diff --git a/hack/verify-e2e-images.sh b/hack/verify-e2e-images.sh
new file mode 100755
index 00000000000..024c1e347f8
--- /dev/null
+++ b/hack/verify-e2e-images.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+cd "${KUBE_ROOT}"
+
+source hack/lib/init.sh
+
+# NOTE: Please do NOT add any to this list!!
+#
+# We are aiming to consolidate on: registry.k8s.io/e2e-test-images/agnhost
+# The sources for which are in test/images/agnhost.
+# If agnhost is missing functionality for your tests, please reach out to SIG Testing.
+kube::util::read-array PERMITTED_IMAGES < <(sed '/^#/d' ./test/images/.permitted-images)
+
+# get current list of images, ignoring tags
+echo "Getting e2e image list ..."
+make WHAT=test/e2e/e2e.test
+e2e_test="$(kube::util::find-binary e2e.test)"
+kube::util::read-array IMAGES < <("${e2e_test}" --list-images | sed -E 's/^(.+):[^:]+$/\1/' | LC_ALL=C sort -u)
+
+# diff versus known permitted images
+ret=0
+>&2 echo "Diffing e2e image list ..."
+diff -Naupr <(printf '%s\n' "${IMAGES[@]}") <(printf '%s\n' "${PERMITTED_IMAGES[@]}") || ret=$?
+if [[ $ret -eq 0 ]]; then
+  >&2 echo "PASS: e2e images used are OK."
+else
+  >&2 echo "FAIL: e2e images do not match the approved list!"
+  >&2 echo ""
+  >&2 echo "Please use registry.k8s.io/e2e-test-images/agnhost wherever possible, we are consolidating test images."
+  >&2 echo "See: test/images/agnhost/README.md"
+  >&2 echo ""
+  >&2 echo "You can reach out to https://git.k8s.io/community/sig-testing for help."
+  exit 1
+fi
diff --git a/test/images/.permitted-images b/test/images/.permitted-images
new file mode 100644
index 00000000000..15fa51288dd
--- /dev/null
+++ b/test/images/.permitted-images
@@ -0,0 +1,49 @@
+# NOTE: Please do NOT add any to this list!!
+#
+# We are aiming to consolidate on: registry.k8s.io/e2e-test-images/agnhost
+# The sources for which are in test/images/agnhost.
+# If agnhost is missing functionality for your tests, please reach out to SIG Testing.
+gcr.io/authenticated-image-pulling/alpine
+gcr.io/authenticated-image-pulling/windows-nanoserver
+gcr.io/k8s-authenticated-test/agnhost
+invalid.registry.k8s.io/invalid/alpine
+registry.k8s.io/build-image/distroless-iptables
+registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver
+registry.k8s.io/e2e-test-images/agnhost
+registry.k8s.io/e2e-test-images/apparmor-loader
+registry.k8s.io/e2e-test-images/busybox
+registry.k8s.io/e2e-test-images/cuda-vector-add
+registry.k8s.io/e2e-test-images/httpd
+registry.k8s.io/e2e-test-images/ipc-utils
+registry.k8s.io/e2e-test-images/jessie-dnsutils
+registry.k8s.io/e2e-test-images/kitten
+registry.k8s.io/e2e-test-images/nautilus
+registry.k8s.io/e2e-test-images/nginx
+registry.k8s.io/e2e-test-images/node-perf/npb-ep
+registry.k8s.io/e2e-test-images/node-perf/npb-is
+registry.k8s.io/e2e-test-images/node-perf/tf-wide-deep
+registry.k8s.io/e2e-test-images/nonewprivs
+registry.k8s.io/e2e-test-images/nonroot
+registry.k8s.io/e2e-test-images/perl
+registry.k8s.io/e2e-test-images/redis
+registry.k8s.io/e2e-test-images/regression-issue-74839
+registry.k8s.io/e2e-test-images/resource-consumer
+registry.k8s.io/e2e-test-images/sample-apiserver
+registry.k8s.io/e2e-test-images/volume/iscsi
+registry.k8s.io/e2e-test-images/volume/nfs
+registry.k8s.io/etcd
+registry.k8s.io/pause
+registry.k8s.io/prometheus-dummy-exporter
+registry.k8s.io/prometheus-to-sd
+registry.k8s.io/sd-dummy-exporter
+registry.k8s.io/sig-storage/csi-attacher
+registry.k8s.io/sig-storage/csi-external-health-monitor-controller
+registry.k8s.io/sig-storage/csi-node-driver-registrar
+registry.k8s.io/sig-storage/csi-provisioner
+registry.k8s.io/sig-storage/csi-resizer
+registry.k8s.io/sig-storage/csi-snapshotter
+registry.k8s.io/sig-storage/hello-populator
+registry.k8s.io/sig-storage/hostpathplugin
+registry.k8s.io/sig-storage/livenessprobe
+registry.k8s.io/sig-storage/nfs-provisioner
+registry.k8s.io/sig-storage/volume-data-source-validator