2 changes: 1 addition & 1 deletion .ci-operator.yaml
@@ -1,4 +1,4 @@
build_root_image:
name: release
namespace: openshift
tag: rhel-9-release-golang-1.25-openshift-4.22
tag: rhel-9-release-golang-1.26-openshift-5.0
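Review bot: the build_root_image tag bumped here (rhel-9-release-golang-1.26-openshift-5.0) and the builder tag in the Dockerfile FROM line (rhel-9-golang-1.26-openshift-5.0) now name the same Go 1.26 / 5.0 release, which is what keeps the CI build root and the shipped image on one toolchain; the review findings further down list Dockerfile.okd and Dockerfile.rhel7, neither of which is part of this diff, so confirm whether their base-image tags still reference the 4.22 release before merging.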
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,9 +1,9 @@
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify base image source and type for OpenShift operators

# Check if there are other Dockerfiles in the repo using catalog.redhat.com
echo "=== Checking for catalog.redhat.com usage in Dockerfiles ==="
rg -n 'FROM.*catalog\.redhat\.com' --type dockerfile -g 'Dockerfile*'

# Check for UBI minimal/distroless patterns
echo -e "\n=== Checking for UBI minimal or distroless base images ==="
rg -n 'FROM.*(ubi.*-minimal|distroless)' --type dockerfile -g 'Dockerfile*'

# Check for documentation about base image requirements
echo -e "\n=== Searching for base image documentation ==="
fd -t f 'README|CONTRIBUTING|HACKING' -x rg -l 'base.image|UBI|catalog.redhat' {}

Repository: openshift/cluster-samples-operator

Length of output: 335


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Locate Dockerfile(s) ==="
fd -a -t f -g 'Dockerfile*' . -x echo {} 2>/dev/null | head -n 50 || true
DOCKERFILE=$(fd -a -t f 'Dockerfile' . -x echo {} 2>/dev/null | head -n 1 || true)
echo "Detected Dockerfile: ${DOCKERFILE:-<none>}"

echo -e "\n=== Show Dockerfile header (1-120) with line numbers ==="
if [[ -n "${DOCKERFILE:-}" ]]; then
  nl -ba "$DOCKERFILE" | head -n 160
else
  echo "No Dockerfile found."
fi

echo -e "\n=== Quick checks inside Dockerfile (if present) ==="
if [[ -n "${DOCKERFILE:-}" ]]; then
  echo "-- FROM lines"
  rg -n '^FROM ' "$DOCKERFILE" || true
  echo "-- COPY lines"
  rg -n '^COPY ' "$DOCKERFILE" || true
  echo "-- USER line"
  rg -n '^USER ' "$DOCKERFILE" || true
  echo "-- HEALTHCHECK"
  rg -n '^HEALTHCHECK' "$DOCKERFILE" || true
  echo "-- read-only rootfs hints (volume/mount options)"
  rg -n 'read[- ]only|ReadonlyRootFilesystem|readOnlyRootFilesystem' "$DOCKERFILE" || true
fi

echo -e "\n=== Check for catalog.redhat.com usage in any Dockerfile ==="
fd -a -t f 'Dockerfile*' . | while read -r f; do
  rg -n 'FROM.*catalog\.redhat\.com' "$f" && echo "---- $f"
done || true

echo -e "\n=== Check for UBI minimal/distroless base images in any Dockerfile ==="
fd -a -t f 'Dockerfile*' . | while read -r f; do
  rg -n 'FROM.*(ubi.*-minimal|distroless)' "$f" && echo "---- $f"
done || true

Repository: openshift/cluster-samples-operator

Length of output: 384


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== List Dockerfile* files ==="
DOCKERFILES=()
while IFS= read -r f; do DOCKERFILES+=("$f"); done < <(fd -a -t f -g 'Dockerfile*' . 2>/dev/null || true)
printf '%s\n' "${DOCKERFILES[@]:-<none>}"

echo -e "\n=== Inspect first 200 lines of each Dockerfile* (or until end) ==="
for f in "${DOCKERFILES[@]:-}"; do
  echo -e "\n---- FILE: $f ----"
  wc -l "$f" || true
  head -n 200 "$f" | cat -n
done

echo -e "\n=== Quick extraction across Dockerfile* files ==="
for f in "${DOCKERFILES[@]:-}"; do
  echo -e "\n---- FILE: $f ----"
  echo "-- FROM:"
  rg -n '^FROM ' "$f" || true
  echo "-- COPY:"
  rg -n '^(COPY|ADD) ' "$f" || true
  echo "-- USER:"
  rg -n '^USER ' "$f" || true
  echo "-- HEALTHCHECK:"
  rg -n '^HEALTHCHECK' "$f" || true
  echo "-- read-only rootfs hints (mount/readonly):"
  rg -n 'read[- ]only|ReadonlyRootFilesystem|readOnlyRootFilesystem' "$f" || true
done

echo -e "\n=== Check for catalog.redhat.com usage in any Dockerfile* ==="
for f in "${DOCKERFILES[@]:-}"; do
  rg -n 'FROM.*catalog\.redhat\.com' "$f" && echo "---- $f" || true
done

echo -e "\n=== Check for UBI minimal/distroless base images in any Dockerfile* ==="
for f in "${DOCKERFILES[@]:-}"; do
  rg -n 'FROM.*(ubi.*-minimal|distroless)' "$f" && echo "---- $f" || true
done

echo -e "\n=== Search repo docs for base image requirements terms ==="
rg -n 'base\.image|UBI|minimal/distroless|catalog\.redhat\.com|registry\.ci\.openshift\.org' -S README* .github* docs* 2>/dev/null || true

Repository: openshift/cluster-samples-operator

Length of output: 184


🏁 Script executed:

#!/bin/bash
set -euo pipefail

tmpfile="/tmp/dockerfiles_list.txt"
rm -f "$tmpfile"

echo "=== Discover Dockerfile* files ==="
fd -a -t f -g 'Dockerfile*' . > "$tmpfile" 2>/dev/null || true
if [[ ! -s "$tmpfile" ]]; then
  echo "No Dockerfile* files found by fd."
  exit 0
fi
cat "$tmpfile"

echo -e "\n=== Inspect each Dockerfile* (header + key directives) ==="
while IFS= read -r f; do
  echo -e "\n---- FILE: $f ----"
  echo "First 120 lines:"
  head -n 120 "$f" | cat -n

  echo -e "\nFROM lines:"
  rg -n '^FROM ' "$f" || true

  echo -e "\nCOPY/ADD lines:"
  rg -n '^(COPY|ADD) ' "$f" || true

  echo -e "\nUSER lines:"
  rg -n '^USER ' "$f" || true

  echo -e "\nHEALTHCHECK lines:"
  rg -n '^HEALTHCHECK' "$f" || true

  echo -e "\nRead-only rootfs hints (mount/readonly/ReadonlyRootFilesystem):"
  rg -n 'read[- ]only|ReadonlyRootFilesystem|readOnlyRootFilesystem' "$f" || true
done < "$tmpfile"

echo -e "\n=== Cross-check: catalog.redhat.com usage in any Dockerfile* ==="
while IFS= read -r f; do
  rg -n 'FROM.*catalog\.redhat\.com' "$f" && echo "---- $f" || true
done < "$tmpfile"

echo -e "\n=== Cross-check: UBI minimal/distroless base images in any Dockerfile* ==="
while IFS= read -r f; do
  rg -n 'FROM.*(ubi.*-minimal|distroless)' "$f" && echo "---- $f" || true
done < "$tmpfile"

echo -e "\n=== Cross-check: registry.ci.openshift.org usage in any Dockerfile* ==="
while IFS= read -r f; do
  rg -n 'FROM.*registry\.ci\.openshift\.org' "$f" && echo "---- $f" || true
done < "$tmpfile"

Repository: openshift/cluster-samples-operator

Length of output: 6477


Fix Docker base-image/security guideline violations in Dockerfile(s)

  • Base images come from registry.ci.openshift.org (not catalog.redhat.com) and the runtime image is not UBI minimal/distroless (Dockerfile: FROM registry.ci.openshift.org/ocp/5.0:base-rhel9; Dockerfile.okd/Dockerfile.rhel7: final stage uses FROM .../ocp/builder:rhel-*-base-openshift-*).
  • Builder context is copied wholesale (COPY . .) in Dockerfile, Dockerfile.okd, and Dockerfile.rhel7 (guideline requires copying specific files).
  • No HEALTHCHECK instruction exists in any Dockerfile* (Dockerfile, Dockerfile.okd, Dockerfile.rhel7).
  • No read-only-rootfs hardening is expressed in the Dockerfile(s) (no relevant config beyond USER cluster-samples-operator).

Source: Coding guidelines

WORKDIR /go/src/github.com/openshift/cluster-samples-operator
COPY . .

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Avoid copying entire build context.

Line 3 copies the entire repository context (.) into the builder stage. As per coding guidelines, COPY should target specific files rather than the entire context to minimize the attack surface and prevent unintended file inclusion during build.

🔒 Proposed fix to copy specific files
-COPY . .
+COPY go.mod go.sum ./
+COPY cmd/ cmd/
+COPY pkg/ pkg/
+COPY vendor/ vendor/
+COPY Makefile ./

Note: Adjust the paths based on what make build actually requires.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
COPY . .
COPY go.mod go.sum ./
COPY cmd/ cmd/
COPY pkg/ pkg/
COPY vendor/ vendor/
COPY Makefile ./
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 3, The Dockerfile currently uses a broad COPY . . which
pulls the entire build context into the image; replace that with explicit COPY
lines that only bring in the files needed to build (for example COPY
package.json yarn.lock ./, COPY go.mod go.sum ./, COPY cmd/ ./cmd/, COPY pkg/
./pkg/, COPY Makefile ./) or the exact source directories your build requires
for make build, and remove the COPY . . line so only those targeted files are
included in the builder stage.

Source: Coding guidelines
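A small linter for the guideline points raised in the two review comments above (whole-context COPY, base images referenced by mutable tag, the user the image runs as), as an added example that is not code from the cluster-samples-operator project or from the reviewer. The two Dockerfiles it checks are constructed here: the first is modelled on the Dockerfile in this diff (the USER line is taken from the findings above), the second is a hardened variant with explicit COPY lines and digest-pinned FROM references. The @sha256 digests in the hardened variant are placeholders, not real image digests, and the paths it copies (go.mod, go.sum, Makefile, cmd/, pkg/, vendor/) are assumptions about what make build needs.

```shell
#!/usr/bin/env bash
# Added example (not cluster-samples-operator code): lint a Dockerfile for the
# supply-chain points raised in review: whole-context COPY, FROM lines without a
# digest, and the user the image runs as. Both sample Dockerfiles are constructed.

# Constructed sample modelled on the Dockerfile in this diff.
DOCKERFILE_BEFORE='FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
WORKDIR /go/src/github.com/openshift/cluster-samples-operator
COPY . .
RUN make build

FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
COPY --from=builder /go/src/github.com/openshift/cluster-samples-operator/cluster-samples-operator /usr/bin/
RUN ln -f /usr/bin/cluster-samples-operator /usr/bin/cluster-samples-operator-watch
COPY manifests/image-references manifests/0* /manifests/
USER cluster-samples-operator'

# Hardened variant: only the inputs make build needs are copied (cmd/, pkg/, vendor/
# are assumptions) and each FROM carries a digest. The digest is a hypothetical
# placeholder, not a real image digest.
PLACEHOLDER_DIGEST='sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
DOCKERFILE_AFTER="FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0@${PLACEHOLDER_DIGEST} AS builder
WORKDIR /go/src/github.com/openshift/cluster-samples-operator
COPY go.mod go.sum Makefile ./
COPY cmd/ cmd/
COPY pkg/ pkg/
COPY vendor/ vendor/
RUN make build

FROM registry.ci.openshift.org/ocp/5.0:base-rhel9@${PLACEHOLDER_DIGEST}
COPY --from=builder /go/src/github.com/openshift/cluster-samples-operator/cluster-samples-operator /usr/bin/
RUN ln -f /usr/bin/cluster-samples-operator /usr/bin/cluster-samples-operator-watch
COPY manifests/image-references manifests/0* /manifests/
USER cluster-samples-operator"

# lint_dockerfile FILE: print one finding per line; always exits 0 so callers
# count findings rather than reacting to an exit status.
lint_dockerfile() {
  local file=$1 last

  # 1. COPY/ADD with "." as source drags the whole build context into the image
  #    (everything .dockerignore does not exclude: CI credentials, scratch files).
  grep -En '^(COPY|ADD)[[:space:]]+\.[[:space:]]' "$file" |
    sed 's/^\([0-9]*\):.*/line \1: broad-copy: whole build context copied, COPY specific paths instead/'

  # 2. A FROM without @sha256:... resolves to whatever the tag points at on build
  #    day, so a re-pushed tag changes the shipped image with no diff in the repo.
  #    Stage aliases (FROM builder) and scratch are exempt.
  awk '
    /^FROM[[:space:]]/ {
      for (i = 3; i <= NF; i++) if (toupper($(i - 1)) == "AS") stages[$i] = 1
      img = $2
      if (img == "scratch" || (img in stages)) next
      if (img !~ /@sha256:[0-9a-f]+/)
        printf "line %d: unpinned-from: %s has no digest\n", NR, img
    }' "$file"

  # 3. No USER, or a final USER of root, means the process runs as uid 0 unless
  #    the pod securityContext overrides it.
  last=$(grep -E '^USER[[:space:]]' "$file" | tail -n 1 | awk '{ print $2 }')
  if [ -z "$last" ]; then
    echo "no-user: no USER instruction, image runs as root by default"
  elif [ "$last" = root ] || [ "$last" = 0 ]; then
    echo "root-user: final USER is root"
  fi
  return 0
}

# count_findings FILE: echo the number of findings (0 when clean).
count_findings() {
  lint_dockerfile "$1" | awk 'END { print NR }'
}

# sample_dockerfile before|after: write the constructed sample to a temp file, echo its path.
sample_dockerfile() {
  local path
  path=$(mktemp)
  case $1 in
    before) printf '%s\n' "$DOCKERFILE_BEFORE" > "$path" ;;
    after)  printf '%s\n' "$DOCKERFILE_AFTER" > "$path" ;;
    *) echo "unknown sample: $1" >&2; rm -f "$path"; return 1 ;;
  esac
  echo "$path"
}

for which in before after; do
  f=$(sample_dockerfile "$which")
  echo "== $which: $(count_findings "$f") finding(s)"
  lint_dockerfile "$f"
  rm -f "$f"
done
```

Two caveats worth keeping in mind against the findings above: a Dockerfile HEALTHCHECK is not executed under Kubernetes, where liveness and readiness come from pod probes, and readOnlyRootFilesystem is a pod securityContext field rather than anything a Dockerfile can express, so both belong in the operator's Deployment manifest and the linter does not look for them. Digest pinning of registry.ci.openshift.org images also needs checking against how the CI build substitutes FROM references before it is adopted in this repository.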

RUN make build

FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
COPY --from=builder /go/src/github.com/openshift/cluster-samples-operator/cluster-samples-operator /usr/bin/
RUN ln -f /usr/bin/cluster-samples-operator /usr/bin/cluster-samples-operator-watch
COPY manifests/image-references manifests/0* /manifests/
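Review bot: both FROM lines are moved to the 5.0 tags in lockstep, which is correct, but both remain mutable tag references with no @sha256 digest, so the image contents at build time are whatever the tag points at that day and a re-pushed tag changes the shipped operator with no diff in this repository; if the CI image promotion tolerates it, pin the digest alongside the tag (FROM registry.ci.openshift.org/ocp/5.0:base-rhel9@sha256:... with the digest filled in) and have the bump PR update it. The hard link created with ln -f for cluster-samples-operator-watch is fine, and the COPY . . point is already covered in the comment above.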