Skip to content

OCPBUGS-87451: Updating kube-proxy-container image to be consistent with ART for 5.0#2683

Closed
openshift-bot wants to merge 1 commit into
openshift:masterfrom
openshift-bot:art-consistency-openshift-5.0-kube-proxy
Closed

OCPBUGS-87451: Updating kube-proxy-container image to be consistent with ART for 5.0#2683
openshift-bot wants to merge 1 commit into
openshift:masterfrom
openshift-bot:art-consistency-openshift-5.0-kube-proxy

Conversation

@openshift-bot

@openshift-bot openshift-bot commented Jun 7, 2026

Copy link
Copy Markdown

Updating kube-proxy-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
kube-proxy.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

@openshift-bot openshift-bot force-pushed the art-consistency-openshift-5.0-kube-proxy branch from 800c337 to bba66a2 Compare June 7, 2026 09:12
@openshift-bot

Copy link
Copy Markdown
Author

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Jun 7, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@openshift-bot: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-bot openshift-bot changed the title Updating kube-proxy-container image to be consistent with ART for 5.0 OCPBUGS-87451: Updating kube-proxy-container image to be consistent with ART for 5.0 Jun 7, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 7, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@openshift-bot: This pull request references Jira Issue OCPBUGS-87451, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating kube-proxy-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
kube-proxy.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jun 7, 2026
@openshift-ci openshift-ci Bot requested review from benluddy and deads2k June 7, 2026 09:12
@openshift-ci

openshift-ci Bot commented Jun 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-bot
Once this PR has been reviewed and has the lgtm label, please assign jacobsee for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 7, 2026

Copy link
Copy Markdown

Walkthrough

This PR updates container image tags for Go 1.26 and OpenShift 5.0 across CI and kube-proxy build configurations. The CI operator configuration references the new builder image, and the kube-proxy Dockerfile updates both its multi-stage builder and final runtime base image to match the new versions while preserving all build logic and runtime behavior.

Changes

Go 1.26 and OpenShift 5.0 Infrastructure Upgrade

Layer / File(s) Summary
CI operator build root configuration
.ci-operator.yaml
The build_root_image.tag is updated to rhel-9-release-golang-1.26-openshift-5.0, referencing the Go 1.26 and OpenShift 5.0 builder image.
Kube-proxy Dockerfile builder and runtime images
openshift-hack/images/kube-proxy/Dockerfile.rhel
The builder stage and final runtime base image tags are updated to Go 1.26 and OpenShift 5.0 versions. Package installation steps (conntrack-tools, iptables, nftables), binary copying into /usr/bin/, and image labels remain unchanged.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR contains no Ginkgo test files or test definitions - only CI configuration and Dockerfile changes, so the test name stability check is not applicable.
Test Structure And Quality ✅ Passed PR modifies configuration and Dockerfile only—no Ginkgo test code present, making this test-quality check not applicable.
Microshift Test Compatibility ✅ Passed PR modifies only CI config and Dockerfiles (.ci-operator.yaml and kube-proxy/Dockerfile.rhel), not Ginkgo e2e tests. Check for new Ginkgo tests is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests added in this PR - only CI config and Dockerfile updates. Check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR changes only modify CI build configuration and Dockerfile base images, not deployment manifests, operator code, or controllers. No topology-aware scheduling constraints are introduced.
Ote Binary Stdout Contract ✅ Passed PR only changes build configuration and Dockerfile base images; no Go source code or OTE binary stdout-related code modifications present.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR contains no Ginkgo e2e tests; only infrastructure/build configuration changes (.ci-operator.yaml and Dockerfile updates). Check is not applicable.
No-Weak-Crypto ✅ Passed No weak cryptography patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or insecure comparisons detected; PR only updates base image tags for OpenShift 5.0 consistency.
Container-Privileges ✅ Passed The PR modifies only .ci-operator.yaml and Dockerfile.rhel; neither contains privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN capability, or allowPrivilegeEscalation: true configurations.
No-Sensitive-Data-In-Logs ✅ Passed PR contains only base image tag updates in .ci-operator.yaml and Dockerfile.rhel with no logging statements or sensitive data exposure (passwords, tokens, API keys, PII, session IDs).
Title check ✅ Passed The title directly references the main changes: updating kube-proxy-container image and ensuring consistency with ART for OpenShift 5.0, which matches the core objective of the PR.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci-robot

Copy link
Copy Markdown

@openshift-bot: This pull request references Jira Issue OCPBUGS-87451, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Updating kube-proxy-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
kube-proxy.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

  • Chores
  • Updated build container images to Go 1.26 and OpenShift 5.0 base images for CI infrastructure.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
openshift-hack/images/kube-proxy/Dockerfile.rhel (2)

8-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the runtime image as a non-root user.

