
Provide Option to Not Pull CLI and openshift/release images during cluster provisioning


    • Hive Should not Download images with CVEs

      Description
      In ARO, Microsoft performs container scanning against all production assets, including running and cached container images. This matters because, during cluster provisioning, Hive pulls down the openshift-release image and the associated CLI image.

      The CLI image is used to perform a must-gather on installation failure, which ARO does not have configured. The openshift-release image, in turn, is only used to find the CLI image that would run that must-gather.

      Because these release images are not updated after a Z stream is cut, vulnerabilities will, over time, be found within them.

      The high-level ask is to not pull down the ocp-release and CLI images when Hive is not configured to perform a must-gather on cluster failure. There appears to be no way to patch existing release images, since the ART team relies on new Z streams to ship updated packages or patched base images.

      Acceptance Criteria

      1. One can toggle a flag, environment variable, or HiveConfig property to disable pulling down the ocp-release and CLI images on cluster installs.

      Slack thread: https://redhat-internal.slack.com/archives/CE3ETN3J8/p1682524817374499

            efried.openshift Eric Fried
            bvesel@redhat.com Benjamin Vesel
            Jianping Shu Jianping Shu
            Votes: 0
            Watchers: 15
