When deploying ClickHouse in enterprise environments, security scanners often block deployments due to CVEs in the Ubuntu base image rather than in ClickHouse itself. Docker Hardened Images (DHI) solve this by shipping only what ClickHouse actually needs, removing unnecessary packages like wget, curl, and apt entirely. The result is zero medium-severity CVEs (down from 8), SLSA Level 3 provenance, non-root execution by default, and CIS/NIST/FedRAMP alignment. The post covers getting started with DHI ClickHouse, production Docker and Kubernetes configurations, custom config mounting, a Prometheus metrics exporter, debugging strategies using docker debug, and a migration checklist. Volume mounts, ports, and XML configs carry over unchanged.

13m read time. From docker.com
Table of contents
A Quick Word on ClickHouse
The Real Problem: It’s Not ClickHouse, It’s the Packaging
What DHI Actually Changes
Getting Started
Running DHI ClickHouse on Kubernetes
Debugging without the usual tools
ClickHouse: Non-hardened Image vs. Hardened Image Compared
The Security Team Conversation
Migration Checklist
Resources
