For your application to run well in Kubernetes and Red Hat OpenShift, you need to build an image with qualities that will make its containers run well. Getting your container certified through Red Hat Container Certification signals to users of your container that it is secure, supported, and trustworthy, and that your applications will run properly and consistently across any of OpenShift’s supported platforms, including bare metal and cloud.
This guide walks you through getting a container image certified by Red Hat. Because Red Hat documentation is the best source of information, this guide points you to the right documentation and also highlights some steps to watch out for that could hinder you from getting your container certified.
A note about operators: If you plan to produce an operator and this image is the operand, it will get certified as part of operator certification. You aren’t required to certify the container separately unless you want to in order to make sure your image is good while you work on building your operator.
Configure your Red Hat Technology Partner account
The first step in applying for container certification from Red Hat is to create and configure a Red Hat Technology Partner account. To do so, log in via the Certified Technology portal and create an account.
- Read the Program Requirements to set up an account.
Accept all licenses
During your account creation process, you will be prompted to accept three licenses. You need to accept one additional license for the Container Program Appendix.
To do so, in your Technology Portal navigate to “My Company > View user agreements > View and accept” where you can select to accept the “Container Program Appendix”.
Create a project
To certify your container, you need to create a project where you will push your container image.
A few things to note:
- The first time you create a project, from the Certified Technology Portal navigate to “Zones & Resources > Red Hat OpenShift and Containers” and select Join to join the zone. From there you can either click Certify or go to “Product & Certification > Manage Projects”.
- For container certification you will choose “container image”. You will be prompted to choose a project name, publishing registry, and base operating system. In the example below, I use a Red Hat Universal Base Image.
Follow these instructions to create your project: Creating a container application project.
Requirements for certification
The Design, build, and deploy universal application image learning path details key elements you need to include in your image in order for it to pass Red Hat certification. These include:
- Choose a certified image, preferably a UBI, to ensure your image is from a secure registry and certified on its own.
- Embed identifying information into your image so that your users can know exactly what’s included in the image.
- Add appropriate license information that clearly defines the licenses that govern the use of the software it contains. This information should be an immutable part of the image that cannot be separated.
- Design the image to run as a non-root user ID so that if the process breaks out of the container, its access on the host machine is much more limited.
- Build your image with the latest security updates to ensure your image includes the additional dependencies or packages that the image requires.
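A pre-submission check for the two requirements above that are visible in image metadata (non-root user and identifying labels), run over `docker inspect` output. This is an added example, not Red Hat's scanner or code from this guide; the label names are an assumption drawn from Red Hat's published certification requirements, and the sample inspect documents are constructed.

```python
import json

# Assumption: label names come from Red Hat's published certification
# requirements, not from this guide; adjust to the current policy.
REQUIRED_LABELS = ("name", "vendor", "version", "release", "summary", "description")


def runs_as_root(user_field):
    """Interpret Config.User as the runtime does: an empty value means root."""
    user = (user_field or "").split(":", 1)[0].strip()  # drop the ":group" part
    if user.isdigit():
        return int(user) == 0
    # A named user other than "root" could still map to UID 0 in /etc/passwd;
    # metadata alone cannot show that, so prefer a numeric USER in the image.
    return user in ("", "root")


def check_image(inspect_json):
    """Return a list of findings for one `docker inspect <image>` document."""
    config = json.loads(inspect_json)[0].get("Config") or {}
    labels = config.get("Labels") or {}
    findings = []
    if runs_as_root(config.get("User")):
        findings.append("image runs as root: set a non-root USER")
    for key in REQUIRED_LABELS:
        if not (labels.get(key) or "").strip():
            findings.append(f"missing or empty label: {key}")
    return findings


# Constructed samples: trimmed `docker inspect` output for a hypothetical image.
SAMPLE_BAD = json.dumps([{"Config": {"User": "", "Labels": {
    "name": "demo", "vendor": "Example Corp"}}}])
SAMPLE_GOOD = json.dumps([{"Config": {"User": "1001:0", "Labels": {
    "name": "demo", "vendor": "Example Corp", "version": "1.0", "release": "1",
    "summary": "Demo service", "description": "Demo service built on UBI"}}}])

if __name__ == "__main__":
    for title, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(title, check_image(sample) or "no findings")
```

License files and package patch level live in the image filesystem rather than its metadata, so they need a separate check.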
Refer to Red Hat’s documentation for information on how to choose packages and dependencies that are safe:
Configure the project with your image
Once you’ve included all the required information in your image, you need to push your tested image to a project. You can either push an image that you’ve built or configure a build service that will find your Dockerfile in your repo and build the image for you.
To push the image manually, go to project creation or to the project's “push image manually” option to get the registry key.
In either case, after you load the image into the project, Red Hat automatically begins to scan the image for certification.
```
# Log in to the RH registry; Mac users add --password-stdin and supply the <registry key> on stdin
$ docker login -u unused scan.connect.redhat.com
# Tag the container
$ docker tag [image-id] scan.connect.redhat.com/<repo id>/[image-name]:[tag]
# Push the image to the RH registry
$ docker push scan.connect.redhat.com/<repo id>/[image-name]:[tag]
```
Once the image is added, you will see it appear in the project list and begin scanning. The scan can take several hours to run depending on the images and applications. If the container fails certification, you will receive a full list of faults for you to correct before resubmitting your container for certification.
Check out these links for additional information about Red Hat certification.