Skip to content

Hardening (Security improvements)#302

Open
jwkaltz wants to merge 40 commits into
GeoNodeUserGroup-DE:mainfrom
jwkaltz:hardening
Open

Hardening (Security improvements)#302
jwkaltz wants to merge 40 commits into
GeoNodeUserGroup-DE:mainfrom
jwkaltz:hardening

Conversation

@jwkaltz

@jwkaltz jwkaltz commented May 29, 2026

Copy link
Copy Markdown
Collaborator

Description

Hardening (security improvement) as described in #301.

Current status:

  • Validate in a Dev environment with RKE2, NFS
  • Consider Gemini suggestions to this PR
  • Validate in a Production environment
  • Check if custom Geonode-Geoserver image can be avoided (currently needed to run as non root) or propose improvement to Geonode project
  • Check if custom Geonode image can be avoided -> yes, helm chart was now refactored to allow for running standard geonode image as non-root including settings-additions.
  • Document usage and update steps (notably PVC changes)

Type of Change

Please select the relevant option:

  • Bug fix
  • New feature
  • Documentation update
  • Refactoring
  • Other (please describe)

Related Issue

closes #301

@jwkaltz jwkaltz marked this pull request as draft May 29, 2026 08:05

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances security across the GeoNode Helm chart by configuring non-root execution, dropping capabilities, and setting seccomp profiles for various components. It also migrates from a single shared persistent volume to four distinct PVCs, updates Nginx to run unprivileged on port 8080 with a read-only root filesystem, and configures Celery to log to stdout/stderr. Feedback highlights a potential permission conflict on the shared statics volume due to mismatched fsGroup values, resource waste from using a single hardcoded storage size for all split PVCs, the need to conditionally render storageClassName, and cleanup of unused favicon values.

Comment thread charts/geonode/templates/nginx/nginx-deploy.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-pvc.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-pvc.yaml
Comment thread charts/geonode/templates/nginx/nginx-deploy.yaml
@mwallschlaeger

Copy link
Copy Markdown
Member

@jwkaltz I appreciate your PR. But we will need an upgrade path, as you changes to the PVC setup seems like a breaking change to me on first view.

Comment thread charts/geonode/templates/geonode/jobs/geonode-statics-job.yaml
Comment thread charts/geonode/templates/geonode/jobs/geonode-statics-job.yaml
Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml
@jwkaltz

jwkaltz commented May 29, 2026

Copy link
Copy Markdown
Collaborator Author

@jwkaltz I appreciate your PR. But we will need an upgrade path, as you changes to the PVC setup seems like a breaking change to me on first view.

Good point, we will at least need some migration notes (and a new release).
But for now, it is still a work in progress anyway, although this is a first working helm chart, there are still a couple of non-trivial things I am not happy with (see description), and I will also consider the Gemini feedback, and your review comments as well (thanks for that).

@mwallschlaeger

Copy link
Copy Markdown
Member

I would like to do a major version for this changes along with the introduction of gateway api.

@mwallschlaeger mwallschlaeger added this to the v2.0.0 milestone Jun 2, 2026
@jwkaltz

jwkaltz commented Jun 2, 2026

Copy link
Copy Markdown
Collaborator Author

/gemini review

I have addressed the previous review comments. Please review the latest revision of this pull request.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant security and storage enhancements to the GeoNode Helm chart. Key changes include splitting the single shared persistent volume into separate dedicated PVCs for statics, geoserver data, backup/restore, and data directories, as well as applying strict security contexts (non-root execution, dropped capabilities, and read-only root filesystems) across all components. Additionally, Nginx is migrated to an unprivileged image running on port 8080 with temporary writable scratch directories. Review feedback highlights critical improvements: wrapping octal file modes (e.g., 0555) in double quotes to prevent YAML 1.2 parsing errors, defaulting Nginx's runAsUser to 101 to avoid template rendering issues, and adding fsGroupChangePolicy: OnRootMismatch to the GeoNode deployment to prevent slow pod startup times when mounting large volumes.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml
Comment thread charts/geonode/templates/geonode/jobs/geonode-init-db-job.yaml
Comment thread charts/geonode/templates/pycsw/pycsw-deploy.yaml
Comment thread charts/geonode/templates/nginx/nginx-deploy.yaml Outdated
Comment thread charts/geonode/templates/nginx/nginx-deploy.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml Outdated
@jwkaltz

