diff --git a/kbs/config/kubernetes/README.md b/kbs/config/kubernetes/README.md
index 9fbd1050f..c8d3b202c 100644
--- a/kbs/config/kubernetes/README.md
+++ b/kbs/config/kubernetes/README.md
@@ -44,6 +44,19 @@ kustomize edit add resource ingress.yaml
 popd
 ```
 
+## Optional: Use non-release images
+
+Sometimes it may be desirable to deploy KBS with an image that is not what is set in the repo (typically
+the latest release image). To change the deployment to use a staging build, set the image using `kustomize`:
+
+```bash
+pushd base
+kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs:65ee7e1acccd13dcb515058e71c5f8bfb4281e35
+popd
+```
+
+The available image tags can be found in the [CoCo packages listing](https://github.com/orgs/confidential-containers/packages?repo_name=trustee).
+
 ## Optional: Expose KBS using Nodeport
 
 If you would like to expose KBS service using Nodeport then export the following environment variable:
@@ -58,6 +71,16 @@ Once you deploy the KBS, you can use the services' nodeport and the Kubernetes n
 echo $(kubectl get nodes -o jsonpath='{.items[0].status.addresses[0].address}'):$(kubectl get svc kbs -n coco-tenant -o jsonpath='{.spec.ports[0].nodePort}')
 ```
 
+## Optional: Use custom Intel DCAP configuration
+
+If you would like to override the default `sgx_default_qcnl.conf` in the KBS/AS images, copy/configure one into `custom_pccs/` directory and deploy using:
+
+```bash
+export DEPLOYMENT_DIR=custom_pccs
+```
+
+NB: this currently builds on `nodeport` kustomization.
+
 ## Deploy KBS
 
 Deploy KBS by running the following command:
diff --git a/kbs/config/kubernetes/custom_pccs/kustomization.yaml b/kbs/config/kubernetes/custom_pccs/kustomization.yaml
new file mode 100644
index 000000000..07c08c3cb
--- /dev/null
+++ b/kbs/config/kubernetes/custom_pccs/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../nodeport
+
+patches:
+- path: set_custom_pccs.yaml
+  target:
+    kind: Deployment
+    name: kbs
+
+configMapGenerator:
+- files:
+  - sgx_default_qcnl.conf
+  name: dcap-attestation-conf
diff --git a/kbs/config/kubernetes/custom_pccs/set_custom_pccs.yaml b/kbs/config/kubernetes/custom_pccs/set_custom_pccs.yaml
new file mode 100644
index 000000000..3b260def1
--- /dev/null
+++ b/kbs/config/kubernetes/custom_pccs/set_custom_pccs.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kbs
+spec:
+  template:
+    spec:
+      containers:
+      - name: kbs
+        volumeMounts:
+        - name: qplconf
+          mountPath: /etc/sgx_default_qcnl.conf
+          subPath: sgx_default_qcnl.conf
+      volumes:
+      - name: qplconf
+        configMap:
+          name: dcap-attestation-conf
+          items:
+          - key: sgx_default_qcnl.conf
+            path: sgx_default_qcnl.conf
diff --git a/kbs/config/kubernetes/custom_pccs/sgx_default_qcnl.conf b/kbs/config/kubernetes/custom_pccs/sgx_default_qcnl.conf
new file mode 100644
index 000000000..a00ff81b8
--- /dev/null
+++ b/kbs/config/kubernetes/custom_pccs/sgx_default_qcnl.conf
@@ -0,0 +1 @@
+{"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"}
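Review bot: The `configMapGenerator` entry at the end of the kustomization.yaml hunk produces `dcap-attestation-conf` with a content-hash suffix, so the literal name used in `set_custom_pccs.yaml` only resolves because kustomize rewrites `configMap.name` references to generated objects; nothing in the file says so, and a reader looking for a ConfigMap of that exact name in the cluster will not find one. A comment on the generator would capture the coupling: `# kustomize appends a content hash to this name and rewrites the reference in set_custom_pccs.yaml, so an edited conf rolls the kbs Deployment`. The `resources: - ../nodeport` line also hard-wires this overlay to the nodeport variant, which the README hunk records only as an "NB"; a comment such as `# layered on the nodeport overlay only; other exposure methods presumably need a sibling overlay` would make that visible in the file itself.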
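Review bot: The `volumeMounts` entry in the set_custom_pccs.yaml hunk uses `subPath`, and subPath mounts are never refreshed when the backing ConfigMap changes; here that is only safe because the generated ConfigMap carries a hash-suffixed name and a changed conf therefore triggers a new rollout, which deserves to be recorded next to the mount: `# subPath mounts do not pick up ConfigMap edits; the hash-suffixed generated name rolls the pod instead`. The patch targets only the `kbs` container, while the README hunk describes overriding the file in the "KBS/AS images"; if the attestation service runs in a separate container or Deployment it keeps the image's default QCNL config, so either the README wording should be narrowed or the AS needs the same mount — please confirm which. Adding `readOnly: true` to the mount would also state the intent explicitly, even though ConfigMap volumes are mounted read-only anyway.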
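Review bot: The sample `sgx_default_qcnl.conf` added in the last hunk points `collateral_service` at Intel's public PCS, so the overlay named `custom_pccs` deploys, as committed, no custom PCCS at all; a user who follows the README and copies their own file into `custom_pccs/` then overwrites a tracked file and carries that diff in their working tree. Consider shipping it as an example instead (e.g. a `.example`-suffixed name with the real filename ignored by git) or stating in the README that the tracked sample is meant to be replaced. Because the file is strict JSON with no comment syntax, the README is also the place to say that a private collateral endpoint should be reached over TLS with certificate verification left on, since the quoting library trusts whatever this endpoint returns as the collateral the attestation verdict depends on.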