ILZ trusts Chainguard and Puzzle to secure Kubernetes infrastructure for critical public services
InformatikLeistungsZentrum (ILZ) operates in the public sector, serving as the central backbone and trusted technology partner for two cantons in Switzerland. ILZ provides critical infrastructure, platforms, and software services to municipalities, schools, police, and other public-sector organizations, supporting systems where security, reliability, and availability are non-negotiable.
ILZ operates multiple data centers, runs hundreds of software products, and supports thousands of customers, all within a highly regulated environment.
The challenge
ILZ’s infrastructure plays a critical role in ensuring secure, reliable, and continuously available digital services that support essential public operations and citizen-facing systems.
Like many organizations running large Kubernetes platforms, ILZ relies heavily on open source software. However, existing container image options introduced significant challenges, including high CVE exposure, rising costs, and long-term vendor risk. These issues were especially concerning given ILZ’s public-sector obligations and the critical infrastructure hosted in its data centers. Javier García, Enterprise Information Technology Architect at ILZ, identified this trend early and set a goal of transitioning to 0-CVE images for container-based deployments.
With Kubernetes as the backbone of its platform, hosting core services for observability, monitoring, and messaging, ILZ needed a way to dramatically reduce supply chain risk without disrupting workloads, rearchitecting applications, or building and maintaining container images in-house. This included core platform components such as Prometheus, Grafana, Thanos, and Node Exporter, which are foundational to ILZ’s operational visibility and reliability.
The solution
To address these challenges, ILZ partnered with Puzzle ITC, a technology partner with deep expertise in Kubernetes, open source, and enterprise public-sector environments. Puzzle worked closely with Raffael Hertle, Senior Systems Architect at ILZ and Lead Architect of the Kubernetes platform, to evaluate secure container image options and define a low-risk path forward.
Puzzle recommended Chainguard based on its strong alignment with ILZ’s requirements: enterprise-grade SLAs, credibility in the open source ecosystem, and a broad catalog of hardened images that closely track upstream projects. To support a platform-wide approach, ILZ adopted Chainguard’s full catalog subscription model, giving the team access to the complete range of hardened container images as its Kubernetes platform continues to evolve.
For Raffael, the decision to adopt Chainguard came down to trust in Chainguard’s open source leadership and long-term viability. “The commitment of Chainguard’s founders to open source, especially in creating Cosign and helping build the Sigstore ecosystem, is hugely important to us,” he said.
With so much public infrastructure relying on ILZ, the team also needed guarantees beyond best-effort support. Chainguard’s enterprise SLAs provided the safety net ILZ required to meet its regulatory and operational responsibilities.
From Puzzle’s perspective, the partnership enabled a repeatable, low-risk migration approach for public-sector customers. “The close collaboration with Chainguard, combined with their excellent training courses and resources, has been a game-changer,” said Christoph Raaflaub, Platform Architect at Puzzle. “It empowers us to confidently present the solution and provide high-level support to our customers during their migration journey.”
Working together, ILZ and Puzzle implemented Chainguard Containers across ILZ’s Kubernetes platform, which runs on VMware vSphere Kubernetes Services. Core platform services were deployed using Chainguard Helm charts, and the rollout focused on replacing existing image references with Chainguard equivalents, requiring minimal configuration changes and no architectural overhaul.
The results
The implementation happened quickly. Puzzle’s Christoph and ILZ’s Raffael collaborated on the rollout of Chainguard Containers across ILZ’s Kubernetes clusters while keeping existing workloads fully operational. In total, more than 20 container images were updated within the first 24 hours. Christoph explained, “Thanks to Chainguard’s excellent documentation, Raffael was able to handle the migration very independently with only light support from my side. Chainguard’s promise of a seamless drop-in replacement was absolutely validated in practice.”
The best part? “Nothing changed—everything was up within minutes,” Raffael said. “My security brain can rest.”
From Javier García’s perspective, the results were remarkable: ILZ reduced its container-related CVE count from more than 10,000 to zero. This measurable improvement gave the team confidence that its Kubernetes backbone now meets the strict security and compliance expectations required for public-sector infrastructure.
With both Chainguard and a reliable partnership with Puzzle in place, ILZ now operates with greater peace of mind, knowing its container supply chain is backed by enterprise SLAs and supported by vendors aligned with open source best practices. The result is a more secure, stable platform that allows ILZ to focus on reliably supporting the critical services its customers depend on.