feat(proxy, proxy-init): Combine proxy and proxy-init and use minimal base image (#14577)

To simplify the docker images we ship, we combine the proxy and proxy-init images into a unified image (named proxy) which includes both the proxy and proxy-init binaries.

To reduce the security surface area of this unified image, we build it on a minimal Wolfi-based runtime image via apko instead of building on `gcr.io/distroless/cc-debian12`. This allows us to avoid including unused packages such as `libssl` which can cause spurious security scan alerts in our images.

In order to build this minimal runtime base image in CI, we start a local temporary registry so that we can push the apko created runtime image and use it as a base image for the proxy image.

We update the Linkerd templates to use this new unified proxy image in the linkerd-init container.

Signed-off-by: Alex Leong <[email protected]>

Author: adleong

.github/actions/docker-build/action.yml

@@ -28,11 +28,15 @@ runs:
     - uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124
     - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130
     - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+      with:
+        driver-opts: network=host
     - env:
         DOCKER_REGISTRY: ${{ inputs.docker-registry }}
         DOCKER_TARGET: ${{ inputs.docker-target }}
         DOCKER_PUSH: ${{ inputs.docker-push }}
         TAG: ${{ inputs.tag }}
+        RUNTIME_IMAGE: localhost:5000/linkerd/proxy-runtime:${{ inputs.tag }}
+        PUSH_RUNTIME_IMAGE: true
       shell: bash
       run: bin/docker-build-${{ inputs.component }}
 

.github/workflows/integration.yml

@@ -80,6 +80,11 @@ jobs:
     needs: meta
     if: needs.meta.outputs.changed == 'true'
     runs-on: ${{ vars.LINKERD2_RUNNER || 'ubuntu-24.04' }}
+    services:
+      registry:
+        image: registry:3
+        ports:
+          - 5000:5000
     strategy:
       matrix:
         component:

.github/workflows/release.yml

@@ -37,6 +37,11 @@ jobs:
       contents: read
       packages: write # for docker/login-action
       id-token: write # for cosign
+    services:
+      registry:
+        image: registry:3
+        ports:
+          - 5000:5000
     strategy:
       matrix:
         component:

Dockerfile-proxy renamed to Dockerfile.proxy

@@ -1,5 +1,6 @@
-ARG RUNTIME_IMAGE=gcr.io/distroless/cc-debian12
 ARG BUILDPLATFORM=linux/amd64
+ARG RUNTIME_IMAGE="cr.l5d.io/linkerd/proxy-runtime:latest"
+ARG TARGETARCH
 
 # Precompile key slow-to-build dependencies
 FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS go-deps
@@ -43,8 +44,33 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -mod=readonly ./pkg/...
 COPY proxy-identity proxy-identity
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/proxy-identity -mod=readonly -ldflags "-s -w" ./proxy-identity
 
-FROM $RUNTIME_IMAGE AS runtime
+## build proxy-init
+FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v48-go AS proxy-init
+WORKDIR /build
+ARG PROXY_INIT_REPO="linkerd/linkerd2-proxy-init"
+ARG PROXY_INIT_REF="proxy-init/v2.4.3"
+RUN --mount=type=secret,id=github \
+    export GITHUB_TOKEN_FILE=/run/secrets/github; \
+    git init --initial-branch=main . && \
+    git remote add origin https://github.com/${PROXY_INIT_REPO}.git && \
+    git fetch --depth 1 origin ${PROXY_INIT_REF} && \
+    git checkout --detach FETCH_HEAD
+RUN go mod download
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on \
+    go build -o /out/linkerd2-proxy-init -mod=readonly -ldflags "-s -w" -v ./proxy-init
+
+FROM $RUNTIME_IMAGE-$TARGETARCH AS runtime
 LABEL org.opencontainers.image.source=https://github.com/linkerd/linkerd2
+
+COPY --from=proxy-init /out/linkerd2-proxy-init /usr/lib/linkerd/linkerd2-proxy-init
+# Set sys caps for iptables utilities and proxy-init
+USER root
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-legacy-multi"]
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-nft-multi"]
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/lib/linkerd/linkerd2-proxy-init"]
+USER 65534
+
 COPY --from=fetch /build/target/proxy/LICENSE /usr/lib/linkerd/LICENSE
 COPY --from=fetch /build/proxy-version /usr/lib/linkerd/linkerd2-proxy-version.txt
 COPY --from=fetch /build/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy

bin/docker-build-proxy

@@ -2,6 +2,8 @@
 
 set -eu
 
+apko_version=v0.30.13
+
 if [ $# -ne 0 ]; then
     echo "no arguments allowed for ${0##*/}, given: $*" >&2
     exit 64
@@ -14,8 +16,11 @@ rootdir=$( cd "$bindir"/.. && pwd )
 . "$bindir"/_docker.sh
 # shellcheck source=_tag.sh
 . "$bindir"/_tag.sh
+# shellcheck source=_os.sh
+. "$bindir"/_os.sh
 
-dockerfile=$rootdir/Dockerfile-proxy
+dockerfile=$rootdir/Dockerfile.proxy
+runtime_image="${RUNTIME_IMAGE:-"cr.l5d.io/linkerd/proxy-runtime:${TAG:-$(head_root_tag)}"}"
 
 get_extra_options() {
     options=
@@ -25,9 +30,22 @@ get_extra_options() {
     echo "$options"
 }
 
