OCPBUGS-87482: Updating openshift-enterprise-pod-container image to be consistent with ART for 5.0

[openshift-bot]

Updating openshift-enterprise-pod-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-pod.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/216

[openshift-ci-robot]

@openshift-bot: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• dfe6781|UPSTREAM: : Updating openshift-enterprise-pod-container image to be consistent with ART for 5.0: does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87482, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating openshift-enterprise-pod-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-pod.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign benluddy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

This PR updates the Dockerfile for the pause binary to use newer OpenShift and Go toolchains. The builder image is bumped from the Go 1.25 / OpenShift 4.22 toolchain to Go 1.26 / OpenShift 5.0, and the runtime base image moves from OpenShift 4.22 to 5.0. Build steps remain unchanged.

Changes

Pause Binary Builder Images

Layer / File(s)	Summary
Base image version upgrades build/pause/Dockerfile.Rhel	Builder image updated from rhel-9-golang-1.25-openshift-4.22 to rhel-9-golang-1.26-openshift-5.0 and runtime base image updated from ocp/4.22:base-rhel9 to ocp/5.0:base-rhel9.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR is an initial codebase import. It adds files without modifying test names, so the Ginkgo test naming check does not apply.
Test Structure And Quality	✅ Passed	The custom check targets Ginkgo test code quality, but this PR only modifies a Dockerfile (build/pause/Dockerfile.Rhel) with no test files introduced or changed. Check is not applicable.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The change only updates base image versions in build/pause/Dockerfile.Rhel, which is not a test file. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; it only updates base images in build/pause/Dockerfile.Rhel. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only a build Dockerfile (no deployment manifests, operator code, or controllers), and introduces no scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	Check not applicable: The pause binary is a Kubernetes utility binary (not an OTE test extension), and the PR only updates Dockerfile base images without changing pause's code or stdout behavior.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies build/pause/Dockerfile.Rhel to update base image versions (OpenShift 4.22→5.0). No Ginkgo e2e tests were added, so IPv6/disconnected network check is not applicable.
No-Weak-Crypto	✅ Passed	No weak cryptography, custom crypto, or non-constant-time secret comparisons found in pause container code or Dockerfile changes.
Container-Privileges	✅ Passed	PR only updates Dockerfile.Rhel base image versions. No K8s manifests or privileged container security configurations detected.
No-Sensitive-Data-In-Logs	✅ Passed	Dockerfile contains no logging that exposes sensitive data. RUN commands are minimal (compilation only) and pause.c contains only generic informational/warning messages with no secrets or PII.
Title check	✅ Passed	The title accurately describes the main change: updating the openshift-enterprise-pod-container image to be consistent with ART for version 5.0, which matches the Dockerfile updates from Go 1.25 to 1.26 and base image versions from 4.22 to 5.0.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87482, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating openshift-enterprise-pod-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
openshift-enterprise-pod.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
• Updated the build toolchain and runtime environment to newer versions, ensuring improved compatibility and security.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

build/pause/Dockerfile.Rhel (2)

7-12: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add USER directive to run as non-root.

The coding guidelines require "USER non-root; never run as root". The final stage should include a USER directive to avoid running the pause container as root, which presents a significant security risk.

🔒 Proposed fix to add non-root user

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/kubernetes/build/pause/bin/pause /usr/bin/pod
+USER 65534:65534
 LABEL io.k8s.display-name="OpenShift Pod" \

Note: User ID 65534 is the conventional "nobody" user. Adjust if OpenShift requires a different non-root UID.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/pause/Dockerfile.Rhel` around lines 7 - 12, The Dockerfile final stage
currently sets ENTRYPOINT to "/usr/bin/pod" but lacks a USER directive; add a
non-root USER entry (for example USER 65534 or USER non-root) to the final stage
so the /usr/bin/pod container does not run as root, ensuring the pause image
complies with the "never run as root" guideline while keeping the existing
ENTRYPOINT and labels intact.

Source: Coding guidelines

---

7-12: ⚠️ Potential issue | 🟠 Major | 💤 Low value

Add HEALTHCHECK directive.

