# Getting Started with the Chainguard Istio Containers

URL: https://deploy-preview-3420--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/getting-started/istio.md
Last Modified: July 23, 2025
Tags: Chainguard Containers

Learn how to deploy the Istio service mesh using Chainguard's security-hardened Istio images with reduced vulnerabilities and minimal attack surface.

Chainguard's Istio container images provide a security-hardened foundation for service mesh deployments with significantly reduced vulnerabilities compared to standard Istio images. Istio extends Kubernetes to establish a programmable, application-aware network using the Envoy service proxy, bringing traffic management, telemetry, and security to complex deployments. Built on Wolfi OS, Chainguard's minimal Istio images maintain full compatibility while enhancing security posture.

We will demonstrate how to get started with the Chainguard Istio container images on an example kind cluster. To get started, you'll need Docker, kind, kubectl, and istioctl installed. If you are missing any, you can follow the relevant link to get started.

- Docker
- kind
- kubectl
- istioctl

Note: In November 2024, after this article was first written, Chainguard made changes to its free tier of container images. In order to access the non-free container images used in this guide, you will need to be part of an organization that has access to them. For a full list of container images that will remain in Chainguard's free tier, please refer to this support page.

**What is Wolfi?** Wolfi is a community Linux undistro created specifically for containers. This brings distroless to a new level, including additional features targeted at securing the software supply chain of your application environment: comprehensive SBOMs, signatures, daily updates, and timely CVE fixes.

**Chainguard Containers** Chainguard Containers are a mix of distroless and development container images based on Wolfi. Daily builds make sure images are up-to-date with the latest package versions and patches from upstream Wolfi.

## Start up a kind cluster

First, we'll start up a kind cluster to install Istio.
```sh
kind create cluster
```

This will return output similar to the following:

```
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.27.3) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Thanks for using kind! 😊
```

Following that, you can install the Istio Chainguard Containers with istioctl.
## Install Istio using Chainguard Containers

We will be using the istioctl command to install Istio. In order to use the Chainguard Containers, we will need to set the following values:

- `hub = cgr.dev/$ORGANIZATION`

  Note: Be aware that you will need to change `cgr.dev/$ORGANIZATION` to reflect the name of your organization's repository within Chainguard's registry.
- `tag = latest`
- `values.pilot.image = istio-pilot`
- `values.global.proxy.image = istio-proxy`
- `values.global.proxy_init.image = istio-proxy`

We can set these values with the following istioctl command:

```sh
istioctl install --set tag=latest --set hub=cgr.dev/$ORGANIZATION \
  --set values.pilot.image=istio-pilot \
  --set values.global.proxy.image=istio-proxy \
  --set values.global.proxy_init.image=istio-proxy
```

The Istio Chainguard Container is now running on the kind cluster you created previously. In the next section, you'll set up an Istio gateway and a VirtualService to test out this container.
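To confirm that the pods in `istio-system` really pull from the hub you passed to `istioctl install`, the following check is added here as an example and is not part of Chainguard's guide. The function names, the sample pod names, and the `example-org` organization are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Chainguard guide): verify that every container in
# istio-system pulls its image from the hub passed to `istioctl install`.

# list_istio_images: print "<pod> <image> [<image> ...]" for each pod in the
# live cluster. Needs kubectl and a reachable cluster.
list_istio_images() {
    kubectl get pods -n istio-system -o jsonpath='{range .items[*]}{.metadata.name}{" "}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}'
}

# sample_images: constructed input in the same format, for an offline dry run.
# Pod names, the organization and the upstream tag are made up.
sample_images() {
    cat <<'EOF'
istiod-6d5c7b9f4-abcde cgr.dev/example-org/istio-pilot:latest
istio-ingressgateway-7f9c8d-fghij cgr.dev/example-org/istio-proxy:latest
leftover-gateway-5b6c7d-klmno docker.io/istio/proxyv2:1.20.0
lookalike-84d9f6-pqrst cgr.dev/example-org-mirror/istio-proxy:latest
EOF
}

# check_hub HUB: read pod/image lines on stdin and print one UNEXPECTED line
# per image outside HUB. Returns 0 when all images match, 1 otherwise.
check_hub() {
    # Compare against "HUB/" so cgr.dev/example-org does not also accept
    # cgr.dev/example-org-mirror.
    awk -v hub="${1%/}/" '
        {
            for (i = 2; i <= NF; i++)
                if (index($i, hub) != 1) {
                    printf "UNEXPECTED %s %s\n", $1, $i
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage:
#   list_istio_images | check_hub "cgr.dev/$ORGANIZATION"   # live cluster
#   sample_images     | check_hub cgr.dev/example-org       # offline dry run
```

`list_istio_images` reads only `.spec.containers`, so init containers are not covered by this check.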
## Stand up a Gateway and a VirtualService

To see the Istio installation in action, we will create two Istio resources:

- An Istio gateway serving the "http://hello.example.com" domain
- A VirtualService to always reply with "Hello, world!" to requests to the "http://hello.example.com" domain

Create a YAML manifest file with the following contents to define the Istio resources:

```sh
cat > example.yaml <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: sample-gateway
spec:
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "hello.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sample-virtual-service
spec:
  gateways:
  - sample-gateway
  hosts:
  - "hello.example.com"
  http:
  - directResponse:
      status: 200
      body:
        string: "Hello, world!\n"
EOF
```

Apply the YAML file to the cluster:

```sh
kubectl apply -f example.yaml
```

Now, in one terminal, start a port-forward to the Istio Ingress Gateway:

```sh
kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80
```

In another terminal, send a request to the Istio Ingress Gateway:

```sh
curl -H "Host: hello.example.com" localhost:8080
```

This will return `Hello, world!` to the terminal output.
## Clean up your kind cluster

Once you are done, you can delete your kind cluster:

```sh
kind delete cluster
```

This will delete the default cluster context, kind.
## Advanced Usage

If your project requires a more specific set of packages that aren't included within the general-purpose Istio Chainguard Container, you'll first need to check if the package you want is already available on the wolfi-os repository.

Note: If you're building on top of a container image other than the wolfi-base container image, the image will run as a non-root user. Because of this, if you need to install packages with `apk add` you need to use the `USER root` directive.

If the package is available, you can use the wolfi-base image in a Dockerfile and install what you need with apk, then use the resulting image as base for your app. Check the "Using the wolfi-base Container" section of our images quickstart guide for more information.

If the packages you need are not available, you can build your own apks using melange. Please refer to this guide for more information.

