linkerd · adleong · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025
@@ -1,5 +1,6 @@
-ARG RUNTIME_IMAGE=gcr.io/distroless/cc-debian12
 ARG BUILDPLATFORM=linux/amd64
+ARG RUNTIME_IMAGE=proxy-runtime:latest
+ARG TARGETARCH
 
 # Precompile key slow-to-build dependencies
 FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS go-deps
@@ -43,8 +44,33 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -mod=readonly ./pkg/...
 COPY proxy-identity proxy-identity
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /out/proxy-identity -mod=readonly -ldflags "-s -w" ./proxy-identity
 
-FROM $RUNTIME_IMAGE AS runtime
+## build proxy-init
+FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v48-go AS proxy-init
+WORKDIR /build
+ARG PROXY_INIT_REPO="linkerd/linkerd2-proxy-init"
+ARG PROXY_INIT_REF="proxy-init/v2.4.3"
+RUN --mount=type=secret,id=github \
+    export GITHUB_TOKEN_FILE=/run/secrets/github; \
+    git init --initial-branch=main . && \
+    git remote add origin https://github.com/${PROXY_INIT_REPO}.git && \
+    git fetch --depth 1 origin ${PROXY_INIT_REF} && \
+    git checkout --detach FETCH_HEAD
+RUN go mod download
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on \
+    go build -o /out/linkerd2-proxy-init -mod=readonly -ldflags "-s -w" -v ./proxy-init
+
+FROM $RUNTIME_IMAGE-$TARGETARCH AS runtime
 LABEL org.opencontainers.image.source=https://github.com/linkerd/linkerd2
+
+COPY --from=proxy-init /out/linkerd2-proxy-init /usr/lib/linkerd/linkerd2-proxy-init
+# Set sys caps for iptables utilities and proxy-init
+USER root
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-legacy-multi"]
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-nft-multi"]
+RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/lib/linkerd/linkerd2-proxy-init"]
+USER 65534
+
 COPY --from=fetch /build/target/proxy/LICENSE /usr/lib/linkerd/LICENSE
 COPY --from=fetch /build/proxy-version /usr/lib/linkerd/linkerd2-proxy-version.txt
 COPY --from=fetch /build/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy

@@ -2,6 +2,8 @@
 
 set -eu
 
+apko_version=v0.30.13
+
 if [ $# -ne 0 ]; then
     echo "no arguments allowed for ${0##*/}, given: $*" >&2
     exit 64
@@ -14,8 +16,11 @@ rootdir=$( cd "$bindir"/.. && pwd )
 . "$bindir"/_docker.sh
 # shellcheck source=_tag.sh
 . "$bindir"/_tag.sh
+# shellcheck source=_os.sh
+. "$bindir"/_os.sh
 
-dockerfile=$rootdir/Dockerfile-proxy
+dockerfile=$rootdir/Dockerfile.proxy
+runtime_image="proxy-runtime:${TAG:-$(head_root_tag)}"
 
 get_extra_options() {
     options=
@@ -25,9 +30,16 @@ get_extra_options() {
     echo "$options"
 }
 
+# Build proxy base image with apko
+go install chainguard.dev/apko@$apko_version
+export PATH=$PATH:$(go env GOPATH)/bin
+apko build "$rootdir/proxy-runtime.yml" "$runtime_image" "$rootdir/proxy-runtime.tar"
+docker load < "$rootdir/proxy-runtime.tar"
+
 # We want wordsplit for the extra options here:
 # shellcheck disable=SC2046
 docker_build proxy "${TAG:-$(head_root_tag)}" "$dockerfile" \
+  --build-arg RUNTIME_IMAGE="$runtime_image" \
   --build-arg LINKERD_VERSION="${TAG:-$(head_root_tag)}" \
   --build-arg LINKERD2_PROXY_REPO="${LINKERD2_PROXY_REPO:-linkerd/linkerd2-proxy}" \
   --build-arg LINKERD2_PROXY_VERSION="${LINKERD2_PROXY_VERSION:-$(cat .proxy-version)}" \

@@ -46,8 +46,9 @@ args:
 - --subnets-to-ignore
 - {{ .Values.proxyInit.skipSubnets | quote }}
 {{- end }}
-image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}}
-imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}}
+image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}}
+command: ["/usr/lib/linkerd/linkerd2-proxy-init"]
+imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
 name: linkerd-init
 {{ include "partials.resources" .Values.proxy.resources }}
 securityContext:

@@ -0,0 +1,31 @@
+contents:
+  repositories:
+    - https://packages.wolfi.dev/os
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  packages:
+    - ca-certificates-bundle
+    - glibc
+    - iptables
+    - ip6tables
+    - libnetfilter_conntrack
+    - libnfnetlink
+    - libmnl
+    - libgcc
+    - nftables-slim
+    - libcap-utils
+archs:
+  - x86_64
+  - aarch64
+paths:
+- path: /run
+  type: directory
+  permissions: 0o755
+accounts:
+  users:
+    - username: nonroot
+      uid: 65532
+    - username: nobody
+      uid: 65534
+  run-as: 65532
+work-dir: /home/nonroot