Typically, decK is installed on a developer machine or CICD pipeline runner and manages the state of Kong Gateway remotely. If you add decK inside the docker image, then you are coupling the availability of the tools as well as their versions. I’d recommend running them as individual docker containers or running the gateway as a docker container and decK on your developer machine.
Generally speaking, IMHO deck is used to apply/alter a Kong Gateway configuration. Kong deck need to read the configuration that can contain secrets or other reserved information so I think is not a good idea having and using deck deployed within the same container of the Kong Gateway.
I agree with @rick it sould be run externally in a CI/CD pipeline runner or outside Kong Gateway and the communication between deck and Kong Gateway should be secured with HTTPS and related authentication (via RBAC token).