  OpenShift Container Platform (OCP) Strategy
  OCPSTRAT-2492

Slim down OCP core payload and optional operator images


    • Type: Outcome
    • Resolution: Unresolved
    • Priority: Major
    • Security & Compliance
    • 86% To Do, 0% In Progress, 14% Done

      Outcome Overview

      OpenShift's security posture can be improved by lowering the overall number of CVEs found in any image related to OpenShift, by reducing the number of components and packages we ship in them. Many of the CVEs reported by major vendors' vulnerability scanners originate in packages from the base image and their dependencies rather than in the workload itself, so shipping fewer packages also reduces the triage overhead that we and our customers incur for findings that are not reachable at runtime.
      In addition, this reduces the overall storage consumption of OCP releases and optional operators when they are mirrored for disconnected use, lowering hardware requirements and transfer times for OpenShift in edge environments.

       

      Success Criteria

      OpenShift core payload and optional operator images should be built on minimal base images that carry only the components the containerized workload needs at runtime.
      As a result, vulnerability reports for the latest OCP release images and optional operator images should contain few or no CVEs originating in the base layer, and overall image size should be reduced.

       

       

      Expected Results (what, how, when)

      We pursue a two-phase approach:

      • Phase 1 (next two quarters): reduce the CVE and package count in OCP core images and optional operators by moving to existing base images with a reduced package count, e.g. UBI minimal
      • Phase 2 (next 3-4 quarters): minimize the CVE and package count in OCP core images and optional operators by using a scratch-like final image that contains only the components required at runtime
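      As an added illustration of the two phases (this is example code, not part of this ticket or of any OpenShift build), the multi-stage Containerfile below builds a hypothetical Go operator binary once and produces two final images from it: a Phase 1 image on UBI minimal and a Phase 2 image on scratch. The go-toolset image, the ./cmd/example-operator path and the quay.io image names are assumptions for the illustration.

```dockerfile
# Build stage: full toolchain, never shipped. (go-toolset image name and the
# ./cmd/example-operator path are assumptions for this illustration.)
FROM registry.access.redhat.com/ubi9/go-toolset:latest AS builder
WORKDIR /opt/app-root/src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO disabled and symbols stripped: a static binary with no libc dependency,
# which is what makes the scratch final image possible in Phase 2.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
      -o /tmp/example-operator ./cmd/example-operator

# Phase 1 final image: UBI minimal. Still an RPM-based OS layer (microdnf,
# glibc, openssl, ...), but with far fewer packages than ubi9/ubi, so fewer
# base-layer CVEs for a scanner to report.
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS phase1
COPY --from=builder /tmp/example-operator /usr/local/bin/example-operator
USER 1001
ENTRYPOINT ["/usr/local/bin/example-operator"]

# Phase 2 final image: scratch. No package manager, no shell, no OS packages,
# so nothing for a scanner to attribute to a base layer. Only what the binary
# needs at runtime is copied in.
FROM scratch AS phase2
# CA trust bundle, so TLS to the API server and registries still verifies.
# Copied from the real file, not the /etc/pki/tls/certs/ca-bundle.crt symlink.
COPY --from=builder /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
     /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Time zone database: only needed if the program formats local times.
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /tmp/example-operator /usr/local/bin/example-operator
# Numeric UID: scratch has no /etc/passwd, and OpenShift assigns an arbitrary
# UID at runtime anyway, so the binary must not depend on a named user.
USER 1001
ENTRYPOINT ["/usr/local/bin/example-operator"]
```

      Build either target with `podman build --target phase1 -t quay.io/example/example-operator:phase1 .` or `--target phase2`. The Phase 2 image has no shell, so `oc rsh` and `oc debug` cannot exec into it; debugging has to go through a separate debug image, which is exactly why the review criteria carve out a debug-specific image from the "runtime components only" rule.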

       

       

      Post Completion Review – Actual Results

      • average package count in OCP core payload images reduced by 30% after phase 1 completes
      • average number of CVEs reported from base layers in OCP core payload images significantly reduced after phase 1 completes (exact numbers are hard to predetermine)
      • after phase 2 completes, few or no components unrelated to runtime requirements found in OCP core payload images; the one exception is one or more debug-specific images, which are held to a looser standard that only requires the package set to be generally useful for debugging
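      The success criterion ("few or no CVEs from the base layer") and the first two review items above both come down to counting what a scanner attributes to the base image's layers versus the application's own layers. The script below is an added example, not part of this ticket or of any OpenShift tooling. It assumes a Trivy-style JSON report (Results[].Vulnerabilities[] with Severity and Layer.DiffID) and the base image's layer DiffIDs as printed by `podman inspect --format '{{json .RootFS.Layers}}' <base-image>`; the embedded sample report is constructed, with placeholder CVE IDs.

```python
"""Attribute container-image CVE findings to base layers vs. application layers.

Added example, not OpenShift tooling. Assumed inputs: a Trivy-style JSON report
and the base image's layer DiffIDs (podman inspect ... .RootFS.Layers).
Attribution by DiffID only works when the final image really was built FROM the
base image (shared layers); a squashed or rebased image breaks the link, and a
scratch image has no base layers at all, so everything lands in "app".
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: placeholder CVE IDs and layer digests, not real findings.
SAMPLE_REPORT = {
    "ArtifactName": "quay.io/example/example-operator:phase1",
    "Results": [
        {"Target": "quay.io/example/example-operator:phase1 (redhat 9.4)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl-libs", "Severity": "HIGH",
              "Layer": {"DiffID": "sha256:base0001"}},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl-minimal", "Severity": "MEDIUM",
              "Layer": {"DiffID": "sha256:base0001"}},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libxml2", "Severity": "LOW",
              "Layer": {"DiffID": "sha256:app00001"}},  # installed by the app's own RUN step
         ]},
        {"Target": "usr/local/bin/example-operator", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "golang.org/x/net", "Severity": "HIGH",
              "Layer": {"DiffID": "sha256:app00002"}},
             {"VulnerabilityID": "CVE-0000-0005", "PkgName": "stdlib", "Severity": "CRITICAL"},  # no Layer
         ]},
    ],
}
SAMPLE_BASE_LAYERS = {"sha256:base0001"}  # constructed: DiffIDs of the base image


def parse_base_layers(text):
    """Accept either `podman inspect --format '{{json .RootFS.Layers}}'` output
    (a JSON list of DiffIDs) or full `podman inspect` output (a list of objects
    carrying RootFS.Layers) and return the set of DiffIDs."""
    layers = set()
    for item in json.loads(text):
        if isinstance(item, str):
            layers.add(item)
        else:
            layers.update(item.get("RootFS", {}).get("Layers", []))
    return layers


def attribute_findings(report, base_layers, min_severity="LOW"):
    """Bucket each finding at or above min_severity as base / app / unattributed."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    counts = {"base": Counter(), "app": Counter(), "unattributed": Counter()}
    base_cves = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            diff_id = (vuln.get("Layer") or {}).get("DiffID")
            if diff_id is None:
                origin = "unattributed"  # scanner could not tie the finding to a layer
            elif diff_id in base_layers:
                origin = "base"
            else:
                origin = "app"
            counts[origin][severity] += 1
            if origin == "base":
                base_cves.append((vuln["VulnerabilityID"], vuln.get("PkgName", "?"), severity))
    return {
        "counts": counts,
        "base_total": sum(counts["base"].values()),
        "app_total": sum(counts["app"].values()),
        "unattributed_total": sum(counts["unattributed"].values()),
        "base_cves": sorted(base_cves),
    }


def base_layer_is_clean(report, base_layers, min_severity="MEDIUM"):
    """Success-criterion gate: no base-layer findings at or above min_severity."""
    return attribute_findings(report, base_layers, min_severity)["base_total"] == 0


def main(argv):
    if len(argv) == 3:  # usage: script.py trivy-report.json base-layers.json
        with open(argv[1]) as f:
            report = json.load(f)
        with open(argv[2]) as f:
            base_layers = parse_base_layers(f.read())
    else:
        report, base_layers = SAMPLE_REPORT, SAMPLE_BASE_LAYERS
    summary = attribute_findings(report, base_layers)
    for origin in ("base", "app", "unattributed"):
        print(f"{origin:12s} {dict(summary['counts'][origin])}")
    for cve, pkg, sev in summary["base_cves"]:
        print(f"base-layer finding: {cve} {pkg} ({sev})")
    return 0 if base_layer_is_clean(report, base_layers) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

      Run on the built-in sample the script exits non-zero, because two findings sit in the base layer; fed a real report for a Phase 2 scratch image, every finding is the application's own and the base bucket is empty by construction. The unattributed bucket is worth watching separately: findings without layer information cannot be blamed on the base image and should not be counted as base-layer reductions.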

       

              Daniel Messer
              Scott Dodson
              Votes: 8
              Watchers: 19