diff --git a/build/lib/release.sh b/build/lib/release.sh index 58383cede7a..6e8e1ab2453 100644 --- a/build/lib/release.sh +++ b/build/lib/release.sh @@ -364,9 +364,14 @@ function kube::release::create_docker_images_for_server() { local base_image=${wrappable##*,} local binary_file_path="${binary_dir}/${binary_name}" local docker_build_path="${binary_file_path}.dockerbuild" - local docker_file_path="${KUBE_ROOT}/build/server-image/Dockerfile" local docker_image_tag="${docker_registry}/${binary_name}-${arch}:${docker_tag}" + local docker_file_path="${KUBE_ROOT}/build/server-image/Dockerfile" + # If this binary has its own Dockerfile use that else use the generic Dockerfile. + if [[ -f "${KUBE_ROOT}/build/server-image/${binary_name}/Dockerfile" ]]; then + docker_file_path="${KUBE_ROOT}/build/server-image/${binary_name}/Dockerfile" + fi + kube::log::status "Starting docker build for image: ${binary_name}-${arch}" ( rm -rf "${docker_build_path}" diff --git a/build/server-image/kube-apiserver/Dockerfile b/build/server-image/kube-apiserver/Dockerfile new file mode 100644 index 00000000000..6bbaf566754 --- /dev/null +++ b/build/server-image/kube-apiserver/Dockerfile 
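Review bot: The per-binary override added after `docker_image_tag` is applied silently: the mere presence of `build/server-image/${binary_name}/Dockerfile` changes which Dockerfile produces a release image, while the build log still only names the image. Because this decides what ends up in a published image, the choice should be recorded, for example inside the `if` with `kube::log::status "Using ${binary_name}-specific Dockerfile: ${docker_file_path}"`. The override path is also written out twice, in the `-f` test and in the assignment; holding it in one `local` would keep the two from drifting apart. kube::release::create_docker_images_for_server starts and ends outside this hunk, so how `docker_file_path` is consumed afterwards is not visible here.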
@@ -0,0 +1,28 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file create the kube-apiserver image.
+ARG BASEIMAGE
+# we use the hosts platform to apply the capabilities to avoid the need
+# to setup qemu for the builder.
+FROM --platform=linux/$BUILDARCH k8s.gcr.io/build-image/setcap:buster-v1.4.0
+ARG BINARY
+COPY ${BINARY} /${BINARY}
+# We apply cap_net_bind_service so that kube-apiserver can be run as
+# non-root and still listen on port less than 1024
+RUN setcap cap_net_bind_service=+ep /${BINARY}
+
+FROM --platform=linux/$TARGETARCH ${BASEIMAGE}
+ARG BINARY
+COPY --from=0 /${BINARY} /usr/local/bin/${BINARY}
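Review bot: The comment above `RUN setcap cap_net_bind_service=+ep /${BINARY}` explains why the capability is set but not what it costs at run time. With the effective bit set on the file, the kernel refuses the exec with EPERM when the capability is missing from the process's bounding set, so a container that drops all capabilities will not start this binary unless NET_BIND_SERVICE is added back. I would extend the comment with something like `# NOTE: containers that drop all capabilities must add NET_BIND_SERVICE back, or exec of this binary fails with EPERM.` Whether the existing manifests already keep that capability is not visible in this diff. Separately, the setcap stage's `FROM` references its image by tag only; pinning it as `...setcap:buster-v1.4.0@sha256:<digest>` would tie the release build to one known builder image.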