DirectorySecurity AdvisoriesPricing
/
Sign in
Directory
istio-base logo

istio-base

packaged by Chainguard

Last changed
Request a free trial

Contact our team to test out this image for free. Please also indicate any other images you would like to evaluate.

Tags
Overview
Comparison
Provenance
Specifications
SBOM
Vulnerabilities
Advisories

Istio

Chainguard's redistribution of the Istio Helm charts, pre-configured with hardened Chainguard Images.

Prerequisites

Authentication is required to access these charts and their images. First, authenticate with Chainguard and configure your environment:

chainctl auth login
chainctl auth configure-docker --pull-token --save
helm registry login cgr.dev

Create an image pull secret for the cluster:

kubectl create secret docker-registry cgr-pull-secret \
  --docker-server=cgr.dev \
  --docker-username="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Username')" \
  --docker-password="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Secret')" \
  --namespace istio-system

Available Charts

ChartDescription

istio-base

Istio base chart (CRDs and cluster resources)

istio-istiod

Istio control plane

istio-gateway

Istio ingress/egress gateway

istio-cni

Istio CNI plugin

istio-ztunnel

Istio ztunnel for ambient mesh

Installation

Sidecar Mode

Install the components in order:

# 1. Base (CRDs and cluster resources)
helm install istio-base oci://cgr.dev/ORGANIZATION/charts/istio-base \
  --namespace istio-system \
  --create-namespace \
  --set defaultRevision=default \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 2. Istiod (control plane)
helm install istiod oci://cgr.dev/ORGANIZATION/charts/istio-istiod \
  --namespace istio-system \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 3. Gateway (optional)
kubectl create namespace istio-ingress
kubectl create secret docker-registry cgr-pull-secret \
  --docker-server=cgr.dev \
  --docker-username="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Username')" \
  --docker-password="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Secret')" \
  --namespace istio-ingress

helm install istio-gateway oci://cgr.dev/ORGANIZATION/charts/istio-gateway \
  --namespace istio-ingress \
  --set imagePullSecrets[0].name=cgr-pull-secret \
  --wait

Ambient Mode

For ambient mesh, install CNI and ztunnel:

# 1. Base
helm install istio-base oci://cgr.dev/ORGANIZATION/charts/istio-base \
  --namespace istio-system \
  --create-namespace \
  --set defaultRevision=default \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 2. Istiod with ambient profile
helm install istiod oci://cgr.dev/ORGANIZATION/charts/istio-istiod \
  --namespace istio-system \
  --set profile=ambient \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 3. CNI
helm install istio-cni oci://cgr.dev/ORGANIZATION/charts/istio-cni \
  --namespace istio-system \
  --set profile=ambient \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 4. Ztunnel
helm install ztunnel oci://cgr.dev/ORGANIZATION/charts/istio-ztunnel \
  --namespace istio-system \
  --set imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 5. Gateway (optional)
kubectl create namespace istio-ingress
kubectl create secret docker-registry cgr-pull-secret \
  --docker-server=cgr.dev \
  --docker-username="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Username')" \
  --docker-password="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Secret')" \
  --namespace istio-ingress

helm install istio-gateway oci://cgr.dev/ORGANIZATION/charts/istio-gateway \
  --namespace istio-ingress \
  --set imagePullSecrets[0].name=cgr-pull-secret \
  --wait

About These Charts

These are redistributions of the upstream Istio Helm charts. All upstream configuration options and documentation apply.

For full documentation, see: https://istio.io/latest/docs/setup/install/helm/

Licenses

Chainguard's container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:

  • ( GPL-2.0-or-later

  • Apache-2.0

  • BSD-2-Clause

  • BSD-2-Clause-NetBSD

  • BSD-3-Clause

  • CC-PDDC

  • GCC-exception-3.1

For a complete list of licenses, please refer to this Image's SBOM.

Software license agreement
Compliance

Chainguard Containers are SLSA Level 3 compliant with detailed metadata and documentation about how it was built. We generate build provenance and a Software Bill of Materials (SBOM) for each release, with complete visibility into the software supply chain.

SLSA compliance at Chainguard

This image helps reduce time and effort in establishing PCI DSS 4.0 compliance with low-to-no CVEs.

PCI DSS at Chainguard

A FIPS validated version of this image is available for FedRAMP compliance. STIG is included with FIPS image.

Related images
istio-base-fips logoFIPS
istio-base-fips
Category
Application

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0Golden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogPartnersNewsroomCareersLegal
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.