diff --git a/cluster/images/etcd/Dockerfile b/cluster/images/etcd/Dockerfile
index ee7886f515a..d7ae7766cea 100644
--- a/cluster/images/etcd/Dockerfile
+++ b/cluster/images/etcd/Dockerfile
@@ -16,6 +16,4 @@ FROM BASEIMAGE
 
 EXPOSE 2379 2380 4001 7001
 COPY etcd* etcdctl* /usr/local/bin/
-RUN chmod +x /usr/local/bin/etcd* /usr/local/bin/etcdctl*
 COPY migrate-if-needed.sh migrate /usr/local/bin/
-RUN chmod +x /usr/local/bin/migrate-if-needed.sh /usr/local/bin/migrate
diff --git a/cluster/images/etcd/Makefile b/cluster/images/etcd/Makefile
index ec49e899805..4ec0e858904 100644
--- a/cluster/images/etcd/Makefile
+++ b/cluster/images/etcd/Makefile
@@ -51,6 +51,9 @@ MANIFEST_IMAGE := $(PUSH_REGISTRY)/etcd
 
 SELINUX_ENABLED := $(shell cat /sys/fs/selinux/enforce 2> /dev/null || echo 0)
 
+# Install binaries matching base distro permissions
+BIN_INSTALL := install -m 0555
+
 ifeq ($(SELINUX_ENABLED),1)
   DOCKER_VOL_OPTS?=:z
 endif
@@ -79,14 +82,15 @@ ifeq ($(ARCH),s390x)
 endif
 
 build:
-	# Copy the content in this dir to the temp dir,
-	# without copying the subdirectories.
-	find ./ -maxdepth 1 -type f | xargs -I {} cp {} $(TEMP_DIR)
+	# Explicitly copy files to the temp directory
+	$(BIN_INSTALL) migrate-if-needed.sh $(TEMP_DIR)
+	install Dockerfile $(TEMP_DIR)
 
 	# Compile migrate
-	docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes$(DOCKER_VOL_OPTS) -v $(TEMP_DIR):/build$(DOCKER_VOL_OPTS) -e GOARCH=$(ARCH) golang:$(GOLANG_VERSION) \
-		/bin/bash -c "CGO_ENABLED=0 go build -o /build/migrate k8s.io/kubernetes/cluster/images/etcd/migrate"
-
+	migrate_tmp_dir=$(shell mktemp -d); \
+	docker run --interactive -v $(shell pwd)/../../../:/go/src/k8s.io/kubernetes$(DOCKER_VOL_OPTS) -v $${migrate_tmp_dir}:/build$(DOCKER_VOL_OPTS) -e GOARCH=$(ARCH) golang:$(GOLANG_VERSION) \
+		/bin/bash -c "CGO_ENABLED=0 go build -o /build/migrate k8s.io/kubernetes/cluster/images/etcd/migrate"; \
+	$(BIN_INSTALL) $${migrate_tmp_dir}/migrate $(TEMP_DIR)
 
 ifeq ($(ARCH),amd64)
 
@@ -95,10 +99,9 @@ ifeq ($(ARCH),amd64)
 	for version in $(BUNDLED_ETCD_VERSIONS); do \
 		etcd_release_tmp_dir=$(shell mktemp -d); \
 		curl -sSL --retry 5 https://github.com/coreos/etcd/releases/download/v$$version/etcd-v$$version-linux-amd64.tar.gz | tar -xz -C $$etcd_release_tmp_dir --strip-components=1; \
-		cp $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \
-		cp $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \
-		chmod +x $(TEMP_DIR)/etcd-$$version; \
-		cp $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \
+		$(BIN_INSTALL) $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \
+		$(BIN_INSTALL) $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \
+		$(BIN_INSTALL) $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \
 	done
 else
 
@@ -112,9 +115,9 @@ else
 			&& git checkout v$${version} \
 			&& GOARM=$(GOARM) GOARCH=$(ARCH) ./build \
 			&& cp -f bin/$(ARCH)/etcd* bin/etcd* /etcdbin; echo 'done'"; \
-		cp $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \
-		cp $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \
-		cp $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \
+		$(BIN_INSTALL) $$etcd_release_tmp_dir/etcd $$etcd_release_tmp_dir/etcdctl $(TEMP_DIR)/; \
+		$(BIN_INSTALL) $(TEMP_DIR)/etcd $(TEMP_DIR)/etcd-$$version; \
+		$(BIN_INSTALL) $(TEMP_DIR)/etcdctl $(TEMP_DIR)/etcdctl-$$version; \
 	done
 
 	# Add this ENV variable in order to workaround an unsupported arch blocker