envoy
Secure by Design, Built for Speed, Hardened Container Images on a minimal base CleanStart OS.
10K+
Container Documentation for Envoy Documentation The CleanStart Envoy image provides a production-ready, security-hardened container optimized for enterprise environments. Built on a minimal base OS with comprehensive security hardening, this image delivers reliable application execution with advanced security features.
📌 Base Foundation: Production-ready container from cleanstart.
Image Path: cleanstart/envoy:latest
Registry: cleanstart Registry
Key Features Core capabilities and strengths of this container
Common Use Cases Typical scenarios where this container excels
Pull Latest Image Download the container image from the registry
docker pull cleanstart/envoy:latest
docker pull cleanstart/envoy:latest-dev
A minimal configuration to get Envoy running on port 8080 with an admin interface on port 9901:
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
direct_response:
status: 200
body:
inline_string: "Envoy is running\n"
http_filters:
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
admin:
address:
socket_address:
address: 0.0.0.0
port_value: 9901
# Note: check port availability
Basic Run Run the container with basic configuration
docker run -it --name envoy \
-v ~/envoy.yaml:/etc/envoy/envoy.yaml:ro \
cleanstart/envoy:latest \
envoy -c /etc/envoy/envoy.yaml
Production Deployment Deploy with production security settings
docker run -d --name envoy-prod \
--security-opt=no-new-privileges \
--user 1000:1000 \
--restart unless-stopped \
-p 8080:8080 \
-p 9901:9901 \
-v ~/envoy.yaml:/etc/envoy/envoy.yaml:ro \
cleanstart/envoy:latest \
envoy -c /etc/envoy/envoy.yaml
Volume Mount Mount local directory for persistent data
docker run \
-v /app:/app \
-v ~/envoy.yaml:/etc/envoy/envoy.yaml:ro \
cleanstart/envoy:latest \
envoy -c /etc/envoy/envoy.yaml
Port Forwarding Run with custom port mappings
docker run \
-p 8080:8080 \
-p 9901:9901 \
-v ~/envoy.yaml:/etc/envoy/envoy.yaml:ro \
cleanstart/envoy:latest \
envoy -c /etc/envoy/envoy.yaml
curl http://localhost:8080
curl http://localhost:9901/ready
Environment Variables Configuration options available through environment variables
| Variable | Default | Description |
|---|---|---|
| ENV | production | Environment mode |
| LOG_LEVEL | info | Logging level |
Security Best Practices Recommended security configurations and practices
Kubernetes Security Context Recommended security context for Kubernetes deployments
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
Essential links and resources for further information
CleanStart Images: https://images.cleanstart.com/
Community Images:
Docker Hub: https://hub.docker.com/u/cleanstart
GitHub: https://github.com/cleanstart-containers
AWS ECR Public Gallery: https://gallery.ecr.aws/cleanstart/
Presence on Social Media:
Community: https://www.linkedin.com/groups/18324021/
YouTube: https://www.youtube.com/@CleanStartOfficial
Contribute to Container Use Cases: https://github.com/cleanstart-dev/cleanstart-use-cases/
Vulnerability Disclaimer CleanStart offers Docker images that include third-party open-source libraries and packages maintained by independent contributors. While CleanStart maintains these images and applies industry-standard security practices, it cannot guarantee the security or integrity of upstream components beyond its control.
Users acknowledge and agree that open-source software may contain undiscovered vulnerabilities or introduce new risks through updates. CleanStart shall not be liable for security issues originating from third-party libraries, including but not limited to zero-day exploits, supply chain attacks, or contributor-introduced risks.
Security remains a shared responsibility: CleanStart provides updated images and guidance where possible, while users are responsible for evaluating deployments and implementing appropriate controls.
Content type
Image
Digest
sha256:6635a1738…
Size
106.7 MB
Last updated
2 days ago
docker pull cleanstart/envoy:1.38.3-arm64