OCPBUGS-87451: Updating kube-proxy-container image to be consistent with ART for 5.0#2683
Conversation
800c337 to
bba66a2
Compare
|
Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/216 |
|
@openshift-bot: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
Comment |
|
@openshift-bot: This pull request references Jira Issue OCPBUGS-87451, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: openshift-bot The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
WalkthroughThis PR updates container image tags for Go 1.26 and OpenShift 5.0 across CI and kube-proxy build configurations. The CI operator configuration references the new builder image, and the kube-proxy Dockerfile updates both its multi-stage builder and final runtime base image to match the new versions while preserving all build logic and runtime behavior. ChangesGo 1.26 and OpenShift 5.0 Infrastructure Upgrade
🎯 1 (Trivial) | ⏱️ ~3 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@openshift-bot: This pull request references Jira Issue OCPBUGS-87451, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
openshift-hack/images/kube-proxy/Dockerfile.rhel (2)
8-16:⚠️ Potential issue | 🟠 Major | ⚡ Quick winRun the runtime image as a non-root user.
The final stage has no
USERdirective, so it defaults to root. Add a dedicated non-root user (or UID) before runtime.As per coding guidelines, "USER non-root; never run as root".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@openshift-hack/images/kube-proxy/Dockerfile.rhel` around lines 8 - 16, The final image is running as root because there's no USER set; add a non-root user and switch to it at the end of the Dockerfile: create a dedicated user/group (or specific UID) in the final stage (before the LABEL/COPY or immediately after COPY --from=builder /tmp/build/* /usr/bin/), ensure owned runtime files (e.g., files copied to /usr/bin/) are chowned to that user, and add a USER <non-root> directive so the container runs non-root; update associated RUN steps that need root to occur before switching users (reference the COPY --from=builder /tmp/build/* /usr/bin/, the existing RUN install line and the missing USER directive).Source: Coding guidelines
8-16:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAdd a container
HEALTHCHECKfor kube-proxy availability.The runtime image does not define a health check. Add one aligned with kube-proxy startup/metrics behavior.
As per coding guidelines, "HEALTHCHECK defined".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@openshift-hack/images/kube-proxy/Dockerfile.rhel` around lines 8 - 16, The image lacks a Docker HEALTHCHECK; add a HEALTHCHECK Dockerfile instruction that probes kube-proxy’s local health endpoint (e.g., GET http://127.0.0.1:10256/healthz) using a shell command and sensible options (--interval, --timeout, --start-period, --retries). Update the existing RUN that installs packages (the RUN with INSTALL_PKGS="conntrack-tools iptables nftables") to also install a lightweight HTTP probe tool (e.g., curl) so the healthcheck command can run, then append a HEALTHCHECK line like: HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 CMD-SHELL curl -fsS http://127.0.0.1:10256/healthz || exit 1 to the Dockerfile.rhel.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@openshift-hack/images/kube-proxy/Dockerfile.rhel`:
- Line 3: The Dockerfile.rhel currently uses a broad COPY . . in the builder
stage (COPY . .), which pulls the entire build context; replace that with
explicit COPY instructions for only the required files and directories (e.g.,
copy the source dir, package files, and necessary configs) so sensitive or
irrelevant files are excluded; update the builder stage in Dockerfile.rhel to
list each required path instead of using COPY . . and remove any unnecessary
files from the build context.
- Line 1: The Dockerfile uses CI registry images for both build and final stages
(the first FROM specifying the builder stage and the second FROM at line 8),
which must be replaced with approved production base images; update both FROM
lines to use an approved UBI minimal or distroless image from catalog.redhat.com
(for example a UBI 9 minimal or equivalent distroless image) so the builder
stage (the image named by the first FROM / builder) and the final runtime stage
(the second FROM) both reference catalog.redhat.com production images instead of
registry.ci.openshift.org.
---
Outside diff comments:
In `@openshift-hack/images/kube-proxy/Dockerfile.rhel`:
- Around line 8-16: The final image is running as root because there's no USER
set; add a non-root user and switch to it at the end of the Dockerfile: create a
dedicated user/group (or specific UID) in the final stage (before the LABEL/COPY
or immediately after COPY --from=builder /tmp/build/* /usr/bin/), ensure owned
runtime files (e.g., files copied to /usr/bin/) are chowned to that user, and
add a USER <non-root> directive so the container runs non-root; update
associated RUN steps that need root to occur before switching users (reference
the COPY --from=builder /tmp/build/* /usr/bin/, the existing RUN install line
and the missing USER directive).
