How to Deploy ClickHouse on Docker Hardened Images and Slip Past Security Blocks

Introduction

You've built a solid ClickHouse setup, your queries are fast, and your team is ready to push to production. But then your security scanner flags three critical CVEs in the base image, and your deployment gets stopped cold. The vulnerabilities aren't even in ClickHouse itself—they're in packages you never touch—but the scanner doesn't care. You need a way to keep security happy without spending days on risk exceptions or rebuilding everything from scratch.

How to Deploy ClickHouse on Docker Hardened Images and Slip Past Security Blocks — Source: www.docker.com

This guide shows you exactly how to use Docker Hardened Images (DHI) to get your ClickHouse container from security-blocked to production-ready. You'll learn step by step how to choose, configure, scan, and deploy a hardened image that satisfies your security team while keeping your analytics stack humming.

What You Need

A ClickHouse image you want to deploy (official or custom)
Access to a container registry (e.g., AWS ECR, Docker Hub, or any OCI-compliant registry)
A Kubernetes cluster (or any container runtime where you'll deploy)
Familiarity with Docker CLI and basic Dockerfile syntax
Your security team's scanner (e.g., Trivy, Snyk, Aqua) to verify results
Docker Hardened Images subscription or access to a trusted DHI repository (like the ones provided by Iron Bank or Chainguard)

Step-by-Step Guide

Step 1: Understand the Block

Your pipeline scanner flagged CVEs in the base image of your ClickHouse container. These vulnerabilities exist in system packages (like glibc or openssl) that ClickHouse doesn't even use at runtime. Your security team isn't being unreasonable—they have policies that say any critical CVE blocks deployment.

What to do: Audit the scanner output. Note which packages are flagged and whether they're actually invoked by ClickHouse. Most of the time, they live in the layer added by the base OS (e.g., Alpine or Ubuntu). This understanding will guide your choice of hardened image in the next step.

Step 2: Choose a Docker Hardened Image for ClickHouse

A hardened image is one where all unnecessary packages have been stripped, and remaining ones are patched or pinned to known-safe versions. For ClickHouse, you have two main paths:

Use a community-hardened base like chainguard/clickhouse or the CGR (ClickHouse Government-Regulated) images. These are minimal and scanned continuously.
Build your own from a distroless base (e.g., gcr.io/distroless/cc) and add only ClickHouse binaries.

Tip: If your organization has a preferred hardened base (e.g., Red Hat UBI or Windows Server Core with latest patches), start there. The goal is a base image that reports zero critical CVEs.

Step 3: Construct Your Hardened Dockerfile

You'll layer the ClickHouse binary onto your chosen hardened base. Here's a minimal example using Chainguard's image:

FROM cgr.dev/chainguard/clickhouse:latest
COPY --from=clickhouse/clickhouse-server:latest /usr/bin/clickhouse /usr/bin/
COPY --from=clickhouse/clickhouse-server:latest /etc/clickhouse-server /etc/clickhouse-server
# Add any custom configs here

If you're building from scratch with a distroless base:

FROM gcr.io/distroless/base-debian12
COPY --from=clickhouse/clickhouse-server:latest /usr/bin/clickhouse /usr/bin/
COPY --from=clickhouse/clickhouse-server:latest /etc/clickhouse-server /etc/clickhouse-server
# Add libs if needed

Key point: Do not copy the entire ClickHouse image layers. Only copy the binaries and configuration files you need. This avoids pulling in vulnerable packages from the original base.

Step 4: Build and Tag the Image

Run your Docker build:

docker build -t your-registry/clickhouse-hardened:1.0 .
docker push your-registry/clickhouse-hardened:1.0

Make sure you tag it with a version that will be used in your Kubernetes manifests. Use semantic versioning or a datestamp for clarity.

Step 5: Scan the Hardened Image

Before even telling your security team, run your own scan using the same tool they use. For example, with Trivy:

trivy image your-registry/clickhouse-hardened:1.0

You should see zero critical or high CVEs. If any remain, check that they're in ClickHouse's own binaries (not the base). ClickHouse itself is well-maintained, but occasionally a transitive dependency might have a minor CVE.

Document the results. Save the scan output as evidence for your security team. This saves time when they review your deployment.

Step 6: Deploy to Kubernetes with Hardened Settings

Now that your image is clean, update your Kubernetes Deployment YAML. Make sure to:

Reference the hardened image (e.g., image: your-registry/clickhouse-hardened:1.0)
Set securityContext to drop capabilities and run as non-root user
Use readOnlyRootFilesystem: true if possible (ClickHouse needs write access to /var/lib/clickhouse for data, so mount a writable volume there)
Add resource limits for memory and CPU to prevent noisy neighbor issues

Example snippet:

securityContext:
  runAsNonRoot: true
  runAsUser: 101
  capabilities:
    drop: ["ALL"]
  readOnlyRootFilesystem: false
volumeMounts:
- name: clickhouse-data
  mountPath: /var/lib/clickhouse

Step 7: Test and Verify Functionality

Deploy a test pod and run a few simple queries to ensure ClickHouse starts correctly on the hardened image:

kubectl run clickhouse-test --image=your-registry/clickhouse-hardened:1.0 --restart=Never --command -- clickhouse-client --query "SELECT 1"

Check logs for any errors related to missing dependencies or permissions. If you used a distroless base, you might need to add ca-certificates or tzdata if ClickHouse tries to reach external services (like S3).

Tips and Conclusion

Using Docker Hardened Images transforms a security blocker into a quick fix. Here are a few pro tips to keep in mind:

Maintain your own base image: Once you build a hardened ClickHouse image, automate its rebuild and scanning in your CI/CD pipeline. This ensures you always have a clean artifact ready for production.
Don't skip the scan step. Even hardened images can accumulate CVEs over time. Run a weekly scan and rebuild if needed.
Engage your security team early. Show them your hardened Dockerfile and scan results before deployment. They'll appreciate the proactive approach and trust your container more.
Consider multi-stage builds. If you need to compile ClickHouse extensions or add plugins, use a full builder image and copy only the final binaries into your hardened base.
Document the architecture. Your team should understand that ClickHouse's MergeTree engine works identically on a hardened image—only the OS layer changes. This reduces FUD during reviews.

By following these steps, you turn a security roadblock into a standard operating procedure. Your ClickHouse deployment becomes not only production-ready but also security-team-approved. The next time a CVE appears in a library you don't use, you'll already have the hardened image playbook ready.