Looking at Docker Hub Istio provides the option using distroless images since version 1.3.0.
As it is always a good idea on a Kubernetes cluster to reduce the attack surface, especially when running a managed Kubernetes cluster like Azure Kubernetes Service, using distroless images is one option of it.
Per default Istio does not use the distroless image versions. So, you need to opt in for it. I encourage you to do so as a service mesh is one of your critical key components in your AKS cluster. Assuming you use a service mesh implementation like Istio.
The opt-in using distroless images in Istio can be done globally via the IstioOperator API.
Looking at the configurations for Istio 1.6.8 and 1.7.0 there is only a slight difference depending whether or not you enabled the Istio CNI plugin.
1.6.8 configuration example
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
tag: 1.6.8-distroless
...
components:
cni:
enabled: true
tag: 1.6.8
...
1.7.0 configuration example
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: tag: 1.7.0-distroless ...
The Istio CNI plugin first supports distroless images with version 1.7.0. Thus, you use in version 1.6.8 the default image for the CNI plugin.
You find the IstioOperator API templates for Istio 1.6.8 and 1.7.0 in my GitHub repository.
-> https://github.com/neumanndaniel/kubernetes/blob/master/istio/istio-1.6.yaml
-> https://github.com/neumanndaniel/kubernetes/blob/master/istio/istio-1.7.yaml