The final stage has no USER directive, so it defaults to root. Add a dedicated non-root user (or UID) before runtime.

As per coding guidelines, "USER non-root; never run as root".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift-hack/images/kube-proxy/Dockerfile.rhel` around lines 8 - 16, The
final image is running as root because there's no USER set; add a non-root user
and switch to it at the end of the Dockerfile: create a dedicated user/group (or
specific UID) in the final stage (before the LABEL/COPY or immediately after
COPY --from=builder /tmp/build/* /usr/bin/), ensure owned runtime files (e.g.,
files copied to /usr/bin/) are chowned to that user, and add a USER <non-root>
directive so the container runs non-root; update associated RUN steps that need
root to occur before switching users (reference the COPY --from=builder
/tmp/build/* /usr/bin/, the existing RUN install line and the missing USER
directive).

Source: Coding guidelines


8-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a container HEALTHCHECK for kube-proxy availability.

The runtime image does not define a health check. Add one aligned with kube-proxy startup/metrics behavior.

As per coding guidelines, "HEALTHCHECK defined".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift-hack/images/kube-proxy/Dockerfile.rhel` around lines 8 - 16, The
image lacks a Docker HEALTHCHECK; add a HEALTHCHECK Dockerfile instruction that
probes kube-proxy’s local health endpoint (e.g., GET
http://127.0.0.1:10256/healthz) using a shell command and sensible options
(--interval, --timeout, --start-period, --retries). Update the existing RUN that
installs packages (the RUN with INSTALL_PKGS="conntrack-tools iptables
nftables") to also install a lightweight HTTP probe tool (e.g., curl) so the
healthcheck command can run, then append a HEALTHCHECK line like: HEALTHCHECK
--interval=30s --timeout=5s --start-period=10s --retries=3 CMD-SHELL curl -fsS
http://127.0.0.1:10256/healthz || exit 1 to the Dockerfile.rhel.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@openshift-hack/images/kube-proxy/Dockerfile.rhel`:
- Line 3: The Dockerfile.rhel currently uses a broad COPY . . in the builder
stage (COPY . .), which pulls the entire build context; replace that with
explicit COPY instructions for only the required files and directories (e.g.,
copy the source dir, package files, and necessary configs) so sensitive or
irrelevant files are excluded; update the builder stage in Dockerfile.rhel to
list each required path instead of using COPY . . and remove any unnecessary
files from the build context.
- Line 1: The Dockerfile uses CI registry images for both build and final stages
(the first FROM specifying the builder stage and the second FROM at line 8),
which must be replaced with approved production base images; update both FROM
lines to use an approved UBI minimal or distroless image from catalog.redhat.com
(for example a UBI 9 minimal or equivalent distroless image) so the builder
stage (the image named by the first FROM / builder) and the final runtime stage
(the second FROM) both reference catalog.redhat.com production images instead of
registry.ci.openshift.org.

---

Outside diff comments:
In `@openshift-hack/images/kube-proxy/Dockerfile.rhel`:
- Around line 8-16: The final image is running as root because there's no USER
set; add a non-root user and switch to it at the end of the Dockerfile: create a
dedicated user/group (or specific UID) in the final stage (before the LABEL/COPY
or immediately after COPY --from=builder /tmp/build/* /usr/bin/), ensure owned
runtime files (e.g., files copied to /usr/bin/) are chowned to that user, and
add a USER <non-root> directive so the container runs non-root; update
associated RUN steps that need root to occur before switching users (reference
the COPY --from=builder /tmp/build/* /usr/bin/, the existing RUN install line
and the missing USER directive).
- Around line 8-16: The image lacks a Docker HEALTHCHECK; add a HEALTHCHECK
Dockerfile instruction that probes kube-proxy’s local health endpoint (e.g., GET
http://127.0.0.1:10256/healthz) using a shell command and sensible options
(--interval, --timeout, --start-period, --retries). Update the existing RUN that
installs packages (the RUN with INSTALL_PKGS="conntrack-tools iptables
nftables") to also install a lightweight HTTP probe tool (e.g., curl) so the
healthcheck command can run, then append a HEALTHCHECK line like: HEALTHCHECK
--interval=30s --timeout=5s --start-period=10s --retries=3 CMD-SHELL curl -fsS
http://127.0.0.1:10256/healthz || exit 1 to the Dockerfile.rhel.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 46c7c109-f3be-4dff-95e2-80bb388283ce

📥 Commits

Reviewing files that changed from the base of the PR and between 872bd37 and bba66a2.

