curl "$KONNECT_PROXY_URL/anything" \
--no-progress-meter --fail-with-body Install Kong Gateway using the distroless image
Pull kong/kong-gateway:3.15.0.0-distroless and run it with configuration passed via environment variables.
The distroless image has no shell, so you must configure Kong Gateway at container startup.
Prerequisites
Kong license
Set your Kong Gateway license as an environment variable:
export KONG_LICENSE_DATA='<your-license-json>'Pull the distroless image
Pull the Kong Gateway distroless image from Docker Hub:
docker pull kong/kong-gateway:3.15.0.0-distrolessThe distroless image is available for linux/amd64 and linux/arm64.
Docker pulls the correct variant automatically based on your host architecture.
Create a Docker network
Create a dedicated network for Kong Gateway:
docker network create kong-netCreate a declarative configuration file
In DB-less mode, you provide your Gateway configuration in a YAML file at startup.
Create a directory for your Kong configuration:
mkdir -p declarativeThen, create a kong.yml file with your entire Gateway configuration. For example, the following file creates a Service and a Route:
cat <<EOF > declarative/kong.yml
_format_version: "3.0"
services:
- name: example-service
url: http://httpbin.konghq.com
routes:
- name: example-route
paths:
- /anything
protocols:
- http
- https
EOFStart Kong Gateway
Run the distroless container, mounting the declarative configuration file and passing all settings via environment variables:
docker run -d \
--name kong-distroless \
--network kong-net \
-v "$(pwd)/declarative:/kong/declarative" \
-e KONG_DATABASE=off \
-e KONG_DECLARATIVE_CONFIG=/kong/declarative/kong.yml \
-e KONG_PROXY_ACCESS_LOG=/dev/stdout \
-e KONG_PROXY_ERROR_LOG=/dev/stderr \
-e KONG_ADMIN_ACCESS_LOG=/dev/stdout \
-e KONG_ADMIN_ERROR_LOG=/dev/stderr \
-e KONG_ADMIN_LISTEN="0.0.0.0:8001" \
-e KONG_LICENSE_DATA="$KONG_LICENSE_DATA" \
-p 8000:8000 \
-p 8001:8001 \
kong/kong-gateway:3.15.0.0-distrolessBecause the distroless image has no shell, all Kong Gateway configuration must be passed as environment variables (
KONG_*) or in a mountedkong.conffile. You cannot runkongcommands inside the container after it starts.
Validate
First, check that Kong Gateway is running by checking port 8000:
curl -X GET "$KONNECT_CONTROL_PLANE_URL/services" \
--no-progress-meter --fail-with-body curl -X GET "http://localhost:8001/services" \
--no-progress-meter --fail-with-body You should get a 200 response with a list of Gateway Services.
Then, access a configured Route through the proxy URL on port 8001:
curl "http://localhost:8000/anything" \
--no-progress-meter --fail-with-body This should return an 200 response, this time with the results from your Route.
FAQs
Why use the distroless image?
The distroless image contains only the Kong Gateway runtime and its dependencies. It has no shell, package manager, or OS tooling, which reduces the image’s attack surface and can simplify security scanning.
Can I get a shell inside the distroless container?
No. The distroless image has no shell. Use environment variables or mounted config files to configure Kong Gateway instead of running commands inside the container.
Is there a FIPS-compliant distroless image?
Yes. Pull kong/kong-gateway:3.15.0.0-distroless-fips and set KONG_FIPS=on.
See FIPS support for additional configuration requirements.
Can I run the distroless image with a database?
Yes. The distroless image supports the same deployment modes as other Kong Gateway images. This guide uses DB-less mode, which requires no separate database container.
If you need a database-backed deployment, start a Postgres container first and run kong migrations bootstrap before starting the Gateway.
See Install Kong Gateway using Docker Compose for a database-backed example.