The Envoy image packages the Envoy proxy binary, runtime libraries, default filter chain (HTTP/gRPC/TCP filters), xDS client for dynamic configuration, admin and health endpoints, and the minimal OS userspace and entrypoint scripts needed to run in a container. In containerized and production deployments it is commonly run as a sidecar or gateway for L7/L4 proxying, TLS termination and mTLS, high-throughput gRPC/HTTP/HTTP2 routing, TCP proxying, observability (metrics/tracing), and rate‑limiting workloads.
Teams evaluate an Envoy hardened image when regulated or security-sensitive environments require reduced attack surface, reproducible signed artifacts, CVE-patched libraries, constrained runtime privileges (least privilege, seccomp, capability removal), and crypto stacks or build options aligned with compliance requirements.
The Minimus Envoy image differs from typical Envoy container images by being built from scratch with only the essential components, eliminating extra packages, shells, and userland tooling that increase risk and complexity. This results in a significantly reduced attack surface: a smaller runtime footprint that is faster to start, lighter to distribute, and easier to maintain and patch compared with full-distribution images that bundle development and debugging utilities.
The Minimus hardened Envoy image goes further by applying hardening and configuration controls aligned with industry standards such as NIST SP 800-190 and relevant CIS Benchmarks, including reduced capabilities, minimal user and process privileges, immutable filesystem layout where appropriate, and removal of package managers and extraneous binaries. For engineers and security teams this means a predictable, auditable Envoy runtime that is easier to secure, monitor, and certify in production environments.
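The runtime controls listed above (digest-pinned image, non-root user, read-only root filesystem, dropped capabilities, seccomp) can be checked on a running container from its `docker inspect` output. The following is an added example, not code from Minimus or the Envoy project; both JSON excerpts are constructed samples, and the registry name, digest placeholder and UID are hypothetical.

```python
import json

# Constructed `docker inspect` excerpts (sample data, not from a real host).
WEAK = json.loads("""{
  "Config": {"Image": "envoyproxy/envoy:latest", "User": ""},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": false,
                 "CapAdd": null, "CapDrop": null, "SecurityOpt": null}
}""")
HARDENED = json.loads("""{
  "Config": {"Image": "registry.example/envoy@sha256:<digest-placeholder>",
             "User": "10001:10001"},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                 "CapAdd": null, "CapDrop": ["ALL"],
                 "SecurityOpt": ["no-new-privileges"]}
}""")


def audit(container: dict) -> list:
    """Return one finding per hardening control the container is missing."""
    cfg, host = container.get("Config", {}), container.get("HostConfig", {})
    findings = []
    image = cfg.get("Image", "")
    if "@sha256:" not in image:  # a tag such as :latest can move, a digest cannot
        findings.append(f"image not pinned by digest: {image!r}")
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root (no non-root User set)")
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    drops = {c.upper() for c in host.get("CapDrop") or []}
    if "ALL" not in drops:
        findings.append("capabilities not dropped (CapDrop lacks ALL)")
    if host.get("CapAdd"):
        findings.append(f"capabilities added back: {host['CapAdd']}")
    # Docker accepts both "key=value" and "key:value"; normalise before matching.
    opts = [o.replace("=", ":") for o in host.get("SecurityOpt") or []]
    nnp = [o for o in opts if o.startswith("no-new-privileges")]
    if not nnp or any(o.endswith(":false") for o in nnp):
        findings.append("no-new-privileges not set")
    if "seccomp:unconfined" in opts:
        findings.append("seccomp disabled (unconfined)")
    return findings


if __name__ == "__main__":
    for name, c in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(c) or "no findings")
```

To audit a real container, pass the first element of the array that `docker inspect <container>` prints to `audit()`.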
Envoy is a high-performance open-source edge and service proxy designed for cloud-native architectures. It runs as a sidecar or standalone proxy to route, secure, observe, and control traffic between services. It provides L7 HTTP/2/gRPC routing, L4 load balancing, TLS termination, retries, circuit breakers, rate limiting, and distributed tracing. In microservices and service mesh setups, Envoy serves as the data plane for service-to-service communication and can be used as an ingress/edge proxy or API gateway.
For deployment, use a container image of the Envoy proxy in your cluster.
For production, use a hardened Envoy image with minimal privileges, reduced attack surface, and up-to-date security patches.
There are two common ways to download Envoy: binary or container image.
Docker users can pull the official image with:
docker pull envoyproxy/envoy:latest
Alternatively, fetch a prebuilt binary from the releases page and extract it:
wget https://github.com/envoyproxy/envoy/releases/download/v1.26.0/envoy-linux-v1.26.0.tar.gz
tar -xzf envoy-linux-v1.26.0.tar.gz
For hardened deployments, use a hardened Envoy image from trusted sources.
Use the Envoy image as a high-performance proxy for service-to-service (East-West) traffic, edge ingress, and API gateway use cases.
In a service mesh, Envoy serves as a sidecar to provide load balancing, retries, circuit breaking, tracing, and dynamic configuration via xDS.
Key capabilities include TLS termination, mTLS, HTTP/2 and gRPC support, advanced routing, rate limiting, and observability.
For production, opt for a hardened Envoy image from a trusted source, keep it updated with security patches, and scan it for vulnerabilities on an ongoing basis.