LB2865: Container Hardening: Zero to Hero with Red Hat Hardened Images

Welcome to Container Hardening: Zero to Hero

Welcome to the Container Hardening lab! This workshop is designed to help you master the skills needed to build, deploy, and manage minimal, hardened container environments using Red Hat Hardened Images.

Red Hat Hardened Images represent Red Hat’s strategic approach to delivering distroless, "zero-CVE" container base images built from upstream components. These images address critical challenges in modern software supply chains by providing micro-sized, hardened runtime images with complete transparency through SBOMs (Software Bills of Materials).

Workshop Duration
  • Total Time: 90 minutes

  • Web Module: 20 minutes

  • RHEL Module: 20 minutes

  • OCP Module: 30 minutes

Why Hardened Images Matter

Traditional container base images, even minimal variants like UBI Minimal, include packages that aren’t needed at runtime. These unnecessary components create:

  • Larger attack surfaces with more CVEs to patch

  • Slower deployments due to image size

  • Compliance challenges for supply chain security

  • Higher infrastructure costs from bloated images

Red Hat’s Solution:

  • Zero-CVE at Ship Time: Images delivered free of known vulnerabilities

  • Micro-Sized: JRE runtime ~185MB, Node.js < 100MB, Go < 25MB (vs ~400MB+ for full UBI)

  • Enterprise Grade: Built on a SLSA3 pipeline with Red Hat support available

  • Complete Transparency: Every image ships with SBOMs for compliance

  • Production Ready: Runtime images for .NET, Go, Java, Node.js, Python, databases, and web servers

What You’ll Learn

Module 1: Information Gathering for Hardened Images

This module will introduce the new web application.

Module 2: Container Development Environment with Hummingbird

In this hands-on module, you’ll build and secure container images using a pre-configured developer environment:

  • Multi-Stage Builds: Build production images using various types of hardened images

  • Security Tools: Use cosign, syft, and grype for image signing and scanning

  • Size Optimization: Compare image sizes and vulnerability counts

  • Security Workflow: Scan for CVEs, generate SBOMs, sign and verify images

  • SELinux Hardening: Generate custom SELinux policies with udica
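The "Size Optimization" and "Security Workflow" bullets above come down to one CI question: after grype has scanned both the conventional base image and the Hummingbird-based image, how many findings remain, are they fixable, and should the pipeline pass? The following Python script is an added example, not code from the workshop or from Red Hat. It parses grype's JSON report shape (matches[].vulnerability.{id,severity,fix.state} and matches[].artifact.{name,version}, assumed here from grype's documented output), enforces a Critical/High budget, and reports the size and per-severity reduction between two images. The sample reports and byte sizes at the bottom are constructed, the CVE ids are placeholders, and the thin wrappers around grype, syft, cosign and podman only run when those tools are installed.

```python
"""Vulnerability-gate and image-comparison logic for a hardened-image pipeline.

Added example; it is not part of the workshop. Assumes grype's JSON report
shape and the CLI flags of grype, syft, cosign and podman as documented upstream.
"""
import json
import subprocess
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")


def severity_counts(report: dict) -> Counter:
    """Count grype matches per severity; missing or unexpected values bucket as Unknown."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for match in report.get("matches", []):
        sev = match.get("vulnerability", {}).get("severity") or "Unknown"
        counts[sev if sev in SEVERITIES else "Unknown"] += 1
    return counts


def fixable_ids(report: dict) -> list[str]:
    """Ids of findings grype marks as having a fix available (fix.state == 'fixed')."""
    return sorted(
        m["vulnerability"]["id"]
        for m in report.get("matches", [])
        if m.get("vulnerability", {}).get("fix", {}).get("state") == "fixed"
    )


def gate(report: dict, max_critical: int = 0, max_high: int = 0) -> tuple[bool, str]:
    """Pipeline gate: pass only when Critical and High counts stay within budget."""
    c = severity_counts(report)
    ok = c["Critical"] <= max_critical and c["High"] <= max_high
    summary = ", ".join(f"{s}={c[s]}" for s in SEVERITIES if c[s])
    return ok, summary or "no matches"


def compare(base_report: dict, hardened_report: dict,
            base_bytes: int, hardened_bytes: int) -> dict:
    """Size and per-severity deltas between a conventional base and a hardened image."""
    b, h = severity_counts(base_report), severity_counts(hardened_report)
    return {
        "size_reduction_pct": round(100 * (1 - hardened_bytes / base_bytes), 1),
        "removed_by_severity": {s: b[s] - h[s] for s in SEVERITIES if b[s] - h[s]},
        "total_matches": (sum(b.values()), sum(h.values())),
    }


# Thin wrappers around the tools the module uses. They need the tools on PATH
# and are not exercised by the constructed sample data below.
def scan_image(image: str) -> dict:
    out = subprocess.run(["grype", image, "-o", "json"],
                         check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def write_sbom(image: str, path: str) -> None:
    subprocess.run(["syft", image, "-o", f"spdx-json={path}"], check=True)


def image_size_bytes(image: str) -> int:
    out = subprocess.run(["podman", "image", "inspect", "--format", "{{.Size}}", image],
                         check=True, capture_output=True, text=True)
    return int(out.stdout.strip())


def sign_and_verify(image: str, key: str = "cosign.key", pub: str = "cosign.pub") -> None:
    subprocess.run(["cosign", "sign", "--key", key, image], check=True)
    subprocess.run(["cosign", "verify", "--key", pub, image], check=True)


# Constructed sample reports in grype's JSON shape (placeholder ids, not real scan output).
UBI_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High", "fix": {"state": "fixed"}},
     "artifact": {"name": "openssl-libs", "version": "0.0-placeholder"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium", "fix": {"state": "not-fixed"}},
     "artifact": {"name": "glibc", "version": "0.0-placeholder"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical", "fix": {"state": "fixed"}},
     "artifact": {"name": "curl", "version": "0.0-placeholder"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low"},
     "artifact": {"name": "bash", "version": "0.0-placeholder"}},
]}
HARDENED_REPORT = {"matches": []}          # a distroless runtime image with no findings
UBI_BYTES, HARDENED_BYTES = 420_000_000, 24_000_000   # constructed, roughly the sizes quoted above

if __name__ == "__main__":
    for name, rep in (("ubi", UBI_REPORT), ("hardened", HARDENED_REPORT)):
        ok, summary = gate(rep)
        print(f"{name}: {'pass' if ok else 'FAIL'} ({summary}); fixable={fixable_ids(rep)}")
    print(compare(UBI_REPORT, HARDENED_REPORT, UBI_BYTES, HARDENED_BYTES))
```

In a real run you would replace the constructed dictionaries with scan_image() output for each image and image_size_bytes() for the sizes; the gate's default budget of zero Critical and zero High findings is what "zero-CVE at ship time" means in practice, and the fixable list tells you which remaining findings a rebuild can remove versus those to accept or suppress with a justification.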

Module 3: Building Hardened Images with Shipwright on OpenShift

This module focuses on platform-level image building and deployment:

  • Cloud Native Buildpacks: Implement source-to-image builds without Dockerfiles

  • Hummingbird Integration: Configure Buildpacks to use Hummingbird runtime images

  • Custom Strategies: Create multi-language BuildStrategy patterns for development teams

  • Security Pipeline: Integrate SBOM generation, scanning, and signing into builds

  • Production Deployment: Deploy built images to OpenShift namespaces

  • SELinux CI/CD: Automate udica policy generation with Tekton and distribute via MachineConfig

Expected Outcomes

You’ll have working Shipwright builds deploying Hummingbird-based applications with automated security controls and SELinux policies.

Lab Environment Access

Your RHEL Virtual Machine (Module 1)

You will execute the first module in a Red Hat Enterprise Linux Virtual Machine running on Red Hat OpenShift Container Platform.

  1. In the terminal window on your right log into OpenShift:

    oc login -u {user} -p {password} {openshift_api_url} --insecure-skip-tls-verify
  2. Switch to your OpenShift project:

    oc project {user}-rhel
  3. Connect to your RHEL Virtual Machine:

    virtctl ssh rhel@vm/rhel
  4. When prompted with "Are you sure you want to continue connecting (yes/no/[fingerprint])?", type yes, then log into the VM with the rhel user’s password:

    Password:
    {password}

OpenShift Console (Module 2)

Your OpenShift console is available in a tab on the right or, if you prefer a separate window, at: {openshift_console_url}.

Credentials:

Username:
{user}
Password:
{password}

Quay Registry Credentials

For pushing images to registries, Red Hat Quay is available in a tab on your right or, if you prefer a separate window, at {quay_url}.

Username:
{quay_user}
Password:
{quay_password}

Key Technologies Covered

Container Tools:

  • Podman 5.7.1 (rootless container runtime)

  • Buildah (container image building)

  • Skopeo (image inspection and distribution)

Security Tools:

  • cosign (image signing and verification)

  • syft (SBOM generation)

  • grype (pipeline vulnerability scanning)

Platform Technologies:

  • OpenShift 4.21

  • Builds for Red Hat OpenShift

  • Red Hat Quay (on-cluster container registry)

  • Cloud Native Buildpacks

  • Tekton Pipelines

Registries:

  • Workshop Registry (on-cluster Quay): {quay_console_url}

  • Hummingbird Source Registry: quay.io/hummingbird

  • UBI Registry: registry.access.redhat.com/ubi9

Support and Feedback

If you encounter issues during the workshop:

  1. Review the verification sections in each module

  2. Check the troubleshooting tips in lab steps

  3. Consult the additional resources listed above

  4. Reach out to workshop facilitators (if in instructor-led session)

Let’s get started building secure, minimal container images with Red Hat Hardened Images!