jwkaltz commented Jun 2, 2026

Copy link
Copy Markdown
Collaborator Author

/gemini review

I have addressed the previous review comments, and integrated your suggestions, except changing defaultMode to a string, which does not work. Please review the latest revision of this pull request.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces security context configurations across various GeoNode components to support running containers as non-root users, updates Nginx to an unprivileged image listening on port 8080, and splits the single persistent volume claim into separate PVCs for statics, GeoServer data, backup/restore, and general data. Feedback on these changes focuses on preventing potential Helm rendering errors by safely defaulting the newly introduced component-specific securityContext values to empty dictionaries before accessing nested fields. Additionally, it is recommended to use the -D flag with the install command in the statics job to ensure target directories are created automatically.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread charts/geonode/templates/geonode/jobs/geonode-statics-job.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml Outdated
Comment thread charts/geonode/templates/nginx/nginx-deploy.yaml Outdated
Comment thread charts/geonode/templates/nginx/nginx-deploy.yaml Outdated
Comment thread charts/geonode/templates/geoserver/geoserver-deploy.yaml Outdated
Comment thread charts/geonode/templates/pycsw/pycsw-deploy.yaml Outdated
@jwkaltz

jwkaltz commented Jun 5, 2026

Copy link
Copy Markdown
Collaborator Author

/gemini review

I have added refactoring in order to be able to run the standard geonode container as non-root, and also introduced a temporary fix in order to be able to run celery as non-root. Please review the latest revision of this pull request.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant security and architectural improvements to the GeoNode Helm chart, including running containers as non-root, configuring Nginx as unprivileged on port 8080, splitting the single PVC into dedicated PVCs for different storage needs, and implementing a Python settings wrapper to handle configuration overrides. Feedback on these changes highlights a copy-paste typo in the Celery temporary fix script, potential nil pointer evaluation errors across multiple templates if nested keys under persistant or component securityContext are omitted in custom values, and a recommendation to pass globals() to exec() in the settings wrapper.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread charts/geonode/templates/geonode/geonode-pvc.yaml Outdated
Comment thread charts/geonode/files/celery-cmd-temporary-fix Outdated
Comment thread charts/geonode/templates/geonode/geonode-pvc.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-pvc.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-pvc.yaml Outdated
Comment thread charts/geonode/templates/geoserver/geoserver-deploy.yaml Outdated
Comment thread charts/geonode/templates/geoserver/geoserver-deploy.yaml Outdated
Comment thread charts/geonode/templates/pycsw/pycsw-deploy.yaml Outdated
Comment thread charts/geonode/templates/pycsw/pycsw-deploy.yaml Outdated
Comment thread charts/geonode/templates/nginx/nginx-deploy.yaml Outdated
@jwkaltz

jwkaltz commented Jun 5, 2026

Copy link
Copy Markdown
Collaborator Author

/gemini review

I have addressed the previous review comments. Please review the latest revision of this pull request.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances security by configuring containers to run as non-root, updates Nginx to run unprivileged on port 8080, splits the single persistent volume claim into dedicated PVCs, and introduces a settings wrapper. Feedback focuses on preventing Helm rendering errors by safely defaulting nested security context and persistence values. Other recommendations include correctly formatting the multi-line favicon ConfigMap, quoting arguments in bash scripts, safely handling empty PID files, using standard Celery stdout logging, and replacing exec() with dynamic imports in Python.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread charts/geonode/templates/geonode/geonode-favicon.yaml
Comment thread charts/geonode/templates/geonode/geonode-entrypoint-sh-conf.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-deploy.yaml
Comment thread charts/geonode/templates/geonode/jobs/geonode-init-db-job.yaml Outdated
Comment thread charts/geonode/templates/geonode/jobs/geonode-init-db-job.yaml Outdated
Comment thread charts/geonode/templates/geonode/jobs/geonode-statics-job.yaml Outdated
Comment thread charts/geonode/templates/geonode/jobs/geonode-statics-job.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-pvc.yaml
@jwkaltz

jwkaltz commented Jun 5, 2026

Copy link
Copy Markdown
Collaborator Author

/gemini review

I have addressed the previous review comments. Please review the latest revision of this pull request.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances the security posture of the GeoNode Helm chart by implementing non-root execution, dropping capabilities, and configuring seccomp profiles across various components. It also splits the monolithic persistent volume claim into dedicated PVCs for statics, GeoServer data, backup/restore, and general data, and transitions Nginx to an unprivileged container running on port 8080. The review feedback highlights several critical robustness improvements, including quoting shell variables in entrypoint scripts, safely handling potentially nil Helm values using the default dict helper in cleanup jobs, replacing fragile ast.literal_eval parsing for boolean environment variables, and ensuring process IDs are non-empty before signaling them in the Celery startup script.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread charts/geonode/templates/geonode/geonode-entrypoint-sh-conf.yaml Outdated
Comment thread charts/geonode/templates/geonode/jobs/geonode-cleanup-job.yaml Outdated
Comment thread charts/geonode/templates/geonode/jobs/geonode-cleanup-job.yaml Outdated
Comment thread charts/geonode/templates/geonode/geonode-settings-additions.yaml
Comment thread charts/geonode/files/celery-cmd-temporary-fix
@jwkaltz

