From a29f92fa5c17fa1a22f1ba4354a092a4127a8680 Mon Sep 17 00:00:00 2001
From: Jackson West <jgw@amazon.com>
Date: Mon, 21 Aug 2023 18:36:33 -0500
Subject: [PATCH] Backport kind/capd changes to 0.17 (#2416)

* Bump cluster-api, cert-manager and kind to latest versions (#2402)

* Latest eks-d versions (#2401)

* disable cgroupns in kind/capd (#2405)

* revert runc and containerd in kind image (#2406)

* revert runc and containerd in kind image

* Update CHECKSUMS

* do not lock containerd version (#2412)

* do not lock containerd version

* Update CHECKSUMS

---------

Co-authored-by: Abhay Krishna <arnchlm@amazon.com>
---
 EKSD_LATEST_RELEASES                          |  10 +-
 UPSTREAM_PROJECTS.yaml                        |   6 +-
 projects/brancz/kube-rbac-proxy/README.md     |   2 +-
 .../CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt   |   2 +-
 .../CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt   |   2 +-
 .../CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt   |   2 +-
 .../CERT_MANAGER_CTL_ATTRIBUTION.txt          |   2 +-
 .../CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt      |   2 +-
 projects/cert-manager/cert-manager/CHECKSUMS  |  20 +-
 projects/cert-manager/cert-manager/GIT_TAG    |   2 +-
 projects/cert-manager/cert-manager/README.md  |   2 +-
 .../cert-manager/manifests/cert-manager.yaml  | 104 +++---
 .../cluster-api/ATTRIBUTION.txt               |  10 +-
 .../cluster-api/CAPD_ATTRIBUTION.txt          |  19 +-
 .../kubernetes-sigs/cluster-api/CHECKSUMS     |  20 +-
 projects/kubernetes-sigs/cluster-api/GIT_TAG  |   2 +-
 projects/kubernetes-sigs/cluster-api/Makefile |  13 +-
 .../kubernetes-sigs/cluster-api/README.md     |   2 +-
 ...Adding-capi-support-for-Bottlerocket.patch |  12 +-
 .../0002-Add-unstacked-etcd-support.patch     |  24 +-
 ...tacked-etcd-and-controlplane-upgrade.patch |  10 +-
 ...h-in-kubevip-manifest-for-kubeadm-co.patch |   6 +-
 ...ottlerocket-bootstrap-images-updatab.patch |   6 +-
 ...for-registry-mirror-for-bottlerocket.patch |   6 +-
 ...-template-for-bottlerocket-bootstrap.patch |   6 +-
 ...pdate-core-conversion-spoke-versions.patch |   6 +-
 ...rocket-changes-to-capbk-v1alpha4-api.patch |   6 +-
 ...pdate-capbk-converions-spoke-version.patch |   6 +-
 ...on-to-list-of-fields-to-ignore-for-u.patch |   6 +-
 ...node-labels-support-for-bottlerocket.patch |   6 +-
 .../0013-Support-worker-node-taints.patch     |   6 +-
 ...t-bottle-rocket-control-plane-taints.patch |   6 +-
 ...ing-bottlerocket-control-container-u.patch |   8 +-
 ...mat-for-storing-etcd-machine-address.patch |   6 +-
 ...-provider-id-from-kubelet-extra-args.patch |   6 +-
 ...-control-image-on-nodes-joining-a-ne.patch |   6 +-
 ...pecifiy-additional-host-containers-i.patch |   6 +-
 ...-custom-bootstrap-containers-config-.patch |   6 +-
 ...ing-bottlerocket-admin-container-ima.patch |   6 +-
 ...t-admin-control-custom-bootstrap-con.patch |   6 +-
 ...e-status-to-running-after-etcd-contr.patch |   6 +-
 ...add-support-for-registry-credentials.patch |   6 +-
 ...configuring-NTP-servers-on-bottleroc.patch |   6 +-
 .../0026-set-hostname-for-BR-nodes.patch      |   6 +-
 ...dd-bottlerocket-k8s-settings-support.patch |   8 +-
 .../0028-add-br-kernel.sysctl-settings.patch  |   6 +-
 ...0029-add-boot-kernel-settings-for-BR.patch |   6 +-
 ...-maxconn-value-to-avoid-ulimit-issue.patch |   6 +-
 ...ort-for-custom-cert-bundles-in-BR-21.patch |   6 +-
 .../0032-CAPI-Move-Cluster-Filter.patch       |   6 +-
 ...h-force-move-label-and-no-cluster-te.patch |   6 +-
 ...irror-configurations-to-be-mutable-f.patch |   6 +-
 ...external-etcd-machines-in-Kind-mappe.patch | 189 ++++++++++
 ...-disable-cgroupns-private-to-fix-AL2.patch |  39 ++
 projects/kubernetes-sigs/cri-tools/README.md  |   2 +-
 projects/kubernetes-sigs/kind/ATTRIBUTION.txt |   2 +-
 projects/kubernetes-sigs/kind/CHECKSUMS       |   9 +-
 projects/kubernetes-sigs/kind/GIT_TAG         |   2 +-
 .../kind/KINDNETD_ATTRIBUTION.txt             |   2 +-
 projects/kubernetes-sigs/kind/README.md       |   2 +-
 .../kind/build/node-image-build-args.sh       |  14 +-
 ...tch-to-AL2-base-image-for-node-image.patch | 336 +++++++++++-------
 ...-required-images-since-the-build-rem.patch |  44 +--
 ...-maxconn-value-to-avoid-ulimit-issue.patch |   5 +-
 ...-private-to-fix-cluster-creation-on-.patch |  26 ++
 ...EMP-lock-containerd-and-runc-version.patch |  26 --
 ...EMP-lock-containerd-and-runc-version.patch |  25 ++
 projects/vmware/govmomi/README.md             |   2 +-
 68 files changed, 749 insertions(+), 434 deletions(-)
 create mode 100644 projects/kubernetes-sigs/cluster-api/patches/0035-Add-support-for-external-etcd-machines-in-Kind-mappe.patch
 create mode 100644 projects/kubernetes-sigs/cluster-api/patches/0036-disable-cgroupns-private-to-fix-AL2.patch
 create mode 100644 projects/kubernetes-sigs/kind/patches/0004-Disable-cgroupns-private-to-fix-cluster-creation-on-.patch
 delete mode 100644 projects/kubernetes-sigs/kind/patches/0004-TEMP-lock-containerd-and-runc-version.patch
 create mode 100644 projects/kubernetes-sigs/kind/patches/0005-TEMP-lock-containerd-and-runc-version.patch

diff --git a/EKSD_LATEST_RELEASES b/EKSD_LATEST_RELEASES
index 2a9b727d4a..166bc0dcdb 100644
--- a/EKSD_LATEST_RELEASES
+++ b/EKSD_LATEST_RELEASES
@@ -15,18 +15,18 @@ releases:
   number: 28
   kubeVersion: v1.22.17
 - branch: 1-23
-  number: 28
+  number: 29
   kubeVersion: v1.23.17
 - branch: 1-24
-  number: 23
+  number: 24
   kubeVersion: v1.24.16
 - branch: 1-25
-  number: 19
+  number: 20
   kubeVersion: v1.25.12
 - branch: 1-26
-  number: 15
+  number: 16
   kubeVersion: v1.26.7
 - branch: 1-27
-  number: 9
+  number: 10
   kubeVersion: v1.27.4
 latest: 1-25
diff --git a/UPSTREAM_PROJECTS.yaml b/UPSTREAM_PROJECTS.yaml
index e49c3b87c6..fb20417d69 100644
--- a/UPSTREAM_PROJECTS.yaml
+++ b/UPSTREAM_PROJECTS.yaml
@@ -61,7 +61,7 @@ projects:
     repos:
       - name: cert-manager
         versions:
-          - tag: v1.12.1
+          - tag: v1.12.2
             go_version: "1.20"
   - org: cilium
     repos:
@@ -175,7 +175,7 @@ projects:
     repos:
       - name: cluster-api
         versions:
-          - tag: v1.4.3
+          - tag: v1.4.5
             go_version: "1.19"
       - name: cluster-api-provider-cloudstack
         versions:
@@ -199,7 +199,7 @@ projects:
             go_version: N/A
       - name: kind
         versions:
-          - tag: v0.18.0
+          - tag: v0.20.0
             go_version: "1.20"
   - org: metallb
     repos:
diff --git a/projects/brancz/kube-rbac-proxy/README.md b/projects/brancz/kube-rbac-proxy/README.md
index 5ea264b5f6..7351ca91e4 100644
--- a/projects/brancz/kube-rbac-proxy/README.md
+++ b/projects/brancz/kube-rbac-proxy/README.md
@@ -1,5 +1,5 @@
 ## **Kube RBAC Proxy**
-![Version](https://img.shields.io/badge/version-v0.14.1-blue)
+![Version](https://img.shields.io/badge/version-v0.14.2-blue)
 ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiZUxRMjRTYUl6NEhJWkI1YVh5QVB3UitEY1dCcExLTUxGR21DQ0IySUZUTEI4N3I4NnMwbnIxUW9OZ1dudm9VdTRoaHVzUHhyMjNwek9wYXY3amh3NlFVPSIsIml2UGFyYW1ldGVyU3BlYyI6ImdSc3ZLZmpxM1BMYnd0dGwiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
 The [kube-rbac-proxy](https://github.com/brancz/kube-rbac-proxy) is an HTTP proxy for a single upstream endpoint, that can perform RBAC authorization against the Kubernetes API using `SubjectAccessReview`. In Kubernetes clusters without NetworkPolicies, any Pod can perform requests to every other Pod in the cluster. This proxy serves to restrict requests to only those Pods that present a valid and RBAC-authorized token or client TLS certificate.
diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt
index 257f7c4451..07fd491a22 100644
--- a/projects/cert-manager/cert-manager/CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt
+++ b/projects/cert-manager/cert-manager/CERT_MANAGER_ACMESOLVER_ATTRIBUTION.txt
@@ -2,7 +2,7 @@
 ** github.com/cert-manager/cert-manager; version v0.0.0-00010101000000-000000000000 --
 https://github.com/cert-manager/cert-manager
 
-** github.com/cert-manager/cert-manager/acmesolver-binary; version v1.12.1 --
+** github.com/cert-manager/cert-manager/acmesolver-binary; version v1.12.2 --
 https://github.com/cert-manager/cert-manager/acmesolver-binary
 
 ** github.com/go-logr/logr; version v1.2.4 --
diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt
index ff20e70d2b..97795c577c 100644
--- a/projects/cert-manager/cert-manager/CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt
+++ b/projects/cert-manager/cert-manager/CERT_MANAGER_CAINJECTOR_ATTRIBUTION.txt
@@ -2,7 +2,7 @@
 ** github.com/cert-manager/cert-manager; version v0.0.0-00010101000000-000000000000 --
 https://github.com/cert-manager/cert-manager
 
-** github.com/cert-manager/cert-manager/cainjector-binary; version v1.12.1 --
+** github.com/cert-manager/cert-manager/cainjector-binary; version v1.12.2 --
 https://github.com/cert-manager/cert-manager/cainjector-binary
 
 ** github.com/go-logr/logr; version v1.2.4 --
diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt
index 249a5e2dd6..730d61b501 100644
--- a/projects/cert-manager/cert-manager/CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt
+++ b/projects/cert-manager/cert-manager/CERT_MANAGER_CONTROLLER_ATTRIBUTION.txt
@@ -32,7 +32,7 @@ https://github.com/Azure/go-autorest/tracing
 ** github.com/cert-manager/cert-manager; version v0.0.0-00010101000000-000000000000 --
 https://github.com/cert-manager/cert-manager
 
-** github.com/cert-manager/cert-manager/controller-binary; version v1.12.1 --
+** github.com/cert-manager/cert-manager/controller-binary; version v1.12.2 --
 https://github.com/cert-manager/cert-manager/controller-binary
 
 ** github.com/coreos/go-semver/semver; version v0.3.0 --
diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_CTL_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_CTL_ATTRIBUTION.txt
index d0d3176a71..06907c8932 100644
--- a/projects/cert-manager/cert-manager/CERT_MANAGER_CTL_ATTRIBUTION.txt
+++ b/projects/cert-manager/cert-manager/CERT_MANAGER_CTL_ATTRIBUTION.txt
@@ -2,7 +2,7 @@
 ** github.com/cert-manager/cert-manager; version v1.12.1-0.20230524130037-7ea113504de2 --
 https://github.com/cert-manager/cert-manager
 
-** github.com/cert-manager/cert-manager/cmd/ctl; version v1.12.1 --
+** github.com/cert-manager/cert-manager/cmd/ctl; version v1.12.2 --
 https://github.com/cert-manager/cert-manager/cmd/ctl
 
 ** github.com/containerd/containerd; version v1.7.0 --
diff --git a/projects/cert-manager/cert-manager/CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt b/projects/cert-manager/cert-manager/CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt
index 499d5de691..b954a09a01 100644
--- a/projects/cert-manager/cert-manager/CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt
+++ b/projects/cert-manager/cert-manager/CERT_MANAGER_WEBHOOK_ATTRIBUTION.txt
@@ -2,7 +2,7 @@
 ** github.com/cert-manager/cert-manager; version v0.0.0-00010101000000-000000000000 --
 https://github.com/cert-manager/cert-manager
 
-** github.com/cert-manager/cert-manager/webhook-binary; version v1.12.1 --
+** github.com/cert-manager/cert-manager/webhook-binary; version v1.12.2 --
 https://github.com/cert-manager/cert-manager/webhook-binary
 