- Around line 8-16: The image lacks a Docker HEALTHCHECK; add a HEALTHCHECK
Dockerfile instruction that probes kube-proxy’s local health endpoint (e.g., GET
http://127.0.0.1:10256/healthz) using a shell command and sensible options
(--interval, --timeout, --start-period, --retries). Update the existing RUN that
installs packages (the RUN with INSTALL_PKGS="conntrack-tools iptables
nftables") to also install a lightweight HTTP probe tool (e.g., curl) so the
healthcheck command can run, then append a HEALTHCHECK line like: HEALTHCHECK
--interval=30s --timeout=5s --start-period=10s --retries=3 CMD-SHELL curl -fsS
http://127.0.0.1:10256/healthz || exit 1 to the Dockerfile.rhel.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 46c7c109-f3be-4dff-95e2-80bb388283ce
📒 Files selected for processing (2)
.ci-operator.yamlopenshift-hack/images/kube-proxy/Dockerfile.rhel
| @@ -1,11 +1,11 @@ | |||
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder | |||
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder | |||
There was a problem hiding this comment.
Use approved production base images for both stages.
Line 1 and Line 8 use CI registry images instead of approved production bases. This violates the container hardening baseline for release Dockerfiles.
As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com".
Also applies to: 8-8
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@openshift-hack/images/kube-proxy/Dockerfile.rhel` at line 1, The Dockerfile
uses CI registry images for both build and final stages (the first FROM
specifying the builder stage and the second FROM at line 8), which must be
replaced with approved production base images; update both FROM lines to use an
approved UBI minimal or distroless image from catalog.redhat.com (for example a
UBI 9 minimal or equivalent distroless image) so the builder stage (the image
named by the first FROM / builder) and the final runtime stage (the second FROM)
both reference catalog.redhat.com production images instead of
registry.ci.openshift.org.
Source: Coding guidelines
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder | ||
| FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder | ||
| WORKDIR /go/src/k8s.io/kubernetes | ||
| COPY . . |
There was a problem hiding this comment.
Avoid COPY . . in the builder stage.
Line 3 copies the entire build context, which expands attack surface and can unintentionally include sensitive or irrelevant files. Copy only required paths/files.
As per coding guidelines, "COPY specific files, not entire context".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@openshift-hack/images/kube-proxy/Dockerfile.rhel` at line 3, The
Dockerfile.rhel currently uses a broad COPY . . in the builder stage (COPY . .),
which pulls the entire build context; replace that with explicit COPY
instructions for only the required files and directories (e.g., copy the source
dir, package files, and necessary configs) so sensitive or irrelevant files are
excluded; update the builder stage in Dockerfile.rhel to list each required path
instead of using COPY . . and remove any unnecessary files from the build
context.
Source: Coding guidelines
|
ART wants to connect issue OCPBUGS-87705 to this PR, but found it is currently hooked up to ['OCPBUGS-87451']. Please consult with #forum-ocp-art if it is not clear what there is to do. |
|
/retest |
|
@openshift-bot: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/close |
|
@jubittajohn: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@openshift-bot: This pull request references Jira Issue OCPBUGS-87451. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Updating kube-proxy-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.
The configuration in the following ART component metadata is driving this alignment request:
kube-proxy.yml.
Detail:
This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.
Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.
PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.
Roles & Responsibilities:
tests OR that necessary metadata changes are reported to the ART team
in
#forum-ocp-arton Slack. If necessary, the changes required by this pull request can beintroduced with a separate PR opened by the component team. Once the repository is aligned,
this PR will be closed automatically.
verify-depsis complaining. In that case, please opena new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
any required labels to ensure the PR merges once tests are passing. In cases where ART config is
canonical, downstream builds are already being built with these changes, and merging this PR
only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
a grace period for the component team to align their CI with ART's configuration before it becomes
canonical in product builds.
ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:
Change behavior of future PRs:
set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
To do so, open a PR to set the
auto_labelattribute in the image configuration. ExampleUPSTREAM: <carry>:. An example.If you have any questions about this pull request, please reach out in the
#forum-ocp-artSlack channel.