diff --git a/pkg/util/utils_test.go b/pkg/util/utils_test.go
index 36670caf17..dbe7822d38 100644
--- a/pkg/util/utils_test.go
+++ b/pkg/util/utils_test.go
@@ -3,6 +3,7 @@ package util
 import (
 	"fmt"
 	"math"
+	"sort"
 	"testing"
 	"time"
 
@@ -636,3 +637,124 @@ func TestGetRootlessKeepIDMapping(t *testing.T) {
 		assert.Equal(t, test.expectedGID, gid)
 	}
 }
+
+func getDefaultMountOptionsNoStat(path string) (defaultMountOptions, error) {
+	return defaultMountOptions{false, true, true}, nil
+}
+
+func TestProcessOptions(t *testing.T) {
+	tests := []struct {
+		name       string
+		options    []string
+		isTmpfs    bool
+		sourcePath string
+		expected   []string
+		expectErr  bool
+	}{
+		{
+			name:       "tmpfs",
+			options:    []string{"rw", "size=512m"},
+			isTmpfs:    true,
+			sourcePath: "",
+			expected:   []string{"nodev", "nosuid", "rprivate", "rw", "size=512m", "tmpcopyup"},
+		},
+		{
+			name:       "duplicate idmap option",
+			sourcePath: "/path/to/source",
+			options:    []string{"idmap", "idmap"},
+			expectErr:  true,
+		},
+		{
+			name:       "mode allowed only with tmpfs",
+			sourcePath: "/path/to/source",
+			options:    []string{"rw", "rbind", "mode=0123"},
+			expectErr:  true,
+		},
+		{
+			name:       "noswap allowed only with tmpfs",
+			sourcePath: "/path/to/source",
+			options:    []string{"noswap"},
+			expectErr:  true,
+		},
+		{
+			name:       "tmpcopyup allowed only with tmpfs",
+			sourcePath: "/path/to/source",
+			options:    []string{"tmpcopyup"},
+			expectErr:  true,
+		},
+		{
+			name:       "notmpcopyup allowed only with tmpfs",
+			sourcePath: "/path/to/source",
+			options:    []string{"notmpcopyup"},
+			expectErr:  true,
+		},
+		{
+			name:       "z not allowed with tmpfs",
+			isTmpfs:    true,
+			sourcePath: "/path/to/source",
+			options:    []string{"z"},
+			expectErr:  true,
+		},
+		{
+			name:       "size allowed only with tmpfs",
+			sourcePath: "/path/to/source",
+			options:    []string{"size=123456"},
+			expectErr:  true,
+		},
+		{
+			name:       "conflicting option dev/nodev",
+			sourcePath: "/path/to/source",
+			options:    []string{"dev", "nodev"},
+			expectErr:  true,
+		},
+		{
+			name:       "conflicting option suid/nosuid",
+			sourcePath: "/path/to/source",
+			options:    []string{"suid", "nosuid"},
+			expectErr:  true,
+		},
+		{
+			name:       "conflicting option exec/noexec",
+			sourcePath: "/path/to/source",
+			options:    []string{"noexec", "exec"},
+			expectErr:  true,
+		},
+		{
+			name:       "conflicting option ro/rw",
+			sourcePath: "/path/to/source",
+			options:    []string{"ro", "rw"},
+			expectErr:  true,
+		},
+		{
+			name:       "conflicting option bind/rbind",
+			sourcePath: "/path/to/source",
+			options:    []string{"bind", "rbind"},
+			expectErr:  true,
+		},
+		{
+			name:       "conflicting option bind/rbind",
+			sourcePath: "/path/to/source",
+			options:    []string{"bind", "rbind"},
+			expectErr:  true,
+		},
+		{
+			name:       "default bind mount",
+			sourcePath: "/path/to/source",
+			expected:   []string{"nodev", "nosuid", "rbind", "rprivate", "rw"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			opts, err := processOptionsInternal(tt.options, tt.isTmpfs, tt.sourcePath, getDefaultMountOptionsNoStat)
+			if tt.expectErr {
+				assert.NotNil(t, err)
+			} else {
+				assert.Nil(t, err)
+				sort.Strings(opts)
+				sort.Strings(tt.expected)
+				assert.Equal(t, opts, tt.expected)
+			}
+		})
+	}
+}