 ** github.com/go-logr/logr; version v1.2.4 --
diff --git a/projects/cert-manager/cert-manager/CHECKSUMS b/projects/cert-manager/cert-manager/CHECKSUMS
index e8c6be4352..b4f7528e09 100644
--- a/projects/cert-manager/cert-manager/CHECKSUMS
+++ b/projects/cert-manager/cert-manager/CHECKSUMS
@@ -1,10 +1,10 @@
-b27e0f8fdde56522342b15531b586f1a1658d79f62c0b4dbb30e8f8cb72b1d7f  _output/bin/cert-manager/linux-amd64/cert-manager-acmesolver
-ec50b30c6650eb43f353b2c2012f83a9f9141dc7ace18c372c5b840ff0df1df9  _output/bin/cert-manager/linux-amd64/cert-manager-cainjector
-868f0e629002bd69d91c388f8fadd8563d28a7af4dd149c2cb76ada5fe4624f3  _output/bin/cert-manager/linux-amd64/cert-manager-controller
-a9e25f38de1f72c6438c488f199f95a59e37b91e987ce659612911ec0cd8d6f5  _output/bin/cert-manager/linux-amd64/cert-manager-ctl
-c61c06716d578cede28ffa1b85f21110dd47564adf95125d27999a100be579b5  _output/bin/cert-manager/linux-amd64/cert-manager-webhook
-ec169a43ebc6830c935dff29536c2d2dc799a4c34e2dfc6a1c5af7a9dc76b82a  _output/bin/cert-manager/linux-arm64/cert-manager-acmesolver
-58bdda035d98549df3829c085cc32ca8a7d141130fd3195e01c1bc8f69e4a47d  _output/bin/cert-manager/linux-arm64/cert-manager-cainjector
-33800139795ef5d4762092c57dcd5e32a0ca8fac4bd4ff1105f621b3ea46cd67  _output/bin/cert-manager/linux-arm64/cert-manager-controller
-9d1c1ae65ade567d3340d5b8b0f8f54ba852978af6b892d11505342d38d1df32  _output/bin/cert-manager/linux-arm64/cert-manager-ctl
-b9387c69c37ba6ab93cab8681b933e61493c60a9ee13842af19627358ee444e2  _output/bin/cert-manager/linux-arm64/cert-manager-webhook
+55bb3ab64e1b7800f5a44edd0b217dfad9f7eddb962bbf6f110c838c858595dd  _output/bin/cert-manager/linux-amd64/cert-manager-acmesolver
+e34ca2b8c8c47f2f05e2ea041695e8c7422b31e5ebfeba6241410453b0ebdc86  _output/bin/cert-manager/linux-amd64/cert-manager-cainjector
+a9e6a4c4a0ba8fc6d1d93f1a96832470023f31038e8b30e4c3628a0eeac9c7bd  _output/bin/cert-manager/linux-amd64/cert-manager-controller
+5ef1243565f0224ad4af2fcfb5c05a442435745db2faecd4bb044a675c72477e  _output/bin/cert-manager/linux-amd64/cert-manager-ctl
+788d265ec23993384d2a8cb77a724ba87fa66b7a39450a3a3d71e42f1f05f9af  _output/bin/cert-manager/linux-amd64/cert-manager-webhook
+b105c8f3e6cd7d844522f97ad27d21778b54b7554d30d849a15ce73cc33bb2de  _output/bin/cert-manager/linux-arm64/cert-manager-acmesolver
+d9e13b63b4a6e08009cd6e5512a3a514d89e5ac873a84acf3e97bba35bd75450  _output/bin/cert-manager/linux-arm64/cert-manager-cainjector
+f20795a19580f2a083f90d3abd9ac83a1b734b91a6b37412471e6962d9f0b915  _output/bin/cert-manager/linux-arm64/cert-manager-controller
+ba802dc58d3764b09384c0df28c6115d7afbd41e0e434b976603cfd8de16f96b  _output/bin/cert-manager/linux-arm64/cert-manager-ctl
+43db2e15a508b0fd47e8956cd437ef96605e01f9341a6702268d309db11fd227  _output/bin/cert-manager/linux-arm64/cert-manager-webhook
diff --git a/projects/cert-manager/cert-manager/GIT_TAG b/projects/cert-manager/cert-manager/GIT_TAG
index 51b86ba24b..41de27dfab 100644
--- a/projects/cert-manager/cert-manager/GIT_TAG
+++ b/projects/cert-manager/cert-manager/GIT_TAG
@@ -1 +1 @@
-v1.12.1
+v1.12.2
diff --git a/projects/cert-manager/cert-manager/README.md b/projects/cert-manager/cert-manager/README.md
index 8d99b86d3d..df991b0943 100644
--- a/projects/cert-manager/cert-manager/README.md
+++ b/projects/cert-manager/cert-manager/README.md
@@ -1,5 +1,5 @@
 ## **cert-manager**
-![Version](https://img.shields.io/badge/version-v1.12.1-blue)
+![Version](https://img.shields.io/badge/version-v1.12.2-blue)
 ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiUkphQkhWTUpOOVE1OFVLU0dHQmVFUXZJV0dJaGVLYmtEZHp0aGtDRnJBQUxtaHVqOWp3S0l6d0NlTytqNWpwc2tNTmF6RnNhMTZ3d1J1RXErR0lWcldZPSIsIml2UGFyYW1ldGVyU3BlYyI6IlQyU2lIcVVtU3ozZVZSVTgiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
 [cert-manager](https://github.com/cert-manager/cert-manager) is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources, such as [Let’s Encrypt](https://letsencrypt.org), [HashiCorp Vault](https://www.vaultproject.io), [Venafi](https://www.venafi.com/), a simple signing key pair, or self signed. It periodically ensures that certificates are valid and up-to-date, and attempts to renew certificates at an appropriate time before expiry.
diff --git a/projects/cert-manager/cert-manager/manifests/cert-manager.yaml b/projects/cert-manager/cert-manager/manifests/cert-manager.yaml
index 235dc1c4ef..44b817fd80 100644
--- a/projects/cert-manager/cert-manager/manifests/cert-manager.yaml
+++ b/projects/cert-manager/cert-manager/manifests/cert-manager.yaml
@@ -27,7 +27,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   group: cert-manager.io
   names:
@@ -227,7 +227,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   group: cert-manager.io
   names:
@@ -600,7 +600,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   group: acme.cert-manager.io
   names:
@@ -1678,7 +1678,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: "cert-manager"
     # Generated labels
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   group: cert-manager.io
   names:
@@ -2998,7 +2998,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: "cert-manager"
     # Generated labels
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   group: cert-manager.io
   names:
@@ -4318,7 +4318,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   group: acme.cert-manager.io
   names:
@@ -4502,7 +4502,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 ---
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
@@ -4516,7 +4516,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 ---
 # Source: cert-manager/templates/webhook-serviceaccount.yaml
 apiVersion: v1
@@ -4530,7 +4530,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 ---
 # Source: cert-manager/templates/webhook-config.yaml
 apiVersion: v1
@@ -4543,7 +4543,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 data:
 ---
 # Source: cert-manager/templates/cainjector-rbac.yaml
@@ -4556,7 +4556,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates"]
@@ -4588,7 +4588,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["issuers", "issuers/status"]
@@ -4614,7 +4614,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["clusterissuers", "clusterissuers/status"]
@@ -4640,7 +4640,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
@@ -4675,7 +4675,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["acme.cert-manager.io"]
     resources: ["orders", "orders/status"]
@@ -4713,7 +4713,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   # Use to update challenge resource status
   - apiGroups: ["acme.cert-manager.io"]
@@ -4773,7 +4773,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates", "certificaterequests"]
@@ -4810,7 +4810,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -4832,7 +4832,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
@@ -4857,7 +4857,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["signers"]
@@ -4877,7 +4877,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["certificates.k8s.io"]
     resources: ["certificatesigningrequests"]
@@ -4903,7 +4903,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
@@ -4919,7 +4919,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4939,7 +4939,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4959,7 +4959,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4979,7 +4979,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4999,7 +4999,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -5019,7 +5019,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -5039,7 +5039,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -5059,7 +5059,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -5079,7 +5079,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -5099,7 +5099,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -5122,7 +5122,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   # Used for leader election by the controller
   # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
@@ -5148,7 +5148,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
@@ -5169,7 +5169,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 rules:
 - apiGroups: [""]
   resources: ["secrets"]
@@ -5194,7 +5194,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -5217,7 +5217,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -5239,7 +5239,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -5261,7 +5261,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   type: ClusterIP
   ports:
@@ -5285,7 +5285,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   type: ClusterIP
   ports:
@@ -5309,7 +5309,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   replicas: 1
   selector:
@@ -5324,7 +5324,7 @@ spec:
         app.kubernetes.io/name: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/component: "cainjector"
-        app.kubernetes.io/version: "v1.12.1"
+        app.kubernetes.io/version: "v1.12.2"
     spec:
       serviceAccountName: cert-manager-cainjector
       securityContext:
@@ -5333,7 +5333,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: cert-manager-cainjector
-          image: "quay.io/jetstack/cert-manager-cainjector:v1.12.1"
+          image: "quay.io/jetstack/cert-manager-cainjector:v1.12.2"
           imagePullPolicy: IfNotPresent
           args:
           - --v=2
@@ -5362,7 +5362,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   replicas: 1
   selector:
@@ -5377,7 +5377,7 @@ spec:
         app.kubernetes.io/name: cert-manager
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/component: "controller"
-        app.kubernetes.io/version: "v1.12.1"
+        app.kubernetes.io/version: "v1.12.2"
       annotations:
         prometheus.io/path: "/metrics"
         prometheus.io/scrape: 'true'
@@ -5390,13 +5390,13 @@ spec:
           type: RuntimeDefault
       containers:
         - name: cert-manager-controller
-          image: "quay.io/jetstack/cert-manager-controller:v1.12.1"
+          image: "quay.io/jetstack/cert-manager-controller:v1.12.2"
           imagePullPolicy: IfNotPresent
           args:
           - --v=2
           - --cluster-resource-namespace=$(POD_NAMESPACE)
           - --leader-election-namespace=kube-system
-          - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.12.1
+          - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.12.2
           - --max-concurrent-challenges=60
           ports:
           - containerPort: 9402
@@ -5429,7 +5429,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
 spec:
   replicas: 1
   selector:
@@ -5444,7 +5444,7 @@ spec:
         app.kubernetes.io/name: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/component: "webhook"
-        app.kubernetes.io/version: "v1.12.1"
+        app.kubernetes.io/version: "v1.12.2"
     spec:
       serviceAccountName: cert-manager-webhook
       securityContext:
@@ -5453,7 +5453,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: cert-manager-webhook
-          image: "quay.io/jetstack/cert-manager-webhook:v1.12.1"
+          image: "quay.io/jetstack/cert-manager-webhook:v1.12.2"
           imagePullPolicy: IfNotPresent
           args:
           - --v=2
@@ -5514,7 +5514,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
   annotations:
     cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
 webhooks:
@@ -5555,7 +5555,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.12.1"
+    app.kubernetes.io/version: "v1.12.2"
   annotations:
     cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
 webhooks:
diff --git a/projects/kubernetes-sigs/cluster-api/ATTRIBUTION.txt b/projects/kubernetes-sigs/cluster-api/ATTRIBUTION.txt
index 98bd770e4f..bb07b1e74a 100644
--- a/projects/kubernetes-sigs/cluster-api/ATTRIBUTION.txt
+++ b/projects/kubernetes-sigs/cluster-api/ATTRIBUTION.txt
@@ -110,10 +110,10 @@ https://github.com/go4org/go4
 ** gomodules.xyz/jsonpatch/v2; version v2.2.0 --
 https://github.com/gomodules/jsonpatch
 
-** google.golang.org/genproto/googleapis; version v0.0.0-20221227171554-f9683d7f8bef --
+** google.golang.org/genproto/googleapis; version v0.0.0-20230306155012-7f2fa6fef1f4 --
 https://github.com/googleapis/go-genproto
 
-** google.golang.org/grpc; version v1.52.0 --
+** google.golang.org/grpc; version v1.55.0 --
 https://github.com/grpc/grpc-go
 
 ** gopkg.in/ini.v1; version v1.67.0 --
@@ -170,7 +170,7 @@ https://github.com/kubernetes/kubectl
 ** k8s.io/utils; version v0.0.0-20221128185143-99ec85e7a448 --
 https://github.com/kubernetes/utils
 
-** sigs.k8s.io/cluster-api; version v1.4.3 --
+** sigs.k8s.io/cluster-api; version v1.4.5 --
 https://github.com/kubernetes-sigs/cluster-api
 
 ** sigs.k8s.io/controller-runtime; version v0.14.5 --
@@ -1219,7 +1219,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ------
 
-** google.golang.org/protobuf; version v1.28.1 --
+** google.golang.org/protobuf; version v1.30.0 --
 https://go.googlesource.com/protobuf
 
 Copyright (c) 2018 The Go Authors. All rights reserved.
@@ -1360,7 +1360,7 @@ Copyright (c) 2014 Benedikt Lang <github at benediktlang.de>
 https://github.com/blang/semver/v4
 Copyright (c) 2014 Benedikt Lang <github at benediktlang.de>
 
-** github.com/cespare/xxhash/v2; version v2.1.2 --
+** github.com/cespare/xxhash/v2; version v2.2.0 --
 https://github.com/cespare/xxhash/v2
 Copyright (c) 2016 Caleb Spare
 
diff --git a/projects/kubernetes-sigs/cluster-api/CAPD_ATTRIBUTION.txt b/projects/kubernetes-sigs/cluster-api/CAPD_ATTRIBUTION.txt
index a099ceba05..dcb154b96f 100644
--- a/projects/kubernetes-sigs/cluster-api/CAPD_ATTRIBUTION.txt
+++ b/projects/kubernetes-sigs/cluster-api/CAPD_ATTRIBUTION.txt
@@ -8,7 +8,7 @@ https://github.com/coreos/go-systemd
 ** github.com/docker/distribution; version v2.8.2+incompatible --
 https://github.com/distribution/distribution
 
-** github.com/docker/docker; version v20.10.24+incompatible --
+** github.com/docker/docker; version v24.0.5+incompatible --
 https://github.com/moby/moby
 
 ** github.com/docker/go-connections; version v0.4.0 --
@@ -113,10 +113,13 @@ https://github.com/kubernetes/utils
 ** sigs.k8s.io/cluster-api; version v0.0.0-00010101000000-000000000000 --
 https://github.com/kubernetes-sigs/cluster-api
 
-** sigs.k8s.io/cluster-api/test/infrastructure/container; version v1.4.3 --
+** sigs.k8s.io/cluster-api/test/infrastructure/container; version v1.4.5 --
 https://github.com/kubernetes-sigs/cluster-api
 
-** sigs.k8s.io/cluster-api/test/infrastructure/docker; version v1.4.3 --
+** sigs.k8s.io/cluster-api/test/infrastructure/docker; version v1.4.5 --
+https://github.com/kubernetes-sigs/cluster-api
+
+** sigs.k8s.io/cluster-api/test/infrastructure/kind; version v1.4.5 --
 https://github.com/kubernetes-sigs/cluster-api
 
 ** sigs.k8s.io/controller-runtime; version v0.14.5 --
@@ -125,7 +128,7 @@ https://github.com/kubernetes-sigs/controller-runtime
 ** sigs.k8s.io/json; version v0.0.0-20220713155537-f223a00ba0e2 --
 https://github.com/kubernetes-sigs/json
 
-** sigs.k8s.io/kind/pkg; version v0.18.0 --
+** sigs.k8s.io/kind/pkg; version v0.20.0 --
 https://github.com/kubernetes-sigs/kind
 
 ** sigs.k8s.io/structured-merge-diff/v4; version v4.2.3 --
@@ -881,7 +884,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ------
 
-** google.golang.org/protobuf; version v1.28.1 --
+** google.golang.org/protobuf; version v1.30.0 --
 https://go.googlesource.com/protobuf
 
 Copyright (c) 2018 The Go Authors. All rights reserved.
@@ -1047,7 +1050,7 @@ Copyright (c) 2014 Benedikt Lang <github at benediktlang.de>
 https://github.com/blang/semver/v4
 Copyright (c) 2014 Benedikt Lang <github at benediktlang.de>
 
-** github.com/cespare/xxhash/v2; version v2.1.2 --
+** github.com/cespare/xxhash/v2; version v2.2.0 --
 https://github.com/cespare/xxhash/v2
 Copyright (c) 2016 Caleb Spare
 
@@ -1075,10 +1078,6 @@ Copyright (c) 2016 Mail.Ru Group
 https://github.com/onsi/gomega
 Copyright (c) 2013-2014 Onsi Fakhouri
 
-** github.com/sirupsen/logrus; version v1.8.1 --
-https://github.com/sirupsen/logrus
-Copyright (c) 2014 Simon Eskildsen
-
 ** github.com/vincent-petithory/dataurl; version v1.0.0 --
 https://github.com/vincent-petithory/dataurl
 Copyright (c) 2014 Vincent Petithory
diff --git a/projects/kubernetes-sigs/cluster-api/CHECKSUMS b/projects/kubernetes-sigs/cluster-api/CHECKSUMS
index 6339602d77..7a18600c40 100644
--- a/projects/kubernetes-sigs/cluster-api/CHECKSUMS
+++ b/projects/kubernetes-sigs/cluster-api/CHECKSUMS
@@ -1,10 +1,10 @@
-f89356f1591cee618894373ae9ff3f4b14d6d0d0dc959c5ff1dfce81fdadc52e  _output/bin/cluster-api/linux-amd64/cluster-api-provider-docker-manager
-99d0eb50759b2cc78a81c756737249c6206c1fdb25e5d6aee4ed5daf8f71ee4d  _output/bin/cluster-api/linux-amd64/clusterctl
-4e7e52e6f1ae4b9a7d25dbc1f88c2d16aeb5eb70b97dca2b127e803033faceb9  _output/bin/cluster-api/linux-amd64/kubeadm-bootstrap-manager
-d96d281b17c1b22b47b2186e80b889eee31aac0daee4ecdc3ea9a5d67050e998  _output/bin/cluster-api/linux-amd64/kubeadm-control-plane-manager
-5717aad8f239a6f7f13616ae06ede1adfa4cc1cb38a3b904e98c3390e51a1fd6  _output/bin/cluster-api/linux-amd64/manager
-9d349a55f52928285787b868d56fa78a592f7a73851b88039357745f173224ce  _output/bin/cluster-api/linux-arm64/cluster-api-provider-docker-manager
-288beaa4422dd8f0e756d5f5939fc1ec6cd5e373136677e9fe65d366cf3445db  _output/bin/cluster-api/linux-arm64/clusterctl
-784b355d751dfeb2f391d76b3ac9bc2af79d241867569c4fb86a90b4b6817f76  _output/bin/cluster-api/linux-arm64/kubeadm-bootstrap-manager
-f0e6739075ebe64e530b14d0b974fd76b89d3de64e0bef67b151ae45356bdae4  _output/bin/cluster-api/linux-arm64/kubeadm-control-plane-manager
-d16f177d9f1c1a8676c43b7a1ef7734e67b48e5ac6223301a1a95ec42b07c819  _output/bin/cluster-api/linux-arm64/manager
+adbd6a27048e2e8b9d7f667e0c8351ce0db99ab9eb0a9516c939cfbcaedf0a3c  _output/bin/cluster-api/linux-amd64/cluster-api-provider-docker-manager
+109b8b2c7424bbc5bcfa6f7cee7a618efc24ea42eea1bfe74539bb64680c7c2f  _output/bin/cluster-api/linux-amd64/clusterctl
+1cf49c34e7f34985b46e759aadc41a25a2a07b6a8e2c6ec1c5bf60c453b91788  _output/bin/cluster-api/linux-amd64/kubeadm-bootstrap-manager
+ddff25974dbd758930a99b7de8f03b8aff22f5cbda1e1fc4a3e12f80f91104f2  _output/bin/cluster-api/linux-amd64/kubeadm-control-plane-manager
+ac1f9d41380a1ebd0960da324f0796dd0e75e03b52dca73a4a31984721b4d1e9  _output/bin/cluster-api/linux-amd64/manager
+1e64a4a26a9d64eee971feaf1d7fee9ee5bfa0ff95982a671dbc25604b9b3ccc  _output/bin/cluster-api/linux-arm64/cluster-api-provider-docker-manager
+5c4c8abbe5f256537c1e7c8ab64128800af94f98f921e0c5b1069a0b9076d555  _output/bin/cluster-api/linux-arm64/clusterctl
+2c6381f49091377526638168797692f3ccceb614c6a0b50fa99b89bd48f47ce7  _output/bin/cluster-api/linux-arm64/kubeadm-bootstrap-manager
+f5c284e79495a96b2dd2e7ae0432fe4c3197a43ecf14fc676c6e055aba3980c0  _output/bin/cluster-api/linux-arm64/kubeadm-control-plane-manager
+58530fbdfcf54462cafb47451f8d2406f6116141a2b0f645d7dd6830b312691a  _output/bin/cluster-api/linux-arm64/manager
diff --git a/projects/kubernetes-sigs/cluster-api/GIT_TAG b/projects/kubernetes-sigs/cluster-api/GIT_TAG
index 92f76b4232..959bb9d045 100644
--- a/projects/kubernetes-sigs/cluster-api/GIT_TAG
+++ b/projects/kubernetes-sigs/cluster-api/GIT_TAG
@@ -1 +1 @@
-v1.4.3
+v1.4.5
diff --git a/projects/kubernetes-sigs/cluster-api/Makefile b/projects/kubernetes-sigs/cluster-api/Makefile
index 872e5583dc..5b28efb923 100644
--- a/projects/kubernetes-sigs/cluster-api/Makefile
+++ b/projects/kubernetes-sigs/cluster-api/Makefile
@@ -28,7 +28,8 @@ BUILDSPEC_COMPUTE_TYPE=BUILD_GENERAL1_LARGE
 
