diff --git a/pkg/package.mk b/pkg/package.mk
index 58795a5ff..72592319b 100644
--- a/pkg/package.mk
+++ b/pkg/package.mk
@@ -2,6 +2,12 @@
 default: push
 
 ORG?=linuxkit
+SOURCE ?= .
+
+# Hash is of $(CURDIR) not $(CURDIR)$(SOURCE) to allow autogenerated
+# source subdirectories (which would not be covered by ls-tree, but
+# the code which autogenerates should be in $(CURDIR) so that is what
+# we want to use.
 ifeq ($(HASH),)
 HASH_COMMIT?=HEAD # Setting this is only really useful with the show-tag target
 HASH?=$(shell git ls-tree --full-tree $(HASH_COMMIT) -- $(CURDIR) | awk '{print $$3}')
@@ -44,10 +50,10 @@ show-tag:
 	@echo $(TAG)
 
 tag: $(BASE_DEPS) $(DEPS)
-	docker pull $(TAG) || docker build $(LABELS) $(NET_OPT) -t $(TAG) .
+	docker pull $(TAG) || docker build $(LABELS) $(NET_OPT) -t $(TAG) $(SOURCE)
 
 forcetag: $(BASE_DEPS) $(DEPS)
-	docker build $(LABELS) $(NET_OPT) -t $(TAG) .
+	docker build $(LABELS) $(NET_OPT) -t $(TAG) $(SOURCE)
 
 push: tag
 ifneq ($(DIRTY),)
diff --git a/projects/kubernetes/Makefile b/projects/kubernetes/Makefile
index 7c915da0b..9f300d07c 100644
--- a/projects/kubernetes/Makefile
+++ b/projects/kubernetes/Makefile
@@ -1,12 +1,14 @@
-all: build-container-images build-vm-images
+all: tag-container-images build-vm-images
 
-build-container-images:
-	make -C kubernetes tag
+tag-container-images:
+	$(MAKE) -C kubernetes tag
 
-push-container-images: cache-images
-	make -C kubernetes push
-	docker image push linuxkit/kubernetes:latest-image-cache-common
-	docker image push linuxkit/kubernetes:latest-image-cache-control-plane
+tag-cache-images:
+	$(MAKE) -C image-cache tag
+
+push-container-images:
+	$(MAKE) -C kubernetes push
+	$(MAKE) -C image-cache push
 
