distroless asm proxy
Anthos Service Mesh (ASM) 1.12 now supports deploying a proxy built on the distroless base image.
The distroless base image ensures that the proxy image contains only the minimal set of packages required to run the proxy. This improves security posture by reducing the overall attack surface of the image, and it gives cleaner results with CVE scanners.
Here is how you can leverage the distroless base image while installing ASM:
```bash
curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.12 > ~/asmcli
chmod +x ~/asmcli

cat <<EOF > distroless-proxy.yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      image:
        imageType: distroless
EOF

~/asmcli install \
  --project_id $projectId \
  --cluster_name $clusterName \
  --cluster_location $zone \
  --enable-all \
  --custom_overlay distroless-proxy.yaml
```
Then, when the istio-proxy sidecar is injected, it will use the distroless image.
If we look a little closer at the container images, we can see that the distroless image saves 82MB:
| REPOSITORY | TAG | SIZE |
|---|---|---|
| gcr.io/gke-release/asm/proxyv2 | 1.12.0-asm.3-distroless | 173MB |
| gcr.io/gke-release/asm/proxyv2 | 1.12.0-asm.3 | 255MB |
Furthermore, if we run a container scan, we can see that the distroless image has only 9 vulnerabilities, as opposed to 26 for the non-distroless one.
Quite good news, isn’t it!?
Note: when deploying your own gateways, you may end up with `error envoy config listener '0.0.0.0_80' failed to bind or apply socket options: cannot bind '0.0.0.0:80': Permission denied`. That's because the distroless image runs as non-root, and an unprivileged process cannot bind ports below 1024. You need to set an explicit targetPort for the gateway's Service, 8443 for example.
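Two checks follow naturally from the post: confirming that injected proxies really run the distroless image, and catching gateway Services whose targetPort would force the non-root Envoy to bind a privileged port before the `Permission denied` error shows up at runtime. The script below is an added example, not part of the original post or of the ASM/Istio tooling. It works on dicts shaped like `kubectl get pods -o json` and `kubectl get svc -o json` output; the sample pods and Services are constructed for the demo, the proxy container names (`istio-proxy`, `istio-init`) and the gateway selector (`istio: ingressgateway`) are assumptions matching a default install, and the 1.12.0-asm.3 tags are the ones quoted in the post.

```python
"""Audit helpers for a mesh running the distroless proxy image.

Added example, not code from the original post or from ASM/Istio.
Inputs are dicts in the shape of `kubectl get pods -o json` and
`kubectl get svc -o json`; the sample objects below are constructed.
"""

# Containers that run the proxyv2 image in an injected pod (assumed default names).
PROXY_CONTAINERS = {"istio-proxy", "istio-init"}
# Ports <= 1023 need root or CAP_NET_BIND_SERVICE, which the non-root proxy lacks.
PRIVILEGED_PORT_MAX = 1023
# Labels a gateway Service selects on in a default install (assumption).
DEFAULT_GATEWAY_SELECTOR = {"istio": "ingressgateway"}


def image_tag(image: str) -> str:
    """Return the tag of an image reference, or '' if it is untagged or digest-pinned."""
    name = image.rsplit("/", 1)[-1]  # drop registry/path first; a registry may carry ':port'
    if "@" in name:                   # digest reference: there is no tag to inspect
        return ""
    return name.split(":", 1)[1] if ":" in name else ""


def non_distroless_proxies(pod_list: dict) -> list:
    """Return (namespace/pod, image) for proxy containers not built on the distroless image."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if c["name"] in PROXY_CONTAINERS and not image_tag(c["image"]).endswith("-distroless"):
                findings.append((f"{meta['namespace']}/{meta['name']}", c["image"]))
    return findings


def privileged_target_ports(svc_list: dict, gateway_selector: dict = None) -> list:
    """Return (namespace/service, port, targetPort) for gateway Services whose
    targetPort is privileged. A missing targetPort defaults to the Service port;
    named targetPorts are skipped because resolving them needs the pod spec."""
    gateway_selector = gateway_selector or DEFAULT_GATEWAY_SELECTOR
    findings = []
    for svc in svc_list.get("items", []):
        meta, spec = svc["metadata"], svc["spec"]
        selector = spec.get("selector", {})
        if any(selector.get(k) != v for k, v in gateway_selector.items()):
            continue  # not a gateway: sidecar pods redirect via iptables, no bind needed
        for p in spec.get("ports", []):
            target = p.get("targetPort", p["port"])
            if isinstance(target, int) and target <= PRIVILEGED_PORT_MAX:
                findings.append((f"{meta['namespace']}/{meta['name']}", p["port"], target))
    return findings


def _pod(ns, name, image, with_init=True):
    containers = [{"name": "app", "image": "example.com/app:1.0"},
                  {"name": "istio-proxy", "image": image}]
    init = [{"name": "istio-init", "image": image}] if with_init else []
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": containers, "initContainers": init}}


# Constructed sample: one pod already on the distroless proxy, one still on the stock tag.
SAMPLE_PODS = {"items": [
    _pod("default", "web-7c9", "gcr.io/gke-release/asm/proxyv2:1.12.0-asm.3-distroless"),
    _pod("default", "api-6f8", "gcr.io/gke-release/asm/proxyv2:1.12.0-asm.3", with_init=False),
]}

# Constructed sample: a gateway Service missing targetPort on :80 (fails under non-root),
# a corrected gateway Service, and a plain app Service that is not a gateway at all.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"},
     "spec": {"selector": {"istio": "ingressgateway"},
              "ports": [{"port": 80}, {"port": 443, "targetPort": 8443}]}},
    {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway-fixed"},
     "spec": {"selector": {"istio": "ingressgateway"},
              "ports": [{"port": 80, "targetPort": 8080}, {"port": 443, "targetPort": 8443}]}},
    {"metadata": {"namespace": "default", "name": "api"},
     "spec": {"selector": {"app": "api"}, "ports": [{"port": 80}]}},
]}


if __name__ == "__main__":
    for pod, image in non_distroless_proxies(SAMPLE_PODS):
        print(f"non-distroless proxy: {pod} -> {image}")
    for svc, port, target in privileged_target_ports(SAMPLE_SERVICES):
        print(f"privileged gateway targetPort: {svc} port {port} -> targetPort {target}")
```

On a real cluster, feed it `json.load` of `kubectl get pods -A -o json` and `kubectl get svc -A -o json`; the Service check deliberately looks only at gateway Services, since for sidecar-injected workloads the application container owns the listening socket and the proxy receives traffic through iptables redirection on its own high ports.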
Hope you enjoyed that one to improve your security posture, stay safe out there! ;)