 FIX_LICENSES_GO_JSON_TARGET=$(REPO)/vendor/github.com/github.com/ajeddeloh/go-json/LICENSE.txt
 FIX_LICENSES_TEST_CONTAINER_TARGET=$(REPO)/test/infrastructure/docker/LICENSE
-FIX_LICENSES_TEST_DOCKER_TARGET=$(REPO)/test/infrastructure/container/LICENSE 
+FIX_LICENSES_TEST_DOCKER_TARGET=$(REPO)/test/infrastructure/container/LICENSE
+FIX_LICENSES_TEST_KIND_TARGET=$(REPO)/test/infrastructure/kind/LICENSE
 
 include $(BASE_DIRECTORY)/Common.mk
 
@@ -37,7 +38,7 @@ $(OUTPUT_BIN_DIR)/linux-%/cluster-api-provider-docker-manager: EXTRA_GO_LDFLAGS=
 
 s3-artifacts: create-manifests
 
-$(GATHER_LICENSES_TARGETS): | $(FIX_LICENSES_GO_JSON_TARGET) $(FIX_LICENSES_TEST_CONTAINER_TARGET) $(FIX_LICENSES_TEST_DOCKER_TARGET)
+$(GATHER_LICENSES_TARGETS): | $(FIX_LICENSES_GO_JSON_TARGET) $(FIX_LICENSES_TEST_CONTAINER_TARGET) $(FIX_LICENSES_TEST_DOCKER_TARGET) $(FIX_LICENSES_TEST_KIND_TARGET)
 
 cluster-api-docker-controller/images/%: BASE_IMAGE_NAME=eks-distro-minimal-base
 
@@ -54,14 +55,18 @@ $(FIX_LICENSES_GO_JSON_TARGET): | $(GO_MOD_DOWNLOAD_TARGETS)
 			$(REPO)/vendor/github.com/ajeddeloh/go-json/LICENSE.txt;
 
 $(FIX_LICENSES_TEST_CONTAINER_TARGET): | $(GO_MOD_DOWNLOAD_TARGETS)
-# capd pulls in a dep in test/infra/container which does not have a LICENSE file and go-licenses does look up
+# CAPD pulls in a dep in test/infrastructure/container which does not have a LICENSE file and go-licenses does look it up
 # We use capi license instead
 	cp $(REPO)/LICENSE $@
 
 $(FIX_LICENSES_TEST_DOCKER_TARGET): | $(GO_MOD_DOWNLOAD_TARGETS)
-# capd is a separate module but it doesn't have its own license, it inherits the one at the REPO top level. 
+# CAPD is a separate module but it doesn't have its own license, it inherits the one at the REPO top level.
 	cp $(REPO)/LICENSE $@
 
+$(FIX_LICENSES_TEST_KIND_TARGET): | $(GO_MOD_DOWNLOAD_TARGETS)
+# CAPD pulls in a dep in test/infrstructure/kind which does not have a LICENSE file and go-licenses does look it up
+# We use capi license instead
+	cp $(REPO)/LICENSE $@
 
 ########### DO NOT EDIT #############################
 # To update call: make add-generated-help-block
diff --git a/projects/kubernetes-sigs/cluster-api/README.md b/projects/kubernetes-sigs/cluster-api/README.md
index cd106b284c..feb522b39f 100644
--- a/projects/kubernetes-sigs/cluster-api/README.md
+++ b/projects/kubernetes-sigs/cluster-api/README.md
@@ -1,5 +1,5 @@
 ## **Cluster API**
-![Version](https://img.shields.io/badge/version-v1.4.3-blue)
+![Version](https://img.shields.io/badge/version-v1.4.5-blue)
 ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiQVZ3TDBZZVVXZUZiVmtqLzVoOVcrV2FaMmxRRzJXRmJCRlZtQkNodXdWZ0FrNm0zQ3l5UzNqTkdsQXgwdzc0bTBZc1RIcjBhMUVFbEhIK3d2VDVPek1rPSIsIml2UGFyYW1ldGVyU3BlYyI6IkVuOGJxNXBPZEtDek81Q3giLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
 [Cluster API](https://github.com/kubernetes-sigs/cluster-api) is a Kubernetes sub-project focused on providing declarative APIs and tooling to simplify provisioning, upgrading, and operating multiple Kubernetes clusters. It uses Kubernetes-style APIs and patterns to automate cluster lifecycle management for platform operators. The supporting infrastructure, like virtual machines, networks, load balancers, and VPCs, as well as the Kubernetes cluster configuration are all defined in the same way that application developers operate deploying and managing their workloads. This enables consistent and repeatable cluster deployments across a wide variety of infrastructure environments. Cluster API can be extended to support any infrastructure provider (AWS, Azure, vSphere, etc.) or bootstrap provider (kubeadm is default) as required by the customer.
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0001-Adding-capi-support-for-Bottlerocket.patch b/projects/kubernetes-sigs/cluster-api/patches/0001-Adding-capi-support-for-Bottlerocket.patch
index 73578af735..9a6e24eab6 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0001-Adding-capi-support-for-Bottlerocket.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0001-Adding-capi-support-for-Bottlerocket.patch
@@ -1,7 +1,7 @@
-From 9bbc1dca3a74e87ce3f663a1114017733a516964 Mon Sep 17 00:00:00 2001
+From ab51a59783ec4730bee7b5b3ff21f731ed635ab3 Mon Sep 17 00:00:00 2001
 From: Vignesh Goutham Ganesh <vgg@amazon.com>
 Date: Fri, 11 Jun 2021 10:43:09 -0700
-Subject: [PATCH 01/34] Adding capi support for Bottlerocket
+Subject: [PATCH 01/36] Adding capi support for Bottlerocket
 
 Signed-off-by: Vignesh Goutham Ganesh <vgg@amazon.com>
 
@@ -1826,19 +1826,19 @@ index 4e182d911..5a1623e9f 100644
                                  description: SkipPhases is a list of phases to skip
                                    during command execution. The list of phases can
 diff --git a/go.mod b/go.mod
-index f96cd8fa6..3588c8779 100644
+index 7fce6267e..20883a1cd 100644
 --- a/go.mod
 +++ b/go.mod
 @@ -32,6 +32,7 @@ require (
  	golang.org/x/net v0.8.0 // indirect
  	golang.org/x/oauth2 v0.6.0
- 	google.golang.org/grpc v1.52.0
+ 	google.golang.org/grpc v1.55.0
 +	gopkg.in/yaml.v2 v2.4.0
  	k8s.io/api v0.26.1
  	k8s.io/apiextensions-apiserver v0.26.1
  	k8s.io/apimachinery v0.26.1
 @@ -133,7 +134,6 @@ require (
- 	google.golang.org/protobuf v1.28.1 // indirect
+ 	google.golang.org/protobuf v1.30.0 // indirect
  	gopkg.in/inf.v0 v0.9.1 // indirect
  	gopkg.in/ini.v1 v1.67.0 // indirect
 -	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -1846,5 +1846,5 @@ index f96cd8fa6..3588c8779 100644
  	k8s.io/cli-runtime v0.25.0 // indirect
  	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0002-Add-unstacked-etcd-support.patch b/projects/kubernetes-sigs/cluster-api/patches/0002-Add-unstacked-etcd-support.patch
index f52ccabf71..288a613719 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0002-Add-unstacked-etcd-support.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0002-Add-unstacked-etcd-support.patch
@@ -1,7 +1,7 @@
-From 56b02a77502d28d11c1189078ebfb2b048b26d1f Mon Sep 17 00:00:00 2001
+From c87737fed13a3e7a1cdd679aeda036abbdb42a52 Mon Sep 17 00:00:00 2001
 From: Rajashree Mandaogane <mandaor@amazon.com>
 Date: Mon, 28 Jun 2021 13:44:50 -0700
-Subject: [PATCH 02/34] Add unstacked etcd support
+Subject: [PATCH 02/36] Add unstacked etcd support
 
 Unstacked etcd: API and config changes
 
@@ -210,7 +210,7 @@ index 254b2874b..00d19fac8 100644
  
  // ANCHOR_END: ClusterStatus
 diff --git a/api/v1beta1/cluster_types.go b/api/v1beta1/cluster_types.go
-index 4e5adab14..eeb7e8160 100644
+index 9a72b5a90..8c345b75d 100644
 --- a/api/v1beta1/cluster_types.go
 +++ b/api/v1beta1/cluster_types.go
 @@ -57,6 +57,11 @@ type ClusterSpec struct {
@@ -225,7 +225,7 @@ index 4e5adab14..eeb7e8160 100644
  	// InfrastructureRef is a reference to a provider-specific resource that holds the details
  	// for provisioning infrastructure for a cluster in said provider.
  	// +optional
-@@ -347,6 +352,15 @@ type ClusterStatus struct {
+@@ -349,6 +354,15 @@ type ClusterStatus struct {
  	// ObservedGeneration is the latest generation observed by the controller.
  	// +optional
  	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
@@ -310,7 +310,7 @@ index 6d88b5891..c65e8691a 100644
  		}
  	}
 diff --git a/config/crd/bases/cluster.x-k8s.io_clusters.yaml b/config/crd/bases/cluster.x-k8s.io_clusters.yaml
-index 2ede29e3c..85dddbba1 100644
+index a696a2256..ec0f3b2db 100644
 --- a/config/crd/bases/cluster.x-k8s.io_clusters.yaml
 +++ b/config/crd/bases/cluster.x-k8s.io_clusters.yaml
 @@ -169,6 +169,45 @@ spec:
@@ -573,7 +573,7 @@ index ec2334e96..5c7e70401 100644
 +  - update
 +  - watch
 diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go
-index b9ca684b8..cab1a354d 100644
+index 131347515..41bda1998 100644
 --- a/controlplane/kubeadm/internal/controllers/controller.go
 +++ b/controlplane/kubeadm/internal/controllers/controller.go
 @@ -19,6 +19,9 @@ package controllers
@@ -648,7 +648,7 @@ index b9ca684b8..cab1a354d 100644
  	// Add finalizer first if not exist to avoid the race condition between init and delete
  	if !controllerutil.ContainsFinalizer(kcp, controlplanev1.KubeadmControlPlaneFinalizer) {
  		controllerutil.AddFinalizer(kcp, controlplanev1.KubeadmControlPlaneFinalizer)
-@@ -240,6 +284,10 @@ func (r *KubeadmControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.
+@@ -250,6 +294,10 @@ func (r *KubeadmControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.
  	return res, err
  }
  
@@ -659,7 +659,7 @@ index b9ca684b8..cab1a354d 100644
  func patchKubeadmControlPlane(ctx context.Context, patchHelper *patch.Helper, kcp *controlplanev1.KubeadmControlPlane) error {
  	// Always update the readyCondition by summarizing the state of other conditions.
  	conditions.SetSummary(kcp,
-@@ -465,6 +513,15 @@ func (r *KubeadmControlPlaneReconciler) reconcileDelete(ctx context.Context, clu
+@@ -475,6 +523,15 @@ func (r *KubeadmControlPlaneReconciler) reconcileDelete(ctx context.Context, clu
  	}
  	ownedMachines := allMachines.Filter(collections.OwnedMachines(kcp))
  
@@ -676,7 +676,7 @@ index b9ca684b8..cab1a354d 100644
  	if len(ownedMachines) == 0 {
  		controllerutil.RemoveFinalizer(kcp, controlplanev1.KubeadmControlPlaneFinalizer)
 diff --git a/controlplane/kubeadm/internal/controllers/controller_test.go b/controlplane/kubeadm/internal/controllers/controller_test.go
-index 05218bb48..4ba548546 100644
+index 70b15b95b..f9959ba22 100644
 --- a/controlplane/kubeadm/internal/controllers/controller_test.go
 +++ b/controlplane/kubeadm/internal/controllers/controller_test.go
 @@ -24,6 +24,7 @@ import (
@@ -705,7 +705,7 @@ index 05218bb48..4ba548546 100644
  		},
  	}
  
-@@ -2160,6 +2163,214 @@ func TestKubeadmControlPlaneReconciler_reconcileDelete(t *testing.T) {
+@@ -2187,6 +2190,214 @@ func TestKubeadmControlPlaneReconciler_reconcileDelete(t *testing.T) {
  	})
  }
  
@@ -1636,7 +1636,7 @@ index 000000000..096be828b
 +	return c.obj
 +}
 diff --git a/test/infrastructure/docker/internal/controllers/dockermachine_controller.go b/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
-index 58b426e51..9beedc5af 100644
+index 9991b03d1..decaafda4 100644
 --- a/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
 +++ b/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
 @@ -360,23 +360,27 @@ func (r *DockerMachineReconciler) reconcileNormal(ctx context.Context, cluster *
@@ -1800,5 +1800,5 @@ index e6737ab7a..00da78f90 100644
  func GetClusterFromMetadata(ctx context.Context, c client.Client, obj metav1.ObjectMeta) (*clusterv1.Cluster, error) {
  	if obj.Labels[clusterv1.ClusterNameLabel] == "" {
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0003-Unstacked-etcd-and-controlplane-upgrade.patch b/projects/kubernetes-sigs/cluster-api/patches/0003-Unstacked-etcd-and-controlplane-upgrade.patch
index db6cd047e0..27e4d25651 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0003-Unstacked-etcd-and-controlplane-upgrade.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0003-Unstacked-etcd-and-controlplane-upgrade.patch
@@ -1,7 +1,7 @@
-From ba5fe9dd06b4d25fa3327eb3b3cd13230a15214c Mon Sep 17 00:00:00 2001
+From bda9459ed75044c0d8a6ac7209c5b6f76cf8ee70 Mon Sep 17 00:00:00 2001
 From: Rajashree Mandaogane <mandaor@amazon.com>
 Date: Fri, 6 Aug 2021 17:16:39 -0700
-Subject: [PATCH 03/34] Unstacked etcd and controlplane upgrade
+Subject: [PATCH 03/36] Unstacked etcd and controlplane upgrade
 
