Harden Docker Container Images

Istio’s default images are based on Ubuntu with some extra tools added. An alternative image based on distroless images is also available.

These images strip all non-essential executables and libraries, offering the following benefits:

  • The attack surface is reduced, since the images ship with the smallest possible set of packages and therefore of vulnerabilities.
  • The images are smaller, which allows faster start-up.

See also the Why should I use distroless images? section in the official distroless README.

Install distroless images

Follow the Installation Steps to set up Istio. Add the variant option to use the distroless images.

  $ istioctl install --set values.global.variant=distroless

If you are only interested in using distroless images for injected proxy images, you can also use the proxyImage field in Proxy Config. Note that the variant flag above sets this for you automatically.
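Switching the variant only takes effect for proxies injected after the change, so it is worth checking which image each running sidecar actually uses. The script below is an added example, not part of the Istio documentation or the Istio project: it classifies container image references by variant and lists every istio-proxy container that is not running a distroless build. It assumes that Istio publishes the distroless variant under tags ending in -distroless (as in istio/proxyv2:<version>-distroless) and the Ubuntu-based variant under the bare version tag; the pod listing, the version numbers and all pod names other than the one quoted on this page are constructed.

```shell
#!/bin/sh
# Added example (not Istio project code): find sidecars that are not running
# the distroless proxy variant. Assumes distroless builds are tagged
# "<version>-distroless" and the default (Ubuntu-based) builds carry the bare
# version tag.

# classify_image IMAGE_REF -> prints "distroless" or "default".
# A digest-pinned reference without a tag cannot be classified by name and is
# reported as "default" so that it gets looked at.
classify_image() {
    image=$1
    ref=${image%%@*}          # drop any "@sha256:..." digest
    last=${ref##*/}           # last path segment, e.g. "proxyv2:1.20.0"
    case "$last" in
        *:*) tag=${last##*:} ;;   # everything after the final ':'
        *)   tag="" ;;            # no tag at all
    esac
    case "$tag" in
        *-distroless) echo distroless ;;
        *)            echo default ;;
    esac
}

# non_distroless_proxies LISTING -> prints "namespace/pod image" for every
# istio-proxy container whose image is not a distroless build.
# LISTING has one line per container: "<namespace> <pod> <container> <image>",
# the shape you would get from kubectl with custom columns.
non_distroless_proxies() {
    printf '%s\n' "$1" | while read -r ns pod container image; do
        [ "$container" = "istio-proxy" ] || continue
        if [ "$(classify_image "$image")" != distroless ]; then
            printf '%s/%s %s\n' "$ns" "$pod" "$image"
        fi
    done
}

# count_non_distroless_proxies LISTING -> prints the number of offending sidecars.
count_non_distroless_proxies() {
    non_distroless_proxies "$1" | {
        n=0
        while read -r _; do n=$((n + 1)); done
        echo "$n"
    }
}

# Constructed sample listing (versions, digest and most pod names are made up).
SAMPLE_LISTING='default app-65c6749c9d-t549t app docker.io/library/nginx:1.25
default app-65c6749c9d-t549t istio-proxy docker.io/istio/proxyv2:1.20.0-distroless
default legacy-7d9f8b6c4-xk2pq istio-proxy docker.io/istio/proxyv2:1.20.0
istio-system istiod-6b7d8c9f5-abcde discovery docker.io/istio/pilot:1.20.0-distroless
payments api-5f6d7c8b9-qwert istio-proxy docker.io/istio/proxyv2@sha256:0000000000000000000000000000000000000000000000000000000000000000'

echo "Sidecars not running the distroless variant:"
non_distroless_proxies "$SAMPLE_LISTING"
echo "Total: $(count_non_distroless_proxies "$SAMPLE_LISTING")"
```

Against the sample listing the script reports the legacy pod (plain version tag) and the payments pod (digest-only reference) and ignores the application containers and istiod. To run it against a live cluster, replace SAMPLE_LISTING with the output of a kubectl query that emits one "namespace pod container image" line per container.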

Debugging

Distroless images are missing all debugging tools (including a shell!). While great for security, this limits the ability to do ad-hoc debugging using kubectl exec into the proxy container.

Fortunately, Ephemeral Containers can help here. kubectl debug can attach a temporary container to a pod. By using an image with extra tools, we can debug as we used to:

  $ kubectl debug --image istio/base --target istio-proxy -it app-65c6749c9d-t549t
  Defaulting debug container name to debugger-cdftc.
  If you don't see a command prompt, try pressing enter.
  root@app-65c6749c9d-t549t:/# curl example.com

This deploys a new ephemeral container using the istio/base image. This is the same base image used in non-distroless Istio images, and it contains a variety of tools useful for debugging Istio. However, any image will work. The container is also attached to the process namespace of the sidecar proxy (--target istio-proxy) and the network namespace of the pod.