diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..cf59b98
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+**
+
+!Dockerfile
+!k8s/**
+
+!build/
+!build/libs/
+!build/libs/*.jar
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 6ce4595..1ddda08 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -86,6 +86,9 @@ jobs:
 echo "KUBECONFIG=$PWD/kubeconfig" >> $GITHUB_ENV
+ - name: Install envsubst
+ run: sudo apt-get update && sudo apt-get install -y gettext-base
+
 - name: Deploy (apply manifest with GITHUB_SHA substitution)
 shell: bash
 run: |
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..129efc5
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,28 @@
+# syntax=docker/dockerfile:1
+
+FROM eclipse-temurin:21-jre-jammy
+
+WORKDIR /app
+
+# 비루트 실행(쿠버네티스 securityContext와도 정합성 좋음)
+RUN useradd -r -u 10001 -g root appuser \
+ && mkdir -p /app \
+ && chown -R 10001:0 /app
+
+# GitHub Actions에서 ./gradlew clean test build 로 생성된 산출물 사용
+# (주의) build/libs 에 plain.jar 와 bootJar가 같이 생길 수 있어 bootJar를 선택하도록 처리
+COPY build/libs/*.jar /app/
+
+RUN set -eux; \
+ JAR="$(ls /app/*.jar | grep -v -- '-plain\.jar$' | head -n 1)"; \
+ mv "$JAR" /app/app.jar; \
+ rm -f /app/*-plain.jar || true; \
+ chown 10001:0 /app/app.jar
+
+USER 10001
+
+# Spring Boot 기본 포트가 8080인 경우가 많아 문서화 목적(EXPOSE는 필수 아님)
+EXPOSE 8080
+
+# JVM 옵션은 Kubernetes 매니페스트에서 JAVA_TOOL_OPTIONS로 주입 권장
+ENTRYPOINT ["java","-jar","/app/app.jar"]
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index 67d3371..3ca8ce6 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -23,6 +23,8 @@ spec:
 labels:
 app: pinit-auth
 spec:
+ imagePullSecrets:
+ - name: ghcr-pull-secret
 terminationGracePeriodSeconds: 30
 volumes:
 - name: keys
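Review bot: In `.dockerignore`, the `!k8s/**` exception puts the Kubernetes manifests back into the build context even though the Dockerfile in this commit only copies `build/libs/*.jar`. Anything added to `k8s/` later, including a manifest that carries credentials, would then be sent to the builder and could be picked up by a future `COPY`. Dropping `!k8s/**` keeps the allowlist down to what the image actually needs. A one-line header such as `# allowlist: only the boot jar from build/libs is needed by the Dockerfile` would also record the intent.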
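Review bot: In `.github/workflows/cd.yml`, the new `Install envsubst` step exists for the Deploy step's GITHUB_SHA substitution, but `envsubst` called without a variable list replaces every `$NAME` in the manifest from the runner environment and turns undefined ones into empty strings. The Deploy command itself lies outside this hunk, so please confirm it limits the substitution, for example `envsubst '${GITHUB_SHA}' < k8s/deployment.yaml`. The install line can also be tightened to `sudo apt-get install -y --no-install-recommends gettext-base`, so the deploy job pulls in no more packages than it needs.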
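Review bot: In the new `Dockerfile`, `chown -R 10001:0 /app` in the first RUN and `chown 10001:0 /app/app.jar` in the second make the runtime user the owner of its own executable. A process compromised at runtime can then rewrite `/app/app.jar`, unless the pod enforces a read-only root filesystem. Both `chown` calls can be dropped: a root-owned, world-readable jar is enough for `USER 10001` to run `java -jar`, and `COPY --chmod=0444 build/libs/*.jar /app/` makes that mode explicit. Separately, `FROM eclipse-temurin:21-jre-jammy` is a mutable tag; pinning it as `eclipse-temurin:21-jre-jammy@sha256:<digest-placeholder>` keeps the base image from changing under the same tag. The `ls | grep | head -n 1` selection also picks an arbitrary jar if more than one non-plain jar is present and leaves the others in `/app`, so a check that exactly one candidate exists would be safer.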
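Review bot: In `k8s/deployment.yaml`, `imagePullSecrets` now references `ghcr-pull-secret`, but nothing visible in this commit creates that secret or says where it comes from. If it is missing from the target namespace, the pods will presumably fail to pull the image. I would add a comment above the entry such as `# ghcr-pull-secret: created out of band in this namespace; registry token limited to read:packages`, so the dependency and the intended least-privilege scope are recorded next to the reference. The pod spec continues outside the hunk.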