I'm working on some "common sense" hardening of one of my docker containers and my line of thinking suggests that I could attempt to uninstall APK and PIP from the Alpine Linux image after I finish installing all of my dependencies.
I'm having a hard time finding any information on doing so. My line of thinking is that the container is ephemeral so there would never be a need to install anything to a running container.
You should be able to remove pip by uninstalling the py-pip package:

    apk del py-pip

Followed by deleting pip's cache:

    # rm -rf /<HOME_DIR>/.cache/pip

Then, for removing apk, delete the apk binary and folders:

    # rm -f /sbin/apk
    # rm -rf /etc/apk
    # rm -rf /lib/apk
    # rm -rf /usr/share/apk
    # rm -rf /var/lib/apk
I haven't done Docker hardening/jailing myself, but removing the package manager seems like a common practice for reducing the possible attack surface. Here's an interesting post taking a similar approach:
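The steps from the answer above folded into an image build, as an added example that is not part of the answer (requirements.txt and app.py are assumed placeholders). It uses the official python:3.12-alpine image, where pip is installed by ensurepip rather than by an apk package, so pip is removed with pip uninstall instead of apk del and the ensurepip module is deleted so nothing can put it back; the apk removals are the ones listed in the answer, and the build fails if either tool is still reachable.

```dockerfile
# Added example, not from the answer above; requirements.txt and app.py are placeholders.
FROM python:3.12-alpine

WORKDIR /app
COPY requirements.txt .

# Everything happens in one RUN so the removed tooling never lands in a
# committed layer that is still readable in the image history.
RUN set -eux; \
    # 1. build-time packages for dependencies that compile C extensions
    apk add --no-cache --virtual .build-deps gcc musl-dev; \
    pip install --no-cache-dir -r requirements.txt; \
    apk del .build-deps; \
    # 2. pip comes from ensurepip in this image, not from apk: uninstall it
    #    with pip, then delete the bundled wheel ensurepip would reinstall from
    pip uninstall -y pip; \
    rm -rf /root/.cache/pip /usr/local/lib/python3.12/ensurepip; \
    # 3. apk: binary, configuration, signing keys and installed-package database
    rm -f /sbin/apk; \
    rm -rf /etc/apk /lib/apk /usr/share/apk /var/lib/apk; \
    # 4. fail the build if either tool can still be found
    if command -v apk || command -v pip || python -m pip --version; then \
        echo "package tooling still present" >&2; exit 1; \
    fi

COPY app.py .
USER nobody
CMD ["python", "app.py"]
```

Removing /lib/apk also deletes /lib/apk/db/installed, the database that image vulnerability scanners read to identify Alpine packages, so scan the image before this step (or in a stage that still has the database) rather than after it.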