SRVKP-9531

[Openshift Pipelines] Replace all non-UBI9 minimal base images in OpenShift Pipelines with UBI9 minimal base images across all supported OCP 4.21 versions


    • Type: Epic
    • Resolution: Unresolved
    • Priority: Major
    • Pipelines 1.22.0
    • p12n
    • Replace all non-UBI9 minimal base images in OpenShift Pipelines with UBI9 minimal base images across all supported OCP 4.21 versions
    • To Do
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      • Update all ubi9 minimal base images to 9.7
      • Replace all non-UBI9 minimal base images in OpenShift Pipelines (Tekton) with UBI9 minimal base images across all supported OCP 4.21 versions to reduce package count and lower the average number of CVEs in operator and layered product container images.

      Why is this important?

      • Using minimal base images reduces the attack surface by limiting pre-installed packages, directly lowering vulnerability exposure. This aligns with Red Hat’s security best practices and helps maintain compliance for layered products and operators. It also ensures consistency across the OpenShift ecosystem, simplifies maintenance, and reduces the operational burden of patching frequent CVEs.

      Action Required:

      1. Base Image Change: Update the base image specified in the Containerfile/Dockerfile from the current Red Hat operator image to UBI Minimal.
      2. Package Manager Update: Replace the DNF package manager with microdnf in all build instructions that install packages.
        Note: UBI Minimal does not include the Python runtime that DNF requires.
      3. Verification: Test the resulting operator and operand images to ensure there is no regression in functionality and that all necessary dependencies are correctly installed using microdnf.
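      The three steps above, shown side by side in one Containerfile. This is an added illustration, not a file from the epic or from the OpenShift Pipelines repositories; the binary path `bin/controller`, the package list and the runtime user are placeholders, and the image tags follow the 9.7 target named in the Epic Goal.

```dockerfile
# Added example (not from the epic or the project): migrating a Containerfile
# from a full UBI9 base with dnf to a UBI9 minimal base with microdnf.
# Package list, binary path and UID below are placeholders.

# --- BEFORE (kept as comments for comparison) ---
# FROM registry.access.redhat.com/ubi9/ubi:9.7
# RUN dnf install -y ca-certificates git-core && dnf clean all
# dnf pulls in a Python runtime and weak dependencies, inflating the package
# count and the number of CVE-bearing packages in the final image.

# --- AFTER: UBI9 minimal base ---
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7

# microdnf needs no Python; --nodocs and install_weak_deps=0 keep the
# package footprint to what the workload actually links against.
RUN microdnf install -y --nodocs --setopt=install_weak_deps=0 \
        ca-certificates git-core \
    && microdnf clean all \
    && rm -rf /var/cache/dnf /var/cache/yum

# Placeholder: the operator/operand binary produced by an earlier build stage.
COPY --chown=65532:65532 bin/controller /usr/local/bin/controller

# Run unprivileged; the minimal base carries no shell tooling the process needs.
USER 65532
ENTRYPOINT ["/usr/local/bin/controller"]
```

      For the verification step, `rpm -qa | wc -l` run inside the old and new images gives the package-count comparison the epic asks for, and a plain `ls /usr/bin/python3` failing in the new image confirms the Python runtime that DNF depended on is no longer present.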

      Scenarios

      1. ...

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
        • All existing Tekton and Pipelines-related tests pass after the base image changes.
        • Image scanning results show a reduction in CVEs compared to previous base images.
        • Automated validation ensures no pipeline tasks break due to missing dependencies.
      • Release Technical Enablement - Provide necessary release enablement details and documents.
        • Documentation updated for any changes in image tags or required environment variables.
        • Release notes include changes to base images and any potential impact on custom tasks.
        • Upgrade path tested and documented for users on earlier Pipelines versions.

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions:

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

        Attachments:
        1. migration_tracking.csv (18 kB, abdeljawed khelil)
        2. openshift_pipelines_runtime_scan.csv (43 kB, abdeljawed khelil)

              jkhelil abdeljawed khelil