Reduce dependencies, vulnerabilities, and image size.
envoyproxy/envoy-distroless images are smaller and have fewer vulnerabilities than the official Envoy images, envoyproxy/envoy.
IO’s Dockerfile now uses these as the base image for IO.
Pros
- Image size went from ~75MB to ~55MB.
- All of the medium vulnerabilities that Docker Hub reported when we built on envoyproxy/envoy are gone now.
- Both amd64 and arm64 images are available.
Cons
- With no built-in shell, images are harder to debug.
- This adds a dependency on the Google team that builds the distroless images.
- Distroless adds a nonroot user, but I’ve been unable to give that user write access to files in mapped volumes. It’s probably a me problem, but for now we’ve configured IO images to run internally as root.