},
	}

	sysctls := make(map[string]string)
	if pod.Spec.SecurityContext != nil {
		for _, c := range pod.Spec.SecurityContext.Sysctls {
			sysctls[c.Name] = c.Value
		}
	}

	lc.Sysctls = sysctls

	if pod.Spec.SecurityContext != nil {
		sc := pod.Spec.SecurityContext
		if sc.RunAsUser != nil && runtime.GOOS != "windows" {
			lc.SecurityContext.RunAsUser = &runtimeapi.Int64Value{Value: int64(*sc.RunAsUser)}
		}

			assert.Equal(t, api.AppArmorProfileTypeLocalhost, pod.Spec.Containers[0].SecurityContext.AppArmorProfile.Type)
			assert.Equal(t, testProfile, *pod.Spec.Containers[0].SecurityContext.AppArmorProfile.LocalhostProfile)
			assert.Nil(t, pod.Spec.Containers[1].SecurityContext)
			assert.Nil(t, pod.Spec.Containers[2].SecurityContext)

				ImagePullPolicy:          "IfNotPresent",
				TerminationMessagePath:   "/dev/termination-log",
				TerminationMessagePolicy: v1.TerminationMessageReadFile,
				SecurityContext:          securitycontext.ValidSecurityContextWithContainerDefaults(),
			}},
			SecurityContext:    &v1.PodSecurityContext{},
			SchedulerName:      v1.DefaultSchedulerName,
			EnableServiceLinks: &enableServiceLinks,
		},
		Status: v1.PodStatus{

defaultAddCapabilities: []
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
fsGroup:
  type: MustRunAs
  ranges:
  - max: {{ .Values.securityContext.fsGroup }}
    min: {{ .Values.securityContext.fsGroup }}
runAsUser:
  type: MustRunAs
  uid: {{ .Values.securityContext.runAsUser }}
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir

			containerSc:   &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
			expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
		},
		{
			description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",

##################################################################################################
# This file defines the same services, service accounts, and deployments as bookinfo.yaml with
# added securityContext fields to allow the bookinfo demo to run on a PodSecurityAdmission
# enabled cluster that enforces the baseline policy.
##################################################################################################

		{
			Name:  "net.ipv4.ip_local_port_range",
			Value: "1024 65535",
		},
	}
	securityContext := &v1.PodSecurityContext{
		Sysctls: sysctls,
	}

	ConvertPodSysctlsVariableToDotsSeparator(securityContext)
	assert.Equalf(t, exceptSysctls, securityContext.Sysctls, "The sysctls name was not converted correctly. got: %s, want: %s", securityContext.Sysctls, exceptSysctls)

      runtimeClassName: "{{ .Values.runtimeClassName }}"
      {{- end }}
      {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
      securityContext:
        runAsUser: {{ .Values.securityContext.runAsUser }}
        runAsGroup: {{ .Values.securityContext.runAsGroup }}
        fsGroup: {{ .Values.securityContext.fsGroup }}
        {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: target
  name: target
spec:
  securityContext:
    seccompProfile: 
      type: RuntimeDefault
  containers:
  - image: busybox
    name: target
    command: ["/bin/sh", "-c", "sleep 100"]
    securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: 

See the License for the specific language governing permissions and
limitations under the License.
*/

// Package securitycontext contains security context api implementations