Chapter 2. Requirements for container images

Container images must declare a non-root user unless their functionality requires privileged access.

To certify container images requiring root access, you must:

Test name: RunAsNonRoot

Ensures that containers do not run as the root user unless required. Images running as the root user can pose a security risk.

Container images must use a Universal Base Image (UBI) provided by Red Hat.

You can add additional RHEL packages to the UBI images, except for kernel packages.

Test name: BasedOnUbi

Ensures that application runtime dependencies, such as operating system components and libraries, are covered under the customer’s subscription.

Container images must not change content provided by Red Hat packages or layers except for files that both you or the customers can change, such as configuration files.

Test name: HasModifiedFiles

Ensures that Red Hat does not deny support on the basis of unauthorized changes to Red Hat components.

Container images must have a /licenses directory. Use this directory to add one or more files containing software terms and conditions for your product and any open source software included in the image. If you already have license files elsewhere in your image to meet other product requirements, you can either have symbolic links to those files or their direct copies in the /licenses directory.

Test name: HasLicense

Ensures that customers are aware of the terms and conditions applicable to the software included in the image.

Uncompressed container images must have less than 40 layers.

Test name: LayerCountAcceptable

Ensures that images run appropriately on containers. Too many layers could degrade the performance.

Container images must not include RHEL kernel packages.

Test name: HasNoProhibitedPackages

Ensures compliance with RHEL redistribution rules for partners.

Container images must not contain Red hat components with identified important or critical vulnerabilities.

Test name: N/A. The Red Hat Certification Service conducts this scan.

Ensures that customers are not exposed to known vulnerabilities.

Container image names must not begin with any Red Hat Marks.

Test name: HasProhibitedContainerName

Ensures compliance with Red Hat trademark guidelines.

Container images must include the following labels:

Test name: HasRequiredLabel

Ensures that customers can obtain information about the image provider and the content of the images in a consistent way.

Container image label content must not begin with any Red Hat Marks:

Test name: HasNoProhibitedLabels

The image name must follow the Red Hat trademark guidelines.

Container images must include a unique tag that is descriptive of the certified image.

Red Hat recommends appending the image version and its build date or released date to the unique tag.

Floating tags, such as latest although not adequate for certification, can be added to the image in addition to the descriptive tag.

Test name: HasUniqueTag

Ensures that images can be uniquely identified.