Chapter 2. Requirements for container images
Certified container images must comply with the following requirements to ensure that:
- The operating system libraries are covered as part of the end-user Red Hat OpenShift support subscription.
- The image is scanned to avoid introducing known security vulnerabilities in customer environments.
2.1. Image content requirements
| Requirement | Justification |
|---|---|
| Container images must declare a non-root user unless their functionality requires privileged access. To certify container images requiring root access, you must:
Test name: RunAsNonRoot | Ensures that containers do not run as the root user unless required. Images running as the root user can pose a security risk. |
| Container images must use a Universal Base Image (UBI) provided by Red Hat. You can add additional RHEL packages to the UBI images, except for kernel packages. Test name: BasedOnUbi | Ensures that application runtime dependencies, such as operating system components and libraries, are covered under the customer’s subscription. |
| Container images must not change content provided by Red Hat packages or layers except for files that both you or the customers can change, such as configuration files. Test name: HasModifiedFiles | Ensures that Red Hat does not deny support on the basis of unauthorized changes to Red Hat components. |
| Container images must contain a “licenses” directory. Use this directory to add files containing software terms and conditions for your product and any open source software included in the image. Test name: HasLicense | Ensures that customers are aware of the terms and conditions applicable to the software included in the image. |
| Uncompressed container images must have less than 40 layers. Test name: LayerCountAcceptable | Ensures that images run appropriately on containers. Too many layers could degrade the performance. |
| Container images must not include RHEL kernel packages. Test name: HasNoProhibitedPackages | Ensures compliance with RHEL redistribution rules for partners. |
| Container images must not contain Red hat components with identified important or critical vulnerabilities. Test name: N/A. The Red Hat Certification Service conducts this scan. | Ensures that customers are not exposed to known vulnerabilities. |
2.2. Image metadata requirements
| Requirement | Justification |
|---|---|
| Container images must include the following labels:
Test name: HasRequiredLabel | Ensures that customers can obtain information about the image provider and the content of the images in a consistent way. |
| Container images must include a unique tag that is descriptive of the certified image. Red Hat recommends appending the image version and its build date or released date to the unique tag. Floating tags, such as latest although not adequate for certification, can be added to the image in addition to the descriptive tag. Test name: HasUniqueTag | Ensures that images can be uniquely identified. |
Additional resources
- For more information about container images and Red Hat support, see Red Hat Container Support Policy.
- For more information about Red Hat base images, see Red Hat Enterprise Linux documentation.
2.3. Image maintenance requirements
Partners are responsible for monitoring the health status of their certified containers. When an image rebuild is required because of new functionality or a security update, submit the updated container image for recertification and publication.
Partners must keep the application components up-to-date and rebuild their container images periodically.