📒 Files selected for processing (2)
  • .ci-operator.yaml
  • openshift-hack/images/kube-proxy/Dockerfile.rhel

@@ -1,11 +1,11 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Use approved production base images for both stages.

Line 1 and Line 8 use CI registry images instead of approved production bases. This violates the container hardening baseline for release Dockerfiles.

As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com".

Also applies to: 8-8

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift-hack/images/kube-proxy/Dockerfile.rhel` at line 1, The Dockerfile
uses CI registry images for both build and final stages (the first FROM
specifying the builder stage and the second FROM at line 8), which must be
replaced with approved production base images; update both FROM lines to use an
approved UBI minimal or distroless image from catalog.redhat.com (for example a
UBI 9 minimal or equivalent distroless image) so the builder stage (the image
named by the first FROM / builder) and the final runtime stage (the second FROM)
both reference catalog.redhat.com production images instead of
registry.ci.openshift.org.

Source: Coding guidelines

FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
WORKDIR /go/src/k8s.io/kubernetes
COPY . .

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid COPY . . in the builder stage.

Line 3 copies the entire build context, which expands attack surface and can unintentionally include sensitive or irrelevant files. Copy only required paths/files.

As per coding guidelines, "COPY specific files, not entire context".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift-hack/images/kube-proxy/Dockerfile.rhel` at line 3, The
Dockerfile.rhel currently uses a broad COPY . . in the builder stage (COPY . .),
which pulls the entire build context; replace that with explicit COPY
instructions for only the required files and directories (e.g., copy the source
dir, package files, and necessary configs) so sensitive or irrelevant files are
excluded; update the builder stage in Dockerfile.rhel to list each required path
instead of using COPY . . and remove any unnecessary files from the build
context.

Source: Coding guidelines

@openshift-bot

Copy link
Copy Markdown
Author

ART wants to connect issue OCPBUGS-87705 to this PR, but found it is currently hooked up to ['OCPBUGS-87451']. Please consult with #forum-ocp-art if it is not clear what there is to do.

@openshift-bot openshift-bot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 10, 2026
@vinnie1110

Copy link
Copy Markdown

/retest

@openshift-ci

openshift-ci Bot commented Jun 15, 2026

Copy link
Copy Markdown

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-techpreview bba66a2 link false /test e2e-aws-ovn-techpreview
ci/prow/e2e-aws-ovn-runc bba66a2 link false /test e2e-aws-ovn-runc
ci/prow/verify bba66a2 link true /test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jubittajohn

Copy link
Copy Markdown

/close
Updating in the Kube rebase PR : #2653

@openshift-ci openshift-ci Bot closed this Jul 6, 2026
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

@jubittajohn: Closed this PR.

Details

In response to this:

/close
Updating in the Kube rebase PR : #2653

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci-robot

Copy link
Copy Markdown

@openshift-bot: This pull request references Jira Issue OCPBUGS-87451. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

Details

In response to this:

Updating kube-proxy-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
kube-proxy.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

  • Component owners are responsible for ensuring these alignment PRs merge with passing
    tests OR that necessary metadata changes are reported to the ART team
    in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
    introduced with a separate PR opened by the component team. Once the repository is aligned,
    this PR will be closed automatically.
  • In particular, it could be that a job like verify-deps is complaining. In that case, please open
    a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
  • Patch-manager or those with sufficient privileges within this repository may add
    any required labels to ensure the PR merges once tests are passing. In cases where ART config is
    canonical, downstream builds are already being built with these changes, and merging this PR
    only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
    a grace period for the component team to align their CI with ART's configuration before it becomes
    canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

  • In case you just want to follow the base images that ART suggests, you can configure additional labels to be
    set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
    To do so, open a PR to set the auto_label attribute in the image configuration. Example
  • You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants