Harden Docker Container Images
To ease the process of hardening docker images, Istio provides a set of images based on distroless images
Install distroless images
You should follow the Installation Steps to setup Istio. You can pass the following parameter to
helm to use the distroless images
For Option 1 use
$ helm template [...] --set global.tag=1.4.0-distroless
For Option 2
$ helm install [...] --set global.tag=1.4.0-distroless
Non-essential executables and libraries are no longer part of the images when using the distroless variant.
- The attack surface is reduced. Include the smallest possible set of vulnerabilities.
- The images are smaller, which allows faster start-up.
See also the Why should I use distroless images? section in the official distroless README.