
Java images

Hardened JRE + JDK runtimes built on Eclipse Temurin.

PodArmor's Java family is built on Eclipse Temurin (the LF-stewarded open-source OpenJDK distribution), extracted from Adoptium's sha256-verified tarballs. It is the same JDK every reputable hardened-image vendor uses.

Variants

Two flavours per Java major version:

  • -deploy — runtime-only. Distroless Debian 13 base, non-root (UID 65532), no shell, no package manager, no SUID binaries. Bundles only the Temurin JRE. Use as the final stage of a multi-stage Dockerfile.
  • -build — full build environment. Debian 13 trixie-slim base with an aggressive dpkg --force-all purge of every package Maven doesn't actually exercise (no apt, no systemd, no util-linux, no sqlite). Bundles Temurin JDK + Maven. Use as a CI build image.

Pin to immutable epoch tags

Every image follows the Chainguard-style {upstream-version}-r{epoch} scheme:

| Variant | Pin to (immutable) | Rolling alias |
|---|---|---|
| Java 17 JRE (deploy) | :17.0.19-r0 | :17.0.19, :latest |
| Java 25 JRE (deploy) | :25.0.3-r0 | :25.0.3, :latest |
| Maven 3.8.3 + JDK 17 (build) | :3.8.3-r1 | :3.8.3, :latest |
| Maven 3.9.11 + JDK 25 (build) | :25.0.3-r1 | :25.0.3, :latest |

The r{epoch} suffix is PodArmor's rebuild counter. A new epoch means the same upstream Temurin/Maven version with different image content (Debian patches absorbed, packages re-purged, base image bumped). r0 is the original build; each rebuild increments the counter.
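
A CI check for the pinning rule above, as an added example (not PodArmor's own tooling): it scans a Dockerfile's FROM lines and reports any base image referenced by a rolling alias or by no tag at all, instead of an {upstream-version}-r{epoch} tag or a digest. The sample Dockerfile is constructed from the registry path and image names shown on this page; the function names are hypothetical.

```python
import re

# Immutable pin per the scheme above: {upstream-version}-r{epoch}, e.g. 17.0.19-r0
EPOCH_TAG = re.compile(r"^\d+(?:\.\d+)*-r\d+$")
# FROM [--flag=value ...] <ref> [AS <stage>]
FROM_LINE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)

# Constructed sample Dockerfile: one pinned base, two rolling aliases.
SAMPLE = """\
FROM public.ecr.aws/e8w9b9r7/podarmor/maven-jdk17:3.8.3-r1 AS build
RUN mvn package -DskipTests
FROM public.ecr.aws/e8w9b9r7/podarmor/java17-deploy:17.0.19
COPY --from=build /workspace/target/app.jar /app/app.jar
FROM build AS test
FROM --platform=linux/amd64 public.ecr.aws/e8w9b9r7/podarmor/java17-deploy:latest
"""


def classify_ref(ref):
    """Return 'digest', 'epoch', 'rolling' or 'untagged' for an image reference."""
    if "@sha256:" in ref:
        return "digest"
    # Look for the tag only after the last '/', so a registry port
    # (localhost:5000/img) is not mistaken for a tag.
    name = ref.rsplit("/", 1)[-1]
    if ":" not in name:
        return "untagged"  # Docker resolves a missing tag to :latest
    tag = name.split(":", 1)[1]
    return "epoch" if EPOCH_TAG.match(tag) else "rolling"


def unpinned_bases(dockerfile_text):
    """Return (line_no, ref, kind) for each FROM that pulls a mutable reference."""
    stages, findings = set(), []
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        ref, alias = m.groups()
        # 'scratch' and names of earlier stages are not registry pulls.
        local = ref == "scratch" or ref.lower() in stages
        if alias:
            stages.add(alias.lower())
        if not local and classify_ref(ref) in ("rolling", "untagged"):
            findings.append((no, ref, classify_ref(ref)))
    return findings
```

Calling unpinned_bases(SAMPLE) flags lines 3 and 6; a CI job can fail the build whenever the returned list is non-empty.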

How they compose

The expected pattern in your Dockerfile:

# Stage 1: build with the heavier build image
FROM <your-registry>/maven-jdk17:3.8.3-r1 AS build
COPY . /workspace
WORKDIR /workspace
RUN mvn package -DskipTests

# Stage 2: deploy with the distroless runtime
FROM <your-registry>/java17-deploy:17.0.19-r0
COPY --from=build /workspace/target/app.jar /app/app.jar
ENTRYPOINT ["/opt/java/openjdk/bin/java", "-jar", "/app/app.jar"]

The build stage is discarded from the final image: only the JRE and your compiled artifact ship to production.

<your-registry> is one of:

  • public.ecr.aws/e8w9b9r7/podarmor for public images
  • <your-account-id>.dkr.ecr.<your-region>.amazonaws.com/podarmor for the private per-account catalog (if your account has one)

Customer overlay pattern

If your deploy image needs additional runtime dependencies (e.g. a MongoDB cryptd binary, an OpenTelemetry agent, custom certs), the right place to add them is a customer-owned overlay image that uses our deploy image as its FROM. The deploy image stays distroless and minimal; your overlay layers in only what your application needs.

See Custom images for the full overlay pattern.
