All articles
GUIDE · 6 min read

Container Image Hardening That Survives Production

Most container CVEs never get exploited — but the ones that do almost always succeed because the image runs as root with a writable filesystem. Fix the basics and you remove the blast radius.

Shrink the image

Distroless or chainguard base images. Fewer binaries = fewer LOLBins for the attacker.

Drop privileges by default

runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities, allowPrivilegeEscalation: false. Make these PodSecurity defaults.

  • seccomp: RuntimeDefault
  • AppArmor / SELinux enforcing
  • No hostPath, no hostNetwork

Scan in the pipeline AND at runtime

Trivy/Grype at build time, Falco at runtime. Vulnerable images that never get pulled are a paperwork problem; vulnerable images running in prod are an incident.

Tools mentioned

TrivyGrypeFalcoChainguardDistrolessKyverno
⟩ takeaway

Small, non-root, read-only. Three properties that turn most container exploits into noisy failures.

⟩ keep reading

Related articles