cleanstart/envoy

Verified Publisher

By CleanStart

Updated 2 days ago

Secure by Design, Built for Speed, Hardened Container Images on a minimal base CleanStart OS.

Image
Networking
Security
Monitoring & observability
0

10K+

cleanstart/envoy repository overview

Container Documentation for Envoy Documentation The CleanStart Envoy image provides a production-ready, security-hardened container optimized for enterprise environments. Built on a minimal base OS with comprehensive security hardening, this image delivers reliable application execution with advanced security features.

📌 Base Foundation: Production-ready container from cleanstart.

Image Path: cleanstart/envoy:latest

Registry: cleanstart Registry

Key Features Core capabilities and strengths of this container

Common Use Cases Typical scenarios where this container excels

Pull Latest Image Download the container image from the registry

docker pull cleanstart/envoy:latest
docker pull cleanstart/envoy:latest-dev

Minimal envoy.yaml Example

A minimal configuration to get Envoy running on port 8080 with an admin interface on port 9901:

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                direct_response:
                  status: 200
                  body:
                    inline_string: "Envoy is running\n"
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901

# Note: check port availability

Basic Run Run the container with basic configuration

docker run -it --name envoy \
  -v ~/envoy.yaml:/etc/envoy/envoy.yaml:ro \
  cleanstart/envoy:latest \
  envoy -c /etc/envoy/envoy.yaml

Production Deployment Deploy with production security settings

docker run -d --name envoy-prod \
  --security-opt=no-new-privileges \
  --user 1000:1000 \
  --restart unless-stopped \
  -p 8080:8080 \
  -p 9901:9901 \
  -v ~/envoy.yaml:/etc/envoy/envoy.yaml:ro \
  cleanstart/envoy:latest \
  envoy -c /etc/envoy/envoy.yaml

Volume Mount Mount local directory for persistent data

docker run \
  -v /app:/app \
  -v ~/envoy.yaml:/etc/envoy/envoy.yaml:ro \
  cleanstart/envoy:latest \
  envoy -c /etc/envoy/envoy.yaml

Port Forwarding Run with custom port mappings

docker run \
  -p 8080:8080 \
  -p 9901:9901 \
  -v ~/envoy.yaml:/etc/envoy/envoy.yaml:ro \
  cleanstart/envoy:latest \
  envoy -c /etc/envoy/envoy.yaml

Verify the Container

curl http://localhost:8080
Expected output: Envoy is running

Check the admin endpoint health

curl http://localhost:9901/ready
Expected output: LIVE

Environment Variables Configuration options available through environment variables

VariableDefaultDescription
ENVproductionEnvironment mode
LOG_LEVELinfoLogging level

Security Best Practices Recommended security configurations and practices

Kubernetes Security Context Recommended security context for Kubernetes deployments

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsUser: 1000
  runAsGroup: 1000

Documentation Resources

Essential links and resources for further information

CleanStart Images: https://images.cleanstart.com/

Community Images:
Docker Hub: https://hub.docker.com/u/cleanstart
GitHub: https://github.com/cleanstart-containers
AWS ECR Public Gallery: https://gallery.ecr.aws/cleanstart/

Presence on Social Media:
Community: https://www.linkedin.com/groups/18324021/
YouTube: https://www.youtube.com/@CleanStartOfficial

Contribute to Container Use Cases: https://github.com/cleanstart-dev/cleanstart-use-cases/


Vulnerability Disclaimer CleanStart offers Docker images that include third-party open-source libraries and packages maintained by independent contributors. While CleanStart maintains these images and applies industry-standard security practices, it cannot guarantee the security or integrity of upstream components beyond its control.

Users acknowledge and agree that open-source software may contain undiscovered vulnerabilities or introduce new risks through updates. CleanStart shall not be liable for security issues originating from third-party libraries, including but not limited to zero-day exploits, supply chain attacks, or contributor-introduced risks.

Security remains a shared responsibility: CleanStart provides updated images and guidance where possible, while users are responsible for evaluating deployments and implementing appropriate controls.

Tag summary

Content type

Image

Digest

sha256:6635a1738

Size

106.7 MB

Last updated

2 days ago

docker pull cleanstart/envoy:1.38.3-arm64