Anthos Service Mesh (ASM) 1.12 now supports deploying a proxy built on the distroless base image.

The distroless base image ensures that the proxy image contains only the packages the proxy needs to run: no shell, no package manager, none of the usual OS userland. This improves security posture by shrinking the attack surface of the image (and what an attacker who lands in the sidecar can do with it), and it also produces cleaner results from CVE scanners, since there are far fewer packages to flag.

Here is how you can opt into the distroless proxy image while installing ASM, by passing a custom IstioOperator overlay that sets the proxy imageType to distroless:

curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.12 > ~/asmcli
chmod +x ~/asmcli
cat <<EOF > distroless-proxy.yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      image:
        imageType: distroless
EOF
~/asmcli install \
    --project_id $projectId \
    --cluster_name $clusterName \
    --cluster_location $zone \
    --enable-all \
    --custom_overlay distroless-proxy.yaml

Then, when the istio-proxy sidecar is injected into your workloads, it uses the distroless image.

If we look a little closer at the container images, we can see that the distroless variant is 82MB smaller:

REPOSITORY                       TAG                       SIZE
gcr.io/gke-release/asm/proxyv2   1.12.0-asm.3-distroless   173MB
gcr.io/gke-release/asm/proxyv2   1.12.0-asm.3              255MB

Furthermore, if we run container scanning on both images, the distroless image shows only 9 vulnerabilities, as opposed to 26 for the non-distroless one (numbers observed on the 1.12.0-asm.3 tags above; they will change as the scanner database evolves).

Quite good news, isn’t it!?

Note: when deploying your own gateways, you may end up with an error like `envoy config listener '0.0.0.0_80' failed to bind or apply socket options: cannot bind '0.0.0.0:80': Permission denied`. That's because the distroless proxy image runs as non-root, and a non-root process cannot bind privileged ports (below 1024) without CAP_NET_BIND_SERVICE. The fix is not to grant that capability but to set an explicit, unprivileged targetPort on the gateway's Service, for example 8080 for port 80 and 8443 for port 443, so the proxy binds a high port while clients still reach the Service on 80/443.
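As an added example (this is not code from the original post or from the ASM docs), here is a gateway deployed through ASM's gateway injection with the Service ports remapped so the non-root proxy never has to bind 80 or 443. The namespace, resource names, labels and the Gateway host are assumptions chosen for illustration.

```yaml
# Added example, not from the original post. Namespace, names and labels are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
spec:
  type: LoadBalancer
  selector:
    istio: ingressgateway
  ports:
  - name: http2
    port: 80
    targetPort: 8080   # unprivileged port the non-root envoy can actually bind
  - name: https
    port: 443
    targetPort: 8443   # same idea for TLS traffic
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  template:
    metadata:
      annotations:
        inject.istio.io/templates: gateway   # use the injector's gateway template
      labels:
        istio: ingressgateway
    spec:
      containers:
      - name: istio-proxy
        image: auto   # replaced by the injector with the mesh's proxy image (distroless here)
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ingressgateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80       # keep the external port here; Istio resolves the listener to the Service targetPort
      name: http
      protocol: HTTP
    hosts:
    - "example.internal"   # assumed host
```

Only the Service needs the remap: the Gateway resource keeps declaring ports 80 and 443, and Istio resolves the envoy listener port through the matching Service targetPort, so the proxy ends up listening on 8080/8443 while the load balancer still exposes 80/443. If you later see the same bind error on another port, check that port's targetPort before reaching for capabilities or sysctls.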

Hope you enjoyed that one to improve your security posture, stay safe out there! ;)