OpenShift Container Platform (OCP) Strategy: OCPSTRAT-2553

Switch Red Hat operators and layered product base images to UBI Minimal

    • Issue type: Initiative
    • Resolution: Unresolved
    • Priority: Critical
    • Security & Compliance
    • OCPSTRAT-2492 Slim down OCP core payload and optional operator images
    • 36% To Do, 36% In Progress, 27% Done

      See the full FAQ document: https://docs.google.com/document/d/1pihblJ5ZLmVov6Pu0pf3sIymllJG-yCnjR2CY6tqz_0/

      Goal

      Reduce the average number of CVEs reported in Red Hat operator and layered product container images by lowering the package count shipping in the base image.

      Benefit Hypothesis

      The CVE "background noise" that customers experience when scanning OpenShift content is currently high because most operators and layered products use a RHEL base image that ships with a lot of packages pre-installed. These packages are typically not needed at runtime, but will, over time, get flagged with CVEs that may or may not be false positives or marked as WONTFIX. Analysing and triaging these causes significant toil for customers. Due to the sheer number of images and CVEs reported every time customers evaluate a new set of operator versions, this overhead is increasingly becoming prohibitive. We can reduce it by lowering the overall number of components we ship in our images, starting with the base image.

      Resources

      Image scan analysis: https://docs.google.com/document/d/1isolfG7UXDgU5DTDN9AnkzjOCLZbvuAwIja23uGzUW8/edit?tab=t.0 

      UBI minimal usage instructions: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/building_running_and_managing_containers/index#con_understanding-the-ubi-minimal-images_assembly_types-of-container-images 

      Responsibilities

      Red Hat operator and layered product maintainers need to update their Dockerfile/Containerfile to switch to UBI 9.7 minimal (or newer) as the base image. This base image is available starting November 11, 2025 at registry.redhat.io/ubi9/ubi-minimal. Support for a versioned UBI base image ends when a new minor version (e.g. 9.8) becomes available, so teams are also responsible for keeping up with base image updates and should preferably consume the ubi9-minimal:latest tag.

      Additionally, it is possible that before the RHEL 9.9 GA date, we may have to switch back from UBI to ELS-9.8. This decision should be made sometime in January, and ELS 9.8 will be available at the 9.8 GA date in May, allowing teams approximately five months to transition to ELS 9.8 if necessary.

      As part of switching to UBI minimal base images, teams will need to switch from installing any RPM content with dnf to microdnf, which should provide similar features. Teams will also need to ensure that any runtime dependencies previously provided implicitly by the full base image are now installed explicitly.
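      A Containerfile that applies the three changes above (UBI minimal base, microdnf instead of dnf, explicit runtime dependencies), written here as an added illustration rather than taken from the ticket or from any product's repository; the builder image, binary path and package names are assumed placeholders, not a specific operator's requirements:

```dockerfile
# Build stage: compile the operator in a full toolchain image (assumed builder image).
# Nothing from this stage ends up in the shipped image, so its package count is irrelevant.
FROM registry.redhat.io/ubi9/go-toolset:latest AS builder
WORKDIR /workspace
COPY . .
# Placeholder binary and module path for the example.
RUN go build -o /workspace/bin/example-operator ./cmd/example-operator

# Runtime stage: UBI minimal instead of the full UBI image. The floating tag means a
# rebuild picks up the current minor version without a Containerfile change.
FROM registry.redhat.io/ubi9/ubi-minimal:latest

# Before the switch, on the full UBI base, this step would have read:
#   RUN dnf install -y --nodocs <packages> && dnf clean all
# ubi-minimal ships microdnf, not dnf. Every runtime dependency must be listed here:
# on the full image some of them were present only because a pre-installed package
# pulled them in. The package names below are placeholders for the example.
RUN microdnf install -y --nodocs \
        ca-certificates \
        openssl \
    && microdnf clean all

COPY --from=builder /workspace/bin/example-operator /usr/local/bin/example-operator

ENTRYPOINT ["/usr/local/bin/example-operator"]
```

      After the switch, run the operator's functional tests against the new image: a dependency that the full base image satisfied implicitly only shows up as a missing shared library or tool at runtime, not at build time.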

      Scope

      The scope includes operators delivered in the redhat-operator-index catalog that ships with OpenShift and extends to all related images specified by the operator's metadata, also known as operands, specifically those that are maintained by the respective product engineering team.

      For example, the Red Hat Quay Operator consists of its own container image that ships the controller. The related images of the Quay operator include the images that contain the Quay registry itself, the Clair vulnerability analyzer, and the Quay builders image. These are all built and maintained by the Quay engineering team and need to be rebased to UBI9-minimal. The related product images for the Quay operator, however, also include the RHEL AppStream images of PostgreSQL and Redis that can be used with the Quay product. These are not built by the Quay engineering team, so the Quay team is not required to rebase them to UBI9-minimal and can continue to use them as is.

      Timelines

      The delivery timeline should align with the GA date of OpenShift 4.21, scheduled for February 2026. All Red Hat layered product operators should aim to use UBI9-minimal as their base image for their latest release by this time, or earlier. For platform-aligned operators, there is (as usual) a 4-week grace period after the OCP 4.21 GA date by which they need to ship their 4.21-aligned product version, based on UBI9-minimal.

      Backports

      Whether the base image change is backported to older (but still supported) operator versions depends on whether the new version of the operator based on UBI-minimal is going to be supported on OCP 4.20. If not, a backport of this change to an operator version supported on OCP 4.20 is required. Anything beyond that is at the discretion of the layered product operator team.

      Success Criteria

      An average reduction of 30% in the number of CVEs reported in OCP core payload images, measured at the 90-day mark after their release.

      Results

      Add results here once the Initiative is started. Recommend discussions & updates once per quarter in bullets.

              Daniel Messer
              Scott Dodson
              Votes: 0
              Watchers: 16