How to make the SonarQube pod/container runAsNonRoot in AKS when deployed through Helm charts?

The Kubernetes cluster is in Azure (AKS). SonarQube was deployed using Helm charts.

We are security hardening the pods in our cluster.

Running the following command shows that the SonarQube pods violate the PodSecurity enforcement.

kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted

Result of the above is as follows:

Warning: sonarqube-sonarqube-0: privileged, allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/dev labeled (server dry run)

What are the Helm config values to enforce pod security hardening?

Any help is highly appreciated.

Thanks in advance.

Also, when the following is set in the Helm values:

securityContext:
  runAsNonRoot: true
  fsGroup: 1000
  runAsUser: 1000

The pod struggles to run and errors out. The logs of the pod (all containers) are as follows:

k logs sonarqube-sonarqube-0 --all-containers

chown: /opt/sonarqube/temp: Operation not permitted
chown: /opt/sonarqube/temp: Operation not permitted
chown: /opt/sonarqube/extensions: Operation not permitted
chown: /opt/sonarqube/extensions: Operation not permitted
chown: /opt/sonarqube/logs: Operation not permitted
chown: /opt/sonarqube/logs: Operation not permitted
chown: /opt/sonarqube/data: Operation not permitted
chown: /opt/sonarqube/data: Operation not permitted
chown: /opt/sonarqube: Operation not permitted
chown: /opt/sonarqube: Operation not permitted
Error from server (BadRequest): container "sonarqube" in pod "sonarqube-sonarqube-0" is waiting to start: PodInitializing

Hi,

Welcome to the community!

Per the docs, that’s required:

Pod Security Standards

The following Pod Security levels cannot be used in combination with SonarQube’s chart:

  • Baseline. The “init-sysctl” and “init-fs” containers require securityContext.privileged=true.
  • Restricted. In addition to the previous requirement,
    • The “sonarqube-postgresql”, “wait-for-db”, “init-sysctl”, “init-fs”, “sonarqube-dce-search”, and “sonarqube-dce” containers require securityContext.allowPrivilegeEscalation=true, unrestricted capabilities, running as root, and a seccompProfile different from “RuntimeDefault” or “Localhost”.

HTH,
Ann
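To see how the dry-run warning in the question maps onto the pod spec fields that the reply lists, here is an added example (not part of this thread, the SonarQube chart or the PodSecurity admission plugin itself) that evaluates a pod spec against the five "restricted" checks named in that warning: privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot and seccompProfile. The pod specs embedded below are constructed for the example, mirroring the init-sysctl, init-fs and sonarqube containers the reply mentions; they are not dumps of a real pod, and the hardened spec only shows what a single container would have to set, not a chart configuration that works.

```python
"""Check a pod spec against the PodSecurity "restricted" profile.

Added example, not code from the thread or the SonarQube chart. It covers only
the five checks that appear in the kubectl dry-run warning; the real admission
plugin also checks hostNetwork, hostPID, hostPath volumes, sysctls and more.
"""


def _all_containers(pod_spec):
    """initContainers are checked exactly like regular containers."""
    return list(pod_spec.get("initContainers", [])) + list(pod_spec.get("containers", []))


def _effective(field, container, pod_spec):
    """A container-level securityContext field overrides the pod-level one."""
    csc = container.get("securityContext") or {}
    if field in csc:
        return csc[field]
    return (pod_spec.get("securityContext") or {}).get(field)


def restricted_violations(pod_spec):
    """Return the failed checks, worded like the PodSecurity warning, in the
    order the warning reports them and without duplicates across containers."""
    violations = []

    def add(v):
        if v not in violations:
            violations.append(v)

    for c in _all_containers(pod_spec):
        csc = c.get("securityContext") or {}
        # baseline: privileged containers are forbidden outright
        if csc.get("privileged") is True:
            add("privileged")
        # restricted: allowPrivilegeEscalation must be set explicitly to false
        if csc.get("allowPrivilegeEscalation") is not False:
            add("allowPrivilegeEscalation != false")
        # restricted: drop ALL, add back at most NET_BIND_SERVICE
        caps = csc.get("capabilities") or {}
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if "ALL" not in caps.get("drop", []) or extra:
            add("unrestricted capabilities")
        # restricted: runAsNonRoot must be true (pod level or every container)
        if _effective("runAsNonRoot", c, pod_spec) is not True:
            add("runAsNonRoot != true")
        # restricted: an explicit uid 0 is rejected even with runAsNonRoot set
        if _effective("runAsUser", c, pod_spec) == 0:
            add("runAsUser=0")
        # restricted: seccomp profile must be RuntimeDefault or Localhost
        sp = _effective("seccompProfile", c, pod_spec) or {}
        if sp.get("type") not in ("RuntimeDefault", "Localhost"):
            add("seccompProfile")
    return violations


# Constructed spec mirroring the chart's pod as the reply describes it:
# privileged init containers and a main container with no securityContext.
CHART_POD_SPEC = {
    "initContainers": [
        {"name": "init-sysctl", "securityContext": {"privileged": True}},
        {"name": "init-fs", "securityContext": {"privileged": True}},
    ],
    "containers": [{"name": "sonarqube"}],
}

# Constructed spec showing what one container must carry to pass "restricted".
HARDENED_POD_SPEC = {
    "securityContext": {
        "runAsNonRoot": True,
        "runAsUser": 1000,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {
            "name": "app",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }
    ],
}


def format_warning(pod_name, pod_spec):
    """Reproduce the one-line shape of the kubectl dry-run warning."""
    v = restricted_violations(pod_spec)
    return f"{pod_name}: {', '.join(v)}" if v else f"{pod_name}: ok"


if __name__ == "__main__":
    print(format_warning("sonarqube-sonarqube-0", CHART_POD_SPEC))
    print(format_warning("hardened-app", HARDENED_POD_SPEC))
```

Running it prints the same five findings, in the same order, as the warning in the question for the chart-shaped spec, and nothing for the hardened spec. The point of the comparison is that the first three findings come from the init-sysctl and init-fs containers being privileged, which the reply says the chart requires, so no Helm securityContext value on the main container alone can clear them; and setting runAsUser: 1000 pod-wide also applies to those init containers, which is consistent with the chown: Operation not permitted lines in the question, since a non-root uid cannot chown root-owned directories.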