Hardened (Wolfi) images in Elastic Cloud on Kubernetes
Elastic has partnered with Chainguard to provide hardened container images based on Wolfi, a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post Reducing CVEs in Elastic container images.
Only images distributed via docker.elastic.co are officially supported by Elastic. Third-party hardened image sources, such as Docker Hardened Images (DHI) on Docker Hub, are not maintained by Elastic and fall outside the scope of Elastic support.
Since ECK v2.15.0, the ECK Operator image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from docker.elastic.co already provides a hardened, Wolfi-based container.
Wolfi-based variants of the Elastic Stack images (Elasticsearch, Kibana, Elastic Agent, Beats) are available from v8.16.0 onwards (v8.15.0 for APM Server and Logstash). However, ECK does not pull Wolfi variants by default for Elastic Stack components — the standard images are used unless explicitly overridden.
To have the operator pull Wolfi-based images natively for the Elastic Stack components it manages, set the container-suffix configuration flag (--container-suffix on the command line, or the container-suffix key in the operator ConfigMap) to -wolfi. The operator then appends this suffix to the image names it resolves for those components. This flag cannot be combined with the --ubi-only flag. For more details, refer to ECK configuration flags.
For example, set the suffix in the elastic-operator ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  name: elastic-operator
  namespace: elastic-system
data:
  eck.yaml: |-
    container-suffix: -wolfi
The container-suffix flag applies to all resources managed by the operator, including Elastic Package Registry and Elastic Maps Server. The images for these two components are already natively based on Wolfi and do not have a -wolfi suffix. With container-suffix: -wolfi set, the operator would try to pull non-existent suffixed images, causing the image pull to fail.
For these resources, explicitly set the container image in the manifest using .spec.image (without the suffix).
For Elastic Package Registry, use:
apiVersion: packageregistry.k8s.elastic.co/v1alpha1
kind: PackageRegistry
metadata:
  name: package-registry-sample
  namespace: default
spec:
  count: 1
  version: 9.4.2
  image: docker.elastic.co/package-registry/distribution:9.4.2
Other valid tags include lite-<version>, production and lite. For more details, refer to Air-gapped environments.
For Elastic Maps Server, use:
apiVersion: maps.k8s.elastic.co/v1alpha1
kind: ElasticMapsServer
metadata:
  name: quickstart
spec:
  count: 1
  version: 9.4.2
  image: docker.elastic.co/elastic-maps-service/elastic-maps-server:9.4.2
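To make the two rules above concrete (the suffix is appended to every image the operator resolves, and an explicit .spec.image is the way to keep Elastic Package Registry and Elastic Maps Server on their natively Wolfi-based images), here is an added Python model of that resolution plus a small audit of what the cluster is actually running. It is an illustration written for this page, not ECK's own code: the default repository names, the naming scheme (suffix appended to the repository name before the tag) and the tab-separated kubectl output it parses are assumptions made for the example and should be checked against the operator version in use.

```python
"""Illustrative model of ECK image resolution under container-suffix: -wolfi.

Added example, not ECK's own code. Assumes the behaviour the page describes:
a Stack image is built from a default repository, the suffix and the version
unless the manifest sets .spec.image, and Elastic Package Registry and Elastic
Maps Server have no suffixed variant.
"""
from dataclasses import dataclass
from typing import Optional

REGISTRY = "docker.elastic.co"

# Default repositories per kind (assumed for this example; the operator
# derives them from its own flags and defaults).
DEFAULT_REPOS = {
    "Elasticsearch": "elasticsearch/elasticsearch",
    "Kibana": "kibana/kibana",
    "PackageRegistry": "package-registry/distribution",
    "ElasticMapsServer": "elastic-maps-service/elastic-maps-server",
}

# Kinds whose images are natively Wolfi-based and published without a
# suffixed repository, so the suffix must not be appended (per the page).
NATIVE_WOLFI_KINDS = {"PackageRegistry", "ElasticMapsServer"}


@dataclass
class Resource:
    kind: str
    name: str
    version: str
    image: Optional[str] = None  # the manifest's .spec.image, when set


def resolve_image(res: Resource, suffix: str = "") -> str:
    """Image the operator would pull: .spec.image wins, else repo+suffix:version."""
    if res.image:
        return res.image
    return f"{REGISTRY}/{DEFAULT_REPOS[res.kind]}{suffix}:{res.version}"


def split_repo_tag(image: str) -> tuple:
    """Split 'registry[:port]/path/name[:tag]' into (repository, tag).

    Splitting on the last path component first keeps a registry port intact.
    """
    head, _, last = image.rpartition("/")
    name, _, tag = last.partition(":")
    repo = f"{head}/{name}" if head else name
    return repo, tag or "latest"


def image_is_wolfi(image: str) -> bool:
    """True if the repository carries -wolfi or is a natively Wolfi-based repo."""
    repo, _ = split_repo_tag(image)
    if repo.endswith("-wolfi"):
        return True
    native = {f"{REGISTRY}/{DEFAULT_REPOS[k]}" for k in NATIVE_WOLFI_KINDS}
    return repo in native


def audit(resources, suffix: str = ""):
    """Return (name, resolved image, verdict) for each managed resource."""
    findings = []
    for res in resources:
        image = resolve_image(res, suffix)
        if res.kind in NATIVE_WOLFI_KINDS and suffix and not res.image:
            verdict = "ERROR: suffixed image does not exist; set .spec.image explicitly"
        elif image_is_wolfi(image):
            verdict = "ok: Wolfi-based image"
        else:
            verdict = "warn: not a Wolfi-based image"
        findings.append((res.name, image, verdict))
    return findings


def non_wolfi_pods(kubectl_lines: str):
    """Parse 'namespace/pod<TAB>image1 image2 ...' lines (the shape a kubectl
    jsonpath template can emit) and return pods running any non-Wolfi image."""
    bad = []
    for line in kubectl_lines.splitlines():
        if not line.strip():
            continue
        pod, _, images = line.partition("\t")
        offenders = [img for img in images.split() if not image_is_wolfi(img)]
        if offenders:
            bad.append((pod, offenders))
    return bad


# Constructed sample of pod/image lines; the Kibana pod is still on the
# standard image, so the suffix did not reach it (for instance because the
# operator was not restarted after the ConfigMap change).
SAMPLE_KUBECTL_OUTPUT = (
    "default/quickstart-es-default-0\tdocker.elastic.co/elasticsearch/elasticsearch-wolfi:9.4.2\n"
    "default/quickstart-kb-5d7f9c8b7c-abcde\tdocker.elastic.co/kibana/kibana:9.4.2\n"
    "default/quickstart-ems-6b9d7c4d5f-xyz12\tdocker.elastic.co/elastic-maps-service/elastic-maps-server:9.4.2\n"
)

if __name__ == "__main__":
    managed = [
        Resource("Elasticsearch", "quickstart-es", "9.4.2"),
        Resource("PackageRegistry", "epr-default", "9.4.2"),  # missing .spec.image
        Resource("ElasticMapsServer", "quickstart-ems", "9.4.2",
                 image=f"{REGISTRY}/elastic-maps-service/elastic-maps-server:9.4.2"),
    ]
    for name, image, verdict in audit(managed, "-wolfi"):
        print(f"{name:16} {image:70} {verdict}")
    for pod, offenders in non_wolfi_pods(SAMPLE_KUBECTL_OUTPUT):
        print(f"non-Wolfi image in {pod}: {', '.join(offenders)}")
```

The audit reproduces the failure mode the page warns about: with the suffix set and no .spec.image, the PackageRegistry resource resolves to a distribution-wolfi image that does not exist, while the Maps Server resource with an explicit image is left alone. The pod check is the post-rollout verification: feed it the output of a kubectl pod listing formatted as namespace/pod, a tab, then the container images, and any pod still on a non-Wolfi image is reported.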