Epic
Resolution: Done
Critical
None
Description
In ARO, Microsoft performs container scanning against all production assets, including both running and cached container images. This matters because, during cluster provisioning, Hive pulls down the openshift-release image and the associated CLI image, so both end up cached on the cluster and are included in the scan.
The openshift-release image is used only to locate the associated CLI image, and the CLI image is used only to run a must-gather on installation failure; ARO does not have must-gather configured, so neither image serves any purpose there.
Because release images are not rebuilt after a Z stream is cut, vulnerabilities will be found in these cached images over time, and the scan will keep flagging them.
The high-level ask is to not pull down the ocp-release and CLI images when Hive is not configured to perform a must-gather on cluster failure. There appears to be no way to patch an existing release image, since the ART team ships updated packages and patched base images only through new Z streams.
Acceptance Criteria
- One can toggle a flag, environment variable, or hiveConfig property to disable pulling the ocp-release and CLI images during cluster installs.
Slack thread: https://redhat-internal.slack.com/archives/CE3ETN3J8/p1682524817374499