Featured image for 9 best practices for building images that run well in both Kubernetes and OpenShift

After designing a universal application image that will run well on Kubernetes or Red Hat OpenShift—and that will pass Red Hat Container Certification—your next consideration is how to successfully build and store each image. This article discusses how to use a build pipeline to implement two best practices: Automating compliance with the Open Container Initiative (OCI) and tagging each image with a unique identifier. Using a build pipeline to build and store images automates the process and makes it repeatable and reliable. I'll also discuss the Red Hat Container Certification requirements for each of these best practices.

A quick review of CI/CD pipelines

As a reminder, a build pipeline performs continuous integration in a pipeline that provides continuous delivery (CI/CD) as part of DevOps or DevSecOps for a software development lifecycle. Every time the code for a software component changes, the CI pipeline builds the software, packages it for deployment, and deploys it into a development or test environment.

CI/CD pipelines:

  • Confirm that the latest code can be built and deployed.
  • Ensure that the deployed component is always running the latest code.
  • Perform quality checks on the code.
  • Prevent deployment if the software falls below an acceptable level of quality.

Best practice #1: Build images for OCI compliance

The Open Container Initiative (OCI) is a neutral body that governs open industry standards for the container image format (image-spec), how images are stored and distributed (distribution-spec), and how images are run as containers (runtime-spec).

Images built for OCI compliance avoid vendor lock-in. Any OCI-compliant container can run properly in any OCI-compliant container engine, such as containerd and CRI-O.

Red Hat Container Certification requirement

Although Red Hat does not require that images be built with specific tools, it does recommend a set of open source tools to build, transfer, and run OCI-compliant images: Buildah, Skopeo, and Podman. These tools currently run most easily on Linux, with varying support for Windows or MacOS.

You should use Buildah to build images and Skopeo to copy them between registries. You can also use Podman to run images locally, although that doesn’t matter when deploying images to a container orchestrator. OpenShift supports using Buildah to build images as part of an integrated build process with all three tools.

Build an image with Buildah

Use Buildah’s bud command to build an image like this:

buildah bud -f Dockerfile .

bud stands for "build using dockerfile." Buildah refers to the file that contains the build instructions as either the Dockerfile or the Containerfile. Regardless of the file name, they use the same syntax.

Best practice #2: Tag each image with a unique identifier

When adding an image to a registry, tag the image to indicate the version of the software and the release of the build inside the image.

Red Hat Container Certification requirement

Red Hat Container Certification requires that an image have a tag (other than latest, which is automatic) that uniquely identifies that image from others with the same name. It suggests that the tag should commonly be the image version.

Tagging your image

Use Docker’s tag command to add a tag to an image. An image can have multiple tags, which are aliases for the same image file. For example:

  1. Build the image: my-image.
  2. Tag it for the registry: my-registry and the namespace my-namespace, and with the version 1.0 and the release 1.
  3. Tag it again without the release, for the latest release of that version.
  4. Push all tags of the image to the remote registry my-registry.

Your command should look something like this:

docker build -t my-image .
docker tag my-image my-registry/my-namespace/my-image:1.0-1
docker tag my-image my-registry/my-namespace/my-image:1.0
docker push --all-tags my-registry/my-namespace/my-image

This tags the image with two tags:

  • 1.0-1 specifies release 1 of version 1.0.
  • 1.0 specifies the latest release of version 1.0.

The registry should not already contain an image with the tag 1.0-1; if it does, the old image will no longer have that tag. If this were tag 1.0-2, the registry typically already contains an image with the tags 1.0-1 and 1.0. The new 1.0 tag replaces the old one in the registry, so whereas the 1.0 used to point to the 1.0-1 image, now it points to the 1.0-2 image. Likewise, you could even add a 1 tag to point to the latest image that is a 1.x version. For example, see all the tags for various builds of the node image in DockerHub and notice how a single build often has multiple tags that act as aliases for the same build.

The image’s identifiers in the registry should match its internal identifiers. An image should contain these three identifying fields:

  • name: Name of the image.
  • version: Version of the image.
  • release: A number that’s used to identify the specific build for this image.

To make the registry identifiers match, tag the image with these same identifier values:

docker tag <registry>/<namespace>/<name>:<version>-<release>

where <registry> and <namespace> specify where the image is stored.


This article discussed best practices for building and storing images and showed you how to use a build pipeline to automate OCI compliance and tagging images with a unique identifier.

Last updated: September 20, 2023