Skip to content

OCPBUGS-87482: Updating openshift-enterprise-pod-container image to be consistent with ART for 5.0 #2685

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
openshift-bot wants to merge 1 commit into
base: master
Choose a base branch
from
+2 −2
Open

OCPBUGS-87482: Updating openshift-enterprise-pod-container image to be consistent with ART for 5.0 #2685

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions build/pause/Dockerfile.Rhel
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder

@coderabbitai coderabbitai Bot Jun 7, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Base image source deviates from security guidelines.

The coding guidelines require base images to be "UBI minimal or distroless from catalog.redhat.com", but this Dockerfile uses registry.ci.openshift.org. Since this is an automated ART alignment PR and the context shows other OpenShift Dockerfiles follow the same pattern, this may be an intentional repository-wide exception. However, consider discussing with the ART team (#forum-ocp-art) whether CI/product builds should migrate to catalog.redhat.com base images.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/pause/Dockerfile.Rhel` at line 1, The Dockerfile.Rhel uses a base image
from registry.ci.openshift.org (the FROM line referencing
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0), which
violates the guideline to use UBI minimal or distroless images from
catalog.redhat.com; replace that FROM with the equivalent UBI minimal or
distroless image hosted on catalog.redhat.com (or obtain an explicit repo-wide
exception) and, if unsure which catalog image matches, raise the question with
the ART team in `#forum-ocp-art` to confirm the correct catalog.redhat.com base to
use for the builder stage named "builder".

Source: Coding guidelines

WORKDIR /go/src/github.com/openshift/kubernetes/build/pause
COPY . .
RUN mkdir -p bin && \
gcc -Os -Wall -Werror -o bin/pause ./linux/pause.c

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
COPY --from=builder /go/src/github.com/openshift/kubernetes/build/pause/bin/pause /usr/bin/pod
LABEL io.k8s.display-name="OpenShift Pod" \
io.k8s.description="This is a component of OpenShift and contains the binary that holds the pod namespaces." \
Expand Down