IMPORTANT: Starting in August 2025, the Official Postgres Image, maintained by the PostgreSQL Docker Community, has discontinued support for Debian
bullseye. In response, the CloudNativePG project has completed the transition to the newbake-based build process for allsystemimages. We now build directly on top of the official Debian slim images, fully detaching from the official Postgres image. Additional changes are planned as part of epic #287.
This repository provides maintenance scripts for generating immutable application containers for all supported PostgreSQL versions (13 to 17), as well as for PostgreSQL 18 beta.
These containers are designed to serve as operands for the CloudNativePG (CNPG) operator within Kubernetes environments.
CloudNativePG PostgreSQL container images:
- Are built on top of Debian Linux (
stableandoldstable). - Provide multi-architecture support, including
linux/amd64andlinux/arm64. - Ship with build attestations, such as Software Bills of Materials (SBOMs) and provenance metadata.
- Are published in the CloudNativePG GitHub Container Registry.
- Are automatically rebuilt every week (on Mondays) to remain up to date with the latest upstream security and bug fixes.
CloudNativePG PostgreSQL container images are based on the official stable
and oldstable Debian releases, maintained and supported by the
Debian Project.
The table below summarises the support lifecycle of relevant Debian versions, including End-of-Life (EOL) and Long-Term Support (LTS) dates.
| Name | Version | Release Date | EOL | LTS | Status |
|---|---|---|---|---|---|
Trixie (stable) |
13 | 2025-08-09 | 2028-08-09 | 2030-06-30 | Supported |
Bookworm (oldstable) |
12 | 2023-06-10 | 2026-06-10 | 2028-06-30 | Supported |
Bullseye (oldoldstable) |
11 | 2021-08-14 | 2024-08-14 | 2026-08-31 | Deprecated |
IMPORTANT: The CloudNativePG project provides full support for Debian-based images until each release reaches its official End-of-Life (EOL). After EOL and until the start of Long-Term Support (LTS), images for the deprecated releases, such as
oldoldstable, are maintained on a best-effort basis. If discontinuation becomes necessary before the LTS date, a minimum three-month advance notice will be posted on this page.
We currently provide and maintain three main types of PostgreSQL images:
Both minimal and standard images are designed to work with backup plugins
such as Barman Cloud.
The system images, built on top of the standard ones, also include the
Barman Cloud binaries.
Minimal images are lightweight and built on top of the official Debian images. They use the APT PostgreSQL packages maintained by the PostgreSQL Global Development Group (PGDG).
These images are identified by the inclusion of minimal in their tag names,
for example: 17.6-minimal-trixie.
Standard images are an extension of the minimal images, enhanced with the
following additional features:
- PGAudit
- Postgres Failover Slots
- pgvector
- All Locales
Standard images are identifiable by the standard tag in their names, such as:
17.6-standard-trixie.
Note: Standard images are designed to offer functionality equivalent to the legacy
systemimages when used with CloudNativePG. To achieve parity, you must use the Barman Cloud Plugin as a replacement for the native Barman Cloud support insystemimages.
Starting from September 2025, system images are based on the standard image
and include Barman Cloud binaries.
IMPORTANT: The
systemimages are deprecated and will be removed once in-core support for Barman Cloud in CloudNativePG is phased out. While you can still use them as long as in-core Barman Cloud remains available, you should plan to migrate to either aminimalorstandardimage together with the Barman Cloud plugin—or adopt another supported backup solution.
CNPG PostgreSQL Container Images are built with the following attestations to ensure transparency and traceability:
-
Software Bill of Materials (SBOM): A comprehensive list of software artifacts included in the image or used during its build process, formatted using the in-toto SPDX predicate standard.
-
Provenance: Metadata detailing how the image was built, following the SLSA Provenance framework.
For example, you can retrieve the SBOM for a specific image using the following command:
docker buildx imagetools inspect <IMAGE> --format "{{ json .SBOM.SPDX }}"This command outputs the SBOM in JSON format, providing a detailed view of the software components and build dependencies.
The minimal and standard CloudNativePG container images are securely signed using
cosign, a tool within the
Sigstore ecosystem.
This signing process is automated via GitHub Actions and leverages
short-lived tokens issued through OpenID Connect.
The token issuer is https://token.actions.githubusercontent.com, and the
signing identity corresponds to a GitHub workflow executed under the
cloudnative-pg/postgres-containers repository. This workflow uses the
cosign-installer action
to facilitate the signing process.
To verify the authenticity of an image using its digest, you can run the
following cosign command:
cosign verify IMAGE \
--certificate-identity-regexp="^https://github.com/cloudnative-pg/postgres-containers/" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"For detailed instructions on building PostgreSQL container images, refer to the BUILD.md file.
This software is available under Apache License 2.0.
Copyright The CloudNativePG Contributors.
Barman Cloud is distributed by EnterpriseDB under the GNU GPL 3 License.
PGAudit is distributed under the PostgreSQL License.
Postgres Failover Slots is distributed by EnterpriseDB under the PostgreSQL License.
pgvector is distributed under the PostgreSQL License.
Postgres, PostgreSQL and the Slonik Logo are trademarks or registered trademarks of the PostgreSQL Community Association of Canada, and used with their permission.
![@renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=64&v=4){kind=small}
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
