diff --git a/build/BUILD b/build/BUILD
index 7befe252243..7512eef2590 100644
--- a/build/BUILD
+++ b/build/BUILD
@@ -3,7 +3,7 @@ package(default_visibility = ["//visibility:public"])
 load("@io_bazel_rules_docker//container:container.bzl", "container_bundle", "container_image")
 load("@io_k8s_repo_infra//defs:build.bzl", "release_filegroup")
 load(":code_generation_test.bzl", "code_generation_test_suite")
-load(":platforms.bzl", "for_platforms")
+load(":platforms.bzl", "SERVER_PLATFORMS", "for_platforms")
 
 code_generation_test_suite(
     name = "code_generation_tests",
@@ -67,27 +67,63 @@ DOCKERIZED_BINARIES = {
     },
 }
 
-[container_image(
-    name = binary + "-internal",
+[[container_image(
+    name = "%s-internal-%s" % (binary, arch),
     base = meta["base"],
     cmd = ["/usr/bin/" + binary],
-    debs = select(for_platforms(
-        for_node = ["//build/debs:%s-{ARCH}.deb" % binary],
-        only_os = "linux",
-    )),
+    debs = ["//build/debs:%s-%s.deb" % (binary, arch)],
     stamp = True,
     symlinks = {
         # Some cluster startup scripts expect to find the binaries in /usr/local/bin,
         # but the debs install the binaries into /usr/bin.
         "/usr/local/bin/" + binary: "/usr/bin/" + binary,
     },
-) for binary, meta in DOCKERIZED_BINARIES.items()]
+    visibility = ["//visibility:private"],
+) for binary, meta in DOCKERIZED_BINARIES.items()] for arch in SERVER_PLATFORMS["linux"]]
+
+# Also create aliases for the arch-specific images defined above.
+# The alias doesn't create a new file (like a genrule would);
+# instead, we are using it with a select() conditional to
+# be able to refer to the correct architecture in a consistent way.
+# (Notably, container_bundle does not seem to support using a select()
+# in the images attribute, so we defer that selection to this rule.)
+[alias(
+    name = "%s-internal" % binary,
+    actual = select(for_platforms(
+        for_server = ":%s-internal-{ARCH}" % binary,
+        only_os = "linux",
+    )),
+    visibility = ["//visibility:private"],
+) for binary in DOCKERIZED_BINARIES.keys()]
+
+# We create two container bundles with the desired tags; one with an architecture in the name
+# and one without.
+# In the bash-based build (build/lib/release.sh), the images built for amd64 do not use
+# an arch in their name (but other arches do), and the GCE cluster scripts
+# (which sideload the images via tarfiles) expect there not to be an arch.
+# When pushing to gcr.io, we want to use an arch, since the archless name is now used for a
+# manifest list. Bazel doesn't support manifest lists (yet), so we can't do that either.
+# Instead, for now, we use the archless name for the image tars saved in the server tarball,
+# to satisfy GCE and other similar providers. (If one were to pull the images via the manifest
+# list, the arch wouldn't appear in the name either.)
+# The bundle with the arch isn't used currently, but might be at some point for pushing to gcr.io
+# and to then create a manifest list (possibly outside of bazel).
+[[container_bundle(
+    name = "%s-%s" % (binary, arch),
+    images = {
+        "k8s.gcr.io/%s-%s:{STABLE_DOCKER_TAG}" % (binary, arch): "%s-internal-%s" % (binary, arch),
+    },
+    tags = ["manual"],
+    visibility = ["//visibility:public"],
+) for binary in DOCKERIZED_BINARIES.keys()] for arch in SERVER_PLATFORMS["linux"]]
 
 [container_bundle(
     name = binary,
     images = {
         "k8s.gcr.io/%s:{STABLE_DOCKER_TAG}" % binary: binary + "-internal",
     },
+    tags = ["manual"],
+    visibility = ["//visibility:private"],
 ) for binary in DOCKERIZED_BINARIES.keys()]
 
 [genrule(