+# Build proxy base image with apko
+go install chainguard.dev/apko@$apko_version
+export PATH=$PATH:$(go env GOPATH)/bin
+# Add --local flag unless PUSH_RUNTIME_IMAGE is set
+apko build "$rootdir/proxy-runtime.yml" "$runtime_image" "$rootdir/proxy-runtime.tar"
+docker load < "$rootdir/proxy-runtime.tar"
+if [[ -n "${PUSH_RUNTIME_IMAGE:-}" ]]; then
+    for arch in "arm64" "amd64"; do
+        docker push "$runtime_image-$arch"
+    done
+fi
+
 # We want wordsplit for the extra options here:
 # shellcheck disable=SC2046
 docker_build proxy "${TAG:-$(head_root_tag)}" "$dockerfile" \
+  --build-arg RUNTIME_IMAGE="$runtime_image" \
   --build-arg LINKERD_VERSION="${TAG:-$(head_root_tag)}" \
   --build-arg LINKERD2_PROXY_REPO="${LINKERD2_PROXY_REPO:-linkerd/linkerd2-proxy}" \
   --build-arg LINKERD2_PROXY_VERSION="${LINKERD2_PROXY_VERSION:-$(cat .proxy-version)}" \

charts/linkerd-control-plane/values.yaml

@@ -349,14 +349,6 @@ proxyInit:
   # -- Log format (`plain` or `json`) for the proxy-init
   # @default -- plain
   logFormat: ""
-  image:
-    # -- Docker image for the proxy-init container
-    name: cr.l5d.io/linkerd/proxy-init
-    # -- Pull policy for the proxy-init container image
-    # @default -- imagePullPolicy
-    pullPolicy: ""
-    # -- Tag for the proxy-init container image
-    version: v2.4.3
   # -- Changes the default value for the nf_conntrack_tcp_timeout_close_wait
   # kernel parameter. If used, runAsRoot needs to be true.
   closeWaitTimeoutSecs: 0

charts/partials/templates/_proxy-init.tpl

@@ -46,8 +46,9 @@ args:
 - --subnets-to-ignore
 - {{ .Values.proxyInit.skipSubnets | quote }}
 {{- end }}
-image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}}
-imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}}
+image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}}
+command: ["/usr/lib/linkerd/linkerd2-proxy-init"]
+imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
 name: linkerd-init
 {{ include "partials.resources" .Values.proxy.resources }}
 securityContext:

cli/cmd/doc.go

@@ -128,14 +128,6 @@ func generateAnnotationsDocs() []annotationDoc {
 			Name:        k8s.ProxyImagePullPolicyAnnotation,
 			Description: "Docker image pull policy",
 		},
-		{
-			Name:        k8s.ProxyInitImageAnnotation,
-			Description: "Linkerd init container image name",
-		},
-		{
-			Name:        k8s.ProxyInitImageVersionAnnotation,
-			Description: "Linkerd init container image version",
-		},
 		{
 			Name:        k8s.DebugImageAnnotation,
 			Description: "Linkerd debug container image name",

cli/cmd/inject.go

@@ -417,17 +417,10 @@ func getOverrideAnnotations(values *linkerd2.Values, base *linkerd2.Values) map[
 	if proxy.Image.Name != baseProxy.Image.Name {
 		overrideAnnotations[k8s.ProxyImageAnnotation] = proxy.Image.Name
 	}
-	if values.ProxyInit.Image.Name != base.ProxyInit.Image.Name {
-		overrideAnnotations[k8s.ProxyInitImageAnnotation] = values.ProxyInit.Image.Name
-	}
 	if values.DebugContainer.Image.Name != base.DebugContainer.Image.Name {
 		overrideAnnotations[k8s.DebugImageAnnotation] = values.DebugContainer.Image.Name
 	}
 
-	if values.ProxyInit.Image.Version != base.ProxyInit.Image.Version {
-		overrideAnnotations[k8s.ProxyInitImageVersionAnnotation] = values.ProxyInit.Image.Version
-	}
-
 	if values.DebugContainer.Image.Version != base.DebugContainer.Image.Version {
 		overrideAnnotations[k8s.DebugImageVersionAnnotation] = values.DebugContainer.Image.Version
 	}

cli/cmd/inject_test.go

@@ -782,30 +782,6 @@ func TestProxyImageAnnotations(t *testing.T) {
 	diffOverrides(t, expectedOverrides, overrides)
 }
 
-func TestProxyInitImageAnnotations(t *testing.T) {
-	baseValues, err := linkerd2.NewValues()
-	if err != nil {
-		t.Fatal(err)
-	}
-	values, err := baseValues.DeepCopy()
-	if err != nil {
-		t.Fatal(err)
-	}
-	values.ProxyInit.Image = &linkerd2.Image{
-		Name:    "my.registry/linkerd/proxy-init",
-		Version: "test-proxy-init-version",
-	}
-
-	expectedOverrides := map[string]string{
-		k8s.ProxyInitImageAnnotation:        "my.registry/linkerd/proxy-init",
-		k8s.ProxyInitImageVersionAnnotation: "test-proxy-init-version",
-	}
-
-	overrides := getOverrideAnnotations(values, baseValues)
-
-	diffOverrides(t, expectedOverrides, overrides)
-}
-
 func TestNoAnnotations(t *testing.T) {
 	baseValues, err := linkerd2.NewValues()
 	if err != nil {