userns: Fix running tests inside a userns

containerd creates a userns and inside there, it runs the critest tool.
However, in that setup, the length of containerd's userns is not the
whole UID space.

Let's verify that the length of the userns inside the pod, when we
created it with NamespaceMode_NODE (IOW, when not using a new userns for
the pod) is the same as outside the pod.

This works fine when contained itsel runs inside a userns.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>

Author: rata

pkg/validate/security_context_linux.go

@@ -936,13 +936,18 @@ var _ = framework.KubeDescribe("Security Context", func() {
 				podID, podConfig = createNamespacePodSandbox(rc, namespaceOption, podName, podLogPath)
 				containerName := runUserNamespaceContainer(rc, ic, podID, podConfig)
 
-				// 4294967295 means that the entire range is available
 				expectedOutput := hostUsernsContent()
 				if expectedOutput == "" {
 					Fail("failed to get host userns content")
 				}
-				// 4294967295 means that the entire range is available
-				matchContainerOutputRe(podConfig, containerName, `\s+0\s+0\s+4294967295\n`)
+				// We need to see that the same mapping than from outside the
+				// container is used.
+				// This is because critest can run inside a userns (containerd
+				// does that with critest) and then the mapping we see here is not
+				// the mapping of the initial user namespace.
+				for _, line := range strings.Split(expectedOutput, "\n") {
+					matchContainerOutput(podConfig, containerName, line)
+				}
 			})
 
 			It("runtime should fail if more than one mapping provided", func() {
@@ -1564,3 +1569,12 @@ func rootfsPath(info map[string]string) string {
 	// always exist.
 	return filepath.Join(cfg.StateDir, "../")
 }
+
+func hostUsernsContent() string {
+	uidMapPath := "/proc/self/uid_map"
+	uidMapContent, err := os.ReadFile(uidMapPath)
+	if err != nil {
+		return ""
+	}
+	return string(uidMapContent)
+}