NO-JIRA: [RHCOS10] Migrate base images from UBI9 to UBI10 #453
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| # PR2: RHCOS10 — Migrate Base Images from UBI9 to UBI10 | ||
|
|
||
| ## Purpose | ||
|
|
||
| Migrate all container base images from UBI9 to UBI10 to align with the RHCOS10 host OS. | ||
| This is the follow-up to PR1 (`rhcos10-ubi9-compat-test`), which validated that UBI9 images | ||
| run on RHCOS10 nodes. This PR adopts UBI10 as the native base for RHCOS10 deployments. | ||
|
|
||
| ## Changes | ||
|
|
||
| ### Registry change | ||
|
|
||
| All images move from the unauthenticated public registry to the authenticated Red Hat registry: | ||
|
|
||
| ``` | ||
| registry.access.redhat.com → registry.redhat.io | ||
| ``` | ||
|
|
||
| ### UBI minimal images (pinned version) | ||
|
|
||
| `ubi9/ubi-minimal:9.6` → `ubi10/ubi-minimal:10.1` | ||
|
|
||
| | Dockerfile | Before | After | | ||
| |---|---|---| | ||
| | `images/helm-operator/Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.6` | `registry.redhat.io/ubi10/ubi-minimal:10.1` | | ||
| | `images/operator-sdk/Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.6` | `registry.redhat.io/ubi10/ubi-minimal:10.1` | | ||
| | `images/scorecard-test/Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.6` | `registry.redhat.io/ubi10/ubi-minimal:10.1` | | ||
| | `images/custom-scorecard-tests/Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:9.6` | `registry.redhat.io/ubi10/ubi-minimal:10.1` | | ||
|
|
||
| ### Full UBI image (pinned version) | ||
|
|
||
| `ubi9/ubi:9.5` → `ubi10/ubi:10.1` | ||
|
|
||
| | Dockerfile | Before | After | | ||
| |---|---|---| | ||
| | `images/scorecard-untar/Dockerfile` | `registry.access.redhat.com/ubi9/ubi:9.5` | `registry.redhat.io/ubi10/ubi:10.1` | | ||
|
|
||
| ### UBI minimal images (floating latest tag) | ||
|
|
||
| `ubi9/ubi-minimal:latest` → `ubi10/ubi-minimal:latest` | ||
|
|
||
| | Dockerfile | Before | After | | ||
| |---|---|---| | ||
| | `ci/dockerfiles/go-e2e.Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:latest` | `registry.redhat.io/ubi10/ubi-minimal:latest` | | ||
| | `ci/dockerfiles/scorecard-proxy.Dockerfile` | `registry.access.redhat.com/ubi9/ubi-minimal:latest` | `registry.redhat.io/ubi10/ubi-minimal:latest` | | ||
|
|
||
| ### OCP product image (release/helm/Dockerfile) | ||
|
|
||
| Previously used OCP CI registry images pinned to RHEL9. Replaced with publicly available Red Hat registry images: | ||
|
|
||
| | Stage | Before | After | | ||
| |---|---|---| | ||
| | Builder | `registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22` | `registry.redhat.io/ubi10/go-toolset:10.1` | | ||
| | Runtime | `registry.ci.openshift.org/ocp/4.22:base-rhel9` | `registry.redhat.io/ubi10:10.1` | | ||
|
|
||
| ### E2E test curl pod (ci/tests/e2e-helm.sh) | ||
|
|
||
| The metrics verification step spins up a temporary `kubectl run` pod using a UBI image to curl the metrics endpoint. Updated from UBI9 to UBI10: | ||
|
|
||
| ``` | ||
| registry.access.redhat.com/ubi9/ubi-minimal:latest | ||
| → | ||
| registry.redhat.io/ubi10/ubi-minimal:latest | ||
| ``` | ||
|
Comment on lines +60 to +64

Add a language hint to this fenced block (MD040). Line 60 has the same lint issue; add

Suggested patch:

-```
+```text
 registry.access.redhat.com/ubi9/ubi-minimal:latest
 →
 registry.redhat.io/ubi10/ubi-minimal:latest

Tools: markdownlint-cli2 (0.22.0)
[warning] 60-60: Fenced code blocks should have a language specified (MD040, fenced-code-language)
||
|
|
||
| ## Files NOT Changed | ||
|
|
||
| | File | Reason | | ||
| |---|---| | ||
| | `release/helm/upstream.Dockerfile` | Uses `ubi8/ubi-minimal` — separate RHEL8 lineage, unrelated to this migration | | ||
| | `ci/dockerfiles/builder.Dockerfile` | Uses `openshift/origin-release:golang-1.13` — legacy, not RHEL9-specific | | ||
| | `.ci-operator.yaml` | Build root (`rhel-9-release-golang-1.24-openshift-4.22`) is managed by OCP CI team in `openshift/release` | | ||
|
|
||
| ## Test Plan | ||
|
|
||
| - [ ] All images build successfully against `ubi10` base | ||
| - [ ] `release/helm/Dockerfile` builds successfully with `go-toolset:10.1` as builder | ||
| - [ ] CI jobs pass on RHCOS10 cluster nodes with UBI10 base images | ||
| - [ ] `microdnf` commands in `images/operator-sdk/Dockerfile` work under UBI10 | ||
| - [ ] E2e metrics check passes with UBI10 curl pod (`ci/tests/e2e-helm.sh`) | ||
| - [ ] No regressions observed compared to UBI9 baseline (PR1) | ||
|
|
||
| ## References | ||
|
|
||
| - [Red Hat UBI10 Container Catalog](https://catalog.redhat.com/en/software/containers/ubi10/ubi/66f2b46b122803e4937d11ae) | ||
| - [Red Hat UBI10 Minimal Container Catalog](https://catalog.redhat.com/en/software/containers/ubi10/ubi-minimal) | ||
| - PR1 baseline: `.work/compliance/rhcos10/PR1-ubi9-compat-test.md` | ||
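Review bot: the Runtime row of the OCP product image table uses `registry.redhat.io/ubi10:10.1`, while every other row in this document uses the `ubi10/ubi:10.1` repository form (for example the `images/scorecard-untar/Dockerfile` row); pick one form so both Dockerfiles resolve to the same base, and confirm the short form is what `release/helm/Dockerfile` actually contains. The wording is also inconsistent: the Registry change section says all images move to the authenticated Red Hat registry, but the OCP product image section calls the replacements "publicly available". Since `registry.redhat.io` needs credentials, the Test Plan should gain an item verifying that the CI build hosts and the `memcached-operator-system` namespace (where the `kubectl run` curl pod is created) hold a working pull secret, otherwise an image-pull failure will surface as a metrics-check failure. Finally, the two `ubi-minimal:latest` entries and the e2e curl pod stay on floating tags while the product images are pinned; state whether that is intentional, because an unpinned base cannot be reproduced or audited from the Dockerfile alone.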
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -71,7 +71,7 @@ EOF | |
| token=$(kubectl get secret service-account-secret -o jsonpath={.data.token} | base64 -d) | ||
|
|
||
| # verify that the metrics endpoint exists | ||
| if ! timeout 1m bash -c -- "until kubectl run --attach --rm --restart=Never test-metrics --image=registry.access.redhat.com/ubi9/ubi-minimal:latest -n memcached-operator-system --overrides='{\"spec\":{\"securityContext\":{\"runAsNonRoot\": true, \"capabilities\": {\"drop\": [\"ALL\"]}, \"allowPrivelegeEscalation\": false, \"seccompProfile\": {\"type\": \"RuntimeDefault\"}}}}' -- curl -sfkH \"Authorization: Bearer ${token}\" https://memcached-operator-controller-manager-metrics-service:8443/metrics; do sleep 1; done"; | ||
| if ! timeout 1m bash -c -- "until kubectl run --attach --rm --restart=Never test-metrics --image=registry.redhat.io/ubi10/ubi-minimal:latest -n memcached-operator-system --overrides='{\"spec\":{\"securityContext\":{\"runAsNonRoot\": true, \"capabilities\": {\"drop\": [\"ALL\"]}, \"allowPrivelegeEscalation\": false, \"seccompProfile\": {\"type\": \"RuntimeDefault\"}}}}' -- curl -sfkH \"Authorization: Bearer ${token}\" https://memcached-operator-controller-manager-metrics-service:8443/metrics; do sleep 1; done"; | ||
|
Analysis chain

Web query:

Result: PodSecurityContext (at `spec.securityContext`) and Container securityContext (at `spec.containers[].securityContext`) serve different purposes in Kubernetes, with distinct fields for capabilities and allowPrivilegeEscalation.

PodSecurityContext applies pod-wide settings like runAsUser, runAsGroup, fsGroup, supplementalGroups, seLinuxOptions, seccompProfile, appArmorProfile, sysctls, but does NOT include capabilities or allowPrivilegeEscalation fields. These are pod-level defaults for user/group IDs, volume ownership, and shared security profiles, but capabilities and privilege escalation are handled per-container.

Container securityContext applies to individual containers (and initContainers/ephemeralContainers) and includes capabilities (add/drop lists for Linux capabilities) and allowPrivilegeEscalation (boolean controlling the no_new_privs flag to prevent privilege escalation via setuid etc.). Container settings override pod-level where applicable (e.g., runAsUser).

allowPrivilegeEscalation defaults to true if unset. It is forced true if privileged: true or capabilities add CAP_SYS_ADMIN, and cannot be set false when privileged: true (pod rejected). Set to false for security to block escalation. Capabilities allow fine-grained privileges: drop: ["ALL"] then add: ["NET_BIND_SERVICE"] for least privilege. Pod Security Standards (Restricted) require no added capabilities except a limited list, and allowPrivilegeEscalation: false.

Examples:

Pod-level (no capabilities/allowPrivilegeEscalation):

```yaml
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
```

Container-level:

```yaml
spec:
  containers:
  - securityContext:
      capabilities:
        drop: ["ALL"]
        add: ["NET_BIND_SERVICE"]
      allowPrivilegeEscalation: false
      runAsNonRoot: true
```

Move the container-only security fields out of
||
| then | ||
| echo "Failed to verify that metrics endpoint exists" | ||
| kubectl describe pods | ||
|
|
||
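Review bot: the changed line only swaps the image, but the `--overrides` JSON it carries has two defects worth fixing while the line is touched: `allowPrivelegeEscalation` is misspelled (the field is `allowPrivilegeEscalation`), and both it and `capabilities` sit under the pod-level `spec.securityContext`, which has no such fields; they belong in the container's `securityContext` under `spec.containers[]`. As written, the hardening the override appears to request is not applied to the curl container, and the unknown fields may be rejected by strict field validation or silently dropped, so the metrics check runs with the pod's defaults. Because the new image is pulled from `registry.redhat.io`, the override should also carry `imagePullSecrets` (or the default service account in `memcached-operator-system` must reference a pull secret), or the pod will fail to pull inside the one-minute timeout and the script will report "Failed to verify that metrics endpoint exists" for what is really a registry-auth failure. Consider dropping `-k` from the curl call, or documenting why TLS verification against the metrics service is skipped.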
Add a language hint to the fenced code block

The fenced block at Line 15 has no language specifier (MD040). Add one (for example, `text`) to clear lint.

Tools: markdownlint-cli2 (0.22.0)
[warning] 15-15: Fenced code blocks should have a language specified (MD040, fenced-code-language)