The coding guidelines require "HEALTHCHECK defined" for container images. While the pause container is minimal and typically doesn't expose health endpoints, consider adding a basic HEALTHCHECK that verifies the process is running.

🏥 Proposed fix to add HEALTHCHECK

 LABEL io.k8s.display-name="OpenShift Pod" \
       io.k8s.description="This is a component of OpenShift and contains the binary that holds the pod namespaces." \
       io.openshift.tags="openshift"
+HEALTHCHECK --interval=30s --timeout=3s \
+  CMD ps aux | grep -v grep | grep -q /usr/bin/pod || exit 1
 ENTRYPOINT [ "/usr/bin/pod" ]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/pause/Dockerfile.Rhel` around lines 7 - 12, Add a HEALTHCHECK
instruction to the Dockerfile to satisfy the "HEALTHCHECK defined" guideline by
verifying the pause process launched by ENTRYPOINT is still running; update the
Dockerfile.Rhel near the ENTRYPOINT [ "/usr/bin/pod" ] block to include a
HEALTHCHECK that periodically runs a lightweight check (e.g., ps/pgrep or kill
-0 against the binary name or PID) and returns appropriate exit codes so
container runtimes can mark unhealthy containers; ensure you set sensible
--interval/--timeout/--retries values and keep the command minimal to avoid
altering the pause container behavior.

Source: Coding guidelines

🧹 Nitpick comments (2)

build/pause/Dockerfile.Rhel (2)

7-12: 💤 Low value

Consider adding read-only rootfs.

The coding guidelines recommend "Read-only rootfs where possible". Since the pause container is minimal and likely doesn't require write access to the filesystem, consider documenting whether the container can run with a read-only root filesystem (e.g., via Kubernetes securityContext or Docker --read-only flag).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/pause/Dockerfile.Rhel` around lines 7 - 12, The Dockerfile.Rhel
currently sets ENTRYPOINT to /usr/bin/pod and includes descriptive LABELs but
doesn't document read-only rootfs support; update the Dockerfile (or
accompanying docs) to state whether the image can run with a read-only root
filesystem (e.g., add a label like io.openshift.read-only-rootfs or a short
comment near the LABEL/ENTRYPOINT) and, if it cannot, make minimal changes to
ensure compatibility (create required writable runtime dirs or adjust the
ENTRYPOINT logic in /usr/bin/pod to use tmpfs paths) so the image can be safely
run with Kubernetes securityContext.readOnlyRootFilesystem or Docker
--read-only.

Source: Coding guidelines

---

3-3: ⚡ Quick win

Copy specific files instead of entire context.

The coding guidelines require "COPY specific files, not entire context" to minimize attack surface. Consider changing COPY . . to copy only the required source files (e.g., COPY build/pause ./ or COPY build/pause/linux/pause.c ./linux/).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/pause/Dockerfile.Rhel` at line 3, Replace the insecure broad COPY . .
in the Dockerfile with explicit COPY statements that enumerate only the files
and directories required to build the pause binary (e.g., replace the COPY . .
instruction with lines like COPY build/pause ./ or COPY
build/pause/linux/pause.c ./linux/ and any other exact source, header, or config
files needed), ensure paths match the build steps that reference the pause
sources, and remove any unused context files from the image copy operations to
minimize attack surface.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build/pause/Dockerfile.Rhel`:
- Line 1: The Dockerfile.Rhel uses a base image from registry.ci.openshift.org
(the FROM line referencing
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0), which
violates the guideline to use UBI minimal or distroless images from
catalog.redhat.com; replace that FROM with the equivalent UBI minimal or
distroless image hosted on catalog.redhat.com (or obtain an explicit repo-wide
exception) and, if unsure which catalog image matches, raise the question with
the ART team in `#forum-ocp-art` to confirm the correct catalog.redhat.com base to
use for the builder stage named "builder".

