Replace Alpine with Google's distroless static image for enhanced sec…#993
Merged
collin-lee merged 2 commits intoenvoyproxy:mainfrom Oct 28, 2025
Merged
Replace Alpine with Google's distroless static image for enhanced sec…#993collin-lee merged 2 commits intoenvoyproxy:mainfrom
collin-lee merged 2 commits intoenvoyproxy:mainfrom
Conversation
…urity and simplified maintenance. Includes CA certificates automatically and provides debug variant for troubleshooting.
collin-lee
force-pushed
the
scratch_distroless
branch
from
02bcdb6 to
ebc035e
Compare
morepork
approved these changes
Oct 27, 2025
morepork
left a comment
morepork
left a comment
There was a problem hiding this comment.
Thanks, this looks good to me. Cleaner than copying the certs from the alpine image.
|
|
||
| FROM alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS final | ||
| RUN apk --no-cache add ca-certificates && apk --no-cache update | ||
| FROM gcr.io/distroless/static-debian12 |
There was a problem hiding this comment.
what do you think about pinning this to a particular SHA to make builds deterministic?
Also, I think it may as well use the nonroot tag, similar to the envoy build:
https://github.com/envoyproxy/envoy/blob/main/distribution/docker/Dockerfile-envoy#L62
Contributor
Author
- Pin gcr.io/distroless/static-debian12:nonroot to specific SHA digest - Ensures deterministic builds and prevents supply chain attacks - Use nonroot variant for enhanced security (runs as UID 65532) - Follows same pattern as Envoy proxy for consistency - Update documentation to reflect security improvements
morepork
approved these changes
Oct 27, 2025
arkodg
approved these changes
Oct 28, 2025
psbrar99
approved these changes
Oct 28, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…urity
and simplified maintenance. Includes CA certificates automatically and provides debug variant for troubleshooting.