 Rename controlplane upgrade annotation variable
 
@@ -152,7 +152,7 @@ index e9870d34c..adc1b2a0a 100644
  
  const (
 diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go
-index cab1a354d..9fb1e9603 100644
+index 41bda1998..47770769d 100644
 --- a/controlplane/kubeadm/internal/controllers/controller.go
 +++ b/controlplane/kubeadm/internal/controllers/controller.go
 @@ -209,12 +209,35 @@ func (r *KubeadmControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.
@@ -191,7 +191,7 @@ index cab1a354d..9fb1e9603 100644
  	}
  
  	// Add finalizer first if not exist to avoid the race condition between init and delete
-@@ -431,6 +454,25 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, cluster *
+@@ -441,6 +464,25 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, cluster *
  		// NOTE: we are checking the condition already exists in order to avoid to set this condition at the first
  		// reconciliation/before a rolling upgrade actually starts.
  		if conditions.Has(controlPlane.KCP, controlplanev1.MachinesSpecUpToDateCondition) {
@@ -295,5 +295,5 @@ index 9572a8ebd..7f2a32379 100644
  	}
  
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0004-Patch-config-path-in-kubevip-manifest-for-kubeadm-co.patch b/projects/kubernetes-sigs/cluster-api/patches/0004-Patch-config-path-in-kubevip-manifest-for-kubeadm-co.patch
index f91691e357..4b03287821 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0004-Patch-config-path-in-kubevip-manifest-for-kubeadm-co.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0004-Patch-config-path-in-kubevip-manifest-for-kubeadm-co.patch
@@ -1,7 +1,7 @@
-From 86ad1935e3c6a65c86f6f419911efded91182705 Mon Sep 17 00:00:00 2001
+From 592bd3389fde140a9557ae88b4adecac9b5b0fdb Mon Sep 17 00:00:00 2001
 From: Guillermo Gaston <gaslor@amazon.com>
 Date: Thu, 19 Aug 2021 21:52:52 +0000
-Subject: [PATCH 04/34] Patch config path in kubevip manifest for kubeadm
+Subject: [PATCH 04/36] Patch config path in kubevip manifest for kubeadm
  control plane join with bottlerocket format
 
 cr: https://code.amazon.com/reviews/CR-55711271
@@ -27,5 +27,5 @@ index b93e1164b..aecbda8f4 100644
  	if err != nil {
  		return nil, errors.Wrapf(err, "failed to generate user data for machine joining control plane")
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0005-Make-pause-and-bottlerocket-bootstrap-images-updatab.patch b/projects/kubernetes-sigs/cluster-api/patches/0005-Make-pause-and-bottlerocket-bootstrap-images-updatab.patch
index 76af98a823..8d0907e13f 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0005-Make-pause-and-bottlerocket-bootstrap-images-updatab.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0005-Make-pause-and-bottlerocket-bootstrap-images-updatab.patch
@@ -1,7 +1,7 @@
-From df8b2037b45148d22c07c42ea359ed258a79148d Mon Sep 17 00:00:00 2001
+From 0d29436aad0fb06b8b76fa03253991ad35001a2a Mon Sep 17 00:00:00 2001
 From: Guillermo Gaston <gaslor@amazon.com>
 Date: Tue, 31 Aug 2021 15:56:28 +0000
-Subject: [PATCH 05/34] Make pause and bottlerocket bootstrap images updatable
+Subject: [PATCH 05/36] Make pause and bottlerocket bootstrap images updatable
  in validation webhook
 
 cr: https://code.amazon.com/reviews/CR-56335855
@@ -95,5 +95,5 @@ index 6ae774051..86c02c2e5 100644
  	before := &KubeadmControlPlane{
  		ObjectMeta: metav1.ObjectMeta{
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0006-add-support-for-registry-mirror-for-bottlerocket.patch b/projects/kubernetes-sigs/cluster-api/patches/0006-add-support-for-registry-mirror-for-bottlerocket.patch
index 6efc0a3b31..c5febd2ef0 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0006-add-support-for-registry-mirror-for-bottlerocket.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0006-add-support-for-registry-mirror-for-bottlerocket.patch
@@ -1,7 +1,7 @@
-From dce8408b79a453787219a0653cfbb6b68070146f Mon Sep 17 00:00:00 2001
+From 337c0abc8c90a4b7c6373c152551c9f7cea53c07 Mon Sep 17 00:00:00 2001
 From: Abhinav Pandey <abhnvp@amazon.com>
 Date: Tue, 21 Sep 2021 08:57:56 -0700
-Subject: [PATCH 06/34] add support for registry mirror for bottlerocket
+Subject: [PATCH 06/36] add support for registry mirror for bottlerocket
 
 ---
  api/v1alpha2/zz_generated.conversion.go       | 1007 +++++++++++++++++
@@ -1573,5 +1573,5 @@ index 5a1623e9f..5410d4145 100644
                                  description: SkipPhases is a list of phases to skip
                                    during command execution. The list of phases can
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0007-Fix-proxy-template-for-bottlerocket-bootstrap.patch b/projects/kubernetes-sigs/cluster-api/patches/0007-Fix-proxy-template-for-bottlerocket-bootstrap.patch
index 5d92a0cc34..62151ba27c 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0007-Fix-proxy-template-for-bottlerocket-bootstrap.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0007-Fix-proxy-template-for-bottlerocket-bootstrap.patch
@@ -1,7 +1,7 @@
-From 172d51906704352911a99f6069c7bf37bd982e21 Mon Sep 17 00:00:00 2001
+From e535cf0b69d13bf7916f72e069c72bb126de16f7 Mon Sep 17 00:00:00 2001
 From: Rajashree Mandaogane <mandaor@amazon.com>
 Date: Thu, 30 Sep 2021 14:04:36 -0700
-Subject: [PATCH 07/34] Fix proxy template for bottlerocket bootstrap
+Subject: [PATCH 07/36] Fix proxy template for bottlerocket bootstrap
 
 Bottlerocket expects no-proxy setting to be a comma-separated list
 of strings. The proxy template was parsing the input no-proxy list
@@ -67,5 +67,5 @@ index f127ec4f1..9e4f8d4a5 100644
  		bottlerocketInput.RegistryMirrorCACert = base64.StdEncoding.EncodeToString([]byte(config.RegistryMirrorConfiguration.CACert))
  	}
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0008-Update-core-conversion-spoke-versions.patch b/projects/kubernetes-sigs/cluster-api/patches/0008-Update-core-conversion-spoke-versions.patch
index 4505ee0d1b..8782d35255 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0008-Update-core-conversion-spoke-versions.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0008-Update-core-conversion-spoke-versions.patch
@@ -1,7 +1,7 @@
-From c832ddc6d2b7110e8bfa2fe5d48ff49f35e2d25d Mon Sep 17 00:00:00 2001
+From fbf32b0aaf11fb4afe7975a134956ddd3c6bddf0 Mon Sep 17 00:00:00 2001
 From: Rajashree Mandaogane <mandaor@amazon.com>
 Date: Sun, 21 Nov 2021 01:16:11 -0800
-Subject: [PATCH 08/34] Update core conversion spoke versions
+Subject: [PATCH 08/36] Update core conversion spoke versions
 
 ---
  api/v1alpha3/conversion.go              | 12 ++++++++++++
@@ -116,5 +116,5 @@ index 1f0c12a79..0abe06592 100644
  }
  
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0009-Add-bottlerocket-changes-to-capbk-v1alpha4-api.patch b/projects/kubernetes-sigs/cluster-api/patches/0009-Add-bottlerocket-changes-to-capbk-v1alpha4-api.patch
index 2cb1394259..3226b81e38 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0009-Add-bottlerocket-changes-to-capbk-v1alpha4-api.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0009-Add-bottlerocket-changes-to-capbk-v1alpha4-api.patch
@@ -1,7 +1,7 @@
-From 1848efc8e3d43bccf0a271a97bc0af50c01c9176 Mon Sep 17 00:00:00 2001
+From ca9066c6dab79b6c078204e383b4cc228d5d401e Mon Sep 17 00:00:00 2001
 From: Rajashree Mandaogane <mandaor@amazon.com>
 Date: Sun, 21 Nov 2021 20:59:58 -0800
-Subject: [PATCH 09/34] Add bottlerocket changes to capbk v1alpha4 api
+Subject: [PATCH 09/36] Add bottlerocket changes to capbk v1alpha4 api
 
 ---
  .../kubeadm/api/v1alpha4/kubeadm_types.go     |  72 ++++++++++
@@ -1113,5 +1113,5 @@ index 5410d4145..c96b0409c 100644
                            mounts:
                              description: Mounts specifies a list of mount points to
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0010-Update-capbk-converions-spoke-version.patch b/projects/kubernetes-sigs/cluster-api/patches/0010-Update-capbk-converions-spoke-version.patch
index e4441767af..9b1b05d823 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0010-Update-capbk-converions-spoke-version.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0010-Update-capbk-converions-spoke-version.patch
@@ -1,7 +1,7 @@
-From 09696135c7d82bbed4f8476ba8f1f8e2725d0abf Mon Sep 17 00:00:00 2001
+From a1e91035769396ecd817911da1c122e825799a64 Mon Sep 17 00:00:00 2001
 From: Rajashree Mandaogane <mandaor@amazon.com>
 Date: Sun, 21 Nov 2021 21:00:31 -0800
-Subject: [PATCH 10/34] Update capbk converions spoke version
+Subject: [PATCH 10/36] Update capbk converions spoke version
 
 ---
  .../api/v1alpha4/zz_generated.conversion.go   | 180 ++++++++++++++++++
@@ -938,5 +938,5 @@ index d849616cb..9b0c13356 100644
 +	return autoConvert_v1beta1_RegistryMirrorConfiguration_To_upstreamv1beta3_RegistryMirrorConfiguration(in, out, s)
 +}
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0011-Add-status.version-to-list-of-fields-to-ignore-for-u.patch b/projects/kubernetes-sigs/cluster-api/patches/0011-Add-status.version-to-list-of-fields-to-ignore-for-u.patch
index c073203143..c01de657c1 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0011-Add-status.version-to-list-of-fields-to-ignore-for-u.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0011-Add-status.version-to-list-of-fields-to-ignore-for-u.patch
@@ -1,7 +1,7 @@
-From 8572d3e63490a44ed5d3f2e0c62dcc4486e2fc7a Mon Sep 17 00:00:00 2001
+From d117d79baeb32efcd47aade64c49a28394aaa51a Mon Sep 17 00:00:00 2001
 From: Vivek Koppuru <koppv@amazon.com>
 Date: Wed, 12 Jan 2022 19:04:15 -0800
-Subject: [PATCH 11/34] Add status.version to list of fields to ignore for
+Subject: [PATCH 11/36] Add status.version to list of fields to ignore for
  update
 
 ---
@@ -29,5 +29,5 @@ index 263bda967..1d0d4abfd 100644
  
  	allErrs := validateKubeadmControlPlaneSpec(in.Spec, in.Namespace, field.NewPath("spec"))
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0012-Add-node-labels-support-for-bottlerocket.patch b/projects/kubernetes-sigs/cluster-api/patches/0012-Add-node-labels-support-for-bottlerocket.patch
index d67d565a6f..40b6d7fc86 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0012-Add-node-labels-support-for-bottlerocket.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0012-Add-node-labels-support-for-bottlerocket.patch
@@ -1,7 +1,7 @@
-From e7342d73e45831b09d7b322d4d88ba1286ddc9e7 Mon Sep 17 00:00:00 2001
+From 86915ad4cd10427d185f97c9ae1cf1c3b21ee106 Mon Sep 17 00:00:00 2001
 From: Vivek Koppuru <koppv@amazon.com>
 Date: Mon, 24 Jan 2022 00:46:44 -0800
-Subject: [PATCH 12/34] Add node labels support for bottlerocket
+Subject: [PATCH 12/36] Add node labels support for bottlerocket
 
 ---
  .../internal/bottlerocket/bootstrap.go        |  9 ++++++++
@@ -139,5 +139,5 @@ index b1fb19751..8a8c04c92 100644
  		if err != nil {
  			scope.Error(err, "Failed to generate cloud init for bottlerocket bootstrap control plane")
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0013-Support-worker-node-taints.patch b/projects/kubernetes-sigs/cluster-api/patches/0013-Support-worker-node-taints.patch
index be5bfdc6fb..bb3a4b47a2 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0013-Support-worker-node-taints.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0013-Support-worker-node-taints.patch
@@ -1,7 +1,7 @@
-From aabc437f71a47371124a58540c6c511952d75227 Mon Sep 17 00:00:00 2001
+From 653b29f4b67b4bda361508894efb3ef987a74859 Mon Sep 17 00:00:00 2001
 From: Daniel Budris <budris@amazon.com>
 Date: Fri, 17 Dec 2021 13:38:39 -0800
-Subject: [PATCH 13/34] Support worker node taints
+Subject: [PATCH 13/36] Support worker node taints
 
 seperate taints template into its own template
 
@@ -151,5 +151,5 @@ index 8a8c04c92..4b08e24c8 100644
  		if err != nil {
  			scope.Error(err, "Failed to create a worker bottlerocket join configuration")
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0014-support-bottle-rocket-control-plane-taints.patch b/projects/kubernetes-sigs/cluster-api/patches/0014-support-bottle-rocket-control-plane-taints.patch
index 8984f9afc5..a6569c12a9 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0014-support-bottle-rocket-control-plane-taints.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0014-support-bottle-rocket-control-plane-taints.patch
@@ -1,7 +1,7 @@
-From e5e733fa20e57fb4439d1ef530b3935b412c4d15 Mon Sep 17 00:00:00 2001
+From 2c1531ccb8c3c4abbb4f041de64e3ed466e58a2f Mon Sep 17 00:00:00 2001
 From: danbudris <budris@amazon.com>
 Date: Fri, 18 Feb 2022 09:24:32 -0500
-Subject: [PATCH 14/34] support bottle rocket control plane taints
+Subject: [PATCH 14/36] support bottle rocket control plane taints
 
 ---
  .../internal/controllers/kubeadmconfig_controller.go        | 6 ++++++
@@ -32,5 +32,5 @@ index 4b08e24c8..085ff3460 100644
  		if err != nil {
  			scope.Error(err, "Failed to generate cloud init for bottlerocket bootstrap control plane")
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0015-Support-configuring-bottlerocket-control-container-u.patch b/projects/kubernetes-sigs/cluster-api/patches/0015-Support-configuring-bottlerocket-control-container-u.patch
index 3c7f7a1517..16a3347a75 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0015-Support-configuring-bottlerocket-control-container-u.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0015-Support-configuring-bottlerocket-control-container-u.patch
@@ -1,7 +1,7 @@
-From a06e828bae279ed07c82da47c4c3a7d074603a9b Mon Sep 17 00:00:00 2001
+From 911ee08e863714030269be632136849daace62dd Mon Sep 17 00:00:00 2001
 From: Michael Chu <chumich@amazon.com>
 Date: Mon, 28 Feb 2022 09:51:25 -0800
-Subject: [PATCH 15/34] Support configuring bottlerocket control container uri
+Subject: [PATCH 15/36] Support configuring bottlerocket control container uri
 
 Signed-off-by: Michael Chu <chumich@amazon.com>
 ---
@@ -1377,7 +1377,7 @@ index 07902b44e..dd8200e36 100644
 +	return out
 +}
 diff --git a/bootstrap/kubeadm/types/utils_test.go b/bootstrap/kubeadm/types/utils_test.go
-index 96a245420..73c297c82 100644
+index 5153d834a..dfbbc0839 100644
 --- a/bootstrap/kubeadm/types/utils_test.go
 +++ b/bootstrap/kubeadm/types/utils_test.go
 @@ -163,11 +163,16 @@ func TestMarshalClusterConfigurationForVersion(t *testing.T) {
@@ -1963,5 +1963,5 @@ index 63bbea586..0fede6ce6 100644
  				  extraArgs:
  				    bar: baz
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0016-Change-format-for-storing-etcd-machine-address.patch b/projects/kubernetes-sigs/cluster-api/patches/0016-Change-format-for-storing-etcd-machine-address.patch
index ba242a2886..0393eab664 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0016-Change-format-for-storing-etcd-machine-address.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0016-Change-format-for-storing-etcd-machine-address.patch
@@ -1,7 +1,7 @@
-From a61a6c78af776a1a4c37e022d7710fc80dfe0679 Mon Sep 17 00:00:00 2001
+From 1fa85d2f3a536f32806d7248c3c20fcf24e53168 Mon Sep 17 00:00:00 2001
 From: Rajashree Mandaogane <mandaor@amazon.com>
 Date: Thu, 3 Mar 2022 15:01:35 -0800
-Subject: [PATCH 16/34] Change format for storing etcd machine address
+Subject: [PATCH 16/36] Change format for storing etcd machine address
 
