Minimal Base Images and Distroless Containers

A default debian:bookworm image ships with over 100 known CVEs before you write a single line of application code. Shells, package managers, coreutils, network tools: none of it is needed to run your binary, but all of it expands your attack surface. Your base image choice is your first security decision, and most teams get it wrong by defaulting to whatever their language's official image provides.
The CKS exam tests this under the Supply Chain Security domain (20%). Minimizing base image footprint, choosing between distroless and scratch, and using Trivy to compare CVE counts are all fair game. Kubernetes itself migrated every core component to distroless starting in v1.15, and understanding why tells you everything about the security model.
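As an added example (not part of the lesson or of Trivy itself), here is a small Python CI gate that parses Trivy's JSON report format and compares CVE counts between a Debian base and a distroless image. The scan data below is constructed, with placeholder CVE IDs and only the subset of Trivy's fields the script reads, and the 0-CRITICAL/0-HIGH threshold is an assumed policy, not a CKS requirement.

```python
import json
from collections import Counter

# Constructed sample of Trivy's JSON report (`trivy image -f json -o report.json IMAGE`),
# trimmed to the fields this script reads. CVE IDs and package names are placeholders,
# not findings from a real scan of either image.
DEBIAN_SCAN = json.dumps({
    "ArtifactName": "debian:bookworm",
    "Results": [{
        "Target": "debian:bookworm (debian 12)", "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libc6", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2099-0002", "PkgName": "bash", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2099-0003", "PkgName": "apt", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2099-0004", "PkgName": "coreutils", "Severity": "LOW"},
        ]}]})
DISTROLESS_SCAN = json.dumps({
    "ArtifactName": "gcr.io/distroless/static-debian12",
    "Results": [{"Target": "gcr.io/distroless/static-debian12 (debian 12)",
                 "Class": "os-pkgs", "Vulnerabilities": []}]})

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

def count_cves(report_json):
    """Return {severity: count} across every Result in a Trivy report.
    Trivy omits the Vulnerabilities key (or emits null) for a clean target, so default to []."""
    report = json.loads(report_json)
    counts = Counter()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}

def compare(base_json, minimal_json):
    """CVEs removed per severity by switching from the base image to the minimal one."""
    base, minimal = count_cves(base_json), count_cves(minimal_json)
    return {sev: base[sev] - minimal[sev] for sev in SEVERITIES}

def gate(report_json, max_critical=0, max_high=0):
    """Assumed CI policy: fail the build when CRITICAL or HIGH findings exceed the allowance."""
    counts = count_cves(report_json)
    return counts["CRITICAL"] <= max_critical and counts["HIGH"] <= max_high

if __name__ == "__main__":
    for name, scan in (("debian:bookworm", DEBIAN_SCAN), ("distroless/static", DISTROLESS_SCAN)):
        print(name, count_cves(scan), "gate:", "PASS" if gate(scan) else "FAIL")
    print("removed by switching:", compare(DEBIAN_SCAN, DISTROLESS_SCAN))
```

The same script applies unchanged to a real report written with `trivy image -f json`; a scratch image shows up with no OS detected and therefore no os-pkgs findings at all, so the gate passes trivially for it.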
CKS — Certified Kubernetes Security Specialist
25 lessons