OpenShift Hive: HIVE-2208

Provide Option to Not Pull CLI and openshift/release images during cluster provisioning


Details

    • Hive Should not Download images with CVEs
    • Status: To Do

    Description

      In ARO, Microsoft performs container scanning against all production assets, including running and cached container images. This matters because, during cluster provisioning, Hive pulls down the openshift-release image and the associated CLI image.

      The CLI image is used to perform a must-gather on installation failure, which ARO does not have configured. Additionally, the openshift-release image is used to find the associated CLI image used for a must-gather on installation failure.

      Because these release images are not updated after a Z stream is cut, vulnerabilities will be found in them over time.

      The high-level ask is to not pull down the ocp-release and CLI images when Hive is not configured to perform a must-gather on cluster failure. There appears to be no way to patch existing release images, as the ART team relies on new Z streams to ship updated packages or patched base images.

      Acceptance Criteria

      1. One can toggle a flag, environment variable, or HiveConfig property to disable pulling the ocp-release and CLI images during cluster installs.

      Slack thread: https://redhat-internal.slack.com/archives/CE3ETN3J8/p1682524817374499
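      The gating described above, as an added illustration that is not Hive's own code: the release image is only inspected (via `oc adm release info --image-for=cli`) and the CLI image only resolved when must-gather on install failure is enabled, so neither image is pulled otherwise. The must_gather argument and the OC override are assumed names, not real Hive settings.

```shell
#!/bin/sh
# Added example, not Hive's code. Demonstrates skipping the release/CLI image
# lookup when must-gather on install failure is not configured.

# Resolve the CLI image referenced by a release image. Prints the CLI image
# pullspec, or nothing when the lookup is skipped because must-gather is off.
# Arguments: release image pullspec, "true"/"false" for must-gather enabled.
cli_image_for_release() {
  release_image="$1"
  must_gather="${2:-false}"
  if [ "$must_gather" != "true" ]; then
    # must-gather not configured: do not touch the release or CLI images
    return 0
  fi
  # OC is an assumed override so a test can substitute a fake binary.
  "${OC:-oc}" adm release info "$release_image" --image-for=cli
}

# List the images an install attempt would pull under this gating:
# both images when must-gather is enabled, none when it is not.
images_to_pull() {
  release_image="$1"
  must_gather="${2:-false}"
  cli="$(cli_image_for_release "$release_image" "$must_gather")" || return 1
  if [ -n "$cli" ]; then
    printf '%s\n%s\n' "$release_image" "$cli"
  fi
}
```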

      People

        Eric Fried
        Benjamin Vesel
        Jianping Shu