 Once the first etcd member is initialized, the machine controller has
 to update the secret with the address of the machine, so it can be used
@@ -39,5 +39,5 @@ index 03806a1b7..4181ca366 100644
  						Type: clusterv1.ClusterSecretType,
  					}
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0017-Parse-provider-id-from-kubelet-extra-args.patch b/projects/kubernetes-sigs/cluster-api/patches/0017-Parse-provider-id-from-kubelet-extra-args.patch
index f36a370e38..5720bbcc20 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0017-Parse-provider-id-from-kubelet-extra-args.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0017-Parse-provider-id-from-kubelet-extra-args.patch
@@ -1,7 +1,7 @@
-From d296b944750dcb151a92029b272017e8ede466f0 Mon Sep 17 00:00:00 2001
+From 3dfeda0ea93ca714f86548051d83568b8d65f506 Mon Sep 17 00:00:00 2001
 From: Vignesh Goutham Ganesh <vgg@amazon.com>
 Date: Wed, 8 Jun 2022 10:27:26 -0700
-Subject: [PATCH 17/34] Parse provider-id from kubelet extra args
+Subject: [PATCH 17/36] Parse provider-id from kubelet extra args
 
 Signed-off-by: Vignesh Goutham Ganesh <vgg@amazon.com>
 ---
@@ -44,5 +44,5 @@ index e635308ea..3a760d51a 100644
  	if config.BottlerocketControl.ImageRepository != "" && config.BottlerocketControl.ImageTag != "" {
  		bottlerocketInput.ControlContainerSource = fmt.Sprintf("%s:%s", config.BottlerocketControl.ImageRepository, config.BottlerocketControl.ImageTag)
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0018-Add-bottlerocket-control-image-on-nodes-joining-a-ne.patch b/projects/kubernetes-sigs/cluster-api/patches/0018-Add-bottlerocket-control-image-on-nodes-joining-a-ne.patch
index 1472da39b1..1663d2fdd5 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0018-Add-bottlerocket-control-image-on-nodes-joining-a-ne.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0018-Add-bottlerocket-control-image-on-nodes-joining-a-ne.patch
@@ -1,7 +1,7 @@
-From d76ed134f879c167b326bf6ae3ba099c6caac815 Mon Sep 17 00:00:00 2001
+From 047aee742c344db71b94e7f6d9580a0451d731d0 Mon Sep 17 00:00:00 2001
 From: Victor Pineda <vgonzla@amazon.com>
 Date: Sun, 19 Jun 2022 10:39:50 -0700
-Subject: [PATCH 18/34] Add bottlerocket control image on nodes joining a new
+Subject: [PATCH 18/36] Add bottlerocket control image on nodes joining a new
  cluster
 
 ---
@@ -21,5 +21,5 @@ index bc5561a56..2d536dd33 100644
  		if scope.Config.Spec.JoinConfiguration.Proxy.HTTPSProxy != "" {
  			bottlerocketConfig.ProxyConfiguration = scope.Config.Spec.JoinConfiguration.Proxy
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0019-Add-feature-to-specifiy-additional-host-containers-i.patch b/projects/kubernetes-sigs/cluster-api/patches/0019-Add-feature-to-specifiy-additional-host-containers-i.patch
index 33a316a93b..1e0168c72b 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0019-Add-feature-to-specifiy-additional-host-containers-i.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0019-Add-feature-to-specifiy-additional-host-containers-i.patch
@@ -1,7 +1,7 @@
-From c4fac7513d2806e08d31f6f06f55818d6accb89a Mon Sep 17 00:00:00 2001
+From d25012d2ec17da496f2453e05b6b324077e5b4a1 Mon Sep 17 00:00:00 2001
 From: Victor Pineda <vgonzla@amazon.com>
 Date: Tue, 21 Jun 2022 07:50:19 -0700
-Subject: [PATCH 19/34] Add feature to specifiy additional host containers in
+Subject: [PATCH 19/36] Add feature to specifiy additional host containers in
  BR
 
 Host containers are a feature within BR that allows us to pull images
@@ -1149,5 +1149,5 @@ index e11d335ee..1cf471a08 100644
                                  description: 'CACertPath is the path to the SSL certificate
                                    authority used to secure comunications between node
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0020-Add-bottlerocket-custom-bootstrap-containers-config-.patch b/projects/kubernetes-sigs/cluster-api/patches/0020-Add-bottlerocket-custom-bootstrap-containers-config-.patch
index 6b4de203b8..d1db6bf900 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0020-Add-bottlerocket-custom-bootstrap-containers-config-.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0020-Add-bottlerocket-custom-bootstrap-containers-config-.patch
@@ -1,7 +1,7 @@
-From fe2b73e880f5aae02565920f0fad3bb06f193a47 Mon Sep 17 00:00:00 2001
+From bf2f722696179c5c4372a8626ff3fb645b6ff568 Mon Sep 17 00:00:00 2001
 From: Jiayi Wang <jiayiwang7@yahoo.com>
 Date: Mon, 21 Nov 2022 17:31:22 -0500
-Subject: [PATCH 20/34] Add bottlerocket custom bootstrap containers config
+Subject: [PATCH 20/36] Add bottlerocket custom bootstrap containers config
  option
 
 ---
@@ -949,5 +949,5 @@ index 1cf471a08..235ff121f 100644
                                  description: BottlerocketCustomHostContainers contains
                                    the information of any additional images that we
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0021-Support-configuring-bottlerocket-admin-container-ima.patch b/projects/kubernetes-sigs/cluster-api/patches/0021-Support-configuring-bottlerocket-admin-container-ima.patch
index f3f9c5ca0b..5c257b308c 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0021-Support-configuring-bottlerocket-admin-container-ima.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0021-Support-configuring-bottlerocket-admin-container-ima.patch
@@ -1,7 +1,7 @@
-From cf837cbdb469ced07fb59e54fb462e84f2fe4341 Mon Sep 17 00:00:00 2001
+From 9af291751d19ef9366981d009564aff2d63de6ac Mon Sep 17 00:00:00 2001
 From: Jiayi Wang <jiayiwang7@yahoo.com>
 Date: Wed, 23 Nov 2022 09:26:28 -0500
-Subject: [PATCH 21/34] Support configuring bottlerocket admin container image
+Subject: [PATCH 21/36] Support configuring bottlerocket admin container image
 
 ---
  .../api/v1alpha4/zz_generated.conversion.go   |  2 +
@@ -540,5 +540,5 @@ index 235ff121f..e435df3e1 100644
                                  description: BottlerocketBootstrap holds the image
                                    source for kubeadm bootstrap container This is only
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0022-Make-bottlerocket-admin-control-custom-bootstrap-con.patch b/projects/kubernetes-sigs/cluster-api/patches/0022-Make-bottlerocket-admin-control-custom-bootstrap-con.patch
index c41af84f92..ada7a13a48 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0022-Make-bottlerocket-admin-control-custom-bootstrap-con.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0022-Make-bottlerocket-admin-control-custom-bootstrap-con.patch
@@ -1,7 +1,7 @@
-From 7e8163f9c06dfc121e9846df4347b1a4b473bbdd Mon Sep 17 00:00:00 2001
+From 4b71ea19d2950c9f40866cfdf4c53b6b00f934d0 Mon Sep 17 00:00:00 2001
 From: Jiayi Wang <jiayiwang7@yahoo.com>
 Date: Thu, 5 Jan 2023 14:56:09 -0500
-Subject: [PATCH 22/34] Make bottlerocket admin, control, custom bootstrap
+Subject: [PATCH 22/36] Make bottlerocket admin, control, custom bootstrap
  container images updatable in webhook
 
 ---
@@ -113,5 +113,5 @@ index 86c02c2e5..38caa9e1e 100644
  
  	for _, tt := range tests {
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0023-Mark-etcd-machine-status-to-running-after-etcd-contr.patch b/projects/kubernetes-sigs/cluster-api/patches/0023-Mark-etcd-machine-status-to-running-after-etcd-contr.patch
index 87c19af427..7c5f0da302 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0023-Mark-etcd-machine-status-to-running-after-etcd-contr.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0023-Mark-etcd-machine-status-to-running-after-etcd-contr.patch
@@ -1,7 +1,7 @@
-From 8d2a0d025ed938f6e0f8ba1eb14b8378f30b41bb Mon Sep 17 00:00:00 2001
+From d50e030cedd8e3179da857341254c7ac8e036dfc Mon Sep 17 00:00:00 2001
 From: Jiayi Wang <jiayiwang7@yahoo.com>
 Date: Mon, 9 Jan 2023 15:41:05 -0500
-Subject: [PATCH 23/34] Mark etcd machine status to running after etcd
+Subject: [PATCH 23/36] Mark etcd machine status to running after etcd
  controller adds the etcd machine ready label
 
 ---
@@ -42,5 +42,5 @@ index 4181ca366..5e846594a 100644
  		}
  	}
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0024-add-support-for-registry-credentials.patch b/projects/kubernetes-sigs/cluster-api/patches/0024-add-support-for-registry-credentials.patch
index aaa78a60a3..6c6451cd51 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0024-add-support-for-registry-credentials.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0024-add-support-for-registry-credentials.patch
@@ -1,7 +1,7 @@
-From d99a986d4aedc37300caa4381ef2724948f4def1 Mon Sep 17 00:00:00 2001
+From 1f98daffc1cb94d648634ab0f9b2e7ed059d7643 Mon Sep 17 00:00:00 2001
 From: Ahree Hong <ahreeh@amazon.com>
 Date: Wed, 14 Dec 2022 12:47:42 -0800
-Subject: [PATCH 24/34] add support for registry credentials
+Subject: [PATCH 24/36] add support for registry credentials
 
 Signed-off-by: Ahree Hong <ahreeh@amazon.com>
 ---
@@ -236,5 +236,5 @@ index 043764325..17abd5d70 100644
  
  // Purpose is the name to append to the secret generated for a cluster.
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0025-Add-support-for-configuring-NTP-servers-on-bottleroc.patch b/projects/kubernetes-sigs/cluster-api/patches/0025-Add-support-for-configuring-NTP-servers-on-bottleroc.patch
index a6639b0667..f125b92539 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0025-Add-support-for-configuring-NTP-servers-on-bottleroc.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0025-Add-support-for-configuring-NTP-servers-on-bottleroc.patch
@@ -1,7 +1,7 @@
-From 1a9397f68159ee7a06db6b12b50c4c41f90f7f84 Mon Sep 17 00:00:00 2001
+From 1ad96274de542d3fe4c9ca6c6a82ad90eb3bf7c5 Mon Sep 17 00:00:00 2001
 From: Abhinav <abhinavmpandey08@gmail.com>
 Date: Wed, 1 Feb 2023 16:34:23 -0800
-Subject: [PATCH 25/34] Add support for configuring NTP servers on bottlerocket
+Subject: [PATCH 25/36] Add support for configuring NTP servers on bottlerocket
  through CAPI
 
 Signed-off-by: Abhinav <abhinavmpandey08@gmail.com>
@@ -180,5 +180,5 @@ index afaab8a16..fbf7b634f 100644
  // requests for reconciliation of KubeadmConfigs.
  func (r *KubeadmConfigReconciler) ClusterToKubeadmConfigs(o client.Object) []ctrl.Request {
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0026-set-hostname-for-BR-nodes.patch b/projects/kubernetes-sigs/cluster-api/patches/0026-set-hostname-for-BR-nodes.patch
index fad5478e86..6b2858f028 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0026-set-hostname-for-BR-nodes.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0026-set-hostname-for-BR-nodes.patch
@@ -1,7 +1,7 @@
-From af634bbd184cdcf85b8a86fb8bef636723d85835 Mon Sep 17 00:00:00 2001
+From b3515beb3508064e2fd3dc7aa6621bb3006122ef Mon Sep 17 00:00:00 2001
 From: Ahree Hong <ahreeh@amazon.com>
 Date: Tue, 7 Feb 2023 14:26:36 -0800
-Subject: [PATCH 26/34] set hostname for BR nodes
+Subject: [PATCH 26/36] set hostname for BR nodes
 
 Signed-off-by: Ahree Hong <ahreeh@amazon.com>
 ---
@@ -254,5 +254,5 @@ index fbf7b634f..448fbb70b 100644
  		if scope.Config.Spec.JoinConfiguration.Proxy.HTTPSProxy != "" {
  			bottlerocketConfig.ProxyConfiguration = scope.Config.Spec.JoinConfiguration.Proxy
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0027-Add-bottlerocket-k8s-settings-support.patch b/projects/kubernetes-sigs/cluster-api/patches/0027-Add-bottlerocket-k8s-settings-support.patch
index b74659345d..2a634d8c6a 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0027-Add-bottlerocket-k8s-settings-support.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0027-Add-bottlerocket-k8s-settings-support.patch
@@ -1,7 +1,7 @@
-From e86bfd17c07ffcce31729e3a35b74f46439b49bb Mon Sep 17 00:00:00 2001
+From 4a62e4063652fae52047125c964260144ec7b58e Mon Sep 17 00:00:00 2001
 From: Abhinav Pandey <abhinavmpandey08@gmail.com>
 Date: Thu, 2 Mar 2023 10:18:07 -0800
-Subject: [PATCH 27/34] Add bottlerocket k8s settings support
+Subject: [PATCH 27/36] Add bottlerocket k8s settings support
 
 Signed-off-by: Abhinav Pandey <abhinavmpandey08@gmail.com>
 ---
@@ -26,7 +26,7 @@ Signed-off-by: Abhinav Pandey <abhinavmpandey08@gmail.com>
  18 files changed, 741 insertions(+), 189 deletions(-)
 
 diff --git a/api/v1beta1/zz_generated.openapi.go b/api/v1beta1/zz_generated.openapi.go
-index 45a5e207e..57b5ef5c5 100644
+index e97701dcf..ec3381651 100644
 --- a/api/v1beta1/zz_generated.openapi.go
 +++ b/api/v1beta1/zz_generated.openapi.go
 @@ -716,6 +716,12 @@ func schema_sigsk8sio_cluster_api_api_v1beta1_ClusterSpec(ref common.ReferenceCa
@@ -1446,5 +1446,5 @@ index e435df3e1..1302cc4e1 100644
                                  description: BottlerocketAdmin holds the image source
                                    for admin container This is only for bottlerocket
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0028-add-br-kernel.sysctl-settings.patch b/projects/kubernetes-sigs/cluster-api/patches/0028-add-br-kernel.sysctl-settings.patch
index 3ba7814fd9..45bdce149e 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0028-add-br-kernel.sysctl-settings.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0028-add-br-kernel.sysctl-settings.patch
@@ -1,7 +1,7 @@
-From 8aff0194036a40bb4ccedd16a116f4342dbed412 Mon Sep 17 00:00:00 2001
+From cc5c2c85b953e0bc7dd67274a78195a3c0cb9556 Mon Sep 17 00:00:00 2001
 From: Ahree Hong <ahreeh@amazon.com>
 Date: Tue, 7 Mar 2023 14:01:39 -0800
-Subject: [PATCH 28/34] add br kernel.sysctl settings
+Subject: [PATCH 28/36] add br kernel.sysctl settings
 
 Signed-off-by: Ahree Hong <ahreeh@amazon.com>
 ---
@@ -442,5 +442,5 @@ index 1302cc4e1..933f00038 100644
                                      description: Kubernetes holds the kubernetes settings
                                        for bottlerocket nodes.
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0029-add-boot-kernel-settings-for-BR.patch b/projects/kubernetes-sigs/cluster-api/patches/0029-add-boot-kernel-settings-for-BR.patch
index fedba71ede..81be4e9afd 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0029-add-boot-kernel-settings-for-BR.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0029-add-boot-kernel-settings-for-BR.patch
@@ -1,7 +1,7 @@
-From 1a0527cf83205f1598657d1841a8b645f4313373 Mon Sep 17 00:00:00 2001
+From 154ed559d76378bc989e97ec7752c3fe4778e4c4 Mon Sep 17 00:00:00 2001
 From: Ahree Hong <ahreeh@amazon.com>
 Date: Thu, 23 Mar 2023 01:51:16 -0700
-Subject: [PATCH 29/34] add boot kernel settings for BR
+Subject: [PATCH 29/36] add boot kernel settings for BR
 
