run-as-non-root: flag explicit root group

[Zakharden]

Summary

Extend the run-as-non-root template so it also reports containers that explicitly resolve to runAsGroup: 0.

The check now resolves runAsGroup from container and pod security contexts using the same precedence as Kubernetes: container-level settings override pod-level settings. It only reports an explicit root group value, so workloads that omit runAsGroup keep the existing behavior.

Fixes #748.

Validation

• gofmt -w pkg/templates/runasnonroot/template.go pkg/templates/runasnonroot/template_test.go
• GOCACHE=/private/tmp/kube-linter-gocache GOMODCACHE=/private/tmp/kube-linter-gomodcache go test ./pkg/templates/runasnonroot
• GOCACHE=/private/tmp/kube-linter-gocache GOMODCACHE=/private/tmp/kube-linter-gomodcache go test ./pkg/templates/...
• GOCACHE=/private/tmp/kube-linter-gocache GOMODCACHE=/private/tmp/kube-linter-gomodcache go test ./pkg/builtinchecks/...
• GOCACHE=/private/tmp/kube-linter-gocache GOMODCACHE=/private/tmp/kube-linter-gomodcache go run ./cmd/kube-linter templates list --format markdown | diff - docs/generated/templates.md
• GOCACHE=/private/tmp/kube-linter-gocache GOMODCACHE=/private/tmp/kube-linter-gomodcache go run ./cmd/kube-linter checks list --format markdown | diff - docs/generated/checks.md
• git diff --check

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 31.16%. Comparing base (dbd7529) to head (b5e78d7).
⚠️ Report is 310 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #1178       +/-   ##
===========================================
- Coverage   62.36%   31.16%   -31.20%     
===========================================
  Files         197      239       +42     
  Lines        4854     6545     +1691     
===========================================
- Hits         3027     2040      -987     
- Misses       1439     4328     +2889     
+ Partials      388      177      -211     

Flag	Coverage Δ
unit	31.16% <100.00%> (-31.20%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Zakharden]

@rhybrillou pls check

[Zakharden]

I see this as ready on the branch side and currently only maintainer/CI follow-up appears to be blocking. Please re-run checks / re-review and let me know if any additional adjustments are needed.

[Zakharden]

I confirmed this branch is still clean on code/tests and patch coverage passes; only codecov/project is failing due project coverage/coverage baseline drift on this PR.

Please rerun maintainer-side CI/codecov check for final validation after confirming no additional code changes are needed.

[Zakharden]

FYI branch is code-complete and tests pass; only is failing while all other checks are success (including ). Current blocker appears to be coverage project baseline/CI semantics, not code regressions. Please re-run coverage from maintainer side and re-review.

[Zakharden]

Branch is code-complete and tests pass. codecov/patch is green; only codecov/project remains failing, likely due repository coverage baseline behavior. Please re-run maintainer-side checks/review and adjust if you see any required code-level coverage changes.