.validateSysctl(s.Name, pod.Spec.HostNetwork, pod.Spec.HostIPC); err != nil {
			return lifecycle.PodAdmitResult{
				Admit:   false,
				Reason:  ForbiddenReason,
				Message: fmt.Sprintf("forbidden sysctl: %v", err),
			}
		}
	}

}

// NetworkNamespaceForPod returns the runtimeapi.NamespaceMode
// for the network namespace of a pod
func NetworkNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
	if pod != nil && pod.Spec.HostNetwork {
		return runtimeapi.NamespaceMode_NODE
	}
	return runtimeapi.NamespaceMode_POD
}

// PidNamespaceForPod returns the runtimeapi.NamespaceMode
// for the PID namespace of a pod

# Pod on the host network that's not injected and should not be. Should not generate warning
---
apiVersion: v1
kind: Pod
metadata:
  name: noninjectedpodhostnetwork
  namespace: default
spec:
  hostNetwork: true
  containers:
  - image: gcr.io/google-samples/microservices-demo/adservice:v0.1.1
    name: server
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio-injection: enabled