 build-vm-images: kube-master-initrd.img kube-node-initrd.img
 
@@ -18,35 +20,5 @@ kube-node-initrd.img: kube-node.yml
 
 clean:
 	rm -f -r \
-	  kube-*-bzImage kube-*-cmdline kube-*-disk.img kube-*-initrd.img \
-	  image-cache/common image-cache/control-plane
-
-COMMON_IMAGES := \
-  kube-proxy-amd64:v1.6.1 \
-  k8s-dns-sidecar-amd64:1.14.1 \
-  k8s-dns-kube-dns-amd64:1.14.1 \
-  k8s-dns-dnsmasq-nanny-amd64:1.14.1 \
-  pause-amd64:3.0
-
-CONTROL_PLANE_IMAGES := \
-  kube-apiserver-amd64:v1.6.1 \
-  kube-controller-manager-amd64:v1.6.1 \
-  kube-scheduler-amd64:v1.6.1 \
-  etcd-amd64:3.0.17
-
-image-cache/%.tar:
-	mkdir -p $(dir $@)
-	docker image pull gcr.io/google_containers/$(shell basename $@ .tar)
-	docker image save -o $@ gcr.io/google_containers/$(shell basename $@ .tar)
-
-cache-images:
-	for image in $(COMMON_IMAGES) ; \
-	  do $(MAKE) "image-cache/common/$${image}.tar" \
-	  ; done
-	cp image-cache/Dockerfile image-cache/.dockerignore image-cache/common
-	docker image build -t linuxkit/kubernetes:latest-image-cache-common image-cache/common
-	for image in $(CONTROL_PLANE_IMAGES) ; \
-	  do $(MAKE) "image-cache/control-plane/$${image}.tar" \
-	  ; done
-	cp image-cache/Dockerfile image-cache/.dockerignore image-cache/control-plane
-	docker image build -t linuxkit/kubernetes:latest-image-cache-control-plane image-cache/control-plane
+	  kube-*-kernel kube-*-cmdline kube-*-state kube-*-initrd.img
+	$(MAKE) -C image-cache clean
diff --git a/projects/kubernetes/image-cache/.dockerignore b/projects/kubernetes/image-cache/.dockerignore
deleted file mode 100644
index 94143827e..000000000
--- a/projects/kubernetes/image-cache/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-Dockerfile
diff --git a/projects/kubernetes/image-cache/.gitignore b/projects/kubernetes/image-cache/.gitignore
new file mode 100644
index 000000000..d2e0e9b02
--- /dev/null
+++ b/projects/kubernetes/image-cache/.gitignore
@@ -0,0 +1 @@
+dl/
diff --git a/projects/kubernetes/image-cache/Dockerfile b/projects/kubernetes/image-cache/Dockerfile
index b94c8710d..39e68d3e2 100644
--- a/projects/kubernetes/image-cache/Dockerfile
+++ b/projects/kubernetes/image-cache/Dockerfile
@@ -1,5 +1,22 @@
-FROM docker:17.06.0-ce-dind
-ADD . /images
+FROM docker:17.06.0-ce AS docker
+
+# Nothing to do in here, just for COPY --from=docker below
+
+FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS build
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+    alpine-baselayout \
+    busybox
+
+# Remove apk residuals. We have a read-only rootfs, so apk is of no use.
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+WORKDIR /
+COPY --from=build /out /
+COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
+COPY *.tar /images/
 ENTRYPOINT [ "/bin/sh", "-c" ]
 CMD [ "for image in /images/*.tar ; do docker image load -i $image && rm -f $image ; done" ]
 LABEL org.mobyproject.config='{"binds": ["/var/run:/var/run"]}'
diff --git a/projects/kubernetes/image-cache/Makefile b/projects/kubernetes/image-cache/Makefile
new file mode 100644
index 000000000..3f2c459af
--- /dev/null
+++ b/projects/kubernetes/image-cache/Makefile
@@ -0,0 +1,46 @@
+default: push
+
+COMMON_IMAGES := \
+  kube-proxy-amd64\:v1.6.1@sha256\:243f2120171330a26c2418a4367fb0f3cc3e92683b00d16e3cf8c7f92e25bf14 \
+  k8s-dns-sidecar-amd64\:1.14.1@sha256\:d33a91a5d65c223f410891001cd379ac734d036429e033865d700a4176e944b0 \
+  k8s-dns-kube-dns-amd64\:1.14.1@sha256\:33914315e600dfb756e550828307dfa2b21fb6db24fe3fe495e33d1022f9245d \
