diff --git a/pkg/api/validation/dynakube/image_test.go b/pkg/api/validation/dynakube/image_test.go
index dc74cea41b..badcec42ef 100644
--- a/pkg/api/validation/dynakube/image_test.go
+++ b/pkg/api/validation/dynakube/image_test.go
@@ -50,7 +50,7 @@ func TestImageFieldHasTenantImage(t *testing.T) {
 			Spec: dynakube.DynaKubeSpec{
 				APIURL: testTenantUrl + "/api",
 				OneAgent: oneagent.Spec{
-					ClassicFullStack: &oneagent.HostInjectSpec{
+					HostMonitoring: &oneagent.HostInjectSpec{
 						Image: testRegistryUrl + "/linux/oneagent:latest",
 					},
 				},
@@ -72,7 +72,7 @@ func TestImageFieldHasTenantImage(t *testing.T) {
 			Spec: dynakube.DynaKubeSpec{
 				APIURL: testTenantUrl + "/api",
 				OneAgent: oneagent.Spec{
-					ClassicFullStack: &oneagent.HostInjectSpec{
+					HostMonitoring: &oneagent.HostInjectSpec{
 						Image: testRegistryUrl + "/linux/oneagent:latest",
 					},
 				},
@@ -88,7 +88,7 @@ func TestImageFieldHasTenantImage(t *testing.T) {
 			Spec: dynakube.DynaKubeSpec{
 				APIURL: testTenantUrl + "/api",
 				OneAgent: oneagent.Spec{
-					ClassicFullStack: &oneagent.HostInjectSpec{
+					HostMonitoring: &oneagent.HostInjectSpec{
 						Image: "127.0.0.1:5000/test:tag",
 					},
 				},
diff --git a/pkg/api/validation/dynakube/oneagent.go b/pkg/api/validation/dynakube/oneagent.go
index 8c67f0adfc..dc77d9b94f 100644
--- a/pkg/api/validation/dynakube/oneagent.go
+++ b/pkg/api/validation/dynakube/oneagent.go
@@ -24,6 +24,8 @@ Use a nodeSelector to avoid this conflict. Conflicting DynaKubes: %s`
 
 	errorVolumeStorageReadOnlyModeConflict = `The DynaKube specification specifies a read-only host file system while OneAgent has volume storage enabled.`
 
+	warningPublicImageWithWrongConfig = `Custom OneAgent image is only supported when CSI Driver is used.`
+
 	warningOneAgentInstallerEnvVars = `The environment variables ONEAGENT_INSTALLER_SCRIPT_URL and ONEAGENT_INSTALLER_TOKEN are only relevant for an unsupported image type. Please ensure you are using a supported image.`
 
 	warningHostGroupConflict = `The DynaKube specification sets the host group using the --set-host-group parameter. Instead, specify the new spec.oneagent.hostGroup field. If both settings are used, the new field takes precedence over the parameter.`
@@ -125,6 +127,14 @@ func mapKeysToString(m map[string]bool, sep string) string {
 	return strings.Join(keys, sep)
 }
 
+func publicImageSetWithoutReadOnlyMode(_ context.Context, v *Validator, dk *dynakube.DynaKube) string {
+	if !dk.OneAgent().IsReadOnlyOneAgentsMode() && dk.OneAgent().GetCustomImage() != "" {
+		return warningPublicImageWithWrongConfig
+	}
+
+	return ""
+}
+
 func imageFieldSetWithoutCSIFlag(_ context.Context, v *Validator, dk *dynakube.DynaKube) string {
 	if dk.OneAgent().IsApplicationMonitoringMode() {
 		if len(dk.Spec.OneAgent.ApplicationMonitoring.CodeModulesImage) > 0 && !v.modules.CSIDriver {
diff --git a/pkg/api/validation/dynakube/oneagent_test.go b/pkg/api/validation/dynakube/oneagent_test.go
index 47057cbac2..bfbd05a4b0 100644
--- a/pkg/api/validation/dynakube/oneagent_test.go
+++ b/pkg/api/validation/dynakube/oneagent_test.go
@@ -492,6 +492,50 @@ func TestIsOneAgentVersionValid(t *testing.T) {
 	}
 }
 
+func TestPublicImageSetWithReadOnlyMode(t *testing.T) {
+	t.Run("reject dk with hostMon without csi and custom image", func(t *testing.T) {
+		setupDisabledCSIEnv(t)
+		assertAllowedWithWarnings(t, 1,
+			&dynakube.DynaKube{
+				ObjectMeta: defaultDynakubeObjectMeta,
+				Spec: dynakube.DynaKubeSpec{
+					APIURL: testApiUrl,
+					OneAgent: oneagent.Spec{
+						HostMonitoring: &oneagent.HostInjectSpec{
+							Image: "test/image/test-image:some-tag",
+						},
+					},
+				},
+			})
+	})
+	t.Run("allow dk with hostMon without csi and no custom image", func(t *testing.T) {
+		setupDisabledCSIEnv(t)
+		assertAllowed(t,
+			&dynakube.DynaKube{
+				ObjectMeta: defaultDynakubeObjectMeta,
+				Spec: dynakube.DynaKubeSpec{
+					APIURL: testApiUrl,
+					OneAgent: oneagent.Spec{
+						HostMonitoring: &oneagent.HostInjectSpec{},
+					},
+				},
+			})
+	})
+	t.Run("allow dk with hostMon with csi and custom image", func(t *testing.T) {
+		assertAllowed(t, &dynakube.DynaKube{
+			ObjectMeta: defaultDynakubeObjectMeta,
+			Spec: dynakube.DynaKubeSpec{
+				APIURL: testApiUrl,
+				OneAgent: oneagent.Spec{
+					HostMonitoring: &oneagent.HostInjectSpec{
+						Image: "test/image/test-image:some-tag",
+					},
+				},
+			},
+		})
+	})
+}
+
 func TestOneAgentArguments(t *testing.T) {
 	type oneAgentArgumentTest struct {
 		testName      string
diff --git a/pkg/api/validation/dynakube/validation.go b/pkg/api/validation/dynakube/validation.go
index bd2d3201e0..562c1965af 100644
--- a/pkg/api/validation/dynakube/validation.go
+++ b/pkg/api/validation/dynakube/validation.go
@@ -70,6 +70,7 @@ var (
 		deprecatedFeatureFlag,
 		ignoredLogMonitoringTemplate,
 		conflictingApiUrlForExtensions,
+		publicImageSetWithoutReadOnlyMode,
 	}
 	updateValidatorErrorFuncs = []updateValidatorFunc{
 		IsMutatedApiUrl,