Hardening (Security improvements)#302
Conversation
There was a problem hiding this comment.
Code Review
This pull request enhances security across the GeoNode Helm chart by configuring non-root execution, dropping capabilities, and setting seccomp profiles for various components. It also migrates from a single shared persistent volume to four distinct PVCs, updates Nginx to run unprivileged on port 8080 with a read-only root filesystem, and configures Celery to log to stdout/stderr. Feedback highlights a potential permission conflict on the shared statics volume due to mismatched fsGroup values, resource waste from using a single hardcoded storage size for all split PVCs, the need to conditionally render storageClassName, and cleanup of unused favicon values.
|
@jwkaltz I appreciate your PR. But we will need an upgrade path, as you changes to the PVC setup seems like a breaking change to me on first view. |
Good point, we will at least need some migration notes (and a new release). |
…ng and better control of subdirectory creation (avoid subPath)
…Cs, to allow more granular handling and better control of subdirectory creation (avoid subPath); Celery: do not write to log files within container; nginx: use other image (unprivileged)
… creates directory creation permission issues and is already copied anyway in another process.
…Cs, to allow more granular handling and better control of subdirectory creation (avoid subPath)
…Cs, to allow more granular handling and better control of subdirectory creation (avoid subPath). Note: requires a Geoserver Docker image which supports non-root runtime
… by mwallschlaeger)
|
I would like to do a major version for this changes along with the introduction of gateway api. |
…i-code-assist suggestion)
…con to match GeoNode UserGroup icon color, to differentiate from out-of-the-box geonode favicon.
|
/gemini review I have addressed the previous review comments. Please review the latest revision of this pull request. |
There was a problem hiding this comment.
Code Review
This pull request introduces significant security and storage enhancements to the GeoNode Helm chart. Key changes include splitting the single shared persistent volume into separate dedicated PVCs for statics, geoserver data, backup/restore, and data directories, as well as applying strict security contexts (non-root execution, dropped capabilities, and read-only root filesystems) across all components. Additionally, Nginx is migrated to an unprivileged image running on port 8080 with temporary writable scratch directories. Review feedback highlights critical improvements: wrapping octal file modes (e.g., 0555) in double quotes to prevent YAML 1.2 parsing errors, defaulting Nginx's runAsUser to 101 to avoid template rendering issues, and adding fsGroupChangePolicy: OnRootMismatch to the GeoNode deployment to prevent slow pod startup times when mounting large volumes.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
/gemini review I have addressed the previous review comments, and integrated your suggestions, except changing defaultMode to a string, which does not work. Please review the latest revision of this pull request. |
There was a problem hiding this comment.
Code Review
This pull request introduces security context configurations across various GeoNode components to support running containers as non-root users, updates Nginx to an unprivileged image listening on port 8080, and splits the single persistent volume claim into separate PVCs for statics, GeoServer data, backup/restore, and general data. Feedback on these changes focuses on preventing potential Helm rendering errors by safely defaulting the newly introduced component-specific securityContext values to empty dictionaries before accessing nested fields. Additionally, it is recommended to use the -D flag with the install command in the statics job to ensure target directories are created automatically.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
/gemini review I have added refactoring in order to be able to run the standard geonode container as non-root, and also introduced a temporary fix in order to be able to run celery as non-root. Please review the latest revision of this pull request. |
There was a problem hiding this comment.
Code Review
This pull request introduces significant security and architectural improvements to the GeoNode Helm chart, including running containers as non-root, configuring Nginx as unprivileged on port 8080, splitting the single PVC into dedicated PVCs for different storage needs, and implementing a Python settings wrapper to handle configuration overrides. Feedback on these changes highlights a copy-paste typo in the Celery temporary fix script, potential nil pointer evaluation errors across multiple templates if nested keys under persistant or component securityContext are omitted in custom values, and a recommendation to pass globals() to exec() in the settings wrapper.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
@jwkaltz I haven't checked your latest changes. That said first i will give this version a try in the upcoming week. Also we will need default As we are building our geonode ourself, too. I will evaluate your recommendations on this, too. Further more we need an update path for updating from chart version 1.3.3 to version 2.0.0 (incl. hardening). Furthermore we will add support for gateway API to this repository as a last feature of 1.x chart version next week. |
…uld use the default
…rent standard image)
I changed the default now so that the default geonode/geoserver image can be used. (The default geonode/geonode image can already be used with hardened settings, because we have an included patch for the celery-cmd script, this is the only issue I have found so far).
I have added a note regarding update path, it is not much but I am not sure what further information would be useful. |
|
@jwkaltz I managed to do my first tests on your PR. What I did:
Could deploy the chart without problems. GeoNode was working properly on first glance.
Image was not starting properly as it has missing permission. This change was applied to existing deployment.
Geoserver still has missing permission as the files were created with root user permission before.
In general thinks look quite ready to me, but are missing more documentation regarding updates. I will to do some more tests on:
|
Zalfsten
left a comment
There was a problem hiding this comment.
At first glance, everything looks fine
Only I for myself came to the conclusion that UID/GID 1000 is not the best idea.
Yes, we don't want to maintain this in the long run, the goal definitely is to run a standard geonode/geoserver image as non-root. There is a discussion about that here: GeoNode/geonode-docker#59 (comment) So the custom image is just a workaround if you need geonode now in a non-root K8S, hopefully we can get rid of it with one of the next versions of geonode. |
Yes this is tricky and requires manual intervention on the storage. If Geoserver was run as root before, the file ownerships in the geoserver pvc need to be manually changed once. |
|
I have run claude for some deeper security checks on this changes. He came up with many ways of improvements, most of them are not the scope of this PR, so i will create individual issues for them. This will be the target on the first minor patch of the next version. But some parts of the review are relevant for this PR, too. Please review the remarks below, i think these are reasonable change requests for the current PR: Pod Security Matrix
H4 — Statics PVC is shared and writable by geonode, celery, and geoserverThe If an attacker compromises GeoServer (e.g., via the GeoServer RCE CVEs from 2024), they can write malicious JavaScript or HTML into Recommendation: Mount the statics PVC as # geoserver-deploy.yaml volumeMounts
- name: pvc-statics
mountPath: /mnt/volumes/statics
readOnly: true # add thisMEDIUMM1 — Setuid binaries present in the geoserver-nonroot imageWith all Linux capabilities dropped ( Recommendation: Strip setuid bits in RUN find / -xdev -perm -4000 -exec chmod u-s {} \; 2>/dev/null || trueM2 —
|
Thanks @mwallschlaeger I will test them all (today if possible) with my use cases, and commit everything that does not cause problems. |
|
@jwkaltz i will review your changes in the upcoming week, again. i'm planning to do some tests on chart update from current to hardened version with the goal to know how to update our deployments, and to provide some docs on how to deal with the update. Again thx to your great work on this PR. |
Thanks @mwallschlaeger , I have just now committed the final changes for the review comments up to "M2 — readOnlyRootFilesystem", I think these are complete now. |
This finding is not correct for the image that the helm chart currently uses. 11211 is correct: So no change to this pull request here (but all other findings have been implemented now). |
Description
Hardening (security improvement) as described in #301.
Current status:
Type of Change
Please select the relevant option:
Related Issue
closes #301