Install Kong Gateway using the distroless image

Uses: Kong Gateway
TL;DR

Pull kong/kong-gateway:3.15.0.0-distroless and run it with configuration passed via environment variables. The distroless image has no shell, so you must configure Kong Gateway at container startup.

Prerequisites

This guide requires Docker installed on your system.

Set your Kong Gateway license as an environment variable:

export KONG_LICENSE_DATA='<your-license-json>'

Pull the distroless image

Pull the Kong Gateway distroless image from Docker Hub:

docker pull kong/kong-gateway:3.15.0.0-distroless

The distroless image is available for linux/amd64 and linux/arm64. Docker pulls the correct variant automatically based on your host architecture.

Create a Docker network

Create a dedicated network for Kong Gateway:

docker network create kong-net

Create a declarative configuration file

In DB-less mode, you provide your Gateway configuration in a YAML file at startup.

Create a directory for your Kong configuration:

mkdir -p declarative

Then, create a kong.yml file with your entire Gateway configuration. For example, the following file creates a Service and a Route:

cat <<EOF > declarative/kong.yml
_format_version: "3.0"
services:
- name: example-service
  url: http://httpbin.konghq.com
  routes:
  - name: example-route
    paths:
    - /anything
    protocols:
    - http
    - https
EOF

Start Kong Gateway

Run the distroless container, mounting the declarative configuration file and passing all settings via environment variables:

docker run -d \
  --name kong-distroless \
  --network kong-net \
  -v "$(pwd)/declarative:/kong/declarative" \
  -e KONG_DATABASE=off \
  -e KONG_DECLARATIVE_CONFIG=/kong/declarative/kong.yml \
  -e KONG_PROXY_ACCESS_LOG=/dev/stdout \
  -e KONG_PROXY_ERROR_LOG=/dev/stderr \
  -e KONG_ADMIN_ACCESS_LOG=/dev/stdout \
  -e KONG_ADMIN_ERROR_LOG=/dev/stderr \
  -e KONG_ADMIN_LISTEN="0.0.0.0:8001" \
  -e KONG_LICENSE_DATA="$KONG_LICENSE_DATA" \
  -p 8000:8000 \
  -p 8001:8001 \
  kong/kong-gateway:3.15.0.0-distroless

Because the distroless image has no shell, all Kong Gateway configuration must be passed as environment variables (KONG_*) or in a mounted kong.conf file. You cannot run kong commands inside the container after it starts.
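The run command above publishes the Admin API on every host interface (KONG_ADMIN_LISTEN="0.0.0.0:8001" together with -p 8001:8001). Because nothing can be inspected from inside the distroless container, the following added example, which is not part of the Kong documentation, checks the published ports from the host by parsing docker port output. The function name admin_api_exposure and both sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag an Admin API port that is published on a non-loopback
# host address. Input is the text printed by `docker port <container>`.

ADMIN_PORT=8001   # container port from KONG_ADMIN_LISTEN in the guide

# Reads `docker port` lines on stdin, e.g. "8001/tcp -> 0.0.0.0:8001".
# Prints every host binding of the Admin API port that is not loopback.
# Returns 0 if the port is unpublished or loopback-only, 1 otherwise.
admin_api_exposure() {
  local port="${1:-$ADMIN_PORT}" exposed=0 cport arrow bind host
  while read -r cport arrow bind; do
    [ "$cport" = "${port}/tcp" ] || continue
    host="${bind%:*}"          # drop ":<hostport>", keeps "[::]" intact
    case "$host" in
      127.*|"[::1]") ;;        # loopback: reachable from this host only
      *) echo "Admin API published on $bind"; exposed=1 ;;
    esac
  done
  return "$exposed"
}

# Constructed output for the guide's `-p 8000:8000 -p 8001:8001` flags,
# which bind all host interfaces (IPv4 and IPv6).
SAMPLE_GUIDE='8000/tcp -> 0.0.0.0:8000
8001/tcp -> 0.0.0.0:8001
8001/tcp -> [::]:8001'

# Constructed output after publishing with `-p 127.0.0.1:8001:8001`.
SAMPLE_LOOPBACK='8000/tcp -> 0.0.0.0:8000
8001/tcp -> 127.0.0.1:8001'

for sample in "$SAMPLE_GUIDE" "$SAMPLE_LOOPBACK"; do
  if printf '%s\n' "$sample" | admin_api_exposure; then
    echo "OK: Admin API is loopback-only or unpublished"
  else
    echo "WARN: restrict with -p 127.0.0.1:${ADMIN_PORT}:${ADMIN_PORT}"
  fi
done
# Against a live container: docker port kong-distroless | admin_api_exposure
```

KONG_ADMIN_LISTEN stays at 0.0.0.0:8001 inside the container so that Docker's port mapping can reach it; the restriction is applied on the host side of the -p flag.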

Validate

First, check that Kong Gateway is running by querying the Admin API on port 8001:

curl -X GET "http://localhost:8001/services" \
     --no-progress-meter --fail-with-body 

You should get a 200 response with a list of Gateway Services.

Then, access a configured Route through the proxy URL on port 8000:

curl "http://localhost:8000/anything" \
     --no-progress-meter --fail-with-body 

This should return a 200 response, this time with the results from your Route.

FAQs

The distroless image contains only the Kong Gateway runtime and its dependencies. It has no shell, package manager, or OS tooling, which reduces the image’s attack surface and can simplify security scanning.

No. The distroless image has no shell. Use environment variables or mounted config files to configure Kong Gateway instead of running commands inside the container.

Yes. Pull kong/kong-gateway:3.15.0.0-distroless-fips and set KONG_FIPS=on. See FIPS support for additional configuration requirements.

Yes. The distroless image supports the same deployment modes as other Kong Gateway images. This guide uses DB-less mode, which requires no separate database container.

If you need a database-backed deployment, start a Postgres container first and run kong migrations bootstrap before starting the Gateway. See Install Kong Gateway using Docker Compose for a database-backed example.
