elastic · jeanfabrice · Jun 22, 2026 · Jun 22, 2026 · Jun 22, 2026 · Jun 23, 2026
@@ -29,6 +29,16 @@ Deleting CRDs will trigger deletion of all custom resources ({{eck_resources_lis
 
 For a list of supported Kubernetes versions refer to [](../cloud-on-k8s.md#k8s-supported)
 
+## Hardened ECK container image [k8s-installing-eck-container-image]
+
+Elastic has partnered with [Chainguard](https://www.chainguard.dev/) to provide hardened container images based on [Wolfi](https://wolfi.dev), a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images).
+
+Since ECK 2.15, the ECK operator image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from `docker.elastic.co` already provides a hardened, Wolfi-based container.
+
+::::{note}
+Only images distributed through `docker.elastic.co` are officially supported by Elastic. Third-party hardened image sources, such as Docker Hardened Images (DHI) on Docker Hub, are not maintained by Elastic and fall outside the scope of Elastic support.
+::::
+
 ## Installation methods
 
 ECK supports multiple installation methods. Choose the one that best fits your infrastructure: