Use Distroless Envoy images
Agent IO
June 19, 2025
envoyproxy/envoy-distroless images are smaller and have fewer vulnerabilities than the official Envoy images, envoyproxy/envoy. IO's Dockerfile now uses these as the base image for IO.

Pros

- Image size went from ~75MB to ~55MB.
- All of the medium vulnerabilities that Docker Hub reported when we built on envoyproxy/envoy are gone now.
- Both amd64 and arm64 images are available.

Cons

- With no built-in shell, images are harder to debug.
- This adds a dependency on the Google team that builds the distroless images.
- Distroless adds a nonroot user, but I've been unable to give that user write access to files in mapped volumes. It's probably a me problem, but for now we've configured IO images to run internally as root.
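A bind-mounted directory keeps its host owner and mode bits, so a nonroot container user can write only where those bits allow it. The script below is an added example, not code from the IO repository: it checks a host directory before it is mounted, and it assumes the image's nonroot account is uid/gid 65532, the value Google's distroless base images use. The function names are hypothetical.

```shell
#!/bin/sh
# Preflight check for a host directory that will be bind-mounted into a
# container running as a nonroot user.
# Assumption: nonroot is uid/gid 65532 (Google distroless convention).
# Not covered: POSIX ACLs, supplementary groups, user-namespace remapping,
# SELinux labels. Requires GNU stat (Linux).

NONROOT_UID=65532
NONROOT_GID=65532

# can_write DIR [UID] [GID]
# Returns 0 if a nonroot UID/GID may create files in DIR according to the
# directory's mode bits, 1 if not, 2 if DIR is missing or unreadable.
can_write() {
    dir=$1
    uid=${2:-$NONROOT_UID}
    gid=${3:-$NONROOT_GID}
    [ -d "$dir" ] || return 2
    # Owner uid, owner gid, octal mode, e.g. "1000 1000 755"
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    owner=$1 group=$2
    perm=$((0$3))                      # parse the mode as an octal number
    # The kernel applies exactly one permission class: owner, group, or other.
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (perm >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( (perm >> 3) & 7 ))
    else
        bits=$(( perm & 7 ))
    fi
    # Creating a file needs both write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

# check_mount DIR: report whether the assumed nonroot user can write to DIR.
check_mount() {
    if can_write "$1"; then
        echo "ok: uid $NONROOT_UID can write to $1"
    else
        echo "fail: uid $NONROOT_UID cannot write to $1;" \
             "fix ownership or mode on the host before mounting" >&2
        return 1
    fi
}

# Run the check only when a directory is given on the command line.
if [ $# -gt 0 ]; then check_mount "$1"; fi
```

A failing check means the container would need root, or a host-side ownership change, to write to that volume.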