docker: Use distroless as base image

This is to improve the security posture of cilium/proxy running in the
deamonset mode. Distroless images come in different variants and the one
being used here is the most basic one that only contains the following:

- ca-certificates
- A /etc/passwd entry for a root, nonroot and nobody users
- A /tmp directory
- tzdata

Relates: cilium/cilium#23217

Dockerfile

@@ -14,6 +14,15 @@ ARG BUILDER_BASE=quay.io/cilium/cilium-envoy-builder:6.1.0-latest
 #
 ARG ARCHIVE_IMAGE=builder-fresh
 
+#
+# BASE_IMAGE is the final image to use for the release stage.
+# The default is a distroless image with a non-root user, and below packages
+#   - ca-certificates
+#   - A /etc/passwd entry for a root, nonroot and nobody users
+#   - A /tmp directory
+#   - tzdata
+ARG BASE_IMAGE=gcr.io/distroless/static-debian11:nonroot@sha256:6a3500b086c2856fbc189f5d11351bdbcf7c4dc5673c2b6070aac9d607da90d7
+
 FROM --platform=$BUILDPLATFORM $BUILDER_BASE as proxylib
 WORKDIR /go/src/github.com/cilium/proxy
 COPY --chown=1337:1337 . ./
@@ -108,12 +117,10 @@ COPY --from=check-format /cilium/proxy/format-output.txt /
 #
 # Extract installed cilium-envoy binaries to an otherwise empty image
 #
-FROM docker.io/library/ubuntu:22.04@sha256:f9d633ff6640178c2d0525017174a688e2c1aef28f0a0130b26bd5554491f0da
+FROM ${BASE_IMAGE} as release
 LABEL maintainer="maintainer@cilium.io"
-# install ca-certificates package
-RUN apt-get update && apt-get upgrade -y \
-    && apt-get install --no-install-recommends -y ca-certificates \
-    && apt-get autoremove -y && apt-get clean \
-    && rm -rf /tmp/* /var/tmp/* \
-    && rm -rf /var/lib/apt/lists/*
-COPY --from=builder /tmp/install /
+COPY --from=builder /usr/lib/libcilium.so /usr/lib/libcilium.so
+COPY --from=builder /usr/bin/cilium-envoy /usr/bin/cilium-envoy-starter /usr/bin/
+
+# use uid:gid for the nonroot user for compatibility with runAsNonRoot
+USER 1337:1337