Distroless Docker image, not any more?

heavenly · January 20, 2026, 3:15pm

I remember a couple of months ago, the Docker image was distroless, meaning `FROM scratch`. More or less just a `/traefik` binary and that’s it. I remember even an official blog post bragging about it in the name of safety etc.

Today, I noticed now the Docker image is a full-blown Alpine. I suspect it happened via commit 39b0aa6650d94dd4c8320d23fae4e69986930cb9.

Why the change? Is it intentional?

I liked the safety-first approach that was taken. I’m running my image read-only (except `/tmp`) and take away all capabilities from its root user except `NET_BIND_SERVICE`:

read_only: true
cap_drop:
  - ALL
cap_add:
  - NET_BIND_SERVICE
security_opt:
  - "no-new-privileges"

bluepuma77 · January 20, 2026, 3:20pm

Quickly checked Docker hardened image for Traefik, they use Debian.

The mentioned commit as link. But it seems the change happened already 2 years ago (link).

heavenly · January 20, 2026, 3:59pm

Yes, the change was a while ago. But I don’t code review every version.

I was more interested into why traefik stepped back?

bluepuma77 · January 20, 2026, 8:43pm

That's probably a question for the devs. You can try your luck at Traefik Github.

Topic		Replies	Views
Is Treafik's Docker Image Distroless? Traefik v2 docker	2	519	June 2, 2021
Traefik as non-root should be default Traefik v2 docker	4	2414	November 25, 2022
Traefik docker hub image missing some arches Traefik v2 docker	3	633	October 2, 2021
Latest Docker image Traefik v2 docker	3	579	February 5, 2021
Traefik and Docker: A Discussion with Docker Captain, Bret Fisher Blog	0	490	January 18, 2020

Distroless Docker image, not any more?

Related topics