I have a .NET application running in DOCKER and need to configure container health checks. Currently I see a few options:

Option 1

Install curl in the runtime image.

Use Docker HEALTHCHECK with a command such as:

HEALTHCHECK CMD curl -f http://localhost:8080/health/ready || exit 1
Option 2

Use an image such as aspnet:10.0-alpine that already contains wget.

Use wget for the health check.

Option 3

Create a custom executable or .NET program that calls the application’s health endpoint and returns an appropriate exit code.

Use that executable in the Docker HEALTHCHECK.

My concern is that installing additional tools such as curl or wget increases the image surface area and may introduce additional security considerations.

Is there a recommended or more idiomatic approach for health checks in .NET containers that avoids adding extra packages while still working well with Docker and orchestrators such as Kubernetes?

How are others handling health checks in production .NET containers?

Option 3 is the recommended approach. Make sure neither curl or wget are actually included in the image. If the language you are using compiles binaries or at least bytecode, then use it to create a custom healtcheck call and use in the HEALTHCHECK instruction of your Dockerfile (which Kubernetes ignores btw).

Option 2 and.1 are the same for me, with the slight difference that you might need to install an additional OS package for curl. Those options make sense for those that have no idea how to develop a custom healthcheck bin (or know how to make an AI coding agent create it for them).

Furthermore, I can only recommend to create your image in a way, that it allows running containers with read-only filesystem (=persisting data in volumes is still working of course) and runs as unprivileged container with an unprivileged user.