SonarSource / docker-sonarqube

:whale: SonarQube in Docker
https://hub.docker.com/_/sonarqube/
GNU Lesser General Public License v3.0

Security hardening for Sonarqube POD/containers deployed through HELM charts in Azure Kubernetes cluster #654

Closed rughvi closed 11 months ago

rughvi commented 1 year ago

Kubernetes cluster is present in Azure (AKS). Deployed SONARQUBE using HELM CHARTS. We are security hardening the pods in our cluster. Running the following command shows SONARQUBE pods violate the PodSecurity enforcement.

kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted

Result of the above is as follows:

Warning: sonarqube-sonarqube-0: privileged, allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/dev labeled (server dry run)

The following HELM config values were used:

securityContext:
  fsGroup: 1000
containerSecurityContext:
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop: ["ALL"]

What are the HELM config values to enforce POD security hardening?

Any help is highly appreciated.

Thanks in advance.

jCOTINEAU commented 11 months ago

Dear @rughvi

Thanks again for posting this issue. We really value the input we get from our users, and that's why we have a dedicated forum for it.

To centralize the triaging process and improve the way we handle these requests (e.g., new features or bugs), please create a new thread in our forum.

PS: to answer your question, your configuration seems correct; nonetheless, be careful, as by default the Helm chart comes with multiple init containers that might not inherit this containerSecurityContext and rely on this config block instead:

initContainers:
  securityContext:
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop: ["ALL"]

I will proceed by closing this issue; feel free, as stated, to create it again in the forum so we can dig further.
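To see which containers of a deployed pod, init containers included, still fail the restricted-profile checks named in the warning above, here is an added Python example that is not part of this thread or of the chart. It parses `kubectl get pod <name> -o json` output with the standard library only; the embedded pod is a constructed sample modelled on the issue (hardened main container, init container with no securityContext), and the container name `init-example` is a placeholder.

```python
import json

# Constructed sample modelled on the issue: the main container carries the
# hardened containerSecurityContext, the init container carries none.
# In practice feed this the output of `kubectl get pod <name> -o json`.
POD_JSON = json.dumps({
    "metadata": {"name": "sonarqube-sonarqube-0"},
    "spec": {
        "securityContext": {"fsGroup": 1000},
        "initContainers": [{"name": "init-example", "securityContext": {}}],
        "containers": [{"name": "sonarqube", "securityContext": {
            "allowPrivilegeEscalation": False, "runAsNonRoot": True,
            "runAsUser": 1000, "runAsGroup": 1000,
            "seccompProfile": {"type": "RuntimeDefault"},
            "capabilities": {"drop": ["ALL"]}}}],
    },
})

def container_violations(pod_sc, c):
    """Return the 'restricted' Pod Security Standard checks a container fails."""
    sc = c.get("securityContext") or {}
    bad = []
    if sc.get("privileged"):
        bad.append("privileged")
    if sc.get("allowPrivilegeEscalation") is not False:
        bad.append("allowPrivilegeEscalation != false")
    caps = sc.get("capabilities") or {}
    if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
        bad.append("unrestricted capabilities")
    # runAsNonRoot and seccompProfile may be inherited from the pod-level
    # securityContext; a container-level value overrides the pod-level one.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        bad.append("runAsNonRoot != true")
    prof = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
    if prof not in ("RuntimeDefault", "Localhost"):
        bad.append("seccompProfile")
    return bad

def audit_pod(pod_json):
    """Map each failing container (init containers included) to its failed checks."""
    spec = json.loads(pod_json)["spec"]
    pod_sc = spec.get("securityContext") or {}
    result = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        v = container_violations(pod_sc, c)
        if v:
            result[c["name"]] = v
    return result
```

Running `audit_pod(POD_JSON)` on the sample reports only `init-example`, which is exactly the case the reply above warns about: the main container is fine, the init container needs the `initContainers.securityContext` block.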