+  k8s-dns-dnsmasq-nanny-amd64\:1.14.1@sha256\:89c9a1d3cfbf370a9c1a949f39f92c1dc2dbe8c3e6cc1802b7f2b48e4dfe9a9e \
+  pause-amd64\:3.0@sha256\:163ac025575b775d1c0f9bf0bdd0f086883171eb475b5068e7defa4ca9e76516
+
+CONTROL_PLANE_IMAGES := \
+  kube-apiserver-amd64\:v1.6.1@sha256\:d4387dff51b1f9c94cd1cfac3a4694347970b90e911159ac6fe2d090c96a6184 \
+  kube-controller-manager-amd64\:v1.6.1@sha256\:4bb17ede2e012898169d988facd08d5039d2dcb31532661d4dcdeb161d097d69 \
+  kube-scheduler-amd64\:v1.6.1@sha256\:d3e661bf7bcfb10753e32e1a41615e60fbcddff63232f914e9326a2d1665ce33 \
+  etcd-amd64\:3.0.17@sha256\:d83d3545e06fb035db8512e33bd44afb55dea007a3abd7b17742d3ac6d235940
+
+dl/%.tar:
+	mkdir -p $(dir $@)
+	docker image pull gcr.io/google_containers/$(shell basename $@ .tar)
+	docker image save -o $@ gcr.io/google_containers/$(shell basename $@ .tar)
+
+%-pkg:
+	@set -e ; \
+	builddir=$$(mktemp -d $(CACHE).XXXXXX) ; \
+	trap 'rm -rf $${builddir}' EXIT ; \
+	ln $(IMAGES) $${builddir} ; \
+	$(MAKE) -f Makefile.pkg BUILDDIR=$${builddir} CACHE=$(CACHE) $*
+
+.PHONY: tag-common push-common show-tag-common
+tag-common push-common show-tag-common: %-common: $(patsubst %,dl/%.tar,$(COMMON_IMAGES))
+	@$(MAKE) CACHE=common IMAGES="$^" $*-pkg
+
+.PHONY: tag-control-plane push-control-plane show-tag-control-plane
+tag-control-plane push-control-plane show-tag-control-plane: %-control-plane: $(patsubst %,dl/%.tar,$(CONTROL_PLANE_IMAGES))
+	@$(MAKE) CACHE=control-plane IMAGES="$^" $*-pkg
+
+.PHONY: tag push show-tags
+tag: tag-common tag-control-plane
+push: push-common push-control-plane
+show-tags: show-tag-common show-tag-control-plane
+
+.PHONY: dl
+dl: $(patsubst %,dl/%.tar,$(COMMON_IMAGES) $(CONTROL_PLANE_IMAGES))
+
+.PHONY: clean
+clean:
+	rm -rf dl
diff --git a/projects/kubernetes/image-cache/Makefile.pkg b/projects/kubernetes/image-cache/Makefile.pkg
new file mode 100644
index 000000000..8661ca319
--- /dev/null
+++ b/projects/kubernetes/image-cache/Makefile.pkg
@@ -0,0 +1,10 @@
+ORG?=linuxkitprojects
+IMAGE=kubernetes-image-cache-$(CACHE)
+NOTRUST=1
+SOURCE=$(BUILDDIR)
+DEPS=$(BUILDDIR)/Dockerfile
+
+$(BUILDDIR)/Dockerfile: Dockerfile
+	cp $< $@
+
+include ../../../pkg/package.mk
diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml
index b9241127d..6ef31353d 100644
--- a/projects/kubernetes/kube-master.yml
+++ b/projects/kubernetes/kube-master.yml
@@ -56,9 +56,9 @@ services:
     rootfsPropagation: shared
     command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
   - name: kubernetes-image-cache-common
-    image: linuxkit/kubernetes:latest-image-cache-common
+    image: linuxkitprojects/kubernetes-image-cache-common:d49a861bde872e6e975153a98a2c482834a30ef9
   - name: kubernetes-image-cache-control-plane
-    image: linuxkit/kubernetes:latest-image-cache-control-plane
+    image: linuxkitprojects/kubernetes-image-cache-control-plane:d49a861bde872e6e975153a98a2c482834a30ef9
   - name: kubelet
     image: linuxkitprojects/kubernetes:4f8c61254ff6243e93d5bb6315386ac66e94ed14
 files:
diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml
index 23ef4345e..5a0d4a124 100644
--- a/projects/kubernetes/kube-node.yml
+++ b/projects/kubernetes/kube-node.yml
@@ -56,7 +56,7 @@ services:
     rootfsPropagation: shared
     command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
   - name: kubernetes-image-cache-common
-    image: linuxkit/kubernetes:latest-image-cache-common
+    image: linuxkitprojects/kubernetes-image-cache-common:d49a861bde872e6e975153a98a2c482834a30ef9
   - name: kubelet
     image: linuxkitprojects/kubernetes:4f8c61254ff6243e93d5bb6315386ac66e94ed14
 files: