Description
When installing operators manually from a bundle with the operator-sdk, a highly vulnerable UBI 9.4 Pod is left running on the cluster:
operator-sdk/internal/olm/fbcutil/util.go, line 51 at f6829d4:

```go
DefaultInitImage = "registry.access.redhat.com/ubi9/ubi:9.4"
```
Example:
```
$ operator-sdk run bundle --security-context-config=restricted -n hpe-storage quay.io/hpestorage/csi-driver-operator-bundle-ocp:v3.1.0-beta
...
$ k describe pods -nhpe-storage quay-io-hpestorage-csi-driver-operator-bundle-ocp-v3-1-0-beta
Name:             quay-io-hpestorage-csi-driver-operator-bundle-ocp-v3-1-0-beta
Namespace:        hpe-storage
Priority:         0
Service Account:  default
Node:             tme-lnxc-ocp/16.172.68.202
Start Time:       Fri, 06 Feb 2026 11:19:58 -0800
Labels:           <none>
Annotations:      k8s.ovn.org/pod-networks:
                    {"default":{"ip_addresses":["10.128.0.74/23"],"mac_address":"0a:58:0a:80:00:4a","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0...
                  k8s.v1.cni.cncf.io/network-status:
                    [{
                        "name": "ovn-kubernetes",
                        "interface": "eth0",
                        "ips": [
                            "10.128.0.74"
                        ],
                        "mac": "0a:58:0a:80:00:4a",
                        "default": true,
                        "dns": {}
                    }]
                  openshift.io/scc: restricted-v2
                  seccomp.security.alpha.kubernetes.io/pod: runtime/default
                  security.openshift.io/validated-scc-subject-type: user
Status:           Running
SeccompProfile:   RuntimeDefault
IP:               10.128.0.74
IPs:
  IP:  10.128.0.74
Init Containers:
  registry-grpc-init:
    Container ID:  cri-o://ae8655d00ef461aea4e3b67b11bfb6071c34e41b569517c726b80c0a3296130b
    Image:         registry.access.redhat.com/ubi9/ubi:9.4
    Image ID:      registry.access.redhat.com/ubi9/ubi@sha256:970d60bb110b60c175f5b261596957a6c8ccfbd0b252d6a1d28b1655d25cb3a8
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
      -c
      for dir in /compressed/hpe-csi-operator-catalog-configs/*configmap-partition*; do for f in ${dir}/*; do file="${f%.*}";file="${file#/compressed}";cat ${f} | gzip -d -c > "${file}";done;done;
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Fri, 06 Feb 2026 11:20:04 -0800
      Finished:     Fri, 06 Feb 2026 11:20:04 -0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /compressed/hpe-csi-operator-catalog-configs/hpe-csi-operator-catalog-configmap-partition-1 from hpe-csi-operator-catalog-configmap-partition-1-volume (rw,path="hpe-csi-operator-catalog-configmap-partition-1")
      /hpe-csi-operator-catalog-configs/hpe-csi-operator-catalog-configmap-partition-1 from hpe-csi-operator-catalog-configmap-partition-1-unzip (rw,path="hpe-csi-operator-catalog-configmap-partition-1")
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-fd898 (ro)
Containers:
  registry-grpc:
    Container ID:  cri-o://dbee7bc33f5a3e2da3d54ce5b2c52597d9bc16e8ecddbc77bbd963815c9a07b4
    Image:         quay.io/operator-framework/opm:latest
    Image ID:      quay.io/operator-framework/opm@sha256:1b3ded7cb299f107af91460476f0178365531360e4eee0873ca1c963ab20fcf8
    Port:          50051/TCP
    Host Port:     0/TCP
    Command:
      sh
      -c
      opm serve /hpe-csi-operator-catalog-configs -p 50051
    State:          Running
      Started:      Fri, 06 Feb 2026 11:20:08 -0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /hpe-csi-operator-catalog-configs/hpe-csi-operator-catalog-configmap-partition-1 from hpe-csi-operator-catalog-configmap-partition-1-unzip (rw,path="hpe-csi-operator-catalog-configmap-partition-1")
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-fd898 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       True
  ContainersReady             True
  PodScheduled                True
Volumes:
  hpe-csi-operator-catalog-configmap-partition-1-volume:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      hpe-csi-operator-catalog-configmap-partition-1
    Optional:  false
  hpe-csi-operator-catalog-configmap-partition-1-unzip:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  kube-api-access-fd898:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    Optional:                false
    DownwardAPI:             true
    ConfigMapName:           openshift-service-ca.crt
    Optional:                false
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason          Age   From               Message
  ----    ------          ----  ----               -------
  Normal  Scheduled       91m   default-scheduler  Successfully assigned hpe-storage/quay-io-hpestorage-csi-driver-operator-bundle-ocp-v3-1-0-beta to tme-lnxc-ocp
  Normal  AddedInterface  91m   multus             Add eth0 [10.128.0.74/23] from ovn-kubernetes
  Normal  Pulling         91m   kubelet            Pulling image "registry.access.redhat.com/ubi9/ubi:9.4"
  Normal  Pulled          91m   kubelet            Successfully pulled image "registry.access.redhat.com/ubi9/ubi:9.4" in 5.696s (5.696s including waiting). Image size: 220830397 bytes.
  Normal  Created         91m   kubelet            Created container: registry-grpc-init
  Normal  Started         91m   kubelet            Started container registry-grpc-init
  Normal  Pulling         91m   kubelet            Pulling image "quay.io/operator-framework/opm:latest"
  Normal  Pulled          91m   kubelet            Successfully pulled image "quay.io/operator-framework/opm:latest" in 2.586s (2.586s including waiting). Image size: 88592288 bytes.
  Normal  Created         91m   kubelet            Created container: registry-grpc
  Normal  Started         91m   kubelet            Started container registry-grpc
```
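A check for the condition shown in the describe output, as an added example that is neither operator-sdk code nor the reporter's: the `registry-grpc-init` container has already exited (`State: Terminated`), but its `ubi9/ubi:9.4` image is still part of the running pod's status, which is exactly what image scanners keep flagging; the long-lived `registry-grpc` container is pulled by the floating `opm:latest` tag. The audit below reads a pod's JSON status, flags images that are on a stale list or use a floating tag, and rewrites each reference to the digest the kubelet actually ran so it can be pinned. The embedded pod JSON is constructed from the describe output above, and the `StaleImages` map, `Audit`, `tagOf` and `pinnedRef` are names introduced here for illustration; in practice the input would be the output of `kubectl get pod -o json`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample modelled on the describe output above; only the fields the audit reads.
const samplePodJSON = `{"status": {
 "initContainerStatuses": [{"name": "registry-grpc-init",
   "image": "registry.access.redhat.com/ubi9/ubi:9.4",
   "imageID": "registry.access.redhat.com/ubi9/ubi@sha256:970d60bb110b60c175f5b261596957a6c8ccfbd0b252d6a1d28b1655d25cb3a8",
   "state": {"terminated": {"exitCode": 0, "reason": "Completed"}}}],
 "containerStatuses": [{"name": "registry-grpc",
   "image": "quay.io/operator-framework/opm:latest",
   "imageID": "quay.io/operator-framework/opm@sha256:1b3ded7cb299f107af91460476f0178365531360e4eee0873ca1c963ab20fcf8",
   "state": {"running": {}}}]}}`

// Field names match the Kubernetes JSON keys case-insensitively, so no struct tags are needed.
type containerStatus struct {
	Name, Image, ImageID string
	State                struct{ Terminated *struct{} } // non-nil once the container has exited
}

// Finding is one container image the audit objects to; PinnedRef is repo@digest of what actually ran.
type Finding struct {
	Container, Image, PinnedRef string
	Init                        bool
	Reasons                     []string
}

// StaleImages is a hypothetical denylist (not part of operator-sdk); the ubi9:9.4 entry is the report's DefaultInitImage.
var StaleImages = map[string]string{
	"registry.access.redhat.com/ubi9/ubi:9.4": "operator-sdk DefaultInitImage, an out-of-date UBI 9 release",
}

// tagOf returns the tag of an image reference, or "" if none; a registry port is not a tag.
func tagOf(ref string) string {
	ref, _, _ = strings.Cut(ref, "@")
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[i+1:]
	}
	return ""
}

// pinnedRef rewrites repo:tag to repo@digest, taking the digest from the kubelet's imageID.
func pinnedRef(image, imageID string) string {
	repo, _, _ := strings.Cut(image, "@")
	if t := tagOf(repo); t != "" {
		repo = strings.TrimSuffix(repo, ":"+t)
	}
	if _, digest, ok := strings.Cut(imageID, "@"); ok {
		return repo + "@" + digest
	}
	return image // no digest recorded; keep the original reference
}

// Audit checks init and regular containers alike: an exited init container's image stays in the pod spec.
func Audit(podJSON []byte, stale map[string]string) ([]Finding, error) {
	var p struct {
		Status struct{ InitContainerStatuses, ContainerStatuses []containerStatus }
	}
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return nil, fmt.Errorf("parse pod: %w", err)
	}
	var out []Finding
	check := func(cs containerStatus, init bool) {
		var reasons []string
		if why, ok := stale[cs.Image]; ok {
			reasons = append(reasons, "known-stale image: "+why)
		}
		if t := tagOf(cs.Image); t == "" || t == "latest" {
			reasons = append(reasons, "floating tag: contents can change under the same reference")
		}
		if len(reasons) == 0 {
			return
		}
		if init && cs.State.Terminated != nil {
			reasons = append(reasons, "init container has exited but its image remains in the running pod")
		}
		out = append(out, Finding{cs.Name, cs.Image, pinnedRef(cs.Image, cs.ImageID), init, reasons})
	}
	for _, cs := range p.Status.InitContainerStatuses {
		check(cs, true)
	}
	for _, cs := range p.Status.ContainerStatuses {
		check(cs, false)
	}
	return out, nil
}

func main() {
	findings, err := Audit([]byte(samplePodJSON), StaleImages)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (init=%v)\n  %s -> %s\n  %s\n", f.Container, f.Init, f.Image, f.PinnedRef, strings.Join(f.Reasons, "; "))
	}
}
```

On the sample above the audit reports both containers: the init container for the stale base image (with the note that it has exited yet still counts against the pod) and the `opm` container for its `latest` tag. The pinned references it prints come from the `Image ID` digests the kubelet recorded, so they describe precisely the bytes that ran rather than whatever the tag points to on the next pull.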