jwkaltz commented Jun 5, 2026

Copy link
Copy Markdown
Collaborator Author

/gemini review

I have addressed the previous review comments. Please review the latest revision of this pull request.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant security hardening and configuration improvements to the GeoNode Helm chart, including running containers as non-root, updating Nginx to an unprivileged image listening on port 8080, splitting the persistent volume claim into dedicated PVCs, and refactoring settings overrides. Feedback on these changes highlights a typo in the Celery temporary fix script where CELERY__HARVESTER_MAX_MEMORY_PER_CHILD incorrectly defaults to the standard worker's memory limit. Additionally, reviewers recommend making runAsNonRoot configurable for GeoServer to prevent deployment failures with standard images, and omitting the -f flag in Celery when logging to /dev/stdout to avoid permission issues in non-root environments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread charts/geonode/files/celery-cmd-temporary-fix Outdated
Comment thread charts/geonode/templates/geoserver/geoserver-deploy.yaml
Comment thread charts/geonode/files/celery-cmd-temporary-fix
@jwkaltz jwkaltz changed the title [DRAFT] Hardening (Security improvements) Hardening (Security improvements) Jun 5, 2026
@jwkaltz jwkaltz marked this pull request as ready for review June 5, 2026 12:30
@jwkaltz

jwkaltz commented Jun 5, 2026

Copy link
Copy Markdown
Collaborator Author

@mwallschlaeger
From what I have found so far, this "hardened" version of the helm chart is now ready for usage, please review.

Note that, unfortunately, one custom image is still needed, I have documented that and will track progress upstream so we can get rid of that one day.

I will do some more integration and functional tests in the next few weeks, if I find more issues or improvements ideas, I will add them.

@jwkaltz jwkaltz requested a review from mwallschlaeger June 5, 2026 12:33
@mwallschlaeger

Copy link
Copy Markdown
Member

@jwkaltz I haven't checked your latest changes. That said first i will give this version a try in the upcoming week. Also we will need default values.yaml working with the default geonode/geonode image. And have some documentation on how the hardened version can be deployed together with the steps on howto build a geonode image capable to support the hardened features.

As we are building our geonode ourself, too. I will evaluate your recommendations on this, too. Further more we need an update path for updating from chart version 1.3.3 to version 2.0.0 (incl. hardening). Furthermore we will add support for gateway API to this repository as a last feature of 1.x chart version next week.

@jwkaltz

jwkaltz commented Jun 8, 2026

Copy link
Copy Markdown
Collaborator Author

@jwkaltz I haven't checked your latest changes. That said first i will give this version a try in the upcoming week. Also we will need default values.yaml working with the default geonode/geonode image. And have some documentation on how the hardened version can be deployed together with the steps on howto build a geonode image capable to support the hardened features.

I changed the default now so that the default geonode/geoserver image can be used. (The default geonode/geonode image can already be used with hardened settings, because we have an included patch for the celery-cmd script, this is the only issue I have found so far).
And there is some documentation on how to harden geonode/geoserver as well.

As we are building our geonode ourself, too. I will evaluate your recommendations on this, too. Further more we need an update path for updating from chart version 1.3.3 to version 2.0.0 (incl. hardening). Furthermore we will add support for gateway API to this repository as a last feature of 1.x chart version next week.

I have added a note regarding update path, it is not much but I am not sure what further information would be useful.

@mwallschlaeger mwallschlaeger requested a review from Zalfsten June 9, 2026 08:04
@mwallschlaeger

Copy link
Copy Markdown
Member

@jwkaltz I managed to do my first tests on your PR. What I did:

  1. Run the new default configuration using minikube-values.yaml:

Could deploy the chart without problems. GeoNode was working properly on first glance.

  1. Build Non Root Geoserver image:

build.sh worked as expected. With this step I'm a bit afraid that this build.sh will always work in future as things can change in geoserver Dockerfile. So the expectation would be that geonode-k8s maintaince this build.sh, what i'm atm not quite sure about. But nevertheless its working for the sake of this PR.

  1. I deployed non-root geoserver without editing minikube-values.yaml

Image was not starting properly as it has missing permission. This change was applied to existing deployment.

  1. I updated minikube-values.yaml along your documentation

Geoserver still has missing permission as the files were created with root user permission before.

so applying this changes to existing infrastructure will need to update permissions of the files on geoserver before updating. This need to be investigated and documented.

In general thinks look quite ready to me, but are missing more documentation regarding updates. I will to do some more tests on:

  • container level to see if thinks work properly inside the containers (executing manage.py, logfiles ...)
  • apply this changes to an existing deployment and gather information on how an update strategy could look like
  • review new pvc setup in more detail

@Zalfsten Zalfsten left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At first glance, everything looks fine

Only I for myself came to the conclusion that UID/GID 1000 is not the best idea.

Comment thread charts/geonode/values.yaml
Comment thread geoserver-nonroot/build.sh
Comment thread geoserver-nonroot/Dockerfile
jwkaltz added 27 commits July 7, 2026 16:12
@mwallschlaeger

Copy link
Copy Markdown
Member

@jwkaltz i will take myself some time this week to merge this PR. I think we are close. Only documentation on the migration path from 1.3.x to hardening coming with release 2.0.0 is missing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature: Hardening of Geonode K8S

3 participants