Docker & KubernetesImage production nên dùng base image nhỏ, pin version, giảm packages thừa, chạy non-root, không chứa secrets, scan vulnerabilities, ký/verify image nếu pipeline yêu cầu và cập nhật dependency đều đặn.
Ví dụ non-root:
RUN addgroup -S app && adduser -S app -G app
USER appDistroless hoặc slim image có thể giảm surface, nhưng cần đảm bảo observability/debug strategy vì image quá tối giản có thể thiếu shell/tools khi xử lý incident.
A production image should use a small base image, pinned versions, fewer unnecessary packages, non-root runtime, no secrets, vulnerability scanning, image signing/verification when required by the pipeline and regular dependency updates.
Non-root example:
RUN addgroup -S app && adduser -S app -G app
USER appDistroless or slim images can reduce surface area, but make sure observability and debugging strategy are ready because very minimal images may lack shells/tools during incidents.