feat(container, pod): default runAsNonRoot to true (#1143) (#1154)

# Backport

This will backport the following commits from `k8s-24/main` to `k8s-22/main`:
 - [feat(container, pod): default `runAsNonRoot` to true (#1143)](#1143)



### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Author: cdk8s-automation

src/container.ts

@@ -35,7 +35,7 @@ export interface ContainerSecurityContextProps {
     * If true, the Kubelet will validate the image at runtime to ensure that it does
     * not run as UID 0 (root) and fail to start the container if it does.
     *
-    * @default false
+    * @default true
     */
   readonly ensureNonRoot?: boolean;
 
@@ -132,7 +132,7 @@ export class ContainerSecurityContext {
   public readonly group?: number;
 
   constructor(props: ContainerSecurityContextProps = {}) {
-    this.ensureNonRoot = props.ensureNonRoot ?? false;
+    this.ensureNonRoot = props.ensureNonRoot ?? true;
     this.privileged = props.privileged ?? false;
     this.readOnlyRootFilesystem = props.readOnlyRootFilesystem ?? true;
     this.user = props.user ?? 25000;
@@ -636,7 +636,7 @@ export interface ContainerProps {
    * @see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
    * @default
    *
-   *   ensureNonRoot: false
+   *   ensureNonRoot: true
    *   privileged: false
    *   readOnlyRootFilesystem: true
    */

src/pod.ts

@@ -288,7 +288,7 @@ export interface PodSecurityContextProps {
    * If true, the Kubelet will validate the image at runtime to ensure that it does
    * not run as UID 0 (root) and fail to start the container if it does.
    *
-   * @default false
+   * @default true
    */
   readonly ensureNonRoot?: boolean;
 
@@ -375,7 +375,7 @@ export interface AbstractPodProps extends base.ResourceProps {
    * @default
    *
    *   fsGroupChangePolicy: FsGroupChangePolicy.FsGroupChangePolicy.ALWAYS
-   *   ensureNonRoot: false
+   *   ensureNonRoot: true
    */
   readonly securityContext?: PodSecurityContextProps;
 
@@ -743,7 +743,7 @@ export class PodSecurityContext {
   private readonly _sysctls: Sysctl[] = [];
 
   constructor(props: PodSecurityContextProps = {}) {
-    this.ensureNonRoot = props.ensureNonRoot ?? false;
+    this.ensureNonRoot = props.ensureNonRoot ?? true;
     this.fsGroupChangePolicy = props.fsGroupChangePolicy ?? FsGroupChangePolicy.ALWAYS;
     this.user = props.user;
     this.group = props.group;