From 9160386ecc1bb885e5358756f0c4f45f40c465b0 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Fri, 7 Jul 2023 17:49:22 +0200
Subject: [PATCH] cri/sbserver: Test net.ipv4.ping_group_range works with userns

Signed-off-by: Rodrigo Campos
---
 .../podsandbox/sandbox_run_linux_test.go | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go b/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
index d67412b77..850d49571 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
@@ -116,6 +116,7 @@ func TestLinuxSandboxContainerSpec(t *testing.T) {
 ContainerID: 1000,
 Size: 10,
 }
+
 for _, test := range []struct {
 desc string
 configChange func(*runtime.PodSandboxConfig)
@@ -144,6 +145,27 @@ func TestLinuxSandboxContainerSpec(t *testing.T) {
 assert.Contains(t, spec.Linux.Sysctl["net.ipv4.ping_group_range"], "0 2147483647")
 },
 },
+ {
+ desc: "spec shouldn't have ping_group_range if userns are in use",
+ configChange: func(c *runtime.PodSandboxConfig) {
+ c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
+ NamespaceOptions: &runtime.NamespaceOption{
+ UsernsOptions: &runtime.UserNamespace{
+ Mode: runtime.NamespaceMode_POD,
+ Uids: []*runtime.IDMapping{&idMap},
+ Gids: []*runtime.IDMapping{&idMap},
+ },
+ },
+ }
+ },
+ specCheck: func(t *testing.T, spec *runtimespec.Spec) {
+ require.NotNil(t, spec.Linux)
+ assert.Contains(t, spec.Linux.Namespaces, runtimespec.LinuxNamespace{
+ Type: runtimespec.UserNamespace,
+ })
+ assert.NotContains(t, spec.Linux.Sysctl["net.ipv4.ping_group_range"], "0 2147483647")
+ },
+ },
 {
 desc: "host namespace",
 configChange: func(c *runtime.PodSandboxConfig) {
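Review bot: The last assertion in the new "spec shouldn't have ping_group_range if userns are in use" case is weaker than its description: `assert.NotContains` on the map value only proves the substring "0 2147483647" is absent, so a sysctl set to any other range would still pass, and a nil `spec.Linux.Sysctl` passes trivially because indexing it yields "". Asserting on the key pins the intended behaviour, `assert.NotContains(t, spec.Linux.Sysctl, "net.ipv4.ping_group_range")`, which testify supports for maps. Because the GIDs written to this sysctl are interpreted within the pod's user namespace, the property worth locking in is that the key is not emitted at all, not merely that it holds a different value. The `idMap` the mappings reference is presumably the struct literal closed at the top of the first hunk, and `TestLinuxSandboxContainerSpec` itself begins and ends outside both hunks.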