Migrating to Distroless Images Enhances Security by Adopting Minimal, Zero-CVE Container Images
Client: Major Australian Bank
Challenge
The client ran its banking services as microservices built on CentOS 7. Because the distribution was no longer receiving security updates, they had to accept nearly 300 known CVEs in their production environment, which put their compliance requirements at risk. They also faced the approaching end-of-life deadline for CentOS 7 itself.
Our approach
KloudEasy designed and led a phased migration to distroless container images to significantly reduce the runtime attack surface. Distroless base runtime images for JRE, Node.js and Python were built, each with integrated SBOM generation to improve software supply chain transparency and vulnerability management. Golden path pipelines, debugging tooling, and developer enablement practices were established, enabling engineering teams to efficiently transition to distroless images.
Outcomes
- Reduced OS-level vulnerabilities from 300 to 0
- Accelerated CA certificate migration from 3-6 months to 2-3 weeks
- Achieved compliance with security standards through minimal container images
- Enabled smooth adoption of distroless images across engineering teams
Background
Our client is a major Australian bank with a comprehensive suite of digital banking services. Their microservices architecture was built on CentOS 7, but as support ended, they faced significant security and compliance challenges that threatened their production environment stability.
The Challenge
The bank's microservices ran on CentOS 7, which had reached end-of-life. This left them with:
- Nearly 300 known CVEs in production environments
- Compliance risks due to unpatched vulnerabilities
- The impending end-of-life deadline for CentOS 7
- Complex CA certificate migration processes taking 3-6 months
These issues posed significant risks to their regulatory compliance and operational security.
Our Approach
KloudEasy partnered with the bank for a 16-week engagement to implement a comprehensive distroless migration strategy:
Phase 1 — Requirements Analysis (Weeks 1–2)
We ran targeted workshops with architecture, security, and platform teams to:
- Inventory existing CentOS 7 microservice runtimes and dependency graphs
- Quantify the 300+ CVEs and map them to service boundaries
- Capture CA certificate lifecycle requirements and migration risks
- Define regulatory compliance gates (PCI DSS, APRA CPS 234) for the container platform
Phase 2 — Solution Design (Weeks 3–4)
We designed an end-to-end distroless migration blueprint covering:
- Distroless base image strategy for Java, Node.js, and Python workloads
- SBOM generation and ingestion into security scanning pipelines
- Golden-path CI/CD design with validation, canary rollout, and rollback paths
- Debug tooling and human-in-the-loop patterns for distroless issue triage
- CA certificate migration workflow with automated trust chain validation
Phase 3 — Distroless Image Development (Weeks 5–8)
We built custom distroless base images including:
- Base runtime images for JRE, Node.js, and Python
- Integration of Software Bill of Materials (SBOM) for transparency
- Security-hardened configurations with zero OS-level vulnerabilities
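As an added illustration of the Phase 3 image pattern (this is not the bank's or KloudEasy's actual image definition), the Dockerfile below builds a Java service on a full JDK image and ships only the runtime artefact on a Google distroless JRE base. The project layout (a Maven wrapper at ./mvnw producing target/*.jar), the /workspace and /app paths, and the image tag are assumptions for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the client's or KloudEasy's image. Assumed: a Maven
# project with ./mvnw that produces a single executable JAR under target/.

# --- Stage 1: build on a full toolchain image. Nothing from this stage is
# shipped, so the JDK, Maven, and their CVEs never reach production. ---
FROM eclipse-temurin:17-jdk AS build
WORKDIR /workspace
COPY . .
RUN ./mvnw -q -DskipTests package \
 && cp target/*.jar app.jar

# --- Stage 2: runtime on distroless. No shell, no package manager, no apt
# database: only the JRE, libc, CA bundle, tzdata and the application. ---
# The :nonroot tag runs as UID 65532, so the process does not start as root.
FROM gcr.io/distroless/java17-debian12:nonroot
WORKDIR /app
COPY --from=build --chown=nonroot:nonroot /workspace/app.jar /app/app.jar
USER nonroot
EXPOSE 8080
# Distroless Java images already set ENTRYPOINT to the java binary, so CMD
# supplies only the arguments.
CMD ["-jar", "/app/app.jar"]
```

To attach an SBOM at build time, `docker buildx build --sbom=true -t app:1.0 .` records an SPDX attestation alongside the image; the same inventory can be produced after the fact with `syft app:1.0 -o spdx-json > sbom.spdx.json` and gated in CI with `grype sbom:sbom.spdx.json --fail-on high`. Because a distroless image has no shell or package manager, the CA bundle and other OS files can only change through a rebuild of the base image, which is what turns certificate rotation into a pipeline run rather than a per-host change. For triage, the `:debug` variant of the same base adds a busybox shell and is intended for troubleshooting images only, never for the production tag.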
Phase 4 — Golden Path Pipelines (Weeks 9–12)
We developed:
- CI/CD pipelines optimised for distroless image builds
- Debugging tools and images for troubleshooting distroless environments
- Automated testing frameworks for distroless compatibility
- Documentation and training materials for engineering teams
Phase 5 — Migration and Certificate Management (Weeks 13–16)
We executed:
- Phased rollout of distroless images across microservices
- Streamlined CA certificate migration processes
- Parallel testing environments for validation
- Go-live support and monitoring
Outcomes
The migration was completed successfully, transforming the bank's container security posture:
- Vulnerabilities: Reduced OS-level CVEs from 300 to 0 across all microservices
- Certificate Migration: Accelerated from 3-6 months to 2-3 weeks for engineering teams
- Compliance: Achieved full compliance with banking security standards
- Adoption: Smooth transition for engineering teams with comprehensive tooling support
- Security: Established foundation for zero-trust container deployments