{"id":"image-governed-from-build-through-lifecycle","text":"OpenShift image governance spans the complete lifecycle: images flow through build systems and supply chains (S2I/Shipwright → ImageStream → registry for apps; FBC → OLM for operators) and are then subject to lifecycle controls (managed annotation for pruning eligibility, registry operator for automated cleanup) — the same governance model that controls creation also controls deletion.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["image-supply-chain-end-to-end","image-lifecycle-management-model"],"outlist":[],"label":"depth-3 supply chain covers creation/delivery while depth-1 lifecycle covers pruning/cleanup; combining shows that image governance is a closed loop, not a one-way pipeline"}],"dependents":["governed-immutable-image-and-operator-platform"],"metadata":{},"explanation":{"steps":[{"node":"image-governed-from-build-through-lifecycle","truth_value":"IN","reason":"SL justification valid","antecedents":["image-supply-chain-end-to-end","image-lifecycle-management-model"],"label":"depth-3 supply chain covers creation/delivery while depth-1 lifecycle covers pruning/cleanup; combining shows that image governance is a closed loop, not a one-way pipeline"},{"node":"image-supply-chain-end-to-end","truth_value":"IN","reason":"SL justification valid","antecedents":["build-and-image-delivery-pipeline","operator-catalog-to-deployment-pipeline"],"label":"depth-3 — application and operator image delivery are structurally parallel managed pipelines"},{"node":"build-and-image-delivery-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["build-system-openshift-native-duality","imagestream-controlled-access-model","image-registry-external-access-model"],"label":"Build systems, ImageStream access control, and registry exposure form a complete image delivery chain"},{"node":"build-system-openshift-native-duality","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-two-build-systems-shipwright-buildconfig","ocp-buildconfigs-not-in-upstream-k8s","imagestream-buildconfig-openshift-native"],"label":"The build system is entirely OpenShift-native — both build mechanisms and their image output target (ImageStream) have no K8s equivalents"},{"node":"ocp-two-build-systems-shipwright-buildconfig","truth_value":"IN","reason":"premise"},{"node":"ocp-buildconfigs-not-in-upstream-k8s","truth_value":"IN","reason":"premise"},{"node":"imagestream-buildconfig-openshift-native","truth_value":"IN","reason":"premise"},{"node":"imagestream-controlled-access-model","truth_value":"IN","reason":"SL justification valid","antecedents":["image-objects-immutable-content-addressed","end-users-access-images-via-imagestreamtag-or-imagestreamimage","imagestream-pull-requires-get-layers-permission","ocp-imagestreammapping-privileged-only"],"label":"Four beliefs collectively enforce a layered access control model over image content"},{"node":"image-objects-immutable-content-addressed","truth_value":"IN","reason":"premise"},{"node":"end-users-access-images-via-imagestreamtag-or-imagestreamimage","truth_value":"IN","reason":"premise"},{"node":"imagestream-pull-requires-get-layers-permission","truth_value":"IN","reason":"premise"},{"node":"ocp-imagestreammapping-privileged-only","truth_value":"IN","reason":"premise"},{"node":"image-registry-external-access-model","truth_value":"IN","reason":"SL justification valid","antecedents":["image-registry-default-route-true-exposes-externally","default-route-uses-reencrypt","registry-credential-secret-name","image-registry-storage-backends"],"label":"Four beliefs that together describe how the registry is configured, secured, and exposed"},{"node":"image-registry-default-route-true-exposes-externally","truth_value":"IN","reason":"premise"},{"node":"default-route-uses-reencrypt","truth_value":"IN","reason":"premise"},{"node":"registry-credential-secret-name","truth_value":"IN","reason":"premise"},{"node":"image-registry-storage-backends","truth_value":"IN","reason":"premise"},{"node":"operator-catalog-to-deployment-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-modernizes-operator-catalog-format","olm-full-lifecycle-chain"],"label":"FBC defines the catalog format; OLM defines the installation chain — together they form the complete operator delivery pipeline"},{"node":"fbc-modernizes-operator-catalog-format","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-default-since-ocp-411-sqlite-deprecated","opm-validate-checks-catalog","fbc-skiprange-prunes-update-graph"],"label":"FBC as the complete modern catalog toolchain"},{"node":"fbc-default-since-ocp-411-sqlite-deprecated","truth_value":"IN","reason":"premise"},{"node":"opm-validate-checks-catalog","truth_value":"IN","reason":"premise"},{"node":"fbc-skiprange-prunes-update-graph","truth_value":"IN","reason":"premise"},{"node":"olm-full-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-resource-chain","olm-subscription-tracks-channel","subscription-triggers-installplan-then-csv","installplan-required-spec-fields"],"label":"End-to-end OLM lifecycle with each resource's role clarified"},{"node":"olm-resource-chain","truth_value":"IN","reason":"premise"},{"node":"olm-subscription-tracks-channel","truth_value":"IN","reason":"premise"},{"node":"subscription-triggers-installplan-then-csv","truth_value":"IN","reason":"premise"},{"node":"installplan-required-spec-fields","truth_value":"IN","reason":"premise"},{"node":"image-lifecycle-management-model","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-managed-image-annotation-required","imagepruner-managed-by-image-registry-operator","ocp-image-pruning-requires-registry-restart"],"label":"Three base beliefs about image pruning combine into a complete image lifecycle management model"},{"node":"ocp-managed-image-annotation-required","truth_value":"IN","reason":"premise"},{"node":"imagepruner-managed-by-image-registry-operator","truth_value":"IN","reason":"premise"},{"node":"ocp-image-pruning-requires-registry-restart","truth_value":"IN","reason":"premise"}]}}