Beta: distroless images #22

Closed
10 of 20 tasks
howardjohn opened this issue Feb 23, 2021 · 2 comments

Comments

@howardjohn
Member

Beta Feature Requirements

This page lists the requirements for promoting a feature to beta. Promotion to beta must meet all requirements for promotion to alpha. Please check off and document the steps as they are completed.

Feature Name: Distroless images

Design Doc: N/A

Alpha Checklist: Not sure? Do we need to retroactively do this?

Relevant Documentation: https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/

Related: istio/istio#24857

Requirements:

Design

  • Design doc describing the intention of the feature, how it will be
    implemented, and any thoughts on how to test the feature has been approved by
    relevant work group leads
  • Feature coverage and test plans written and approved.

Docs

  • Documentation on istio.io includes performance expectations; may have caveats. YES - documentation lists it may have faster startup.
  • Documentation on istio.io includes samples/tutorials. N/A - I don't think we need samples here. We just need install steps, which we have.
  • Documentation on istio.io includes appropriate glossary entries. N/A - we don't introduce any vocabulary here. Users may not understand "distroless", but we link to the docs. This phrase is localized to only a single document and doesn't need to be more broad.
  • All new documentation containing user actions includes istio.io tests. YES/NA - no user actions other than a single --set tag=1.9.0-distroless
  • Release notes have been added. YES - when the feature was merged long ago
  • Upgrade notes have been added. YES - none needed

Tests

  • Integration tests cover feature edge cases. NO - we only cover basic integration test. We may have gaps in things that depend on internal tools, like istioctl. Probably not, but it's not tested.
  • End-to-end tests cover samples/tutorials. YES - e2e tests cover the full install
  • Fixed issues have tests to prevent regressions
  • Stability/stress test suite includes coverage for the feature. NO. It's highly likely overkill to run 2x suite every time when this is extremely unlikely to have any impact. We can likely run it one-off?

Performance

  • Feature coverage and test plans written and approved. NA
  • Tests exist with the feature enabled that can be integrated with our automated performance testing.

API

  • TOC has reviewed the API and determined it to be complete. Likely NA, as there is no API, unless we consider the docker tag name an API. Will leave to TOC to decide.

Tooling

  • Any necessary tooling to use/debug the feature has been implemented and is complete. NO - we essentially depend on Kubernetes Ephemeral Containers to be in widespread use in order to facilitate debugging of the proxy or control plane once distroless images are in use. This is apparently beta in Kubernetes 1.21.

Bugs

Approvals

  • The appropriate work group(s) have reviewed and approved promotion of the feature.
  • The supportability review panel has reviewed promotion of the feature.
  • The TOC has reviewed and approved promotion of the feature as part of the
    road map for a release.
@brian-avery
Member

Re: alpha checklist, something that's beta should be able to meet all of the requirements of alpha.

@brian-avery
Member

brian-avery commented Mar 24, 2021