---

Outside diff comments:
In `@build/pause/Dockerfile.Rhel`:
- Around line 7-12: The Dockerfile final stage currently sets ENTRYPOINT to
"/usr/bin/pod" but lacks a USER directive; add a non-root USER entry (for
example USER 65534 or USER non-root) to the final stage so the /usr/bin/pod
container does not run as root, ensuring the pause image complies with the
"never run as root" guideline while keeping the existing ENTRYPOINT and labels
intact.
- Around line 7-12: Add a HEALTHCHECK instruction to the Dockerfile to satisfy
the "HEALTHCHECK defined" guideline by verifying the pause process launched by
ENTRYPOINT is still running; update the Dockerfile.Rhel near the ENTRYPOINT [
"/usr/bin/pod" ] block to include a HEALTHCHECK that periodically runs a
lightweight check (e.g., ps/pgrep or kill -0 against the binary name or PID) and
returns appropriate exit codes so container runtimes can mark unhealthy
containers; ensure you set sensible --interval/--timeout/--retries values and
keep the command minimal to avoid altering the pause container behavior.

---

Nitpick comments:
In `@build/pause/Dockerfile.Rhel`:
- Around line 7-12: The Dockerfile.Rhel currently sets ENTRYPOINT to
/usr/bin/pod and includes descriptive LABELs but doesn't document read-only
rootfs support; update the Dockerfile (or accompanying docs) to state whether
the image can run with a read-only root filesystem (e.g., add a label like
io.openshift.read-only-rootfs or a short comment near the LABEL/ENTRYPOINT) and,
if it cannot, make minimal changes to ensure compatibility (create required
writable runtime dirs or adjust the ENTRYPOINT logic in /usr/bin/pod to use
tmpfs paths) so the image can be safely run with Kubernetes
securityContext.readOnlyRootFilesystem or Docker --read-only.
- Line 3: Replace the insecure broad COPY . . in the Dockerfile with explicit
COPY statements that enumerate only the files and directories required to build
the pause binary (e.g., replace the COPY . . instruction with lines like COPY
build/pause ./ or COPY build/pause/linux/pause.c ./linux/ and any other exact
source, header, or config files needed), ensure paths match the build steps that
reference the pause sources, and remove any unused context files from the image
copy operations to minimize attack surface.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ddc4ff25-2ec8-4f1a-8928-f4aaa2c1ec97

📥 Commits

Reviewing files that changed from the base of the PR and between 872bd37 and dfe6781.

📒 Files selected for processing (1)

• build/pause/Dockerfile.Rhel

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Base image source deviates from security guidelines.

The coding guidelines require base images to be "UBI minimal or distroless from catalog.redhat.com", but this Dockerfile uses registry.ci.openshift.org. Since this is an automated ART alignment PR and the context shows other OpenShift Dockerfiles follow the same pattern, this may be an intentional repository-wide exception. However, consider discussing with the ART team (#forum-ocp-art) whether CI/product builds should migrate to catalog.redhat.com base images.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/pause/Dockerfile.Rhel` at line 1, The Dockerfile.Rhel uses a base image
from registry.ci.openshift.org (the FROM line referencing
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0), which
violates the guideline to use UBI minimal or distroless images from
catalog.redhat.com; replace that FROM with the equivalent UBI minimal or
distroless image hosted on catalog.redhat.com (or obtain an explicit repo-wide
exception) and, if unsure which catalog image matches, raise the question with
the ART team in `#forum-ocp-art` to confirm the correct catalog.redhat.com base to
use for the builder stage named "builder".

Source: Coding guidelines

[jubittajohn]

We are updating this in the Kube rebase PR: 9d4b587.

[openshift-ci]

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-runc	dfe6781	link	false	/test e2e-aws-ovn-runc
ci/prow/k8s-e2e-gcp-ovn	dfe6781	link	true	/test k8s-e2e-gcp-ovn
ci/prow/e2e-aws-ovn-techpreview	dfe6781	link	false	/test e2e-aws-ovn-techpreview
ci/prow/e2e-aws-ovn-fips	dfe6781	link	true	/test e2e-aws-ovn-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

ART wants to connect issue OCPBUGS-87735 to this PR, but found it is currently hooked up to ['OCPBUGS-87482']. Please consult with #forum-ocp-art if it is not clear what there is to do.