Image procurement approach

Did you know?

SDR requires additional enablement and licensing. Contact your Atlan representative for details.

Every SDR deployment has to decide where its container images come from. This is independent of your lifecycle mode and platform—you make the same procurement decision whether you run orchestrator or single-app, on Docker/Podman or Kubernetes. This page gives Atlan's recommendation.

Atlan's recommendation

  1. Default to public Atlan Docker Hub. Unless a security or network policy forbids egress to Docker Hub, pull Atlan images directly. This option has the least to operate: no replication pipeline, no drift, and you always get the exact published image. You only need the Docker Hub PAT from your Atlan representative.

  2. Mirror only if your policy requires it. If your organization blocks public registries or requires images to pass through an internal registry (scanning, approval, golden images), mirror Atlan images into your registry. Match how you already distribute other third-party images internally—reuse that scanning and approval pipeline rather than inventing a new one for SDR.

  3. If you mirror, pick the mechanism by how much your registry changes the image:

    • Same names and tags (you only change the host/prefix) → use a prefix rewrite (containerRegistryBase / container_registry.base in orchestrator mode; set the image reference directly in single-app mode).
    • Rebuilt, renamed, or re-tagged (names, tags, or SHAs differ) → use an image map in object storage (orchestrator mode), or set the exact image reference yourself (single-app mode).
  4. Always verify signatures before mirroring. Atlan signs every image with keyless Cosign—verify before pushing into your registry.

Rule of thumb: public Docker Hub unless policy says otherwise → prefix rewrite if your mirror is a faithful copy → image map if your mirror rebuilds or renames images.
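
Step 4 as a gate in a mirroring job, shown here as an added example that is not Atlan's own tooling: it resolves the source to a digest, verifies the keyless Cosign signature on that digest, and copies only that digest. It assumes `cosign` and `crane` are installed; the variable names `COSIGN_IDENTITY_REGEXP` and `COSIGN_OIDC_ISSUER` are hypothetical, and their values (the signer identity and OIDC issuer) must come from Atlan because this page does not state them.

```shell
#!/bin/sh
# Added example: verify an image's keyless Cosign signature, then mirror it.
# Assumptions: cosign and crane are installed; COSIGN_IDENTITY_REGEXP and
# COSIGN_OIDC_ISSUER (hypothetical variable names) hold the signer identity
# and OIDC issuer obtained from Atlan. This page does not state those values.

mirror_verified() {
  src="$1"   # source reference, tag or digest
  dst="$2"   # destination reference in your internal registry

  if [ -z "${COSIGN_IDENTITY_REGEXP:-}" ] || [ -z "${COSIGN_OIDC_ISSUER:-}" ]; then
    echo "refusing to mirror: signer identity/issuer not configured" >&2
    return 2
  fi

  # Resolve the reference to a digest once. Verifying a tag and then copying
  # the tag leaves a window in which the tag can move to different content.
  digest="$(crane digest "$src")" || return 3
  case "$digest" in
    sha256:*) ;;
    *) echo "unexpected digest '$digest' for $src" >&2; return 3 ;;
  esac

  # Strip any @digest and :tag (a ':' in the host part is a port, keep it).
  repo="${src%%@*}"
  case "${repo##*/}" in
    *:*) repo="${repo%:*}" ;;
  esac
  pinned="${repo}@${digest}"

  # Pin the expected signer: a keyless signature only means something
  # relative to the identity and issuer that produced it.
  if ! cosign verify \
      --certificate-identity-regexp "$COSIGN_IDENTITY_REGEXP" \
      --certificate-oidc-issuer "$COSIGN_OIDC_ISSUER" \
      "$pinned" >/dev/null; then
    echo "signature verification failed for $pinned, not mirroring" >&2
    return 1
  fi

  # Copy exactly the verified digest, then confirm the mirror serves it.
  crane copy "$pinned" "$dst" || return 4
  if [ "$(crane digest "$dst")" != "$digest" ]; then
    echo "digest mismatch after copy: $dst" >&2
    return 5
  fi
  echo "mirrored $pinned -> $dst"
}
```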

Why this is independent of mode and platform

The decision (public / mirrored-prefix / mirrored-rebuilt) is the same everywhere, but the mechanism that consumes the image differs:

| | Single-app mode | Orchestrator mode |
|---|---|---|
| Public Docker Hub | Pull directly (+ pull secret) | Pull directly (default) |
| Mirrored, same names/tags | Set the image reference in your deployment file | containerRegistryBase / base prefix rewrite |
| Rebuilt / renamed | Set the exact reference yourself | Image map in object storage |

In single-app mode you write the image reference directly, so mirrored and rebuilt are handled the same way. In orchestrator mode the orchestrator pulls images dynamically (UI installs, auto update, self-update), so it must be told how to translate Atlan source references to yours—hence the prefix rewrite or image map.
