docs(eck): add container image support scope note to install page#7056
Open
jeanfabrice wants to merge 4 commits into
Open
docs(eck): add container image support scope note to install page#7056jeanfabrice wants to merge 4 commits into
jeanfabrice wants to merge 4 commits into
Conversation
## Summary Adds a new "Container images" section to the ECK install page clarifying: - The Elastic/Chainguard partnership for Wolfi-based hardened images - That only images from `docker.elastic.co` are officially supported by Elastic - That third-party hardened image sources (e.g. Docker Hardened Images on Docker Hub) are not maintained by Elastic and fall outside the scope of Elastic support Closes #6822 (superseded by this PR — previous PR covered more scope than what has internal consensus). ## Generative AI disclosure 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes Tool(s) and model(s) used: Claude Code (claude-opus-4-8)
Contributor
Elastic Docs AI PR menuCheck the box to run an AI review for this pull request.
Powered by GitHub Agentic Workflows and docs-actions. For more information, reach out to the docs team. |
Contributor
🔍 Preview links for changed docs |
Contributor
✅ Elastic Docs Style Checker (Vale)No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
## Summary Updates the "Container images" section added in the previous commit: - Rename section to "Hardened ECK container image" (singular — only the ECK operator image is covered here, not Stack component images) - Add a sentence stating that since ECK 2.15.0, the operator container image is built on Wolfi by default, requiring no additional configuration ## Generative AI disclosure 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes Tool(s) and model(s) used: Claude Code (claude-opus-4-8)
- Use https://wolfi.dev instead of GitHub repo link (consistent with other ECK pages) - "Since ECK 2.15" (not 2.15.0) and "operator image" (not "container image") - Note text: "Only images distributed through docker.elastic.co" (not "via", not "container images") ## Generative AI disclosure 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes Tool(s) and model(s) used: Claude Code (claude-opus-4-8)
shainaraskas
left a comment
Member
There was a problem hiding this comment.
a couple of comments on placement / compatibility with all install methods
we might also consider adding a little note or sentence saying that the operator is hardened by default on the relevant install pages and link to this new section
|
|
||
| Elastic has partnered with [Chainguard](https://www.chainguard.dev/) to provide hardened container images based on [Wolfi](https://wolfi.dev), a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images). | ||
|
|
||
| Since ECK 2.15, the ECK operator image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from `docker.elastic.co` already provides a hardened, Wolfi-based container. |
Member
There was a problem hiding this comment.
prefer not referring to 2.15 because these are the 3.x docs ... we can keep it if you think it will save a lot of support headaches
|
|
||
| For a list of supported Kubernetes versions refer to [](../cloud-on-k8s.md#k8s-supported) | ||
|
|
||
| ## Hardened ECK container image [k8s-installing-eck-container-image] |
Member
There was a problem hiding this comment.
this page is the gate to all of the child pages, so this is too prominent. please move it below installation methods
| Since ECK 2.15, the ECK operator image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from `docker.elastic.co` already provides a hardened, Wolfi-based container. | ||
|
|
||
| ::::{note} | ||
| Only images distributed through `docker.elastic.co` are officially supported by Elastic. Third-party hardened image sources, such as Docker Hardened Images (DHI) on Docker Hub, are not maintained by Elastic and fall outside the scope of Elastic support. |
Member
There was a problem hiding this comment.
we distribute images through a couple of other places that we might not want to pretend don't exist, right? the first one is the fips image which is hardened in a different way we might want to acknowledge
cgr.dev/chainguard/glibc-dynamic
registry.access.redhat.com/ubi9/ubi-micro
|
|
||
| Elastic has partnered with [Chainguard](https://www.chainguard.dev/) to provide hardened container images based on [Wolfi](https://wolfi.dev), a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images). | ||
|
|
||
| Since ECK 2.15, the ECK operator image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from `docker.elastic.co` already provides a hardened, Wolfi-based container. |
Member
There was a problem hiding this comment.
this is not the case for openshift/fips, right? we need to specify that
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a new "Container images" section to the ECK install page (
deploy-manage/deploy/cloud-on-k8s/install.md), inserted before the existing "Installation methods" section. This section:docker.elastic.coare officially supported by Elastic.Supersedes #6822 (closed — that PR covered additional scope that does not yet have internal consensus).
Generative AI disclosure
Tool(s) and model(s) used: Claude Code (claude-opus-4-8)