 Signed-off-by: Ahree Hong <ahreeh@amazon.com>
 ---
@@ -464,5 +464,5 @@ index 5e846594a..9be6ddb34 100644
  						},
  						Type: clusterv1.ClusterSecretType,
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0030-Patch-haproxy-maxconn-value-to-avoid-ulimit-issue.patch b/projects/kubernetes-sigs/cluster-api/patches/0030-Patch-haproxy-maxconn-value-to-avoid-ulimit-issue.patch
index 370d0da585..b87e4202fd 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0030-Patch-haproxy-maxconn-value-to-avoid-ulimit-issue.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0030-Patch-haproxy-maxconn-value-to-avoid-ulimit-issue.patch
@@ -1,7 +1,7 @@
-From 49ad34dc9dc928f2941acca54d942ce99c7bdc64 Mon Sep 17 00:00:00 2001
+From c85bce28cfaa6fccda64c0b7cd20a23a8bf83293 Mon Sep 17 00:00:00 2001
 From: Jackson West <jgw@amazon.com>
 Date: Sat, 6 May 2023 14:08:17 -0500
-Subject: [PATCH 30/34] Patch haproxy maxconn value to avoid ulimit issue
+Subject: [PATCH 30/36] Patch haproxy maxconn value to avoid ulimit issue
 
 EKS-A uses haproxy 2.5 which errors if the maxconn value
 requires more FDs than allowed by the ulimit setting of docker.
@@ -29,5 +29,5 @@ index 8d2f70a02..1c6e7a68e 100644
  resolvers docker
    nameserver dns 127.0.0.11:53
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0031-Add-support-for-custom-cert-bundles-in-BR-21.patch b/projects/kubernetes-sigs/cluster-api/patches/0031-Add-support-for-custom-cert-bundles-in-BR-21.patch
index e1e98ff95d..55170231f5 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0031-Add-support-for-custom-cert-bundles-in-BR-21.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0031-Add-support-for-custom-cert-bundles-in-BR-21.patch
@@ -1,7 +1,7 @@
-From c9c73a189cc89abdc412321023fb0a36d35eebf7 Mon Sep 17 00:00:00 2001
+From a58deaf1edbd265b95d8973f60bb8b08c4453d14 Mon Sep 17 00:00:00 2001
 From: ahreehong <46465244+ahreehong@users.noreply.github.com>
 Date: Fri, 19 May 2023 16:29:08 -0400
-Subject: [PATCH 31/34] Add support for custom cert bundles in BR (#21)
+Subject: [PATCH 31/36] Add support for custom cert bundles in BR (#21)
 
 * add support for custom cert bundles br
 
@@ -586,5 +586,5 @@ index a79e90dea..7821a39d5 100644
                                  description: ControlPlane defines the additional control
                                    plane instance to be deployed on the joining node.
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0032-CAPI-Move-Cluster-Filter.patch b/projects/kubernetes-sigs/cluster-api/patches/0032-CAPI-Move-Cluster-Filter.patch
index 180d300148..e19b46da79 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0032-CAPI-Move-Cluster-Filter.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0032-CAPI-Move-Cluster-Filter.patch
@@ -1,7 +1,7 @@
-From 2d7b64dbc81da3370fe028e0eca58a358236a263 Mon Sep 17 00:00:00 2001
+From 6ea8cfc943f7555f68b40fb73b805b79b80b847d Mon Sep 17 00:00:00 2001
 From: Vignesh Goutham Ganesh <vgg@amazon.com>
 Date: Tue, 16 May 2023 11:03:09 -0500
-Subject: [PATCH 32/34] CAPI Move Cluster Filter
+Subject: [PATCH 32/36] CAPI Move Cluster Filter
 
 Signed-off-by: Vignesh Goutham Ganesh <vgg@amazon.com>
 ---
@@ -466,5 +466,5 @@ index c75557e0a..04b1ef8fe 100644
  	})
  }
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0033-Move-objects-with-force-move-label-and-no-cluster-te.patch b/projects/kubernetes-sigs/cluster-api/patches/0033-Move-objects-with-force-move-label-and-no-cluster-te.patch
index 443fb5f2a2..0e25a361b7 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0033-Move-objects-with-force-move-label-and-no-cluster-te.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0033-Move-objects-with-force-move-label-and-no-cluster-te.patch
@@ -1,7 +1,7 @@
-From 8f09f40abf6fc48d7baa8c85a2c20faab185fc33 Mon Sep 17 00:00:00 2001
+From c3b0a1d849f55fd0218b7c9a0214bcc4d0a29161 Mon Sep 17 00:00:00 2001
 From: Vignesh Goutham Ganesh <vgg@amazon.com>
 Date: Tue, 30 May 2023 10:14:31 -0500
-Subject: [PATCH 33/34] Move objects with force move label and no cluster
+Subject: [PATCH 33/36] Move objects with force move label and no cluster
  tenants
 
 Signed-off-by: Vignesh Goutham Ganesh <vgg@amazon.com>
@@ -84,5 +84,5 @@ index 46572d62f..9100880e1 100644
  
  	for _, tt := range tests {
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0034-allow-registry-mirror-configurations-to-be-mutable-f.patch b/projects/kubernetes-sigs/cluster-api/patches/0034-allow-registry-mirror-configurations-to-be-mutable-f.patch
index 2e1e9f4cd0..d2b0a4cb92 100644
--- a/projects/kubernetes-sigs/cluster-api/patches/0034-allow-registry-mirror-configurations-to-be-mutable-f.patch
+++ b/projects/kubernetes-sigs/cluster-api/patches/0034-allow-registry-mirror-configurations-to-be-mutable-f.patch
@@ -1,7 +1,7 @@
-From a12cbf1f9cf870358ba8d969f1c48cef4e28560c Mon Sep 17 00:00:00 2001
+From a662d1d884bfaf6ce261cb289def124e8f60e703 Mon Sep 17 00:00:00 2001
 From: Cavaughn Browne <cxbrowne@amazon.com>
 Date: Thu, 20 Jul 2023 11:05:49 -0500
-Subject: [PATCH 34/34] allow registry mirror configurations to be mutable for
+Subject: [PATCH 34/36] allow registry mirror configurations to be mutable for
  BR
 
 ---
@@ -107,5 +107,5 @@ index 38caa9e1e..45eb1976e 100644
  
  	for _, tt := range tests {
 -- 
-2.34.1
+2.40.1
 
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0035-Add-support-for-external-etcd-machines-in-Kind-mappe.patch b/projects/kubernetes-sigs/cluster-api/patches/0035-Add-support-for-external-etcd-machines-in-Kind-mappe.patch
new file mode 100644
index 0000000000..5625cfc036
--- /dev/null
+++ b/projects/kubernetes-sigs/cluster-api/patches/0035-Add-support-for-external-etcd-machines-in-Kind-mappe.patch
@@ -0,0 +1,189 @@
+From d4d08cedc601c13d08cb78a664d26a8251fde297 Mon Sep 17 00:00:00 2001
+From: Abhay Krishna Arunachalam <arnchlm@amazon.com>
+Date: Wed, 16 Aug 2023 19:58:01 -0700
+Subject: [PATCH 35/36] Add support for external etcd machines in Kind mapper
+
+---
+ .../docker/exp/internal/docker/nodepool.go    |  4 +-
+ .../controllers/dockermachine_controller.go   | 13 ++--
+ .../docker/internal/docker/machine.go         | 69 +++++++++++++------
+ 3 files changed, 54 insertions(+), 32 deletions(-)
+
+diff --git a/test/infrastructure/docker/exp/internal/docker/nodepool.go b/test/infrastructure/docker/exp/internal/docker/nodepool.go
+index 1a46d283a..9e1705cac 100644
+--- a/test/infrastructure/docker/exp/internal/docker/nodepool.go
++++ b/test/infrastructure/docker/exp/internal/docker/nodepool.go
+@@ -219,7 +219,7 @@ func (np *NodePool) addMachine(ctx context.Context) error {
+ 		}
+ 	}
+ 
+-	if err := externalMachine.Create(ctx, np.dockerMachinePool.Spec.Template.CustomImage, constants.WorkerNodeRoleValue, np.machinePool.Spec.Template.Spec.Version, labels, np.dockerMachinePool.Spec.Template.ExtraMounts); err != nil {
++	if err := externalMachine.Create(ctx, np.dockerMachinePool.Spec.Template.CustomImage, constants.WorkerNodeRoleValue, np.machinePool.Spec.Template.Spec.Version, labels, np.dockerMachinePool.Spec.Template.ExtraMounts, false); err != nil {
+ 		return errors.Wrapf(err, "failed to create docker machine with instance name %s", instanceName)
+ 	}
+ 	return nil
+@@ -301,7 +301,7 @@ func (np *NodePool) reconcileMachine(ctx context.Context, machine *docker.Machin
+ 			}
+ 
+ 			// Run the bootstrap script. Simulates cloud-init/Ignition.
+-			if err := externalMachine.ExecBootstrap(timeoutCtx, bootstrapData, format, np.machinePool.Spec.Template.Spec.Version, np.dockerMachinePool.Spec.Template.CustomImage); err != nil {
++			if err := externalMachine.ExecBootstrap(timeoutCtx, bootstrapData, format, np.machinePool.Spec.Template.Spec.Version, np.dockerMachinePool.Spec.Template.CustomImage, false); err != nil {
+ 				return ctrl.Result{}, errors.Wrapf(err, "failed to exec DockerMachinePool instance bootstrap for instance named %s", machine.Name())
+ 			}
+ 			// Check for bootstrap success
+diff --git a/test/infrastructure/docker/internal/controllers/dockermachine_controller.go b/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
+index decaafda4..00cbe0d39 100644
+--- a/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
++++ b/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
+@@ -252,7 +252,7 @@ func (r *DockerMachineReconciler) reconcileNormal(ctx context.Context, cluster *
+ 	if !externalMachine.Exists() {
+ 		// NOTE: FailureDomains don't mean much in CAPD since it's all local, but we are setting a label on
+ 		// each container, so we can check placement.
+-		if err := externalMachine.Create(ctx, dockerMachine.Spec.CustomImage, role, machine.Spec.Version, docker.FailureDomainLabel(machine.Spec.FailureDomain), dockerMachine.Spec.ExtraMounts); err != nil {
++		if err := externalMachine.Create(ctx, dockerMachine.Spec.CustomImage, role, machine.Spec.Version, docker.FailureDomainLabel(machine.Spec.FailureDomain), dockerMachine.Spec.ExtraMounts, util.IsEtcdMachine(machine)); err != nil {
+ 			return ctrl.Result{}, errors.Wrap(err, "failed to create worker DockerMachine")
+ 		}
+ 	}
+@@ -332,7 +332,7 @@ func (r *DockerMachineReconciler) reconcileNormal(ctx context.Context, cluster *
+ 			}()
+ 
+ 			// Run the bootstrap script. Simulates cloud-init/Ignition.
+-			if err := externalMachine.ExecBootstrap(timeoutCtx, bootstrapData, format, machine.Spec.Version, dockerMachine.Spec.CustomImage); err != nil {
++			if err := externalMachine.ExecBootstrap(timeoutCtx, bootstrapData, format, machine.Spec.Version, dockerMachine.Spec.CustomImage, util.IsEtcdMachine(machine)); err != nil {
+ 				conditions.MarkFalse(dockerMachine, infrav1.BootstrapExecSucceededCondition, infrav1.BootstrapFailedReason, clusterv1.ConditionSeverityWarning, "Repeating bootstrap")
+ 				return ctrl.Result{}, errors.Wrap(err, "failed to exec DockerMachine bootstrap")
+ 			}
+@@ -361,12 +361,12 @@ func (r *DockerMachineReconciler) reconcileNormal(ctx context.Context, cluster *
+ 	// Machine will never get a node ref as ProviderID is required to set the node ref, so we would get a deadlock.
+ 	if cluster.Spec.ControlPlaneRef != nil &&
+ 		!conditions.IsTrue(cluster, clusterv1.ControlPlaneInitializedCondition) &&
+-		!isEtcdMachine(machine) {
++		!util.IsEtcdMachine(machine) {
+ 		return ctrl.Result{RequeueAfter: 15 * time.Second}, nil
+ 	}
+ 
+ 	// In case of an etcd cluster, there is no concept of kubernetes node. So we can generate the node Provider ID and set it on machine spec directly
+-	if !isEtcdMachine(machine) {
++	if !util.IsEtcdMachine(machine) {
+ 		// Usually a cloud provider will do this, but there is no docker-cloud provider.
+ 		// Requeue if there is an error, as this is likely momentary load balancer
+ 		// state changes during control plane provisioning.
+@@ -534,8 +534,3 @@ func setMachineAddress(ctx context.Context, dockerMachine *infrav1.DockerMachine
+ 	}
+ 	return nil
+ }
+-
+-func isEtcdMachine(machine *clusterv1.Machine) bool {
+-	_, ok := machine.Labels[clusterv1.MachineEtcdClusterLabelName]
+-	return ok
+-}
+diff --git a/test/infrastructure/docker/internal/docker/machine.go b/test/infrastructure/docker/internal/docker/machine.go
+index 12bda2cb2..d36e122ca 100644
+--- a/test/infrastructure/docker/internal/docker/machine.go
++++ b/test/infrastructure/docker/internal/docker/machine.go
+@@ -47,6 +47,7 @@ import (
+ 	"sigs.k8s.io/cluster-api/test/infrastructure/docker/internal/provisioning/ignition"
+ 	"sigs.k8s.io/cluster-api/test/infrastructure/kind"
+ 	"sigs.k8s.io/cluster-api/util/patch"
++	versionutil "sigs.k8s.io/cluster-api/util/version"
+ )
+ 
+ type nodeCreator interface {
+@@ -192,23 +193,35 @@ func (m *Machine) ContainerImage() string {
+ }
+ 
+ // Create creates a docker container hosting a Kubernetes node.
+-func (m *Machine) Create(ctx context.Context, image string, role string, version *string, labels map[string]string, mounts []infrav1.Mount) error {
++func (m *Machine) Create(ctx context.Context, image string, role string, version *string, labels map[string]string, mounts []infrav1.Mount, isEtcdMachine bool) error {
+ 	log := ctrl.LoggerFrom(ctx)
+ 
+ 	// Create if not exists.
+ 	if m.container == nil {
+ 		var err error
++		var semVer semver.Version
++
++		// External etcd machines do not set a version field in the machine.Spec.Version.
++		// So we are parsing the Kubernetes semantic version from the Kind node tag and
++		// using that to get the Kind Mapping.
++		if isEtcdMachine {
++			nodeImageTag := strings.Split(image, ":")[1]
++			semVer, err = versionutil.ParseMajorMinorPatch(nodeImageTag)
++			if err != nil {
++				return errors.Wrap(err, "failed to parse semantic version from image tag")
++			}
++		} else {
++			// Parse the semver from the Spec.Version if not nil and get the KindMapping using the semver.
++			// NOTE: The KindMapping allows to select the most recent kindest/node image available, if any, as well as
++			// provide info about the mode to be used when starting the kindest/node image itself.
++			if version == nil {
++				return errors.New("cannot create a DockerMachine for a nil version")
++			}
+ 
+-		// Get the KindMapping for the target K8s version.
+-		// NOTE: The KindMapping allows to select the most recent kindest/node image available, if any, as well as
+-		// provide info about the mode to be used when starting the kindest/node image itself.
+-		if version == nil {
+-			return errors.New("cannot create a DockerMachine for a nil version")
+-		}
+-
+-		semVer, err := semver.Parse(strings.TrimPrefix(*version, "v"))
+-		if err != nil {
+-			return errors.Wrap(err, "failed to parse DockerMachine version")
++			semVer, err = semver.Parse(strings.TrimPrefix(*version, "v"))
++			if err != nil {
++				return errors.Wrap(err, "failed to parse DockerMachine version")
++			}
+ 		}
+ 
+ 		kindMapping := kind.GetMapping(semVer, image)
+@@ -320,23 +333,37 @@ func (m *Machine) PreloadLoadImages(ctx context.Context, images []string) error
+ }
+ 
+ // ExecBootstrap runs bootstrap on a node, this is generally `kubeadm <init|join>`.
+-func (m *Machine) ExecBootstrap(ctx context.Context, data string, format bootstrapv1.Format, version *string, image string) error {
++func (m *Machine) ExecBootstrap(ctx context.Context, data string, format bootstrapv1.Format, version *string, image string, isEtcdMachine bool) error {
+ 	log := ctrl.LoggerFrom(ctx)
+ 
+ 	if m.container == nil {
+ 		return errors.New("unable to set ExecBootstrap. the container hosting this machine does not exists")
+ 	}
+ 
+-	// Get the kindMapping for the target K8s version.
+-	// NOTE: The kindMapping allows to select the most recent kindest/node image available, if any, as well as
+-	// provide info about the mode to be used when starting the kindest/node image itself.
+-	if version == nil {
+-		return errors.New("cannot create a DockerMachine for a nil version")
+-	}
++	var err error
++	var semVer semver.Version
+ 
+-	semVer, err := semver.Parse(strings.TrimPrefix(*version, "v"))
+-	if err != nil {
+-		return errors.Wrap(err, "failed to parse DockerMachine version")
++	// External etcd machines do not set a version field in the machine.Spec.Version.
++	// So we are parsing the Kubernetes semantic version from the Kind node tag and
++	// using that to get the Kind Mapping.
++	if isEtcdMachine {
++		nodeImageTag := strings.Split(image, ":")[1]
++		semVer, err = versionutil.ParseMajorMinorPatch(nodeImageTag)
++		if err != nil {
++			return errors.Wrap(err, "failed to parse semantic version from image tag")
++		}
++	} else {
++		// Parse the semver from the Spec.Version if not nil and get the KindMapping using the semver.
++		// NOTE: The KindMapping allows to select the most recent kindest/node image available, if any, as well as
++		// provide info about the mode to be used when starting the kindest/node image itself.
++		if version == nil {
++			return errors.New("cannot create a DockerMachine for a nil version")
++		}
++
++		semVer, err = semver.Parse(strings.TrimPrefix(*version, "v"))
++		if err != nil {
++			return errors.Wrap(err, "failed to parse DockerMachine version")
++		}
+ 	}
+ 
+ 	kindMapping := kind.GetMapping(semVer, image)
+-- 
+2.40.1
+
diff --git a/projects/kubernetes-sigs/cluster-api/patches/0036-disable-cgroupns-private-to-fix-AL2.patch b/projects/kubernetes-sigs/cluster-api/patches/0036-disable-cgroupns-private-to-fix-AL2.patch
new file mode 100644
index 0000000000..263df9c080
--- /dev/null
+++ b/projects/kubernetes-sigs/cluster-api/patches/0036-disable-cgroupns-private-to-fix-AL2.patch
@@ -0,0 +1,39 @@
+From 2091c72ae50fd8419cd6924a1873d65e600827bc Mon Sep 17 00:00:00 2001
+From: Jackson West <jgw@amazon.com>
+Date: Sat, 19 Aug 2023 09:35:39 -0500
+Subject: [PATCH 36/36] disable cgroupns=private to fix AL2
+
+---
+ test/infrastructure/container/docker.go | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/test/infrastructure/container/docker.go b/test/infrastructure/container/docker.go
+index 225a0e5b9..57bedee24 100644
+--- a/test/infrastructure/container/docker.go
++++ b/test/infrastructure/container/docker.go
+@@ -39,7 +39,6 @@ import (
+ 	"k8s.io/utils/pointer"
+ 
+ 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+-	"sigs.k8s.io/cluster-api/test/infrastructure/kind"
+ )
+ 
+ const (
+@@ -404,9 +403,11 @@ func (d *dockerRuntime) RunContainer(ctx context.Context, runConfig *RunContaine
+ 	networkConfig := network.NetworkingConfig{}
+ 
+ 	// NOTE: starting from Kind 0.20 kind requires CgroupnsMode to be set to private.
+-	if runConfig.KindMode != kind.ModeNone && runConfig.KindMode != kind.Mode0_19 {
+-		hostConfig.CgroupnsMode = "private"
+-	}
++	// AWS: groupns = private breaks on AL2 nodes, kind 0.20 still "supports" non-private mode
++	// but it is deprecated it. For now we revert to the previous behavior. 
++	// if runConfig.KindMode != kind.ModeNone && runConfig.KindMode != kind.Mode0_19 {
++	// 	hostConfig.CgroupnsMode = "private"
++	// }
+ 
+ 	if runConfig.IPFamily == clusterv1.IPv6IPFamily {
+ 		hostConfig.Sysctls = map[string]string{
+-- 
+2.40.1
+
diff --git a/projects/kubernetes-sigs/cri-tools/README.md b/projects/kubernetes-sigs/cri-tools/README.md
index a40dcc884e..b8de883853 100644
--- a/projects/kubernetes-sigs/cri-tools/README.md
+++ b/projects/kubernetes-sigs/cri-tools/README.md
@@ -1,5 +1,5 @@
 ## **CRI Tools**
-![Version](https://img.shields.io/badge/version-v1.26.1-blue)
+![Version](https://img.shields.io/badge/version-v1.27.0-blue)
 ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiUUlRZXJEVUxWcjI1OE8weVdXQnY4alBSU1lxVm1FOGVoZE83VldDbjJiaFBtY25XT3NIK1RhckZkQXZGclZDSkVLUG5PMmd5K2J2RVlSYk9pclUybC9zPSIsIml2UGFyYW1ldGVyU3BlYyI6IkF3RGUzVDFhVlB0eUlGMWwiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
 The [CRI tools project](https://github.com/kubernetes-sigs/cri-tools) provides a CLI and validation tools for the `kubelet`'s Container Runtime Interface (CRI). This allows CRI runtime developers to debug their runtimes (like `containerd`, `CRI-O`, etc.) without needing to set up Kubernetes components. The `crictl` CLI can perform numerous functions such as running containers, fetching logs, listing conatiner stats, removing images, etc.
diff --git a/projects/kubernetes-sigs/kind/ATTRIBUTION.txt b/projects/kubernetes-sigs/kind/ATTRIBUTION.txt
index 2979916389..d460c8d4e6 100644
--- a/projects/kubernetes-sigs/kind/ATTRIBUTION.txt
+++ b/projects/kubernetes-sigs/kind/ATTRIBUTION.txt
@@ -11,7 +11,7 @@ https://github.com/spf13/cobra
 ** gopkg.in/yaml.v2; version v2.4.0 --
 https://gopkg.in/yaml.v2
 
