LB2865: Container Hardening: Zero to Hero with Red Hat Hardened Images

Welcome to Container Hardening: Zero to Hero

Welcome to the Container Hardening lab! This workshop is designed to help you master the skills needed to build, deploy, and manage minimal, hardened container environments using Red Hat Hardened Images.

Red Hat Hardened Images represents Red Hat’s strategic approach to delivering distroless, "zero-CVE" container base images built from upstream components. These images address critical challenges in modern software supply chains by providing micro-sized, hardened runtime images with complete transparency through SBOMs (Software Bill of Materials).

Workshop Duration
  • Total Time: 90 minutes

  • Web Module: 15 minutes

  • RHEL Module: 30 minutes

  • OCP Module: 40 minutes

Why Hardened Images Matter

Traditional container base images, even minimal variants like UBI Minimal, include packages that aren’t needed at runtime. These unnecessary components create:

  • Larger attack surfaces with more CVEs to patch

  • Slower deployments due to image size

  • Compliance challenges for supply chain security

  • Higher infrastructure costs from bloated images

Red Hat’s Solution:

  • Zero-CVE at Ship Time: Images delivered free of known vulnerabilities

  • Micro-Sized: JRE runtime ~185MB, Node.js < 100MB, Go < 25MB (vs ~400MB+ for full UBI)

  • Enterprise Grade: Built on a SLSA Level 3 build pipeline, with Red Hat support available

  • Complete Transparency: Every image ships with SBOMs for compliance

  • Production Ready: Runtime images for .NET, Go, Java, Node.js, Python, databases, and web servers

What You’ll Learn

Introduction: Information Gathering for Hardened Images

This module introduces the web application used throughout the lab and the hardened base images it will be built on.

Module 1: Container Development Environment with Hummingbird

In this hands-on module, you’ll build and secure container images using a pre-configured developer environment:

  • Multi-Stage Builds: Build production images using various different types of hardened images

  • Size Optimization: Compare image sizes and vulnerability counts

  • Security Tools: Use cosign, syft, and grype for image signing and scanning

  • Security Workflow: Scan for CVEs, generate SBOMs, sign and verify images
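
The workflow in the list above (SBOM with syft, scan with grype, sign and attest with cosign, then verify) is usually wired together with a policy gate between the scan and the signing step. The script below is an added example, not code from the workshop or from Red Hat: it wraps the real syft, grype and cosign CLIs (assumed on PATH only when run_workflow is called) and adds the part those tools do not give you on their own, a gate over grype's JSON report with an expiring allowlist for accepted risk. The image reference, key file names and the sample report are constructed placeholders.

```python
"""Added example for the lab's scan / SBOM / sign / verify workflow. This is not
code from the workshop or from Red Hat; it wraps the real syft, grype and cosign
CLIs (assumed on PATH only when run_workflow is called) and adds a policy gate
over grype's JSON report with an expiring allowlist. The image reference, key
file names and the sample report below are constructed placeholders."""
import json
import subprocess
from datetime import date

# Grype's severity scale, low to high. Unrated findings are ranked as High so
# that "Unknown" never silently passes a High/Critical gate.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4, "Unknown": 3}


def workflow_commands(image, sbom_path="sbom.spdx.json", report_path="grype.json",
                      key="cosign.key", pub="cosign.pub"):
    """The CLI steps of the workflow as argv lists, using real syft/grype/cosign flags.
    Pass the image by digest (repo@sha256:...) so that what you scanned is what you sign."""
    return {
        "sbom": ["syft", image, "-o", f"spdx-json={sbom_path}"],
        # Scan the SBOM rather than re-pulling the image. grype's own --fail-on could
        # gate here, but the report is written to a file so gate() can apply an allowlist.
        "scan": ["grype", f"sbom:{sbom_path}", "-o", "json", "--file", report_path],
        "sign": ["cosign", "sign", "--key", key, image],
        "attest": ["cosign", "attest", "--key", key, "--type", "spdxjson",
                   "--predicate", sbom_path, image],
        "verify": ["cosign", "verify", "--key", pub, image],
        "verify_attestation": ["cosign", "verify-attestation", "--key", pub,
                               "--type", "spdxjson", image],
    }


def gate(report, threshold="High", allowlist=None, today=None):
    """Decide whether a grype JSON report passes policy. Returns (passed, blocking).

    Only top-level matches are counted: each match's relatedVulnerabilities are
    aliases (GHSA, distro IDs) of the same finding and would double-count.
    allowlist maps vulnerability ID -> ISO expiry date for accepted risk; an
    expired entry blocks again, which forces a re-review."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    allowlist = allowlist or {}
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        vid = vuln["id"]
        severity = vuln.get("severity", "Unknown")
        if SEVERITY_RANK.get(severity, SEVERITY_RANK["Unknown"]) < min_rank:
            continue
        expiry = allowlist.get(vid)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            continue  # accepted risk, still inside its review window
        fix = vuln.get("fix", {})
        blocking.append({
            "id": vid,
            "severity": severity,
            "package": f'{match["artifact"]["name"]}@{match["artifact"]["version"]}',
            # Only report fix versions when grype marks the fix state as "fixed".
            "fixed_in": fix.get("versions", []) if fix.get("state") == "fixed" else [],
        })
    return (not blocking, blocking)


def run_workflow(image, allowlist=None, threshold="High", **paths):
    """Run the steps in order; sign, attest and verify only if the gate passes."""
    cmds = workflow_commands(image, **paths)
    subprocess.run(cmds["sbom"], check=True)
    subprocess.run(cmds["scan"], check=True)
    with open(cmds["scan"][-1]) as fh:  # last argv element is the report path
        passed, blocking = gate(json.load(fh), threshold, allowlist)
    if not passed:
        for b in blocking:
            print(f'BLOCKED {b["id"]} {b["severity"]} in {b["package"]} fixed_in={b["fixed_in"]}')
        return False
    for step in ("sign", "attest", "verify", "verify_attestation"):
        subprocess.run(cmds[step], check=True)
    return True


# Constructed grype-style report (placeholder IDs, not real advisories) covering the
# cases the gate must handle: a fixed Critical, an allowlisted High, a below-threshold
# Medium, and a High whose allowlist entry has expired.
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "relatedVulnerabilities": [{"id": "GHSA-0000-0000-0001", "severity": "Critical"}],
     "artifact": {"name": "libexample", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "relatedVulnerabilities": [],
     "artifact": {"name": "toolkit", "version": "2.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"versions": ["0.9.1"], "state": "fixed"}},
     "relatedVulnerabilities": [],
     "artifact": {"name": "helper", "version": "0.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
                       "fix": {"versions": [], "state": "unknown"}},
     "relatedVulnerabilities": [],
     "artifact": {"name": "runtime", "version": "3.1.0"}},
]}
SAMPLE_ALLOWLIST = {"CVE-0000-0002": "2026-06-30", "CVE-0000-0004": "2025-12-31"}

if __name__ == "__main__":
    ok, blocked = gate(SAMPLE_REPORT, "High", SAMPLE_ALLOWLIST, today="2026-01-15")
    print("gate passed:", ok)
    for b in blocked:
        print(b)
```

Running the script offline exercises only the gate: the Critical finding and the expired High block, the in-window High is accepted, and the Medium falls below the threshold. Calling run_workflow against a real image reference runs the CLI steps in order and refuses to sign anything the gate rejects, so a signature is only ever produced for an image whose scan you have looked at.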

Module 2: Building Hardened Images with Shipwright on OpenShift

This module focuses on platform-level image building and deployment:

  • Cloud Native Buildpacks: Implement source-to-image builds without Dockerfiles

  • Hummingbird Integration: Configure Buildpacks to use Hummingbird runtime images

  • Custom Strategies: Create multi-language BuildStrategy patterns for development teams

  • Security Pipeline: Integrate SBOM generation, scanning, and signing into builds

  • Production Deployment: Deploy built images to OpenShift namespaces

  • SELinux CI/CD: Automate udica policy generation with Tekton and distribute via MachineConfig

Expected Outcomes

You’ll have working Shipwright builds deploying Hummingbird-based applications with automated security controls and SELinux policies.

Lab Environment Access

You will execute the steps for this lab in the various tabs on the right:

  • Terminal: for executing command line tasks - for example connecting to your Red Hat Enterprise Linux virtual machine.

  • Red Hat OpenShift Console: for any tasks requiring the OpenShift user interface

  • Red Hat Quay Registry: to manage your container images

  • Red Hat Hardened Images: reference documentation

Go ahead and log into the various tabs:

  1. In the terminal window on your right, log into OpenShift:

    oc login -u {user} -p {password} https://api.cluster-PROVIDE-GUID.example.com:6443 --insecure-skip-tls-verify

    The --insecure-skip-tls-verify flag disables verification of the API server's TLS certificate. It is acceptable here only because this is a disposable lab cluster; do not carry it into production scripts or pipelines.

  2. Log into your OpenShift Console tab using the following credentials:

    Username:
    {user}
    Password:
    {password}
    The OpenShift console is also available in a separate window if you prefer:

    https://console-openshift-console.apps.cluster-PROVIDE-GUID.example.com

    Click Skip tour if the window appears.

  3. For pushing images to registries, Red Hat Quay is available in a tab on your right or, if you prefer, in a separate window at {quay_url}.

    Username:
    {quay_user}
    Password:
    {quay_password}

OpenShift Console (Module 2)

Key Technologies Covered

Container Tools:

  • Podman (rootless container runtime)

  • Buildah (container image building)

  • Skopeo (image inspection and distribution)

Security Tools:

  • cosign (image signing and verification)

  • syft (SBOM generation)

  • grype (pipeline vulnerability scanning)

Platform Technologies:

  • OpenShift 4.21

  • Builds for Red Hat OpenShift

  • Red Hat Quay (on-cluster container registry)

  • Cloud Native Buildpacks

  • Tekton Pipelines

Registries:

  • Workshop Registry (on-cluster Quay): {quay_console_url}

  • Hummingbird Source Registry: registry.access.redhat.com/hi

  • UBI Registry: registry.access.redhat.com/ubi9

Support and Feedback

If you encounter issues during the workshop:

  1. Check available troubleshooting tips in lab steps

  2. Reach out to workshop facilitators (if in instructor-led session)

Let’s get started building secure, minimal container images with Red Hat Hardened Images!