test: add test for skipped sysctls

Signed-off-by: Peter Hunt <pehunt@redhat.com>

test/pod.bats

@@ -231,6 +231,39 @@ function teardown() {
 	[[ "$output" == *"net.ipv4.ip_forward = 1"* ]]
 }
 
+@test "skip pod sysctls to runtime if host" {
+	if test -n "$CONTAINER_UID_MAPPINGS"; then
+		skip "userNS enabled"
+	fi
+	CONTAINER_DEFAULT_SYSCTLS="net.ipv4.ip_forward=0" start_crio
+
+	jq '  .linux.security_context.namespace_options = {
+			network: 2,
+			ipc: 2
+		} |
+		  .linux.sysctls = {
+			"kernel.shm_rmid_forced": "1",
+			"net.ipv4.ip_local_port_range": "2048 65000",
+			"kernel.msgmax": "16384"
+		}' "$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json
+
+	pod_id=$(crictl runp "$TESTDIR"/sandbox.json)
+	ctr_id=$(crictl create "$pod_id" "$TESTDATA"/container_redis.json "$TESTDIR"/sandbox.json)
+	crictl start "$ctr_id"
+
+	output=$(crictl exec --sync "$ctr_id" sysctl kernel.shm_rmid_forced)
+	[[ "$output" != *"kernel.shm_rmid_forced = 1"* ]]
+
+	output=$(crictl exec --sync "$ctr_id" sysctl kernel.msgmax)
+	[[ "$output" != *"kernel.msgmax = 16384"* ]]
+
+	output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_local_port_range)
+	[[ "$output" != *"net.ipv4.ip_local_port_range = 2048	65000"* ]]
+
+	output=$(crictl exec --sync "$ctr_id" sysctl net.ipv4.ip_forward)
+	[[ "$output" != *"net.ipv4.ip_forward = 0"* ]]
+}
+
 @test "pod stop idempotent" {
 	start_crio
 	run crictl runp "$TESTDATA"/sandbox_config.json