iptables-only image or maintainable way to build custom images
Istio currently maintains a small fork to build a custom image that is basically base + iptables.
This is a bit painful, as maintaining a fork is not easy to keep up with and the bazel and .deb fetching experience is rough.
To ease this, it would help to either have:
- An official `iptables` image, that has exactly the packages we have and nothing more (I realize this is very demanding/picky, but want to be upfront on what would be required for us to adopt a different image - in particular, there must be no openssl).
- An easier way to build our own custom images. For example, building the same(ish) image with `apko` is pretty trivial:
```yaml
contents:
  repositories:
    - https://packages.wolfi.dev/os
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  packages:
    - ca-certificates-bundle
    - glibc
    - iptables
    - wolfi-baselayout

archs:
  - x86_64
  - aarch64

paths:
  - path: /run
    type: directory
    permissions: 0o755

accounts:
  users:
    - username: nobody
      uid: 65532
    - username: nobody
      uid: 65534
  run-as: 65532

work-dir: /home/nonroot
```
Actually, a lower-effort middle ground may just be to add the packages to https://github.com/GoogleContainerTools/distroless/blob/main/debian_packages.yaml (and maybe similar files, not sure just that one is sufficient). I think that would allow us to just import the repo and use our BUILD file without forking. Still a bit painful dealing with bazel, but not as bad as a fork.
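The "exactly these packages and no openssl" requirement above is only enforceable after the build, because apko (and any apt/deb-based build) resolves transitive dependencies that never appear in the config. The following is an added example, not code from this issue, Istio, distroless or apko: it parses the apk installed-package database that apko writes into the image at `/lib/apk/db/installed` (same record format as Alpine's `apk` database: one record per package, blank-line separated, single-letter field keys such as `P:` name, `D:` depends, `p:` provides), flags anything outside an explicit allowlist, flags OpenSSL-looking packages, and reports which package dragged each denied one in. The database text, package versions and the `example-tool` package are constructed for the demonstration; the allowlist is the four packages from the apko config plus two constructed transitive deps.

```python
"""Audit the package set of an apko/Wolfi-built image (added example).

Pull the real database with something like:
    docker run --rm <image> cat /lib/apk/db/installed > installed.txt
and pass its contents to audit().
"""
import re
from typing import Dict, List, Set

# Record fields we keep: P (name), V (version), D (depends), p (provides).
# File lists, checksums etc. are skipped.
_KEEP = {"P", "V", "D", "p"}

# Anything that looks like OpenSSL is forbidden in this image.
DENIED_PATTERNS = [r"^openssl($|-)", r"^libssl", r"^libcrypto"]

# Packages from the apko config plus transitive deps we reviewed and accept
# (libmnl/libnftnl are assumed here, not taken from the issue).
ALLOWED = {
    "ca-certificates-bundle", "glibc", "iptables", "wolfi-baselayout",
    "libmnl", "libnftnl",
}

# Constructed sample database: the last two records model a stray package
# that pulls OpenSSL into the image. Versions are made up.
SAMPLE_DB = """\
P:wolfi-baselayout
V:20230201-r7
A:x86_64
T:Base filesystem layout

P:glibc
V:2.38-r10
p:so:libc.so.6=6 so:ld-linux-x86-64.so.2=2
F:usr/lib
R:libc.so.6

P:ca-certificates-bundle
V:20230506-r0

P:iptables
V:1.8.10-r0
D:so:libc.so.6 so:libmnl.so.0 so:libnftnl.so.11

P:libmnl
V:1.0.5-r0
D:so:libc.so.6
p:so:libmnl.so.0=0

P:libnftnl
V:1.2.6-r0
D:so:libc.so.6 so:libmnl.so.0
p:so:libnftnl.so.11=11

P:openssl
V:3.1.4-r0
D:so:libc.so.6
p:so:libssl.so.3=3 so:libcrypto.so.3=3

P:example-tool
V:0.1-r0
D:so:libc.so.6 so:libssl.so.3
"""

# Same database without the two offending records (they are the last two).
CLEAN_DB = SAMPLE_DB.split("P:openssl")[0]


def parse_installed_db(text: str) -> List[Dict[str, str]]:
    """Split the installed DB into one dict per package, keyed by field letter."""
    packages: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line terminates a record
            if current:
                packages.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and key in _KEEP and key not in current:
            current[key] = value.strip()
    if current:
        packages.append(current)
    return packages


def _strip_version(token: str) -> str:
    """'so:libssl.so.3=3' -> 'so:libssl.so.3'; 'libmnl>=1.0' -> 'libmnl'."""
    return re.split(r"[<>=~]", token, maxsplit=1)[0]


def dependents_of(packages: List[Dict[str, str]], target: str) -> Set[str]:
    """Packages whose D: field names `target` or something it provides."""
    provided = {target}
    for pkg in packages:
        if pkg["P"] == target:
            provided |= {_strip_version(t) for t in pkg.get("p", "").split()}
    result: Set[str] = set()
    for pkg in packages:
        deps = {_strip_version(t) for t in pkg.get("D", "").split()}
        if pkg["P"] != target and deps & provided:
            result.add(pkg["P"])
    return result


def audit(db_text: str, allowed: Set[str], denied_patterns=DENIED_PATTERNS) -> dict:
    """Return installed names, unexpected names, denied names with their dependents."""
    packages = parse_installed_db(db_text)
    names = sorted(p["P"] for p in packages)
    unexpected = sorted(n for n in names if n not in allowed)
    denied = {
        n: sorted(dependents_of(packages, n))
        for n in names
        if any(re.match(pat, n) for pat in denied_patterns)
    }
    return {"installed": names, "unexpected": unexpected, "denied": denied,
            "ok": not unexpected and not denied}


if __name__ == "__main__":
    for label, db in (("sample", SAMPLE_DB), ("clean", CLEAN_DB)):
        print(label, audit(db, ALLOWED))
```

Run it against a freshly built image as a CI gate: a non-empty `unexpected` list means apko resolved something you have not reviewed, and a non-empty `denied` map tells you which package to remove rather than just that OpenSSL is present. The same logic applies to a Debian-based distroless image if you swap the parser for one that reads `/var/lib/dpkg/status`, whose `Package:`/`Depends:`/`Provides:` fields carry the same information.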
Yeah, I think someone was interested in moving the necessary items into rules_distroless; I need to follow up on that.