Production Readiness: Health and Secrets
A hardened image still needs to be operationally ready. In this final lesson we focus on one theme: production readiness. We add a HEALTHCHECK — a command the platform runs periodically, and when it fails the orchestrator knows the container is unhealthy and can restart it or stop routing traffic to
Put a heartbeat monitor on the door (healthcheck) so they know the app is alive, and don't tape the password to the wall inside the box (secrets) — hand it over only once the box is already running.
- healthcheck
- The HEALTHCHECK instruction defines a command that tests whether the app is healthy. The platform runs it periodically and, from the result, knows whether the container is alive or needs a restart.
- runtime secrets
- Passwords and keys injected into the container when it runs — via environment variables or a secret manager — rather than baked into the image. This keeps the secret out of the layers stored in the registry.
- image layers in the registry
- An image is built from immutable layers stored in the registry. Each layer is kept separately, so if one layer added a secret, deleting it in a later layer does not remove it from the history — it can still be extracted.