-** sigs.k8s.io/kind; version v0.18.0 --
+** sigs.k8s.io/kind; version v0.20.0 --
 https://github.com/kubernetes-sigs/kind
 
 
diff --git a/projects/kubernetes-sigs/kind/CHECKSUMS b/projects/kubernetes-sigs/kind/CHECKSUMS
index c1cae58cc0..47f1fb4487 100644
--- a/projects/kubernetes-sigs/kind/CHECKSUMS
+++ b/projects/kubernetes-sigs/kind/CHECKSUMS
@@ -1,4 +1,5 @@
-057fc05e48a0566cc13bab1568acd6d66c068521ab38d8d3316b3b412923bd1f  _output/bin/kind/linux-amd64/kind
-b39cbfb49a362a4f0e927b541025cea89fc7c6ca1792b2e28965713e9493090d  _output/bin/kind/linux-amd64/kindnetd
-fe588e4d6e367eba755530577f107986e13b77c770faaba55770dc667e8ef5fe  _output/bin/kind/linux-arm64/kind
-caabe7940bf5713902ca848904b878d50eaa1d93f091cefbf3a15efb110b566f  _output/bin/kind/linux-arm64/kindnetd
+d937d5fc56e33d6f43f1847fa9d3f27fe4ee545238fd5906aaeb7309f66042db  _output/bin/kind/linux-amd64/kind
+2c7ba783282034c923d38d3c1dfd715f0c13fe3402e554be45d99c69a017ba84  _output/bin/kind/linux-amd64/kindnetd
+8bb27c07715177dd1a9c20243954c4f35c9757fb1e71e803d52c158111f82360  _output/bin/kind/linux-arm64/kind
+873a2c98337c841811caad9ca819b0856e9d57d67a9d617ce2b2d1cd6bee5dd9  _output/bin/kind/linux-arm64/kindnetd
+
diff --git a/projects/kubernetes-sigs/kind/GIT_TAG b/projects/kubernetes-sigs/kind/GIT_TAG
index a86d3df725..1847373e96 100644
--- a/projects/kubernetes-sigs/kind/GIT_TAG
+++ b/projects/kubernetes-sigs/kind/GIT_TAG
@@ -1 +1 @@
-v0.18.0
+v0.20.0
diff --git a/projects/kubernetes-sigs/kind/KINDNETD_ATTRIBUTION.txt b/projects/kubernetes-sigs/kind/KINDNETD_ATTRIBUTION.txt
index 1b7e3bd3c8..7b9a89dcd4 100644
--- a/projects/kubernetes-sigs/kind/KINDNETD_ATTRIBUTION.txt
+++ b/projects/kubernetes-sigs/kind/KINDNETD_ATTRIBUTION.txt
@@ -59,7 +59,7 @@ https://github.com/kubernetes/utils
 ** sigs.k8s.io/json; version v0.0.0-20220713155537-f223a00ba0e2 --
 https://github.com/kubernetes-sigs/json
 
-** sigs.k8s.io/kind/images/kindnetd/cmd/kindnetd; version v0.18.0 --
+** sigs.k8s.io/kind/images/kindnetd/cmd/kindnetd; version v0.20.0 --
 https://github.com/kubernetes-sigs/kind
 
 ** sigs.k8s.io/structured-merge-diff/v4; version v4.2.3 --
diff --git a/projects/kubernetes-sigs/kind/README.md b/projects/kubernetes-sigs/kind/README.md
index 658c8679ad..4dd3449450 100644
--- a/projects/kubernetes-sigs/kind/README.md
+++ b/projects/kubernetes-sigs/kind/README.md
@@ -1,5 +1,5 @@
 ## **Kind**
-![Version](https://img.shields.io/badge/version-v0.18.0-blue)
+![Version](https://img.shields.io/badge/version-v0.20.0-blue)
 ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiVkgvQm93WHUvUWJ1U2ZhSG9JTUJNMFdjdGtwSkIyRCt1azM0THYxcWYweC8rM2lHRmNYMXI0QkVPUm4yZ0JZZ1c4RzdMeTJ3dGtpREdYeFpvTEhtc2FnPSIsIml2UGFyYW1ldGVyU3BlYyI6Im9GV2EzRGZQNVZ5c25kTmoiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
 [Kind](https://github.com/kubernetes-sigs/kind) is a tool for running local Kubernetes clusters using Docker container "nodes". kind bootstraps each "node" with `kubeadm`. kind consists of:
diff --git a/projects/kubernetes-sigs/kind/build/node-image-build-args.sh b/projects/kubernetes-sigs/kind/build/node-image-build-args.sh
index cecbceca49..7dd7a23b23 100755
--- a/projects/kubernetes-sigs/kind/build/node-image-build-args.sh
+++ b/projects/kubernetes-sigs/kind/build/node-image-build-args.sh
@@ -51,13 +51,13 @@ ETCD_VERSION=$(build::eksd_releases::get_eksd_component_version "etcd" $EKSD_REL
 
 # Expected versions provided by kind which are replaced in the docker build with our versions
 # when updating kind check the following, they may need to be updated
-# https://github.com/kubernetes-sigs/kind/blob/v0.18.0/pkg/build/nodeimage/const_cni.go#L23
-KINDNETD_IMAGE_TAG="docker.io/kindest/kindnetd:v20230330-48f316cd@sha256:c19d6362a6a928139820761475a38c24c0cf84d507b9ddf414a078cf627497af"
-# https://github.com/kubernetes-sigs/kind/blob/v0.18.0/pkg/build/nodeimage/const_storage.go#L28
-LOCAL_PATH_PROVISONER_IMAGE_TAG="docker.io/kindest/local-path-provisioner:v0.0.23-kind.0@sha256:f2d0a02831ff3a03cf51343226670d5060623b43a4cfc4808bd0875b2c4b9501"
-# https://github.com/kubernetes-sigs/kind/blob/v0.18.0/pkg/build/nodeimage/const_storage.go#L29
-LOCAL_PATH_HELPER_IMAGE_TAG="docker.io/kindest/local-path-helper:v20230330-48f316cd@sha256:135203f2441f916fb13dad1561d27f60a6f11f50ec288b01a7d2ee9947c36270"
-# https://github.com/kubernetes-sigs/kind/blob/v0.18.0/images/base/files/etc/containerd/config.toml#L37
+# https://github.com/kubernetes-sigs/kind/blob/v0.20.0/pkg/build/nodeimage/const_cni.go#L23
+KINDNETD_IMAGE_TAG="docker.io/kindest/kindnetd:v20230511-dc714da8"
+# https://github.com/kubernetes-sigs/kind/blob/v0.20.0/pkg/build/nodeimage/const_storage.go#L28
+LOCAL_PATH_PROVISONER_IMAGE_TAG="docker.io/kindest/local-path-provisioner:v20230511-dc714da8"
+# https://github.com/kubernetes-sigs/kind/blob/v0.20.0/pkg/build/nodeimage/const_storage.go#L29
+LOCAL_PATH_HELPER_IMAGE_TAG="docker.io/kindest/local-path-helper:v20230510-486859a6"
+# https://github.com/kubernetes-sigs/kind/blob/v0.20.0/images/base/files/etc/containerd/config.toml#L37
 PAUSE_IMAGE_TAG="registry.k8s.io/pause:3.7"
 
 mkdir -p $(dirname $OUTPUT_FILE)
diff --git a/projects/kubernetes-sigs/kind/patches/0001-Switch-to-AL2-base-image-for-node-image.patch b/projects/kubernetes-sigs/kind/patches/0001-Switch-to-AL2-base-image-for-node-image.patch
index 0ae5053fe4..cb20545466 100644
--- a/projects/kubernetes-sigs/kind/patches/0001-Switch-to-AL2-base-image-for-node-image.patch
+++ b/projects/kubernetes-sigs/kind/patches/0001-Switch-to-AL2-base-image-for-node-image.patch
@@ -1,24 +1,28 @@
-From 3c55c9e2dfbd31a1f0e4c92db01728d076f08086 Mon Sep 17 00:00:00 2001
+From fc6ed013f61ce370ea9bb89d972c70acae247aa9 Mon Sep 17 00:00:00 2001
 From: Jackson West <jgw@amazon.com>
-Date: Sat, 2 Apr 2022 22:00:37 -0500
-Subject: [PATCH 1/2] Switch to AL2 base image for node image
+Date: Thu, 29 Jun 2023 00:56:53 -0700
+Subject: [PATCH 1/3] Switch to AL2 base image for node image
 
-Signed-off-by: Jackson West <jgw@amazon.com>
 ---
- images/base/Dockerfile                        | 146 ++++++++----------
+ images/base/Dockerfile                        | 231 +++++++-----------
  images/base/files/usr/local/bin/clean-install |  10 +-
- 2 files changed, 69 insertions(+), 87 deletions(-)
+ 2 files changed, 99 insertions(+), 142 deletions(-)
 
 diff --git a/images/base/Dockerfile b/images/base/Dockerfile
-index f6abfa3b..e4c13a47 100644
+index eb3f95ad..0ab8ab87 100644
 --- a/images/base/Dockerfile
 +++ b/images/base/Dockerfile
-@@ -19,43 +19,25 @@
+@@ -17,11 +17,27 @@
+ # For systemd + docker configuration used below, see the following references:
+ # https://systemd.io/CONTAINER_INTERFACE/
  
