---
title: Hardened (Wolfi) images in Elastic Cloud on Kubernetes
description: Learn how ECK uses Wolfi-based hardened images to reduce CVE exposure, and how to configure Wolfi images for Elastic Stack components.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6822/deploy-manage/deploy/cloud-on-k8s/hardened-images
products:
  - APM
  - Beats
  - Elastic Agent
  - Elastic Cloud on Kubernetes
  - Elasticsearch
  - Kibana
  - Logstash
applies_to:
  - Elastic Cloud on Kubernetes: Generally available
---

# Hardened (Wolfi) images in Elastic Cloud on Kubernetes
Elastic has partnered with [Chainguard](https://www.chainguard.dev/) to provide hardened container images based on [Wolfi](https://github.com/wolfi-dev/os), a minimal, security-focused Linux distribution designed for containerized environments. These images significantly reduce the CVE footprint of Elastic containers by including only the application and its necessary runtime dependencies. For background on this initiative, refer to the blog post [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images).
<note>
  Only images distributed via `docker.elastic.co` are officially supported by Elastic. Third-party hardened image sources, such as Docker Hardened Images (DHI) on Docker Hub, are not maintained by Elastic and fall outside the scope of Elastic support.
</note>


## The ECK Operator image

Since ECK **v2.15.0**, the ECK Operator image is built on Wolfi by default. No additional configuration is required — pulling the standard operator image from `docker.elastic.co` already provides a hardened, Wolfi-based container.

## Elastic Stack images managed by Elastic Cloud on Kubernetes

Wolfi-based variants of the Elastic Stack images (Elasticsearch, Kibana, Elastic Agent, Beats) are available from v8.16.0 onwards (v8.15.0 for APM Server and Logstash). However, ECK does not pull Wolfi variants by default for Elastic Stack components — the standard images are used unless explicitly overridden.
To have the operator pull Wolfi-based images natively for the Elastic Stack components it manages, set the `container-suffix` configuration flag to `-wolfi`. The operator then appends this suffix to the container images it resolves. This flag cannot be combined with the `--ubi-only` flag. For more details, refer to [ECK configuration flags](https://docs-v3-preview.elastic.dev/elastic/cloud-on-k8s/tree/main/reference/eck-configuration-flags).
For example, set the suffix in the `elastic-operator` ConfigMap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: elastic-operator
  namespace: elastic-system
data:
  eck.yaml: |-
    container-suffix: -wolfi
```

<warning>
  The `container-suffix` flag applies to **all** resources managed by the operator, including [Elastic Package Registry](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6822/deploy-manage/deploy/cloud-on-k8s/package-registry) and [Elastic Maps Server](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6822/deploy-manage/deploy/cloud-on-k8s/elastic-maps-server). The images for these two components are **already natively based on Wolfi** and do not have a `-wolfi` suffix. With `container-suffix: -wolfi` set, the operator would try to pull non-existent suffixed images, causing the image pull to fail.For these resources, explicitly set the container image in the manifest using `.spec.image` (without the suffix).For [Elastic Package Registry](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6822/deploy-manage/deploy/cloud-on-k8s/package-registry), use:
  ```yaml
  apiVersion: packageregistry.k8s.elastic.co/v1alpha1
  kind: PackageRegistry
  metadata:
    name: package-registry-sample
    namespace: default
  spec:
    count: 1
    version: 9.4.2
    image: docker.elastic.co/package-registry/distribution:9.4.2
  ```
  Other valid tags include `lite-<version>`, `production` and `lite`. For more details, refer to [Air-gapped environments](/elastic/docs-content/pull/6822/reference/fleet/air-gapped#air-gapped-diy-epr).For [Elastic Maps Server](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6822/deploy-manage/deploy/cloud-on-k8s/elastic-maps-server), use:
  ```yaml
  apiVersion: maps.k8s.elastic.co/v1alpha1
  kind: ElasticMapsServer
  metadata:
    name: quickstart
  spec:
    count: 1
    version: 9.4.2
    image: docker.elastic.co/elastic-maps-service/elastic-maps-server:9.4.2
  ```
</warning>


## Further reading

- [Reducing CVEs in Elastic container images](https://www.elastic.co/blog/reducing-cves-in-elastic-container-images)