From 1cfe682ad55556089ee95c00bd56c1830359dd5a Mon Sep 17 00:00:00 2001 From: Jean-Fabrice Bobo Date: Mon, 22 Jun 2026 11:19:39 +0200 Subject: [PATCH 1/3] docs(eck): add container image support note to install.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary Adds a new "Container images" section to the ECK install page clarifying: - The Elastic/Chainguard partnership for Wolfi-based hardened images - That only images from `docker.elastic.co` are officially supported by Elastic - That third-party hardened image sources (e.g. Docker Hardened Images on Docker Hub) are not maintained by Elastic and fall outside the scope of Elastic support Closes #6822 (superseded by this PR — previous PR covered more scope than what has internal consensus). ## Generative AI disclosure 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes Tool(s) and model(s) used: Claude Code (claude-opus-4-8) --- deploy-manage/deploy/cloud-on-k8s/install.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deploy-manage/deploy/cloud-on-k8s/install.md b/deploy-manage/deploy/cloud-on-k8s/install.md index dbaa6611ce..9f27de0b8d 100644 --- a/deploy-manage/deploy/cloud-on-k8s/install.md +++ b/deploy-manage/deploy/cloud-on-k8s/install.md 
@@ -29,6 +29,14 @@ Deleting CRDs will trigger deletion of all custom resources ({{eck_resources_lis For a list of supported Kubernetes versions refer to [](../cloud-on-k8s.md#k8s-supported) +## Container images [k8s-installing-eck-container-images] + +Elastic has partnered with [Chainguard](https://www.chainguard.dev/) to provide hardened container images based on [Wolfi](https://github.com/wolfi-dev/os), a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images). + +::::{note} +Only container images distributed via `docker.elastic.co` are officially supported by Elastic. Third-party hardened image sources, such as Docker Hardened Images (DHI) on Docker Hub, are not maintained by Elastic and fall outside the scope of Elastic support. +:::: + ## Installation methods ECK supports multiple installation methods. Choose the one that best fits your infrastructure: From ad1fc6978456e87aea0d8e507d7f54a745434940 Mon Sep 17 00:00:00 2001 
From: Jean-Fabrice Bobo Date: Mon, 22 Jun 2026 11:27:29 +0200 Subject: [PATCH 2/3] docs(eck): rework hardened container image section in install.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary Updates the "Container images" section added in the previous commit: - Rename section to "Hardened ECK container image" (singular — only the ECK operator image is covered here, not Stack component images) - Add a sentence stating that since ECK 2.15.0, the operator container image is built on Wolfi by default, requiring no additional configuration ## Generative AI disclosure 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes Tool(s) and model(s) used: Claude Code (claude-opus-4-8) --- deploy-manage/deploy/cloud-on-k8s/install.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/install.md b/deploy-manage/deploy/cloud-on-k8s/install.md index 9f27de0b8d..2ecaec23a0 100644 --- a/deploy-manage/deploy/cloud-on-k8s/install.md +++ b/deploy-manage/deploy/cloud-on-k8s/install.md 
@@ -29,10 +29,12 @@ Deleting CRDs will trigger deletion of all custom resources ({{eck_resources_lis For a list of supported Kubernetes versions refer to [](../cloud-on-k8s.md#k8s-supported) -## Container images [k8s-installing-eck-container-images] +## Hardened ECK container image [k8s-installing-eck-container-image] Elastic has partnered with [Chainguard](https://www.chainguard.dev/) to provide hardened container images based on [Wolfi](https://github.com/wolfi-dev/os), a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images). +Since ECK 2.15.0, the ECK operator container image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from `docker.elastic.co` already provides a hardened, Wolfi-based container. + ::::{note} Only container images distributed via `docker.elastic.co` are officially supported by Elastic. Third-party hardened image sources, such as Docker Hardened Images (DHI) on Docker Hub, are not maintained by Elastic and fall outside the scope of Elastic support. :::: From 9af80bbfe0fb53732c936254555b196783f2b7a9 Mon Sep 17 00:00:00 2001 
From: Jean-Fabrice Bobo Date: Mon, 22 Jun 2026 11:31:50 +0200 Subject: [PATCH 3/3] docs(eck): apply shainaraskas review recommendations - Use https://wolfi.dev instead of GitHub repo link (consistent with other ECK pages) - "Since ECK 2.15" (not 2.15.0) and "operator image" (not "container image") - Note text: "Only images distributed through docker.elastic.co" (not "via", not "container images") ## Generative AI disclosure 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes Tool(s) and model(s) used: Claude Code (claude-opus-4-8) --- deploy-manage/deploy/cloud-on-k8s/install.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/install.md b/deploy-manage/deploy/cloud-on-k8s/install.md index 2ecaec23a0..79f9381b6d 100644 --- a/deploy-manage/deploy/cloud-on-k8s/install.md +++ b/deploy-manage/deploy/cloud-on-k8s/install.md 
@@ -31,12 +31,12 @@ For a list of supported Kubernetes versions refer to [](../cloud-on-k8s.md#k8s-s ## Hardened ECK container image [k8s-installing-eck-container-image] -Elastic has partnered with [Chainguard](https://www.chainguard.dev/) to provide hardened container images based on [Wolfi](https://github.com/wolfi-dev/os), a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images). +Elastic has partnered with [Chainguard](https://www.chainguard.dev/) to provide hardened container images based on [Wolfi](https://wolfi.dev), a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images). -Since ECK 2.15.0, the ECK operator container image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from `docker.elastic.co` already provides a hardened, Wolfi-based container. +Since ECK 2.15, the ECK operator image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from `docker.elastic.co` already provides a hardened, Wolfi-based container. ::::{note} -Only container images distributed via `docker.elastic.co` are officially supported by Elastic. 
Third-party hardened image sources, such as Docker Hardened Images (DHI) on Docker Hub, are not maintained by Elastic and fall outside the scope of Elastic support. +Only images distributed through `docker.elastic.co` are officially supported by Elastic. Third-party hardened image sources, such as Docker Hardened Images (DHI) on Docker Hub, are not maintained by Elastic and fall outside the scope of Elastic support. :::: ## Installation methods
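Review bot: in the `::::{note}` block added by [PATCH 1/3], the sentence "Only container images distributed via `docker.elastic.co` are officially supported by Elastic" does not say whether an unmodified copy of such an image, mirrored to a private registry, is still in scope. Readers who cannot pull directly from `docker.elastic.co` will read this note as excluding them, so add a clause stating how mirrored copies are treated. The claim "significantly reduce the CVE footprint" in the paragraph above it is unquantified; either soften it or rely explicitly on the linked blog post for the figures.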
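Review bot: after the heading change to "Hardened ECK container image" in [PATCH 2/3], the unchanged first paragraph still talks about "hardened container images" and "the CVE footprint of Elastic containers" in general, so the section body never states the scope limit that the commit message gives (operator image only, not Stack component images). Put that limit in the rendered text, for example in the new "Since ECK 2.15.0" paragraph, so readers do not assume the Stack images the operator deploys are covered by the same statement. "By default" in that paragraph also implies that another base image can be selected; name the alternative or drop the qualifier.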
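Review bot: the rewording to "the ECK operator image" in [PATCH 3/3] leaves the context heading "Hardened ECK container image" and its anchor `k8s-installing-eck-container-image` on the old term, and the same added sentence still ends with "Wolfi-based container". Rename the heading to "Hardened ECK operator image" in this commit so the terminology is consistent within the section; the anchor is new in this series, so changing it now breaks no existing links. The "Since ECK 2.15" sentence also tells readers on earlier versions nothing about the base image they are running; one sentence covering that case would close the gap.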