GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.
Apache License 2.0
18.65k stars 1.14k forks

iptables-only image or maintainable way to build custom images #1333

Open howardjohn opened 1 year ago

howardjohn commented 1 year ago

Istio currently maintains a small fork to build a custom image that is basically base + iptables.

This is a bit painful, as maintaining a fork is not easy to keep up with and the bazel and .deb fetching experience is rough.

To ease this, it would help to either have:

  1. An official iptables image, that has exactly the packages we have and nothing more (I realize this is very demanding/picky, but want to be upfront on what would be required for us to adopt a different image - in particular, there must be no openssl).
  2. An easier way to build our own custom images. For example, building the same(ish) image with apko is pretty trivial:
```yaml
contents:
  repositories:
    - https://packages.wolfi.dev/os
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  packages:
    - ca-certificates-bundle
    - glibc
    - iptables
    - wolfi-baselayout
archs:
  - x86_64
  - aarch64
paths:
  - path: /run
    type: directory
    permissions: 0o755
accounts:
  users:
    - username: nobody
      uid: 65532
    - username: nobody
      uid: 65534
  run-as: 65532
work-dir: /home/nonroot
```
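The hard requirement stated in the comment above is that the image contains exactly the listed packages and, in particular, no openssl. Whether the image is built with apko or with the distroless bazel rules, that is worth enforcing in CI rather than by inspection. The script below is an added example and not code from the distroless or Istio projects or from the commenter: it reads the apk package database that Wolfi-based images keep at `/lib/apk/db/installed` (blank-line separated stanzas of `X:value` records, where `P:` is the package name), checks every installed package against a reviewed allowlist and a hard denylist, and fails on any offender. The two package databases embedded in it are constructed for the demo; `list_installed`, `audit_db`, `ALLOWED` and `DENIED` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the distroless or Istio projects: audit the apk
# package database of a built image against an explicit allowlist and a
# denylist, so CI rejects an image that carries anything beyond the packages
# named in the apko config, in particular openssl.
#
# In a real pipeline the database is pulled from the built image, e.g.:
#   docker create --name tmp <image>; docker cp tmp:/lib/apk/db/installed .
# Here two constructed databases are embedded so the script runs offline.

# The resolved package set you have reviewed and accepted. apk installs
# dependencies, so after the first build this list is the *resolved* set,
# not necessarily just the four names in the apko config.
ALLOWED="ca-certificates-bundle glibc iptables wolfi-baselayout"

# Packages that must never appear, however they were pulled in.
DENIED="openssl libssl3 libcrypto3"

# list_installed DB: print the name (P: field) of every package stanza.
# Stanzas in /lib/apk/db/installed are blank-line separated "X:value" records.
list_installed() {
    awk -F: '$1 == "P" { print $2 }' "$1"
}

# audit_db DB ALLOWED: return 0 if every installed package is in ALLOWED and
# none is in DENIED; otherwise print each offender and return 1.
# A package that is both allowlisted and denylisted is reported as DENIED.
audit_db() {
    db=$1
    allowed=$2
    rc=0
    for pkg in $(list_installed "$db"); do
        status=UNLISTED
        for a in $allowed; do
            [ "$pkg" = "$a" ] && status=ok
        done
        for d in $DENIED; do
            [ "$pkg" = "$d" ] && status=DENIED
        done
        if [ "$status" != ok ]; then
            echo "$status: $pkg"
            rc=1
        fi
    done
    return "$rc"
}

# --- constructed sample databases (versions are made up for the demo) ---
GOOD_DB=$(mktemp)
cat > "$GOOD_DB" <<'EOF'
P:wolfi-baselayout
V:20230201-r0
A:x86_64
T:wolfi base layout

P:glibc
V:2.37-r0
A:x86_64
D:wolfi-baselayout

P:ca-certificates-bundle
V:20230311-r0
A:x86_64

P:iptables
V:1.8.9-r0
A:x86_64
U:https://www.netfilter.org/projects/iptables/
D:glibc
EOF

# Same image plus a dependency nobody reviewed and an openssl package.
BAD_DB=$(mktemp)
cat "$GOOD_DB" > "$BAD_DB"
cat >> "$BAD_DB" <<'EOF'

P:libmnl
V:1.0.5-r0
A:x86_64

P:openssl
V:3.1.0-r0
A:x86_64
D:glibc
EOF

echo "== good image =="
audit_db "$GOOD_DB" "$ALLOWED" && echo "ok: only allowlisted packages"
echo "== bad image =="
audit_db "$BAD_DB" "$ALLOWED" || echo "rejected"
```

The allowlist is deliberately the exact resolved set rather than the apko `packages:` list: apk pulls in dependencies, and the point of the check is that any new transitive package (a `libmnl` appearing after an iptables bump, say) shows up as a CI failure to be reviewed, while openssl is refused outright even if someone adds it to the allowlist by mistake.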
howardjohn commented 1 year ago

Actually a lower effort middle ground may just be to add the packages to https://github.com/GoogleContainerTools/distroless/blob/main/debian_packages.yaml (and maybe similar files, not sure just that one is sufficient). I think that would allow us to just import the repo and use our BUILD file without forking. Still a bit painful dealing with bazel, but not as bad as a fork.

loosebazooka commented 1 year ago

Yeah I think someone was interested in moving the necessary items into rules_distroless, I need to followup on that.