From 88203cbf8dee04f25bef22a2c53b0795f81cf8a5 Mon Sep 17 00:00:00 2001
From: Chiranjeevi Uddanti <244287281+chiranjeevi-max@users.noreply.github.com>
Date: Mon, 16 Feb 2026 06:52:44 +0000
Subject: [PATCH] tests: Add regression test for sandbox_cgroup_only=false

Add unit test for get_ch_vcpu_tids() and integration test that creates
a pod with sandbox_cgroup_only=false to verify it starts successfully.

Signed-off-by: Chiranjeevi Uddanti <244287281+chiranjeevi-max@users.noreply.github.com>
Co-authored-by: Antigravity <antigravityagent@google.com>
---
 .../hypervisor/src/ch/inner_hypervisor.rs     | 61 +++++++++++++++++++
 .../kubernetes/k8s-sandbox-cgroup.bats        | 39 ++++++++++++
 .../kubernetes/run_kubernetes_tests.sh        |  1 +
 .../pod-sandbox-cgroup.yaml                   | 18 ++++++
 4 files changed, 119 insertions(+)
 create mode 100644 tests/integration/kubernetes/k8s-sandbox-cgroup.bats
 create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/pod-sandbox-cgroup.yaml

diff --git a/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs b/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
index 87cfcfdc3a..06391f407f 100644
--- a/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
+++ b/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
@@ -1613,4 +1613,65 @@ mod tests {
             assert!(actual_error == expected_error, "{}", msg);
         }
     }
+
+    #[actix_rt::test]
+    async fn test_get_ch_vcpu_tids_mapping() {
+        let tmp_dir = Builder::new().prefix("fake-proc-pid").tempdir().unwrap();
+        let task_dir = tmp_dir.path().join("task");
+        fs::create_dir_all(&task_dir).unwrap();
+
+        #[derive(Debug)]
+        struct ThreadInfo<'a> {
+            tid: &'a str,
+            comm: &'a str,
+        }
+
+        let threads = &[
+            // Non-vcpu thread, should be skipped.
+            ThreadInfo {
+                tid: "1000",
+                comm: "main_thread\n",
+            },
+            ThreadInfo {
+                tid: "2001",
+                comm: "vcpu0\n",
+            },
+            ThreadInfo {
+                tid: "2002",
+                comm: "vcpu1\n",
+            },
+            ThreadInfo {
+                tid: "2003",
+                comm: "vcpu2\n",
+            },
+        ];
+
+        for t in threads {
+            let tid_dir = task_dir.join(t.tid);
+            fs::create_dir_all(&tid_dir).unwrap();
+            fs::write(tid_dir.join("comm"), t.comm).unwrap();
+        }
+
+        let proc_path = tmp_dir.path().to_str().unwrap();
+        let result = get_ch_vcpu_tids(proc_path);
+
+        let msg = format!("result: {result:?}");
+
+        if std::env::var("DEBUG").is_ok() {
+            println!("DEBUG: {msg}");
+        }
+
+        let vcpus = result.unwrap();
+
+        // The mapping must be vcpu_id -> tid.
+        assert_eq!(vcpus.len(), 3, "non-vcpu threads should be excluded");
+        assert_eq!(vcpus[&0], 2001, "vcpu 0 should map to tid 2001");
+        assert_eq!(vcpus[&1], 2002, "vcpu 1 should map to tid 2002");
+        assert_eq!(vcpus[&2], 2003, "vcpu 2 should map to tid 2003");
+
+        assert!(
+            !vcpus.contains_key(&1000),
+            "non-vcpu thread should not be in the map"
+        );
+    }
 }
diff --git a/tests/integration/kubernetes/k8s-sandbox-cgroup.bats b/tests/integration/kubernetes/k8s-sandbox-cgroup.bats
new file mode 100644
index 0000000000..183df197f9
--- /dev/null
+++ b/tests/integration/kubernetes/k8s-sandbox-cgroup.bats
@@ -0,0 +1,39 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2026 Chiranjeevi Uddanti
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/../../common.bash"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+setup() {
+	pod_name="sandbox-cgroup-pod"
+
+	setup_common || die "setup_common failed"
+
+	yaml_file="${pod_config_dir}/pod-sandbox-cgroup.yaml"
+	set_node "$yaml_file" "$node"
+
+	# Add policy to yaml
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
+}
+
+# Regression test for https://github.com/kata-containers/kata-containers/issues/12479
+@test "Pod with sandbox_cgroup_only=false starts successfully" {
+	# Create pod
+	kubectl create -f "${yaml_file}"
+
+	# Wait for pod to be ready
+	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
+}
+
+teardown() {
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
+	teardown_common "${node}" "${node_start_time:-}"
+}
diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh
index bdd6a79def..c2219cf844 100755
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -88,6 +88,7 @@ else
 		"k8s-privileged.bats" \
 		"k8s-projected-volume.bats" \
 		"k8s-replication.bats" \
+		"k8s-sandbox-cgroup.bats" \
 		"k8s-seccomp.bats" \
 		"k8s-sysctls.bats" \
 		"k8s-security-context.bats" \
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-sandbox-cgroup.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-sandbox-cgroup.yaml
new file mode 100644
index 0000000000..b0690a723e
--- /dev/null
+++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-sandbox-cgroup.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2026 Chiranjeevi Uddanti
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sandbox-cgroup-pod
+  annotations:
+    io.katacontainers.config.runtime.sandbox_cgroup_only: "false"
+spec:
+  runtimeClassName: kata
+  restartPolicy: Never
+  containers:
+  - image: quay.io/prometheus/busybox:latest
+    name: sandbox-cgroup-test