Java images
Hardened JRE + JDK runtimes built on Eclipse Temurin.
PodArmor's Java family is built on Eclipse Temurin (the LF-stewarded open-source OpenJDK distribution) extracted from Adoptium's sha256-verified tarballs. The same JDK every reputable hardened-image vendor uses.
Variants
Two flavours per Java major version:
- `-deploy` — runtime-only. Distroless Debian 13 base, non-root (UID 65532), no shell, no package manager, no SUID binaries. Bundles only the Temurin JRE. Use as the final stage of a multi-stage Dockerfile.
- `-build` — full build environment. Debian 13 trixie-slim base with an aggressive `dpkg --force-all` purge of every package Maven doesn't actually exercise (no apt, no systemd, no util-linux, no sqlite). Bundles Temurin JDK + Maven. Use as a CI build image.
Pin to immutable epoch tags
Every image follows the Chainguard-style {upstream-version}-r{epoch} scheme:
| Variant | Pin to (immutable) | Rolling alias |
|---|---|---|
| Java 17 JRE (deploy) | :17.0.19-r0 | :17.0.19, :latest |
| Java 25 JRE (deploy) | :25.0.3-r0 | :25.0.3, :latest |
| Maven 3.8.3 + JDK 17 (build) | :3.8.3-r1 | :3.8.3, :latest |
| Maven 3.9.11 + JDK 25 (build) | :25.0.3-r1 | :25.0.3, :latest |
The r{epoch} is PodArmor's rebuild counter. Same upstream Temurin/Maven version, different image content (Debian patches absorbed, packages re-purged, base image bumped). r0 is the original; each rebuild increments.
How they compose
The expected pattern in your Dockerfile:
```dockerfile
# Stage 1: build with the heavier build image
FROM <your-registry>/maven-jdk17:3.8.3-r1 AS build
COPY . /workspace
WORKDIR /workspace
RUN mvn package -DskipTests

# Stage 2: deploy with the distroless runtime
FROM <your-registry>/java17-deploy:17.0.19-r0
COPY --from=build /workspace/target/app.jar /app/app.jar
ENTRYPOINT ["/opt/java/openjdk/bin/java", "-jar", "/app/app.jar"]
```

The build image vanishes from the final layer — only the JRE + your compiled artifact ship to production.
<your-registry> is one of:
- `public.ecr.aws/e8w9b9r7/podarmor` for public images
- `<your-account-id>.dkr.ecr.<your-region>.amazonaws.com/podarmor` for the private per-account catalog (if your account has one)
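A CI check for the pinning rule, as an added example that is not PodArmor's own tooling: it scans a Dockerfile's FROM lines and reports every base image that is not pinned to a `{upstream-version}-r{epoch}` tag. The function name, the constructed sample Dockerfile, and the decision to accept `@sha256:` digest pins are assumptions made for this example.

```python
import re

# Immutable tag per the page's scheme: {upstream-version}-r{epoch}, e.g. 17.0.19-r0
EPOCH_TAG = re.compile(r"^\d+(?:\.\d+)*-r\d+$")
FROM_LINE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample: the build stage uses a rolling alias, the deploy stage is pinned.
SAMPLE = """\
FROM public.ecr.aws/e8w9b9r7/podarmor/maven-jdk17:3.8.3 AS build
RUN mvn package -DskipTests
FROM public.ecr.aws/e8w9b9r7/podarmor/java17-deploy:17.0.19-r0
COPY --from=build /workspace/target/app.jar /app/app.jar
"""


def unpinned_bases(dockerfile_text):
    """Return (line_no, image_ref, reason) for every FROM not pinned to an epoch tag."""
    findings, stages = [], set()
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        is_stage_ref = ref.lower() in stages
        if stage:
            stages.add(stage.lower())
        if is_stage_ref or ref.lower() == "scratch" or "@sha256:" in ref:
            continue  # earlier stage, empty base, or digest pin (assumed acceptable)
        if "$" in ref:
            findings.append((no, ref, "tag comes from a build ARG"))
            continue
        # A ':' followed by '/' is a registry port, not a tag separator.
        _, sep, tag = ref.rpartition(":")
        if not sep or "/" in tag:
            findings.append((no, ref, "no tag, resolves to :latest"))
        elif not EPOCH_TAG.match(tag):
            findings.append((no, ref, f"rolling alias :{tag}"))
    return findings


if __name__ == "__main__":
    for no, ref, reason in unpinned_bases(SAMPLE):
        print(f"line {no}: {ref}: {reason}")
```

Failing the build on a non-empty result keeps a rebuild of a rolling alias from silently changing what ships.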
Customer overlay pattern
If your deploy image needs additional runtime dependencies (e.g. a MongoDB cryptd binary, an OpenTelemetry agent, custom certs), the right place to add them is a customer-owned overlay image that uses our deploy image as its FROM. The deploy image stays distroless and minimal; your overlay layers in only what your application needs.
See Custom images for the full overlay pattern.