Chapter 2. Requirements for container images


Certified container images must comply with the following requirements to ensure that:

  • The operating system libraries are covered as part of the end-user Red Hat OpenShift support subscription.
  • The image is scanned to avoid introducing known security vulnerabilities in customer environments.

2.1. Image content requirements

Requirement | Justification

Container images must declare a non-root user unless their functionality requires privileged access.

To certify container images requiring root access, you must:

  • Include the requirement in the product documentation.
  • Indicate that the container requires privileged host-level access in the certification project settings. This setting is subject to Red Hat review.

Test name: RunAsNonRoot

Ensures that containers do not run as the root user unless required. Images running as the root user can pose a security risk.

Container images must use a Universal Base Image (UBI) provided by Red Hat.

You can add additional RHEL packages to the UBI images, except for kernel packages.

Test name: BasedOnUbi

Ensures that application runtime dependencies, such as operating system components and libraries, are covered under the customer’s subscription.

Container images must not change content provided by Red Hat packages or layers, except for files that either you or the customers can change, such as configuration files.

Test name: HasModifiedFiles

Ensures that Red Hat does not deny support on the basis of unauthorized changes to Red Hat components.

Container images must have a /licenses directory. Use this directory to add one or more files containing software terms and conditions for your product and any open source software included in the image. If you already have license files elsewhere in your image to meet other product requirements, you can either have symbolic links to those files or their direct copies in the /licenses directory.

Test name: HasLicense

Ensures that customers are aware of the terms and conditions applicable to the software included in the image.

Uncompressed container images must have fewer than 40 layers.

Test name: LayerCountAcceptable

Ensures that images run appropriately on containers. Too many layers could degrade the performance.

Container images must not include RHEL kernel packages.

Test name: HasNoProhibitedPackages

Ensures compliance with RHEL redistribution rules for partners.

Container images must not contain Red Hat components with identified important or critical vulnerabilities.

Test name: N/A. The Red Hat Certification Service conducts this scan.

Ensures that customers are not exposed to known vulnerabilities.

Container image names must not begin with any Red Hat Marks.

Test name: HasProhibitedContainerName

Ensures compliance with Red Hat trademark guidelines.

2.2. Image metadata requirements

Requirement | Justification

Container images must include the following labels:

  • name: Image name
  • maintainer: Maintainer name
  • vendor: Company name
  • version: Version of the image
  • release: A number used to identify the specific build for this image
  • summary: A short overview of the application or component in this image
  • description: A long description of the application or component in this image

Test name: HasRequiredLabel

Ensures that customers can obtain information about the image provider and the content of the images in a consistent way.

Container image label content must not begin with any Red Hat Marks:

  • name: Image Name
  • maintainer: Maintainer name
  • vendor: Company name

Test name: HasNoProhibitedLabels

The image name must follow the Red Hat trademark guidelines.

Container images must include a unique tag that is descriptive of the certified image.

Red Hat recommends appending the image version and its build date or release date to the unique tag.

Floating tags, such as latest, although not adequate for certification, can be added to the image in addition to the descriptive tag.

Test name: HasUniqueTag

Ensures that images can be uniquely identified.
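
The following added example, which is not part of the Red Hat documentation or its certification tooling, checks four of the requirements above (RunAsNonRoot, HasRequiredLabel, LayerCountAcceptable, HasUniqueTag) against an image configuration in the OCI layout (`config.User`, `config.Labels`, `rootfs.diff_ids`) before submission. The function names, the constructed sample images, and the rules that an empty `USER` means root and that only `latest` counts as a floating tag are assumptions.

```python
# Added example: local pre-submission check, not Red Hat's certification tooling.
REQUIRED_LABELS = ("name", "maintainer", "vendor", "version",
                   "release", "summary", "description")
MAX_LAYERS = 40  # page: uncompressed images must have fewer than 40 layers


def runs_as_root(user):
    """Assumption: an empty USER, or a UID/name of 0/root, means root."""
    uid = (user or "").split(":", 1)[0].strip()
    return uid in ("", "0", "root")


def check_image(image_config, tags):
    """Return {test name: [problems]} for an OCI image config dict and its tags."""
    cfg = image_config.get("config") or {}
    labels = cfg.get("Labels") or {}
    layers = (image_config.get("rootfs") or {}).get("diff_ids") or []
    results = {}
    results["RunAsNonRoot"] = (
        ["USER is %r (root)" % cfg.get("User", "")]
        if runs_as_root(cfg.get("User")) else [])
    results["HasRequiredLabel"] = [
        "missing or empty label: " + key for key in REQUIRED_LABELS
        if not str(labels.get(key, "")).strip()]
    results["LayerCountAcceptable"] = (
        ["%d layers, must be fewer than %d" % (len(layers), MAX_LAYERS)]
        if len(layers) >= MAX_LAYERS else [])
    # A floating tag is acceptable only alongside a descriptive tag.
    # Assumption: 'latest' is the only floating tag recognised here.
    results["HasUniqueTag"] = (
        [] if any(t and t != "latest" for t in tags)
        else ["no tag other than 'latest'"])
    return results


# Constructed sample: no USER, two labels missing, 41 layers.
BAD = {"config": {"User": "", "Labels": {
           "name": "demo", "maintainer": "ops@example.com",
           "vendor": "Example Corp", "version": "1.2.0", "release": "7"}},
       "rootfs": {"diff_ids": ["sha256:%064x" % i for i in range(41)]}}
# Constructed sample that satisfies all four checks.
GOOD = {"config": {"User": "1001", "Labels": dict(
            BAD["config"]["Labels"], summary="Demo service",
            description="Demo service used for this example")},
        "rootfs": {"diff_ids": ["sha256:%064x" % i for i in range(5)]}}

if __name__ == "__main__":
    for name, img, tags in (("bad", BAD, ["latest"]),
                            ("good", GOOD, ["1.2.0-7", "latest"])):
        for test, problems in check_image(img, tags).items():
            print(name, test, "; ".join(problems) or "PASS")
```
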

2.3. Image maintenance requirements

Partners are responsible for monitoring the health status of their certified containers. When an image rebuild is required because of new functionality or a security update, submit the updated container image for recertification and publication.

Partners must keep the application components up-to-date and rebuild their container images periodically.

© 2025 Red Hat