NO-JIRA: [RHCOS10] Migrate base images from UBI9 to UBI10 #453

PillaiManish wants to merge 3 commits into openshift:main from
@PillaiManish: This pull request explicitly references no jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the

Walkthrough: Update RHCOS10 UBI base images and registry references: add a migration doc and replace UBI9-based images with UBI10 across CI Dockerfiles, image Dockerfiles, the release/helm Dockerfile (builder and runtime), and an e2e test script pod image.

Estimated code review effort: 3 (Moderate), ~20 minutes. Pre-merge checks: 10 passed.
/test e2e-helm-fips e2e-helm-rhcos10-fips e2e-helm-rhcos10
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: PillaiManish. The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:

In @.work/compliance/rhcos10/PR2-ubi10-migration.md:
- Around line 15-17: The fenced code block containing "registry.access.redhat.com → registry.redhat.io" is missing a language hint (MD040); add a language specifier (e.g., "text") to the opening ``` fence so the block becomes ```text and resolves the lint error while preserving the arrow line content.
| ``` | ||
| registry.access.redhat.com → registry.redhat.io | ||
| ``` |
Add a language hint to the fenced code block

The fenced block at Line 15 has no language specifier (MD040). Add one (for example, text) to clear lint.

Suggested patch:
-```
+```text
registry.access.redhat.com → registry.redhat.io</details>
🧰 Tools: markdownlint-cli2 (0.22.0)
[warning] 15-15: Fenced code blocks should have a language specified (MD040, fenced-code-language)
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:

In `@ci/tests/e2e-helm.sh`:
- Line 74: The pod override in the kubectl run command places container-only fields inside spec.securityContext and misspells allowPrivilegeEscalation; update the JSON passed to --overrides in the test-metrics invocation so that spec.securityContext only contains pod-level settings (e.g., runAsNonRoot), and move capabilities and allowPrivilegeEscalation (spelled exactly as "allowPrivilegeEscalation") into spec.containers[0].securityContext for the test-metrics pod started by kubectl run --attach --rm --restart=Never test-metrics --image=... so the temporary metrics pod receives the intended container-level hardening and does not get rejected by admission controllers.
| # verify that the metrics endpoint exists | ||
| if ! timeout 1m bash -c -- "until kubectl run --attach --rm --restart=Never test-metrics --image=registry.access.redhat.com/ubi9/ubi-minimal:latest -n memcached-operator-system --overrides='{\"spec\":{\"securityContext\":{\"runAsNonRoot\": true, \"capabilities\": {\"drop\": [\"ALL\"]}, \"allowPrivelegeEscalation\": false, \"seccompProfile\": {\"type\": \"RuntimeDefault\"}}}}' -- curl -sfkH \"Authorization: Bearer ${token}\" https://memcached-operator-controller-manager-metrics-service:8443/metrics; do sleep 1; done"; | ||
| if ! timeout 1m bash -c -- "until kubectl run --attach --rm --restart=Never test-metrics --image=registry.redhat.io/ubi10/ubi-minimal:latest -n memcached-operator-system --overrides='{\"spec\":{\"securityContext\":{\"runAsNonRoot\": true, \"capabilities\": {\"drop\": [\"ALL\"]}, \"allowPrivelegeEscalation\": false, \"seccompProfile\": {\"type\": \"RuntimeDefault\"}}}}' -- curl -sfkH \"Authorization: Bearer ${token}\" https://memcached-operator-controller-manager-metrics-service:8443/metrics; do sleep 1; done"; |
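Review bot: the image swap on line 74 carries the existing override defect forward unchanged: `capabilities` and `allowPrivelegeEscalation` are nested under pod-level `spec.securityContext` (where neither field exists) and the latter is misspelled, so the temporary metrics pod gets no capability drop and no no_new_privs. Since this line is already being edited, move both keys into `spec.containers[0].securityContext` with the spelling `allowPrivilegeEscalation`, leaving `runAsNonRoot` and `seccompProfile` at pod level. Separately, the new image is `ubi10/ubi-minimal:latest` while the commit message pins the primary images to `10.1`; a pinned tag here would keep the CI pod reproducible as well.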
🧩 Analysis chain

🌐 Web query:
Kubernetes PodSecurityContext vs Container securityContext fields capabilities allowPrivilegeEscalation

💡 Result:
PodSecurityContext (at spec.securityContext) and Container securityContext (at spec.containers[].securityContext) serve different purposes in Kubernetes, with distinct fields for capabilities and allowPrivilegeEscalation.

PodSecurityContext applies pod-wide settings like runAsUser, runAsGroup, fsGroup, supplementalGroups, seLinuxOptions, seccompProfile, appArmorProfile, sysctls, but does NOT include capabilities or allowPrivilegeEscalation fields. These are pod-level defaults for user/group IDs, volume ownership, and shared security profiles, but capabilities and privilege escalation are handled per-container.

Container securityContext applies to individual containers (and initContainers/ephemeralContainers) and includes capabilities (add/drop lists for Linux capabilities) and allowPrivilegeEscalation (boolean controlling the no_new_privs flag to prevent privilege escalation via setuid etc.). Container settings override pod-level where applicable (e.g., runAsUser).

allowPrivilegeEscalation defaults to true if unset. It is forced true if privileged: true or capabilities add CAP_SYS_ADMIN, and cannot be set false when privileged: true (pod rejected). Set to false for security to block escalation. Capabilities allow fine-grained privileges: drop: ["ALL"] then add: ["NET_BIND_SERVICE"] for least privilege. Pod Security Standards (Restricted) require no added capabilities except a limited list, and allowPrivilegeEscalation: false.

Examples. Pod-level (no capabilities/allowPrivilegeEscalation):

```yaml
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
```

Container-level:

```yaml
spec:
  containers:
    - securityContext:
        capabilities:
          drop: ["ALL"]
          add: ["NET_BIND_SERVICE"]
        allowPrivilegeEscalation: false
        runAsNonRoot: true
```

Citations:
- 1: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- 2: https://kubernetes.io/docs/tasks/configure-pod-container/security-context
- 3: https://www.manifests.io/kubernetes/1.31/io.k8s.api.core.v1.PodSecurityContext?linked=Pod.spec.securityContext
- 4: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1
- 5: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/?wtime=4s
- 6: https://kubernetes.io/docs/concepts/security/pod-security-standards/
- 7: https://medium.com/pareture/how-allowprivilegeescalation-works-in-kubernetes-ce696494f87b
- 8: https://oneuptime.com/blog/post/2026-02-09-prevent-privilege-escalation-kubernetes/view

Move the container-only security fields out of spec.securityContext.

capabilities and allowPrivilegeEscalation belong on spec.containers[0].securityContext, not the pod-level spec.securityContext. Additionally, allowPrivelegeEscalation is misspelled (should be allowPrivilegeEscalation). As written, the temp metrics pod does not receive the intended hardening, and stricter admission controllers will cause this loop to time out.
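The pod-level versus container-level split discussed in the review can be checked mechanically before an override ever reaches a cluster. The Python below is an added illustration, not code from the PR or the operator-sdk repository: it lints a `kubectl run --overrides` payload for container-only keys and near-miss spellings under pod-level `spec.securityContext`, relocates them to `spec.containers[0].securityContext`, and re-renders the payload with the `\"` escaping the e2e script uses inside its `bash -c` string. The field sets are a subset of the Kubernetes API types and the `test-metrics` container name mirrors the pod name in the script; both are assumptions of this example.

```python
import copy
import difflib
import json

# Subset of the Kubernetes PodSecurityContext / SecurityContext fields (assumption: not exhaustive).
POD_LEVEL_FIELDS = {"runAsUser", "runAsGroup", "runAsNonRoot", "fsGroup",
                    "fsGroupChangePolicy", "supplementalGroups", "seLinuxOptions",
                    "seccompProfile", "appArmorProfile", "sysctls", "windowsOptions"}
CONTAINER_ONLY_FIELDS = {"capabilities", "allowPrivilegeEscalation", "privileged",
                         "readOnlyRootFilesystem", "procMount"}
KNOWN_FIELDS = POD_LEVEL_FIELDS | CONTAINER_ONLY_FIELDS

# Override payload as ci/tests/e2e-helm.sh line 74 passes it to kubectl run (typo included).
CURRENT_OVERRIDES = {
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "capabilities": {"drop": ["ALL"]},
            "allowPrivelegeEscalation": False,  # misspelled in the script
            "seccompProfile": {"type": "RuntimeDefault"},
        }
    }
}

def canonical_name(key):
    """Map a key to a known field name, tolerating near-miss spellings; None if unknown."""
    if key in KNOWN_FIELDS:
        return key
    match = difflib.get_close_matches(key, sorted(KNOWN_FIELDS), n=1, cutoff=0.8)
    return match[0] if match else None

def lint_overrides(overrides):
    """Report misspelled, unknown or container-only keys under pod-level spec.securityContext."""
    findings = []
    pod_sc = overrides.get("spec", {}).get("securityContext", {})
    for key in pod_sc:
        name = canonical_name(key)
        if name is None:
            findings.append(f"unknown pod securityContext key {key!r}")
        elif name != key:
            findings.append(f"misspelled key {key!r}: did you mean {name!r}?")
        elif name in CONTAINER_ONLY_FIELDS:
            findings.append(f"{key!r} is container-level; move it to spec.containers[0].securityContext")
    return findings

def harden_overrides(overrides, container_name="test-metrics"):
    """Return a corrected copy: container-only keys (spelling fixed) moved into containers[0]."""
    fixed = copy.deepcopy(overrides)
    spec = fixed.setdefault("spec", {})
    pod_sc = spec.setdefault("securityContext", {})
    # kubectl run names the container after the pod; carrying that name lets the override
    # merge onto the generated container instead of describing a second one.
    containers = spec.setdefault("containers", [{"name": container_name}])
    ctr_sc = containers[0].setdefault("securityContext", {})
    for key in list(pod_sc):
        name = canonical_name(key)
        if name in CONTAINER_ONLY_FIELDS:
            ctr_sc[name] = pod_sc.pop(key)
    return fixed

def as_overrides_arg(overrides):
    """Render the payload as e2e-helm.sh embeds it: inside a double-quoted bash -c string."""
    compact = json.dumps(overrides, separators=(",", ":"))
    return "--overrides='" + compact.replace('"', '\\"') + "'"
```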
/test e2e-helm-fips e2e-helm-rhcos10-fips e2e-helm-rhcos10
Update all container base images from UBI9 to UBI10 to align with the RHCOS10 host OS. Moves registry from registry.access.redhat.com to registry.redhat.io.

Changes:
- ubi9/ubi-minimal:9.6 -> ubi10/ubi-minimal:10.1 (4 primary images)
- ubi9/ubi:9.5 -> ubi10/ubi:10.1 (scorecard-untar)
- ubi9/ubi-minimal:latest -> ubi10/ubi-minimal:latest (2 CI dockerfiles)
- release/helm/Dockerfile: replace OCP CI RHEL9 builder and base-rhel9 runtime with ubi10/go-toolset:10.1 (builder, USER root) and ubi10:10.1
- ci/tests/e2e-helm.sh: update metrics curl pod from ubi9 to ubi10

Made-with: Cursor

0c25ebd to 2752c18
/test e2e-helm-fips e2e-helm-rhcos10-fips e2e-helm-rhcos10
Actionable comments posted: 1

♻️ Duplicate comments (2)

.work/compliance/rhcos10/PR2-ubi10-migration.md (1)

15-17: ⚠️ Potential issue | 🟡 Minor
Add a language hint to this fenced block (MD040). Line 15 should use a typed fence (for example, text) to satisfy markdownlint.

Suggested patch:

-```
+```text
registry.access.redhat.com → registry.redhat.io

ci/tests/e2e-helm.sh (1)

74-74: ⚠️ Potential issue | 🟠 Major
Fix invalid securityContext fields in `--overrides` JSON. Line 74 places `capabilities` and misspelled `allowPrivelegeEscalation` under `spec.securityContext` (pod-level). Those must be container-level (`spec.containers[0].securityContext`) and `allowPrivilegeEscalation` must be spelled exactly. Current hardening is not applied reliably.

Suggested patch:

```diff
- if ! timeout 1m bash -c -- "until kubectl run --attach --rm --restart=Never test-metrics --image=registry.redhat.io/ubi10/ubi-minimal:latest -n memcached-operator-system --overrides='{\"spec\":{\"securityContext\":{\"runAsNonRoot\": true, \"capabilities\": {\"drop\": [\"ALL\"]}, \"allowPrivelegeEscalation\": false, \"seccompProfile\": {\"type\": \"RuntimeDefault\"}}}}' -- curl -sfkH \"Authorization: Bearer ${token}\" https://memcached-operator-controller-manager-metrics-service:8443/metrics; do sleep 1; done";
+ if ! timeout 1m bash -c -- "until kubectl run --attach --rm --restart=Never test-metrics --image=registry.redhat.io/ubi10/ubi-minimal:latest -n memcached-operator-system --overrides='{\"spec\":{\"securityContext\":{\"runAsNonRoot\": true, \"seccompProfile\": {\"type\": \"RuntimeDefault\"}},\"containers\":[{\"name\":\"test-metrics\",\"securityContext\":{\"allowPrivilegeEscalation\": false, \"capabilities\": {\"drop\": [\"ALL\"]}}}]}}' -- curl -sfkH \"Authorization: Bearer ${token}\" https://memcached-operator-controller-manager-metrics-service:8443/metrics; do sleep 1; done";
```

Verification script:

```shell
#!/bin/bash
set -euo pipefail
# Verify the current overrides payload still has the typo and misplaced keys.
rg -n 'allowPrivelegeEscalation|allowPrivilegeEscalation|"capabilities"|"securityContext"' ci/tests/e2e-helm.sh -C2
python - <<'PY'
import json, re, pathlib
text = pathlib.Path("ci/tests/e2e-helm.sh").read_text()
# The payload sits between --overrides='...' and the "-- curl" that follows it.
m = re.search(r"--overrides='(\{.*?\})'\s+--\s+curl", text)
if not m:
    print("overrides payload not found")
    raise SystemExit(1)
# The script escapes quotes for its bash -c string; undo that before parsing.
payload = m.group(1).replace('\\"', '"')
obj = json.loads(payload)
pod_sc = obj.get("spec", {}).get("securityContext", {})
print("pod securityContext keys:", sorted(pod_sc.keys()))
print("contains typo allowPrivelegeEscalation:", "allowPrivelegeEscalation" in pod_sc)
print("container securityContext exists:", bool(obj.get("spec", {}).get("containers")))
PY
```
| ``` | ||
| registry.access.redhat.com/ubi9/ubi-minimal:latest | ||
| → | ||
| registry.redhat.io/ubi10/ubi-minimal:latest | ||
| ``` |
Add a language hint to this fenced block (MD040).

Line 60 has the same lint issue; add text to the opening fence.

Suggested patch:
-```
+```text
registry.access.redhat.com/ubi9/ubi-minimal:latest
→
registry.redhat.io/ubi10/ubi-minimal:latest</details>
🧰 Tools: markdownlint-cli2 (0.22.0)
[warning] 60-60: Fenced code blocks should have a language specified (MD040, fenced-code-language)
/test e2e-helm-fips e2e-helm-rhcos10-fips e2e-helm-rhcos10

/test e2e-helm-fips e2e-helm-rhcos10-fips e2e-helm-rhcos10

/test e2e-helm-fips e2e-helm-rhcos10-fips e2e-helm-rhcos10

/test e2e-helm-fips e2e-helm-rhcos10-fips e2e-helm-rhcos10

/retest

/test e2e-helm-fips e2e-helm-rhcos10-fips e2e-helm-rhcos10
@PillaiManish: The following tests failed, say

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Summary

Migrate all container base images from UBI9 to UBI10 for native RHCOS10 compatibility. Also moves the registry from registry.access.redhat.com to registry.redhat.io.

| From | To |
| --- | --- |
| ubi9/ubi-minimal:9.6 | ubi10/ubi-minimal:10.1 |
| ubi9/ubi:9.5 | ubi10/ubi:10.1 |
| ubi9/ubi-minimal:latest | ubi10/ubi-minimal:latest |

Prerequisite

PR1 (rhcos10-ubi9-compat-test) should pass CI on RHCOS10 nodes before merging this.