CSPL-3434: Use ubi8-minimal base image

Dockerfile

@@ -3,9 +3,9 @@ ARG PLATFORMS=linux/amd64
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-# This sha relates to ubi version 8.10-1132, which is tagged as 8.10 and latest as of Nov 15, 2024
-ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi@sha256
-ARG BASE_IMAGE_VERSION=8990388831e1b41c9a67389e4b691dae8b1283f77d5fb7263e1f4fc69c0a9d05
+# This sha relates to ubi minimal version 8.10-1179, which is tagged as 8.10 and latest as of Feb 6, 2025
+ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi-minimal@sha256
+ARG BASE_IMAGE_VERSION=d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e
 
 # Build the manager binary
 FROM golang:1.23.0 AS builder
@@ -49,14 +49,11 @@ RUN if grep -q 'Ubuntu' /etc/os-release; then \
         unattended-upgrades -v && \
         apt-get clean && rm -rf /var/lib/apt/lists/*; \
     else \
-        yum -y install shadow-utils && \
+        microdnf -y install shadow-utils && \
         useradd -ms /bin/bash nonroot -u 1001 && \
-        yum install -y ca-certificates && \
+        microdnf install -y ca-certificates && \
         update-ca-trust &&  \
-        yum update -y krb5-libs && yum clean all && \
-        yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical && \
-        yum -y update-minimal --security --sec-severity=Moderate && \
-        yum -y update-minimal --security --sec-severity=Low; \
+        microdnf update -y krb5-libs && microdnf clean all; \
     fi
 
 # Metadata

Makefile

@@ -150,13 +150,13 @@ docker-push: ## Push docker image with the manager.
 # IMG is a mandatory argument to specify the image name
 # Defaults:
 #   Build Platform: linux/amd64
-#   Build Base OS: registry.access.redhat.com/ubi8/ubi
-#   Build Base OS Version: 8.10
+#   Build Base OS: registry.access.redhat.com/ubi8/ubi-minimal@sha256
+#   Build Base OS Version: d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e (corresponds to tag 8.10)
 # Pass only what is required, the rest will be defaulted
 # Setup defaults for build arguments
 PLATFORMS ?= linux/amd64
-BASE_IMAGE ?= registry.access.redhat.com/ubi8/ubi
-BASE_IMAGE_VERSION ?= 8.10
+BASE_IMAGE ?= registry.access.redhat.com/ubi8/ubi-minimal@sha256
+BASE_IMAGE_VERSION ?= d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e
 
 docker-buildx:
 	@if [ -z "$(IMG)" ]; then \

docs/Images.md

@@ -5,7 +5,7 @@ The Splunk Operator requires these docker images to be present or available to y
 * `splunk/splunk-operator`: The Splunk Operator image built by this repository or the [official release](https://hub.docker.com/r/splunk/splunk-operator)
 * `splunk/splunk:<version>`: The [Splunk Enterprise image](https://github.com/splunk/docker-splunk)
 
-All of these images are publicly available, and published on [Docker Hub](https://hub.docker.com/).
+All of these images are publicly available, and published on [Docker Hub](https://hub.docker.com/). Starting with release 2.7.2, the base image for the released image is ubi8/ubi-minimal, which minimizes security risks and reduces unneeded packages in the image. A released image based on the distroless base image is also available under the `-distroless` suffix tag on Docker Hub.
 
 If your cluster does not have access to pull directly from Docker Hub, you will need to manually download and push these images to an accessible registry. You will also need to specify the location of these images by using an environment variable passed to the Operator, or by adding additional `spec` parameters to your
 custom resource definition.