How to Deploy ClickHouse on Docker Hardened Images and Slip Past Security Blocks
Introduction
You've built a solid ClickHouse setup, your queries are fast, and your team is ready to push to production. But then your security scanner flags three critical CVEs in the base image, and your deployment gets stopped cold. The vulnerabilities aren't even in ClickHouse itself—they're in packages you never touch—but the scanner doesn't care. You need a way to keep security happy without spending days on risk exceptions or rebuilding everything from scratch.
This guide shows you exactly how to use Docker Hardened Images (DHI) to get your ClickHouse container from security-blocked to production-ready. You'll learn step by step how to choose, configure, scan, and deploy a hardened image that satisfies your security team while keeping your analytics stack humming.
What You Need
- A ClickHouse image you want to deploy (official or custom)
- Access to a container registry (e.g., AWS ECR, Docker Hub, or any OCI-compliant registry)
- A Kubernetes cluster (or any container runtime where you'll deploy)
- Familiarity with Docker CLI and basic Dockerfile syntax
- Your security team's scanner (e.g., Trivy, Snyk, Aqua) to verify results
- Docker Hardened Images subscription or access to a trusted DHI repository (like the ones provided by Iron Bank or Chainguard)
Step-by-Step Guide
Step 1: Understand the Block
Your pipeline scanner flagged CVEs in the base image of your ClickHouse container. These vulnerabilities exist in system packages (like glibc or openssl) that ClickHouse doesn't even use at runtime. Your security team isn't being unreasonable—they have policies that say any critical CVE blocks deployment.
What to do: Audit the scanner output. Note which packages are flagged and whether they're actually invoked by ClickHouse. Most of the time, they live in the layer added by the base OS (e.g., Alpine or Ubuntu). This understanding will guide your choice of hardened image in the next step.
Step 2: Choose a Docker Hardened Image for ClickHouse
A hardened image is one where all unnecessary packages have been stripped, and remaining ones are patched or pinned to known-safe versions. For ClickHouse, you have two main paths:
- Use a community-hardened base like chainguard/clickhouse or the CGR (ClickHouse Government-Regulated) images. These are minimal and scanned continuously.
- Build your own from a distroless base (e.g., gcr.io/distroless/cc) and add only ClickHouse binaries.
Tip: If your organization has a preferred hardened base (e.g., Red Hat UBI or Windows Server Core with latest patches), start there. The goal is a base image that reports zero critical CVEs.
Step 3: Construct Your Hardened Dockerfile
You'll layer the ClickHouse binary onto your chosen hardened base. Here's a minimal example using Chainguard's image:
FROM cgr.dev/chainguard/clickhouse:latest
COPY --from=clickhouse/clickhouse-server:latest /usr/bin/clickhouse /usr/bin/
COPY --from=clickhouse/clickhouse-server:latest /etc/clickhouse-server /etc/clickhouse-server
# Add any custom configs here
If you're building from scratch with a distroless base:
FROM gcr.io/distroless/base-debian12
COPY --from=clickhouse/clickhouse-server:latest /usr/bin/clickhouse /usr/bin/
COPY --from=clickhouse/clickhouse-server:latest /etc/clickhouse-server /etc/clickhouse-server
# Add libs if needed
Key point: Do not copy the entire ClickHouse image layers. Only copy the binaries and configuration files you need. This avoids pulling in vulnerable packages from the original base.
Step 4: Build and Tag the Image
Run your Docker build:
docker build -t your-registry/clickhouse-hardened:1.0 .
docker push your-registry/clickhouse-hardened:1.0
Make sure you tag it with a version that will be used in your Kubernetes manifests. Use semantic versioning or a datestamp for clarity.
Step 5: Scan the Hardened Image
Before even telling your security team, run your own scan using the same tool they use. For example, with Trivy:
trivy image your-registry/clickhouse-hardened:1.0
You should see zero critical or high CVEs. If any remain, check that they're in ClickHouse's own binaries (not the base). ClickHouse itself is well-maintained, but occasionally a transitive dependency might have a minor CVE.
Document the results. Save the scan output as evidence for your security team. This saves time when they review your deployment.
Step 6: Deploy to Kubernetes with Hardened Settings
Now that your image is clean, update your Kubernetes Deployment YAML. Make sure to:
- Reference the hardened image (e.g.,
image: your-registry/clickhouse-hardened:1.0) - Set
securityContextto drop capabilities and run as non-root user - Use
readOnlyRootFilesystem: trueif possible (ClickHouse needs write access to/var/lib/clickhousefor data, so mount a writable volume there) - Add resource limits for memory and CPU to prevent noisy neighbor issues
Example snippet:
securityContext:
runAsNonRoot: true
runAsUser: 101
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: false
volumeMounts:
- name: clickhouse-data
mountPath: /var/lib/clickhouse
Step 7: Test and Verify Functionality
Deploy a test pod and run a few simple queries to ensure ClickHouse starts correctly on the hardened image:
kubectl run clickhouse-test --image=your-registry/clickhouse-hardened:1.0 --restart=Never --command -- clickhouse-client --query "SELECT 1"
Check logs for any errors related to missing dependencies or permissions. If you used a distroless base, you might need to add ca-certificates or tzdata if ClickHouse tries to reach external services (like S3).
Tips and Conclusion
Using Docker Hardened Images transforms a security blocker into a quick fix. Here are a few pro tips to keep in mind:
- Maintain your own base image: Once you build a hardened ClickHouse image, automate its rebuild and scanning in your CI/CD pipeline. This ensures you always have a clean artifact ready for production.
- Don't skip the scan step. Even hardened images can accumulate CVEs over time. Run a weekly scan and rebuild if needed.
- Engage your security team early. Show them your hardened Dockerfile and scan results before deployment. They'll appreciate the proactive approach and trust your container more.
- Consider multi-stage builds. If you need to compile ClickHouse extensions or add plugins, use a full builder image and copy only the final binaries into your hardened base.
- Document the architecture. Your team should understand that ClickHouse's MergeTree engine works identically on a hardened image—only the OS layer changes. This reduces FUD during reviews.
By following these steps, you turn a security roadblock into a standard operating procedure. Your ClickHouse deployment becomes not only production-ready but also security-team-approved. The next time a CVE appears in a library you don't use, you'll already have the hardened image playbook ready.