Use gcr.io/distroless and self-built Envoys to have more control and to reduce dependencies, vulnerabilites, and image size.
This replaces Use Distroless Envoy images with a new decision to build IO container images directly using Google’s distroless images and Envoy binaries that we build ourselves.
Pros#
- IO can use the latest features in Envoy, including prerelease versions.
- We can use a Debian 13 image, which is reportedly faster and has observably fewer security vulnerabilities.
Cons#
- We have to build our own Envoys, and Envoy builds are OMG so effing slow.