diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba9a03670..bbb5385da 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,8 @@ All notable changes to this project will be documented in this file.
 - hive: check for correct permissions and ownerships in /stackable folder via
 `check-permissions-ownership.sh` provided in stackable-base image ([#1040]).
 - spark-connect-client: A new image for Spark connect tests and demos ([#1034])
+- kafka: check for correct permissions and ownerships in /stackable folder via
+ `check-permissions-ownership.sh` provided in stackable-base image ([#1041]).
 - nifi: check for correct permissions and ownerships in /stackable folder via
 `check-permissions-ownership.sh` provided in stackable-base image ([#1027]).
 - opa: check for correct permissions and ownerships in /stackable folder via
@@ -37,6 +39,7 @@ All notable changes to this project will be documented in this file.
 - hadoop: reduce docker image size by removing the recursive chown/chmods in the final image ([#1029]).
 - hbase: reduce docker image size by removing the recursive chown/chmods in the final image ([#1028]).
 - hive: reduce docker image size by removing the recursive chown/chmods in the final image ([#1040]).
+- kafka: reduce docker image size by removing the recursive chown/chmods in the final image ([#1041]).
 - nifi: reduce docker image size by removing the recursive chown/chmods in the final image ([#1027]).
 - opa: reduce docker image size by removing the recursive chown/chmods in the final image ([#1038]).
 - spark-k8s: reduce docker image size by removing the recursive chown/chmods in the final image ([#1042]).
@@ -51,6 +54,7 @@ All notable changes to this project will be documented in this file.
 [#1038]: https://github.com/stackabletech/docker-images/pull/1038
 [#1039]: https://github.com/stackabletech/docker-images/pull/1039
 [#1040]: https://github.com/stackabletech/docker-images/pull/1040
+[#1041]: https://github.com/stackabletech/docker-images/pull/1041
 [#1042]: https://github.com/stackabletech/docker-images/pull/1042
 [#1044]: https://github.com/stackabletech/docker-images/pull/1044
 [#1050]: https://github.com/stackabletech/docker-images/pull/1050
diff --git a/kafka/Dockerfile b/kafka/Dockerfile
index 8005550fb..2d0ec6194 100644
--- a/kafka/Dockerfile
+++ b/kafka/Dockerfile
@@ -27,30 +27,35 @@ WORKDIR /stackable COPY --chown=${STACKABLE_USER_UID}:0 kafka/stackable/patches/apply_patches.sh /stackable/kafka-${PRODUCT}-src/patches/apply_patches.sh COPY --chown=${STACKABLE_USER_UID}:0 kafka/stackable/patches/${PRODUCT} /stackable/kafka-${PRODUCT}-src/patches/${PRODUCT} +COPY --chown=${STACKABLE_USER_UID}:0 kafka/stackable/jmx/ /stackable/jmx/ -RUN curl "https://repo.stackable.tech/repository/packages/kafka/kafka-${PRODUCT}-src.tgz" | tar -xzC . && \ - cd kafka-${PRODUCT}-src && \ - ./patches/apply_patches.sh ${PRODUCT} && \ - # TODO: Try to install gradle via package manager (if possible) instead of fetching it from the internet - # We don't specify "-x test" to skip the tests, as we might bump some Kafka internal dependencies in the future and - # it's a good idea to run the tests in this case. - ./gradlew clean releaseTarGz && \ - ./gradlew cyclonedxBom && \ - tar -xf core/build/distributions/kafka_${SCALA}-${PRODUCT}.tgz -C /stackable && \ - cp build/reports/bom.json /stackable/kafka_${SCALA}-${PRODUCT}.cdx.json && \ - rm -rf /stackable/kafka_${SCALA}-${PRODUCT}/site-docs/ && \ - rm -rf /stackable/kafka-${PRODUCT}-src +RUN < /stackable/package_manifest.txt +chown ${STACKABLE_USER_UID}:0 /stackable/package_manifest.txt +chmod g=u /stackable/package_manifest.txt rm -rf /var/cache/yum ln -s /stackable/bin/kcat-${KCAT} /stackable/bin/kcat +chown -h ${STACKABLE_USER_UID}:0 /stackable/bin/kcat # kcat was located in /stackable/kcat - legacy ln -s /stackable/bin/kcat /stackable/kcat +chown -h ${STACKABLE_USER_UID}:0 /stackable/kcat ln -s /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka +chown -h ${STACKABLE_USER_UID}:0 /stackable/kafka -# All files and folders owned by root group to support running as arbitrary users. -# This is best practice as all container users will belong to the root group (0). 
-chown -R ${STACKABLE_USER_UID}:0 /stackable -chmod -R g=u /stackable +# fix missing permissions +chmod g=u /stackable/bin +chmod g=u /stackable/jmx +chmod g=u /stackable/kafka_${SCALA}-${PRODUCT} +EOF + +# ---------------------------------------- +# Checks +# This section is to run final checks to ensure the created final images +# adhere to several minimal requirements like: +# - check file permissions and ownerships +# ---------------------------------------- + +# Check that permissions and ownership in /stackable are set correctly +# This will fail and stop the build if any mismatches are found. +RUN <