Skip to content

Replace Alpine with Google's distroless static image for enhanced sec… #993

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
collin-lee merged 2 commits into from
Oct 28, 2025
Merged

Replace Alpine with Google's distroless static image for enhanced sec… #993

collin-lee merged 2 commits into from
Oct 28, 2025

Conversation

@collin-lee
Copy link
Contributor

@collin-lee collin-lee commented Oct 27, 2025

…urity

and simplified maintenance. Includes CA certificates automatically and provides debug variant for troubleshooting.

@collin-lee collin-lee mentioned this pull request Oct 27, 2025
Closed
@collin-lee
Replace Alpine with Google's distroless static image for enhanced sec…
ebc035e 
…urity

and simplified maintenance. Includes CA certificates automatically and
provides debug variant for troubleshooting.
morepork
morepork approved these changes Oct 27, 2025
View reviewed changes
Copy link

@morepork morepork left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, this looks good to me. Cleaner than copying the certs from the alpine image.

Dockerfile Outdated

FROM alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS final
RUN apk --no-cache add ca-certificates && apk --no-cache update
FROM gcr.io/distroless/static-debian12
Copy link

@morepork morepork Oct 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you think about pinning this to a particular SHA to make builds deterministic?

Also, I think it may as well use the nonroot tag, similar to the envoy build:
https://github.com/envoyproxy/envoy/blob/main/distribution/docker/Dockerfile-envoy#L62

@collin-lee
Copy link
Contributor Author

collin-lee commented Oct 27, 2025

@arkodg

@collin-lee
security: pin distroless image to SHA and use nonroot variant
5009d93 
- Pin gcr.io/distroless/static-debian12:nonroot to specific SHA digest
- Ensures deterministic builds and prevents supply chain attacks
- Use nonroot variant for enhanced security (runs as UID 65532)
- Follows same pattern as Envoy proxy for consistency
- Update documentation to reflect security improvements
@psbrar99 psbrar99 self-requested a review October 28, 2025 18:14
@collin-lee collin-lee merged commit 99d8551 into envoyproxy:main Oct 28, 2025
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@psbrar99 psbrar99 psbrar99 approved these changes

+2 more reviewers

@morepork morepork morepork approved these changes

@arkodg arkodg arkodg approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@collin-lee @morepork @arkodg @psbrar99