},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			fhu := hostutil.NewFakeHostUtil(nil)
			fsp := &subpath.FakeSubpath{}
			pod := v1.Pod{
				Spec: v1.PodSpec{
					HostNetwork: true,
				},
			}

			mounts, _, err := makeMounts(&pod, "/pod", &tc.container, "fakepodname", "", []string{""}, tc.podVolumes, fhu, fsp, nil, tc.supportsRRO)

			// validate only the error if we expect an error

      annotations:
        prometheus.io/port: "9253"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-node-critical
      serviceAccountName: node-local-dns
      hostNetwork: true
      dnsPolicy: Default  # Don't use cluster DNS.
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      - effect: "NoExecute"
        operator: "Exists"

		"disk7": kubecontainer.VolumeInfo{Mounter: &stubVolume{path: `\mnt\disk7`}},
		"pipe1": kubecontainer.VolumeInfo{Mounter: &stubVolume{path: `\\.\pipe\pipe1`}},
	}

	pod := v1.Pod{
		Spec: v1.PodSpec{
			HostNetwork: true,
		},
	}

	fhu := hostutil.NewFakeHostUtil(nil)
	fsp := &subpath.FakeSubpath{}
	podDir, err := os.MkdirTemp("", "test-rotate-logs")
	require.NoError(t, err)
	defer os.RemoveAll(podDir)

Using a namespace selector for dns egress traffic as shown [here](https://docs.projectcalico.org/security/tutorials/kubernetes-policy-advanced)
might not be enough since the node-local-dns pods run with `hostNetwork: True`

One way to enable connectivity from node-local-dns pods to clusterDNS ip is to use an ipBlock rule instead:

```
spec:
  egress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53

		}
	}

	for _, test := range invalid {
		if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err == nil {
			t.Errorf("expected to be rejected: %+v", test)
		}
		pod.Spec.HostNetwork = test.hostNet
		pod.Spec.HostIPC = test.hostIPC
		pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
		status := w.Admit(attrs)
		if status.Admit {

		if v, ok := r.Metadata.Labels[label.SidecarInject.Name]; ok {
			inj = v
		}
		if strings.EqualFold(inj, "false") {
			return true
		}

		if pod.HostNetwork {
			return true
		}

		proxyImage := ""
		for _, container := range append(slices.Clone(pod.Containers), pod.InitContainers...) {
			if container.Name == util.IstioProxyName {

		return lifecycle.PodAdmitResult{
			Admit: true,
		}
	}

	for _, s := range pod.Spec.SecurityContext.Sysctls {
		if err := w.validateSysctl(s.Name, pod.Spec.HostNetwork, pod.Spec.HostIPC); err != nil {
			return lifecycle.PodAdmitResult{
				Admit:   false,
				Reason:  ForbiddenReason,
				Message: fmt.Sprintf("forbidden sysctl: %v", err),
			}
		}
	}

}

// NetworkNamespaceForPod returns the runtimeapi.NamespaceMode
// for the network namespace of a pod
func NetworkNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
	if pod != nil && pod.Spec.HostNetwork {
		return runtimeapi.NamespaceMode_NODE
	}
	return runtimeapi.NamespaceMode_POD
}

// PidNamespaceForPod returns the runtimeapi.NamespaceMode
// for the PID namespace of a pod

# Pod on the host network that's not injected and should not be. Should not generate warning
---
apiVersion: v1
kind: Pod
metadata:
  name: noninjectedpodhostnetwork
  namespace: default
spec:
  hostNetwork: true
  containers:
  - image: gcr.io/google-samples/microservices-demo/adservice:v0.1.1
    name: server
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio-injection: enabled

			expectMatch:   false,
		},
		{
			in: &api.Pod{
				Spec: api.PodSpec{
					SecurityContext: &api.PodSecurityContext{
						HostNetwork: false,
					},
				},
			},
			fieldSelector: fields.ParseSelectorOrDie("spec.hostNetwork=false"),
			expectMatch:   true,
		},
		{
			in: &api.Pod{
				Spec: api.PodSpec{},
			},