Chainguard’s Istio container images provide a security-hardened foundation for service mesh deployments with significantly reduced vulnerabilities compared to standard Istio images. Istio extends Kubernetes to establish a programmable, application-aware network using the Envoy service proxy, bringing traffic management, telemetry, and security to complex deployments. Built on Wolfi OS, Chainguard’s minimal Istio images maintain full compatibility while enhancing security posture.
We will demonstrate how to get started with the Chainguard Istio container images on an example kind cluster. To get started, you’ll need Docker, kind, kubectl, and istioctl installed. If you are missing any, you can follow the relevant link to get started.
Note: In November 2024, after this article was first written, Chainguard made changes to its free tier of container images. In order to access the non-free container images used in this guide, you will need to be part of an organization that has access to them. For a full list of container images that will remain in Chainguard's free tier, please refer to this support page.
First, we’ll start up a kind cluster to install Istio.
kind create cluster
This will return output similar to the following:
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.27.3) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with:
kubectl cluster-info --context kind-kind
Thanks for using kind! 😊
Following that, you can install the Istio Chainguard Containers with istioctl.
We will be using the istioctl command to install Istio. In order to use the Chainguard Containers, we will need to set the following values:
hub = cgr.dev/$ORGANIZATION
Note: Be aware that you will need to change cgr.dev/$ORGANIZATION to reflect the name of your organization’s repository within Chainguard’s registry.
tag = latest
values.pilot.image = istio-pilot
values.global.proxy.image = istio-proxy
values.global.proxy_init.image = istio-proxy
We can set these values with the following istioctl command:
istioctl install --set tag=latest --set hub=cgr.dev/$ORGANIZATION \
--set values.pilot.image=istio-pilot \
--set values.global.proxy.image=istio-proxy \
--set values.global.proxy_init.image=istio-proxy
The Istio Chainguard Container is now running on the kind cluster you created previously. In the next section, you’ll set up an Istio gateway and a VirtualService to test out this container.
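To confirm that the pods really pull from the hub and image names set in the istioctl command above, the following check can be run after the install. It is an added example, not part of the original guide; the function names, the `example-org` organization and the sample image list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Image names passed to istioctl via values.*.image in the command above.
EXPECTED_NAMES="istio-pilot istio-proxy"

# list_images NAMESPACE: print one image reference per line for the
# containers of every pod in NAMESPACE (needs kubectl and a live cluster).
list_images() {
    kubectl get pods -n "$1" -o jsonpath='{.items[*].spec.containers[*].image}' |
        tr -s '[:space:]' '\n'
}

# check_images HUB: read image references on stdin, report each one that is
# not HUB/<expected name>[:tag|@digest], and return 1 if any was reported.
check_images() {
    hub=${1%/}                        # tolerate a trailing slash
    bad=0
    # "|| [ -n ... ]" keeps a last line that has no trailing newline
    while IFS= read -r ref || [ -n "$ref" ]; do
        [ -n "$ref" ] || continue
        case "$ref" in
            "$hub"/*) name=${ref#"$hub"/} ;;
            *) printf 'outside hub: %s\n' "$ref"; bad=1; continue ;;
        esac
        name=${name%%@*}              # drop an @sha256:... digest
        name=${name%%:*}              # drop a :tag
        case " $EXPECTED_NAMES " in
            *" $name "*) ;;
            *) printf 'unexpected name: %s\n' "$ref"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample input (not captured from a real cluster).
sample_images() {
    cat <<'EOF'
cgr.dev/example-org/istio-pilot:latest
cgr.dev/example-org/istio-proxy:latest
docker.io/istio/proxyv2:1.20.0
cgr.dev/example-org-mirror/istio-proxy:latest
EOF
}

# Demo on the sample. On a live cluster, run instead:
#   list_images istio-system | check_images "cgr.dev/$ORGANIZATION"
sample_images | check_images cgr.dev/example-org || echo "mismatches found"
```

The hub comparison requires the `/` after the organization name, so a similarly named repository such as `example-org-mirror` is reported rather than accepted as a prefix match.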
To see the Istio installation in action, we will create two Istio resources: a Gateway and a VirtualService.
Create a YAML manifest file with the following contents to define the Istio resources:
cat > example.yaml <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: sample-gateway
spec:
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "hello.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sample-virtual-service
spec:
  gateways:
  - sample-gateway
  hosts:
  - "hello.example.com"
  http:
  - directResponse:
      status: 200
      body:
        string: "Hello, world!\n"
EOF
Apply the YAML file to the cluster:
kubectl apply -f example.yaml
Now, in one terminal, start a port-forward to the Istio Ingress Gateway:
kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80
In another terminal, send a request to the Istio Ingress Gateway:
curl -H "Host: hello.example.com" localhost:8080
This will return Hello, world! to the terminal output.
Once you are done, you can delete your kind cluster:
kind delete cluster
This will delete the default cluster context, kind.
If your project requires a more specific set of packages that aren't included within the general-purpose Istio Chainguard Container, you'll first need to check if the package you want is already available on the wolfi-os repository.
Note: If you're building on top of a container image other than the wolfi-base container image, the image will run as a non-root user. Because of this, if you need to install packages with apk add you need to use the USER root directive.
If the package is available, you can use the wolfi-base image in a Dockerfile and install what you need with apk, then use the resulting image as base for your app.
Check the "Using the wolfi-base Container" section of our images quickstart guide for more information.
If the packages you need are not available, you can build your own apks using melange. Please refer to this guide for more information.
Last updated: 2025-07-23 15:09