Custom / private images
Per-customer image catalogs, the overlay pattern, and how to request additions.
If your stack needs a hardened image we don't already publish, we'll build it for you and host it either in our public ECR (if it's broadly useful) or in a private per-customer ECR.
The overlay pattern
For most customer-specific needs (a particular agent JAR, a sidecar binary, a runtime config), the right structure is a thin customer-owned overlay image on top of our hardened base:
# Multi-stage extract — the heavy work happens in a throwaway builder
FROM debian:trixie-slim AS extract
RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates \
    && curl -fsSL <agent-url> -o /tmp/agent.deb \
    && dpkg-deb -x /tmp/agent.deb /extract
# Final stage — our distroless deploy image + just the binaries you need
FROM <your-registry>/java17-deploy:17.0.19-r0
COPY --from=extract /extract/usr/bin/<binary> /usr/bin/<binary>
COPY --from=extract /extract/etc/<config> /etc/<config>
USER nonroot
ENTRYPOINT ["/opt/java/openjdk/bin/java", "-javaagent:/usr/bin/<binary>.jar", "-jar", "/app/your-app.jar"]

This pattern preserves the distroless property of our deploy image while letting you add exactly what you need on top.
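A CI check for the overlay pattern above, as an added example that is not PodArmor's own code: it parses a Dockerfile and inspects only the final stage. The three rules (no RUN or ADD in the final stage, exec-form ENTRYPOINT/CMD, an explicit non-root USER) are assumptions about what keeping the deploy image distroless means in practice, and the registry and URL in the sample are constructed.

```python
import re

# Constructed sample: the page's overlay Dockerfile with made-up values in place of its placeholders.
SAMPLE = """\
FROM debian:trixie-slim AS extract
RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates \\
    && curl -fsSL https://downloads.example.invalid/agent.deb -o /tmp/agent.deb \\
    && dpkg-deb -x /tmp/agent.deb /extract
FROM registry.example.invalid/java17-deploy:17.0.19-r0
COPY --from=extract /extract/usr/bin/agent /usr/bin/agent
USER nonroot
ENTRYPOINT ["/opt/java/openjdk/bin/java", "-jar", "/app/your-app.jar"]
"""

def instructions(text):
    """Join backslash continuations, skip comments and blanks, return (KEYWORD, args) pairs."""
    pairs = []
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            pairs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return pairs

def lint_overlay(text):
    """Return findings for the final stage only; builder stages may do anything."""
    ins = instructions(text)
    froms = [i for i, (kw, _) in enumerate(ins) if kw == "FROM"]
    if not froms:
        return ["no FROM instruction found"]
    findings, user = [], None
    for kw, args in ins[froms[-1] + 1:]:
        if kw in ("RUN", "ADD"):
            # Assumed rule: package installs and downloads belong in the throwaway builder.
            findings.append(f"{kw} in final stage: move it to the builder stage")
        elif kw in ("ENTRYPOINT", "CMD") and not args.startswith("["):
            # Shell form needs /bin/sh, which a distroless image normally lacks.
            findings.append(f"{kw} uses shell form: use the exec (JSON array) form")
        elif kw == "USER":
            user = args.split(":")[0]  # the last USER in the stage wins
    if user in (None, "root", "0"):
        findings.append("final stage does not set a non-root USER")
    return findings

if __name__ == "__main__":
    for finding in lint_overlay(SAMPLE) or ["ok: final stage keeps the overlay thin"]:
        print(finding)
```
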
Requesting a new image
If an overlay isn't enough (for example, you need a hardened image of a runtime we don't carry today), file a feature request through the portal:
- Click the PodArmor logo or your user-menu avatar
- Choose "Send feedback / request"
- Pick "Feature request" as the type
- Describe the use case (what upstream image you're trying to replace, what your runtime looks like, any specific constraints like FIPS or arch requirements)
The PodArmor team triages every request in the admin inbox and replies by email. If multiple customers need the same image, it ships as a first-class catalog entry; if it's unique to your account, it ships as a private image in your ECR.
Per-customer access controls
Private catalogs are isolated by the standard portal access matrix:
- Tenant scope: which images your organisation can see at all
- User scope: within an organisation, which images individual users can pull
- Role scope: admin / user / viewer (see Access management)
The matrix is editable from the portal's Access page (admin-only).