5 changes: 3 additions & 2 deletions Dockerfile.openshift
@@ -1,10 +1,11 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.redhat.io/ubi10/go-toolset:10.1 AS builder
USER 0
WORKDIR /go/src/github.com/openshift/secrets-store-csi-driver-operator
COPY . .
RUN make
RUN go version -m secrets-store-csi-driver-operator

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
FROM registry.redhat.io/ubi10-minimal:10.1
COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver-operator/secrets-store-csi-driver-operator /usr/bin/
ENTRYPOINT ["/usr/bin/secrets-store-csi-driver-operator"]
Comment on lines +8 to 10


⚠️ Potential issue | 🟠 Major

Run the final container as non-root.

Lines 8-10 define the runtime image but never set a non-root USER, so the container will run with the base image default (typically root). Please set an explicit non-root user in the final stage.

Proposed fix
 FROM registry.redhat.io/ubi10-minimal:10.1
 COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver-operator/secrets-store-csi-driver-operator /usr/bin/
+USER 65532
 ENTRYPOINT ["/usr/bin/secrets-store-csi-driver-operator"]
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.openshift` around lines 8 - 10, the final image is left running as
root; update the final stage so the runtime binary copied by COPY --from=builder
(the /usr/bin/secrets-store-csi-driver-operator) is owned by a non-root user and
the image sets USER before ENTRYPOINT. Create or use a non-root UID/GID (or an
unprivileged user like 1001), chown the binary to that user/group in the final
stage, and add a USER instruction (referencing the runtime stage's ENTRYPOINT
and the copied binary) so the container runs non-root.

LABEL io.k8s.display-name="OpenShift Secrets Store CSI Driver Operator" \
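Review bot: both new base images in this hunk, `registry.redhat.io/ubi10/go-toolset:10.1` on line 1 and `registry.redhat.io/ubi10-minimal:10.1` on line 8, are pulled by a mutable tag, so the Go toolchain that builds the operator binary and the runtime userland can change on a rebuild with no change to this file; since this PR is the base-image migration itself, consider pinning each `FROM` by digest (`image:tag@sha256:<digest>`) or stating in the migration doc which process tracks tag updates. The new `USER 0` on line 2 also deserves a one-line comment in the Dockerfile (the accompanying docs/rhcos10-ubi10-migration.md says it is required by go-toolset), because a root builder stage is exactly the line a later reader will be tempted to remove. The missing non-root `USER` in the runtime stage is already raised in the comment on lines 8-10.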
37 changes: 37 additions & 0 deletions docs/rhcos10-ubi10-migration.md
@@ -0,0 +1,37 @@
# RHCOS10 UBI10 Base Image Migration

## Summary

Migrate all OpenShift Dockerfile base images from the OCP CI registry (RHEL9-based) to
`registry.redhat.io` UBI10 for native RHCOS10 compatibility.

| Dockerfile | Builder: Before | Builder: After | Runtime: Before | Runtime: After |
|------------|----------------|----------------|-----------------|----------------|
| `Dockerfile.openshift` | `ocp/builder:rhel-9-golang-1.25-openshift-4.22` | `ubi10/go-toolset:10.1` | `ocp/4.22:base-rhel9` | `ubi10-minimal:10.1` |
| `Dockerfile.mustgather` | n/a | n/a | `ocp/4.22:must-gather` | unchanged |

All images move from `registry.ci.openshift.org` → `registry.redhat.io`.

## Files Changed

| File | Change |
|------|--------|
| `Dockerfile.openshift` | Builder: `ocp/builder:rhel-9-golang-1.24-openshift-4.22` → `ubi10/go-toolset:10.1`; adds `USER 0` (required by go-toolset); Runtime: `ocp/4.22:base-rhel9` → `ubi10-minimal:10.1` |

## Unchanged Files

| File | Reason |
|------|--------|
| `Dockerfile.mustgather` | Depends on `ocp/4.22:must-gather` which is an OCP-managed image; migration tracked separately |
| `.ci-operator.yaml` | `build_root_image` uses a Prow CI imagestream tag; no `rhel-10` equivalent exists yet for the CI build root — tracked separately |

## Prerequisite

PR1 (`rhcos10-ubi9-compat-test`) should pass CI on RHCOS10 nodes before merging this.

## Test Matrix

| Cluster | Test Suite | Expected |
|---------|-----------|---------|
| RHCOS10 | e2e-azure-rhcos10 | Pass |
| RHCOS10 | e2e-azure-rhcos10-fips | Pass |
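Review bot: the Files Changed table (line 19 of the new file) gives the old builder as `ocp/builder:rhel-9-golang-1.24-openshift-4.22`, but the Summary table on line 10 and the Dockerfile.openshift diff in this PR both show `rhel-9-golang-1.25-openshift-4.22`; please make the two rows agree. The sentence on line 13, "All images move from `registry.ci.openshift.org` → `registry.redhat.io`", also overstates the change, since the same Summary table marks `Dockerfile.mustgather` as unchanged and the Unchanged Files section says `.ci-operator.yaml` still uses a CI imagestream tag; suggest "The `Dockerfile.openshift` builder and runtime images move from `registry.ci.openshift.org` to `registry.redhat.io`".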