Harden Docker Container Images

To ease the process of hardening Docker images, Istio provides a set of images based on distroless images.

Install distroless images

Follow the Installation Steps to set up Istio. To use the distroless images, pass the following parameter to Helm.

For Option 1, use:

$ helm template [...] --set global.tag=1.3.0-distroless

For Option 2, use:

$ helm install [...] --set global.tag=1.3.0-distroless
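
To confirm that the tag override took effect, the rendered manifests can be checked before they are applied. The script below is an added example, not part of the Istio documentation: the function names and the sample manifest (including the `registry.example` hub) are constructed for illustration, and it assumes images appear as plain `image:` keys in the YAML.

```shell
#!/bin/sh
# Added example: list images in rendered manifests whose tag is not "-distroless".

# Reads Kubernetes YAML on stdin and prints each offending image reference once.
# Untagged and digest-pinned references are reported too, because the variant
# cannot be confirmed from the reference alone.
# Returns 0 when every image ends in "-distroless", 1 otherwise.
non_distroless_images() {
  offenders=$(
    sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' |
      tr -d "\"'" |
      sed 's/[[:space:]]*$//' |
      sort -u |
      grep -v -e '-distroless$' || true
  )
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# Constructed sample standing in for `helm template [...]` output.
sample_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-pilot
spec:
  template:
    spec:
      containers:
        - name: discovery
          image: "registry.example/istio/pilot:1.3.0-distroless"
          imagePullPolicy: IfNotPresent
        - name: istio-proxy
          image: registry.example/istio/proxyv2:1.3.0
        - image: registry.example/addons/dashboard
          name: dashboard
EOF
}

# Demo run on the sample; the guard keeps a non-zero result from aborting the script.
sample_manifest | non_distroless_images || echo "images listed above are not distroless" >&2
```

In practice, pipe the output of the `helm template` command into `non_distroless_images` and fail the pipeline on a non-zero exit status. Any image the `global.tag` setting does not control shows up in the list.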

Benefits

Non-essential executables and libraries are no longer part of the images when using the distroless variant.

  • The attack surface is reduced: the images include the smallest possible set of vulnerabilities.
  • The images are smaller, which allows faster start-up.

See also the Why should I use distroless images? section in the official distroless README.