CKV_K8S_40 (and others) should not trigger if .spec.hostUsers is false #7527

@m-wynn

Describe the issue
User Namespaces are enabled by default: https://kubernetes.io/blog/2025/04/25/userns-enabled-by-default/

This means containers can run as root and be mapped to a non-root user on the host. Inside the container the process will think it is running as root (and therefore tools like apt, yum, etc. work fine), while in reality the process doesn't have privileges on the host.
Furthermore, as users on each pod will be mapped to different, non-overlapping users on the host, what they can do to other pods is limited too.
Capabilities granted to a pod are also limited to the pod's user namespace and mostly invalid outside of it; some are even completely void. Here are two examples:

CAP_SYS_MODULE does not have any effect if granted to a pod using user namespaces, the pod isn't able to load kernel modules.
CAP_SYS_ADMIN is limited to the pod's user namespace and invalid outside of it.

For sure CKV_K8S_40 is completely invalid if .spec.hostUsers is set. I would argue CKV_K8S_23 should also check that field. More research would need to be done if all capabilities need to be dropped.

Examples
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: isolated-workload
spec:
  hostUsers: false
  containers:
  - name: app
    image: fedora:42
    securityContext:
      runAsUser: 0
```

This should pass CKV_K8S_40 and, I would argue, CKV_K8S_23.

Version

  • Checkov Version: 3.2.92, but I spot-checked the code

Additional context
https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
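One way to model the exemption this issue asks for, written as an added example for this page rather than code from the Checkov project: a simplified stand-in for the run-as-root checks that reports SKIPPED when .spec.hostUsers is explicitly false, and otherwise evaluates the merged pod/container securityContext. The pass condition (runAsNonRoot: true or a non-zero runAsUser) is an assumption about the checks, not Checkov's actual implementation.

```python
# Added example, not Checkov code: models the proposed hostUsers exemption for
# run-as-root checks. Check semantics are a simplification (assumption): a
# container passes when runAsNonRoot is true or runAsUser is a non-zero UID.

def security_context(pod: dict, container: dict) -> dict:
    """Merge pod-level and container-level securityContext (container wins)."""
    merged = dict(pod["spec"].get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged

def pod_uses_user_namespace(pod: dict) -> bool:
    """Only an explicit .spec.hostUsers: false opts the pod into a user namespace;
    unset means true, i.e. the pod shares the host's UID space."""
    return pod["spec"].get("hostUsers") is False

def check_run_as_root(pod: dict, container: dict) -> str:
    if pod_uses_user_namespace(pod):
        # Root inside the pod is mapped to an unprivileged UID on the host.
        return "SKIPPED"
    ctx = security_context(pod, container)
    if ctx.get("runAsNonRoot") is True:
        return "PASSED"
    uid = ctx.get("runAsUser")
    if isinstance(uid, int) and uid > 0:
        return "PASSED"
    return "FAILED"  # root, or UID left to the image (unknown at scan time)

def scan_pod(pod: dict) -> dict:
    """Map each init/regular container name to the result of the root check."""
    spec = pod["spec"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return {c["name"]: check_run_as_root(pod, c) for c in containers}

# Constructed manifests: the issue's Pod as a dict, plus two variants.
POD_USERNS = {"apiVersion": "v1", "kind": "Pod",
              "metadata": {"name": "isolated-workload"},
              "spec": {"hostUsers": False,
                       "containers": [{"name": "app", "image": "fedora:42",
                                       "securityContext": {"runAsUser": 0}}]}}
# Same pod without hostUsers: root in the container is root on the host.
POD_HOST_UIDS = {**POD_USERNS,
                 "spec": {k: v for k, v in POD_USERNS["spec"].items() if k != "hostUsers"}}
# No user namespace, but pod-level runAsNonRoot covers the container.
POD_NONROOT = {**POD_USERNS, "spec": {**POD_HOST_UIDS["spec"],
               "securityContext": {"runAsNonRoot": True},
               "containers": [{"name": "app", "image": "fedora:42"}]}}

if __name__ == "__main__":
    for name, pod in (("userns", POD_USERNS), ("host-uids", POD_HOST_UIDS),
                      ("nonroot", POD_NONROOT)):
        print(name, scan_pod(pod))
```

A distinct SKIPPED result, rather than a silent pass, keeps the exemption visible in scan output, which matters because a static scan cannot tell whether the target cluster's kubelet and runtime actually honour hostUsers: false.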

Labels: checks (Check additions or changes)