🐳 Docker Advanced

What is a distroless container image?

Why Interviewers Ask This

Senior Docker engineers are expected to reason about architecture, performance, and edge cases. This question separates mid-level from senior candidates by testing deep system-level understanding.

Answer

Distroless images are container images that contain only your application and its runtime dependencies: no shell (/bin/sh), no package manager (apt/apk), no general-purpose utilities. They are maintained by Google at gcr.io/distroless/.

Available variants:
- gcr.io/distroless/base: minimal glibc-based image, no shell
- gcr.io/distroless/nodejs20: Node.js runtime
- gcr.io/distroless/java17: Java runtime
- gcr.io/distroless/python3: Python runtime
- gcr.io/distroless/static: for statically linked Go binaries (no glibc at all)

Security benefits:
(1) Dramatically smaller attack surface: with no shell present, exploits that need to spawn a shell fail.
(2) No package manager, so an attacker who gains code execution cannot easily install additional tools.
(3) Fewer CVEs: far fewer packages are present to carry vulnerabilities.

Example multi-stage build with distroless (the first stage builds with the full node:20 image; only the build output and node_modules are copied into the distroless runtime stage):

FROM node:20 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM gcr.io/distroless/nodejs20
WORKDIR /app
COPY --from=builder /app/dist /app/dist
COPY --from=builder /app/node_modules /app/node_modules
CMD ["/app/dist/app.js"]

Debugging: distroless containers have no shell, so you cannot simply exec into them. Use the :debug tag variants, which add a BusyBox shell at /busybox/sh (for example docker exec -it <container> /busybox/sh), or use ephemeral debug containers in Kubernetes (kubectl debug).

Common Mistake

Many candidates answer correctly but can't explain the 'why'. Always be prepared to justify your answer with a concrete example or use case from your Docker experience.