Document how and why to use distroless variant (#4759)

* Document how and why to use distroless variant

Co-authored-by: Philipp Stehle <philipp.stehle@sap.com>

* Fix linting issues

Co-authored-by: Philipp Stehle <philipp.stehle@sap.com>
Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Clearify why distroless tag is available for non-distroless images

Co-authored-by: Philipp Stehle <philipp.stehle@sap.com>
Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Incorporate feedback.

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

.spelling

@@ -163,6 +163,7 @@ devops
 discuss.istio.io
 distro
 Distroless
+distroless
 Divya
 DNS
 docker-compose's
@@ -181,6 +182,7 @@ env
 etcd
 example.com
 ExecAction
+executables
 Exfiltrating
 ExternalName
 facto

content/about/feature-stages/index.md

@@ -107,7 +107,7 @@ The 'Authorization (RBAC)' runtime is considered Beta.  However, its API is stil
 | [Out of Process Mixer Adapters (gRPC Adapters)](https://github.com/istio/istio/wiki/Mixer-Out-Of-Process-Adapter-Dev-Guide) | Beta
 | [Istio CNI plugin](/docs/setup/kubernetes/additional-setup/cni/) | Alpha
 | IPv6 support for Kubernetes | Alpha
-| Distroless base images for Istio | Alpha
+| [Distroless base images for Istio](/docs/ops/security/harden-docker-images/) | Alpha
 
 {{< idea >}}
 Please get in touch by joining our [community](/about/community/) if there are features you'd like to see in our future releases!

content/docs/ops/security/harden-docker-images/index.md

@@ -0,0 +1,49 @@
+---
+title: Harden Docker Container Images
+description: Use hardened container images to reduce Istio's attack surface.
+weight: 80
+aliases:
+    - /help/ops/security/harden-docker-images
+---
+To ease the process of hardening docker images, Istio provides a set of images based on  [distroless images](https://github.com/GoogleContainerTools/distroless)
+
+{{< warning >}}
+The *distroless images* are work-in-progress.
+The following images haven't been updated to support *distroless*:
+
+- `proxyproxy`
+- `proxy_debug`
+- `kubectl`
+- `app_sidecar`
+
+For ease of the installation, they are available with a `-distroless` suffix.
+{{< /warning >}}
+
+## Install distroless images
+
+You should follow the [Installation Steps](/docs/setup/kubernetes/install/helm/) to setup Istio. You can pass the following parameter to `helm` to use the *distroless images*
+
+For [Option 1](/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template) use
+
+{{< text bash >}}
+$ helm template [...] --set global.tag={{< istio_full_version >}}-distroless
+{{< /text >}}
+
+For [Option 2](/docs/setup/kubernetes/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install)
+
+{{< text bash >}} use
+$ helm install [...] --set global.tag={{< istio_full_version >}}-distroless
+{{< /text >}}
+
+## Benefits
+
+Non-essential executables and libraries are no longer part of the images when using the distroless variant.
+
+- The attack surface is reduced. Include the smallest possible set of vulnerabilities.
+- The images are smaller, which allows faster start-up.
+
+See also the [Why should I use distroless images?](https://github.com/GoogleContainerTools/distroless#why-should-i-use-distroless-images) section in the official distroless README.
+
+{{< warning >}}
+Be aware that common debugging tools such as `bash`, `curl`, `netcat`, `tcpdump`, etc. are not available on distroless images.
+{{< /warning >}}