- # start from ubuntu, this image is reasonably small as a starting point
- # for a kubernetes node image, it doesn't contain much we don't need
--ARG BASE_IMAGE=ubuntu:22.04
--FROM $BASE_IMAGE as build
+-# start from debian slim, this image is reasonably small as a starting point
+-# for a kubernetes node image, it doesn't contain much (anything?) we don't need
+-# this stage will install basic files and packages
+-ARG BASE_IMAGE=debian:bullseye-slim
+-FROM $BASE_IMAGE as base
++# start from ubuntu, this image is reasonably small as a starting point
++# for a kubernetes node image, it doesn't contain much we don't need
 +ARG BASE_IMAGE
 +ARG BUILDER_IMAGE
 +FROM $BASE_IMAGE as base-amd64
@@ -27,41 +31,8 @@ index f6abfa3b..e4c13a47 100644
 +ARG CRICTL_AMD64_SHA256SUM_URL
 +ARG CRICTL_URL=${CRICTL_AMD64_URL}
 +ARG CRICTL_SHA256SUM_URL=${CRICTL_AMD64_SHA256SUM_URL}
- 
--# `docker buildx` automatically sets this arg value
--ARG TARGETARCH
- 
--# Configure containerd and runc binaries from kind-ci/containerd-nightlies repository
--# The repository contains latest stable releases and nightlies built for multiple architectures
--ARG CONTAINERD_VERSION="1.6.19-46-g941215f49"
--ARG CONTAINERD_BASE_URL="https://github.com/kind-ci/containerd-nightlies/releases/download"
--ARG CONTAINERD_URL="${CONTAINERD_BASE_URL}/containerd-${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}-linux-${TARGETARCH}.tar.gz"
--ARG CONTAINERD_AMD64_SHA256SUM="df182a12d9108042df7dc449506be43f2fed8b3babde5bb9a72e5554e055a085"
--ARG CONTAINERD_ARM64_SHA256SUM="2c76703c81ddaee5295911b8d8816dc84bcd8c5f78e48ea6f03b00a86148694e"
--
--ARG RUNC_URL="${CONTAINERD_BASE_URL}/containerd-${CONTAINERD_VERSION}/runc.${TARGETARCH}"
--ARG RUNC_AMD64_SHA256SUM="76acadf30309b3e36aeb1bdb69238e52be2dd12e7a3557641e6f25415c1cb29b"
--ARG RUNC_ARM64_SHA256SUM="2216c944455b4664113ce0af8b4a6ddc3beb7bacecc06b45b03b004995c822c1"
--
--# Configure crictl binary from upstream
--ARG CRICTL_VERSION="v1.26.1"
--ARG CRICTL_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-${TARGETARCH}.tar.gz"
--ARG CRICTL_AMD64_SHA256SUM="0c1a0f9900c15ee7a55e757bcdc220faca5dd2e1cfc120459ad1f04f08598127"
--ARG CRICTL_ARM64_SHA256SUM="cfa28be524b5da1a6dded455bb497dfead27b1fd089e1161eb008909509be585"
--
--# Configure CNI binaries from upstream
--ARG CNI_PLUGINS_VERSION="v1.2.0"
--ARG CNI_PLUGINS_TARBALL="${CNI_PLUGINS_VERSION}/cni-plugins-linux-${TARGETARCH}-${CNI_PLUGINS_VERSION}.tgz"
--ARG CNI_PLUGINS_URL="https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_TARBALL}"
--ARG CNI_PLUGINS_AMD64_SHA256SUM="f3a841324845ca6bf0d4091b4fc7f97e18a623172158b72fc3fdcdb9d42d2d37"
--ARG CNI_PLUGINS_ARM64_SHA256SUM="525e2b62ba92a1b6f3dc9612449a84aa61652e680f7ebf4eff579795fe464b57"
--
--# Configure containerd-fuse-overlayfs snapshotter binary from upstream
--ARG CONTAINERD_FUSE_OVERLAYFS_VERSION="1.0.5"
--ARG CONTAINERD_FUSE_OVERLAYFS_TARBALL="v${CONTAINERD_FUSE_OVERLAYFS_VERSION}/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}-linux-${TARGETARCH}.tar.gz"
--ARG CONTAINERD_FUSE_OVERLAYFS_URL="https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/${CONTAINERD_FUSE_OVERLAYFS_TARBALL}"
--ARG CONTAINERD_FUSE_OVERLAYFS_AMD64_SHA256SUM="1f4b12322cc1b044dfbbeaec30fc42295cedc8b6f0642146ba518333f9d5ddca"
--ARG CONTAINERD_FUSE_OVERLAYFS_ARM64_SHA256SUM="073e83196a7a73bd130fe44085bd65303c7e6cfc8c53ba46d90a16cbb8e5a112"
++
++
 +FROM $BASE_IMAGE as base-arm64
 +
 +ARG CRICTL_ARM64_URL
@@ -74,79 +45,189 @@ index f6abfa3b..e4c13a47 100644
  
  # copy in static files
  # all scripts are 0755 (rwx r-x r-x)
-@@ -102,11 +84,11 @@ COPY --chmod=0644 files/etc/systemd/system/kubelet.service.d/* /etc/systemd/syst
+@@ -71,10 +87,11 @@ COPY --chmod=0644 files/etc/systemd/system/kubelet.service.d/* /etc/systemd/syst
  RUN echo "Installing Packages ..." \
      && DEBIAN_FRONTEND=noninteractive clean-install \
        systemd \
--      conntrack iptables iproute2 ethtool socat util-linux mount ebtables kmod \
--      libseccomp2 pigz \
-+      conntrack iptables iproute ethtool socat util-linux ebtables kmod \
+-      conntrack iptables iproute2 ethtool util-linux mount ebtables kmod \
+-      libseccomp2 pigz fuse-overlayfs \
+-      nfs-common open-iscsi \
++      conntrack iptables iproute ethtool util-linux ebtables kmod \
 +      libseccomp pigz \
-       bash ca-certificates curl rsync \
--      nfs-common fuse-overlayfs open-iscsi \
--      jq \
 +      nfs-utils \
-+      containerd which tar procps hostname jq lockdev sudo \
+       bash ca-certificates curl jq procps \
++      containerd  hostname lockdev rsync sudo tar which \
      && find /lib/systemd/system/sysinit.target.wants/ -name "systemd-tmpfiles-setup.service" -delete \
      && rm -f /lib/systemd/system/multi-user.target.wants/* \
      && rm -f /etc/systemd/system/*.wants/* \
-@@ -114,49 +96,65 @@ RUN echo "Installing Packages ..." \
-     && rm -f /lib/systemd/system/sockets.target.wants/*udev* \
+@@ -83,148 +100,90 @@ RUN echo "Installing Packages ..." \
      && rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
      && rm -f /lib/systemd/system/basic.target.wants/* \
--    && echo "ReadKMsg=no" >> /etc/systemd/journald.conf \
+     && echo "ReadKMsg=no" >> /etc/systemd/journald.conf \
 -    && ln -s "$(which systemd)" /sbin/init
++    # already set on al23
++    # && ln -s "$(which systemd)" /sbin/init    
 +    # avoid runaway agetty processes most likely due to al2 being based on older centos 7
-+    && systemctl mask getty@tty1.service \
-+    && echo "ReadKMsg=no" >> /etc/systemd/journald.conf
++    # leaving for now, but al23 may not be affected by this issue
++    && systemctl mask getty@tty1.service
++    
  
- RUN echo "Enabling kubelet ... " \
-     && systemctl enable kubelet.service
- 
--RUN echo "Installing containerd ..." \
--    && curl -sSL --retry 5 --output /tmp/containerd.${TARGETARCH}.tgz "${CONTAINERD_URL}" \
--    && echo "${CONTAINERD_AMD64_SHA256SUM}  /tmp/containerd.amd64.tgz" | tee /tmp/containerd.sha256 \
--    && echo "${CONTAINERD_ARM64_SHA256SUM}  /tmp/containerd.arm64.tgz" | tee -a /tmp/containerd.sha256 \
--    && sha256sum --ignore-missing -c /tmp/containerd.sha256 \
--    && rm -f /tmp/containerd.sha256 \
--    && tar -C /usr/local -xzvf /tmp/containerd.${TARGETARCH}.tgz \
--    && rm -rf /tmp/containerd.${TARGETARCH}.tgz \
--    && rm -f /usr/local/bin/containerd-stress /usr/local/bin/containerd-shim-runc-v1 \
--    && curl -sSL --retry 5 --output /tmp/runc.${TARGETARCH} "${RUNC_URL}" \
--    && echo "${RUNC_AMD64_SHA256SUM}  /tmp/runc.amd64" | tee /tmp/runc.sha256 \
--    && echo "${RUNC_ARM64_SHA256SUM}  /tmp/runc.arm64" | tee -a /tmp/runc.sha256 \
--    && sha256sum --ignore-missing -c /tmp/runc.sha256 \
--    && mv /tmp/runc.${TARGETARCH} /usr/local/sbin/runc \
--    && chmod 755 /usr/local/sbin/runc \
-+RUN echo "Enabling containerd ..." \
-     && ctr oci spec \
-         | jq '.hooks.createContainer[.hooks.createContainer| length] |= . + {"path": "/usr/local/bin/mount-product-files"}' \
-         | jq 'del(.process.rlimits)' \
-         > /etc/containerd/cri-base.json \
-     && containerd --version \
-     && runc --version \
--    && systemctl enable containerd
-+    && systemctl enable containerd.service \
-+    && cp /usr/lib/systemd/system/containerd.service /etc/systemd/system/containerd.service
+ RUN echo "Enabling services ... " \
+     && systemctl enable kubelet.service \
+     && systemctl enable containerd.service \
+     && systemctl enable undo-mount-hacks.service
  
--RUN echo "Installing crictl ..." \
 +RUN echo "Installing crictl ..." \   
-     && curl -sSL --retry 5 --output /tmp/crictl.${TARGETARCH}.tgz "${CRICTL_URL}" \
--    && echo "${CRICTL_AMD64_SHA256SUM}  /tmp/crictl.amd64.tgz" | tee /tmp/crictl.sha256 \
--    && echo "${CRICTL_ARM64_SHA256SUM}  /tmp/crictl.arm64.tgz" | tee -a /tmp/crictl.sha256 \
--    && sha256sum --ignore-missing -c /tmp/crictl.sha256 \
++    && curl -sSL --retry 5 --output /tmp/crictl.${TARGETARCH}.tgz "${CRICTL_URL}" \
 +    && echo "$(curl $CRICTL_SHA256SUM_URL | cut -d ' ' -f1)  /tmp/crictl.${TARGETARCH}.tgz" | tee /tmp/crictl.sha256 \
 +    && sha256sum -c /tmp/crictl.sha256 \
-     && rm -f /tmp/crictl.sha256 \
-     && tar -C /usr/local/bin -xzvf /tmp/crictl.${TARGETARCH}.tgz \
--    && rm -rf /tmp/crictl.${TARGETARCH}.tgz
++    && rm -f /tmp/crictl.sha256 \
++    && tar -C /usr/local/bin -xzvf /tmp/crictl.${TARGETARCH}.tgz \
 +    && rm -rf /tmp/crictl.${TARGETARCH}.tgz 
 +
-+RUN echo "Ensuring /etc/kubernetes/manifests" \
-+    && mkdir -p /etc/kubernetes/manifests
-+
+ RUN echo "Ensuring /etc/kubernetes/manifests" \
+     && mkdir -p /etc/kubernetes/manifests
+ 
+-# shared stage to setup go version for building binaries
+-# NOTE we will be cross-compiling for performance reasons
+-# This is also why we start again FROM the same base image but a different
+-# platform and only the files needed for building
+-# We will copy the built binaries from later stages to the final stage(s)
+-FROM --platform=$BUILDPLATFORM $BASE_IMAGE as go-build
+-COPY --chmod=0755 files/usr/local/bin/* /usr/local/bin/
+-COPY --chmod=0755 scripts/third_party/gimme/gimme /usr/local/bin/
+-COPY --chmod=0755 scripts/target-cc /usr/local/bin/
+-# tools needed at build-time only
+-# first ensure we can install packages for both architectures
+-RUN dpkg --add-architecture arm64 && dpkg --add-architecture amd64 \
+-    && clean-install bash ca-certificates curl git make pkg-config \
+-    crossbuild-essential-amd64 crossbuild-essential-arm64 \
+-    libseccomp-dev:amd64 libseccomp-dev:arm64
+-# set by makefile to .go-version
+-ARG GO_VERSION
+-RUN eval "$(gimme "${GO_VERSION}")" \
+-    && GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest
+-
+-
+-# stage for building containerd
+-FROM go-build as build-containerd
+-ARG TARGETARCH GO_VERSION
+-ARG CONTAINERD_VERSION="v1.7.1"
+-ARG CONTAINERD_CLONE_URL="https://github.com/containerd/containerd"
+-# we don't build with optional snapshotters, we never select any of these
+-# they're not ideal inside kind anyhow, and we save some disk space
+-ARG BUILDTAGS="no_aufs no_zfs no_btrfs no_devmapper"
+-RUN git clone --filter=tree:0 "${CONTAINERD_CLONE_URL}" /containerd \
+-    && cd /containerd \
+-    && git checkout "${CONTAINERD_VERSION}" \
+-    && eval "$(gimme "${GO_VERSION}")" \
+-    && export GOARCH=$TARGETARCH && export CC=$(target-cc) && export CGO_ENABLED=1 \
+-    && make bin/ctr bin/containerd bin/containerd-shim-runc-v2 \
+-    && GOARCH=$TARGETARCH go-licenses save --save_path=/_LICENSES \
+-        ./cmd/ctr ./cmd/containerd ./cmd/containerd-shim-runc-v2
+-
+-# stage for building runc
+-FROM go-build as build-runc
+-ARG TARGETARCH GO_VERSION
+-ARG RUNC_VERSION="v1.1.7"
+-ARG RUNC_CLONE_URL="https://github.com/opencontainers/runc"
+-RUN git clone --filter=tree:0 "${RUNC_CLONE_URL}" /runc \
+-    && cd /runc \
+-    && git checkout "${RUNC_VERSION}" \
+-    && eval "$(gimme "${GO_VERSION}")" \
+-    && export GOARCH=$TARGETARCH && export CC=$(target-cc) && export CGO_ENABLED=1 \
+-    && make runc \
+-    && GOARCH=$TARGETARCH go-licenses save --save_path=/_LICENSES .
+-
+-# stage for building crictl
+-FROM go-build as build-crictl
+-ARG TARGETARCH GO_VERSION
+-ARG CRI_TOOLS_CLONE_URL="https://github.com/kubernetes-sigs/cri-tools"
+-ARG CRICTL_VERSION="v1.27.0"
+-RUN git clone --filter=tree:0 "${CRI_TOOLS_CLONE_URL}" /cri-tools \
+-    && cd /cri-tools \
+-    && git checkout "${CRICTL_VERSION}" \
+-    && eval "$(gimme "${GO_VERSION}")" \
+-    && export GOARCH=$TARGETARCH && export CC=$(target-cc) && export CGO_ENABLED=1 \
+-    && make BUILD_BIN_PATH=./build crictl \
+-    && GOARCH=$TARGETARCH go-licenses save --save_path=/_LICENSES ./cmd/crictl
+-
+-# stage for building cni-plugins
+-FROM go-build as build-cni
+-ARG TARGETARCH GO_VERSION
+-ARG CNI_PLUGINS_VERSION="v1.3.0"
+-ARG CNI_PLUGINS_CLONE_URL="https://github.com/containernetworking/plugins"
+-RUN git clone --filter=tree:0 "${CNI_PLUGINS_CLONE_URL}" /cni-plugins \
+-    && cd /cni-plugins \
+-    && git checkout "${CNI_PLUGINS_VERSION}" \
+-    && eval "$(gimme "${GO_VERSION}")" \
+-    && mkdir ./bin \
+-    && export GOARCH=$TARGETARCH && export CC=$(target-cc) && export CGO_ENABLED=1 \
+-    && go build -o ./bin/host-local -mod=vendor ./plugins/ipam/host-local \
+-    && go build -o ./bin/loopback -mod=vendor ./plugins/main/loopback \
+-    && go build -o ./bin/ptp -mod=vendor ./plugins/main/ptp \
+-    && go build -o ./bin/portmap -mod=vendor ./plugins/meta/portmap \
+-    && GOARCH=$TARGETARCH go-licenses save --save_path=/_LICENSES \
+-        ./plugins/ipam/host-local \
+-        ./plugins/main/loopback ./plugins/main/ptp \
+-        ./plugins/meta/portmap
+-
+-# stage for building containerd-fuse-overlayfs
+-FROM go-build as build-fuse-overlayfs
+-ARG TARGETARCH GO_VERSION
+-ARG CONTAINERD_FUSE_OVERLAYFS_VERSION="v1.0.5"
+-ARG CONTAINERD_FUSE_OVERLAYFS_CLONE_URL="https://github.com/containerd/fuse-overlayfs-snapshotter"
+-RUN git clone --filter=tree:0 "${CONTAINERD_FUSE_OVERLAYFS_CLONE_URL}" /fuse-overlayfs-snapshotter \
+-    && cd /fuse-overlayfs-snapshotter \
+-    && git checkout "${CONTAINERD_FUSE_OVERLAYFS_VERSION}" \
+-    && eval "$(gimme "${GO_VERSION}")" \
+-    && export GOARCH=$TARGETARCH && export CC=$(target-cc) && export CGO_ENABLED=1 \
+-    && make bin/containerd-fuse-overlayfs-grpc \
+-    && GOARCH=$TARGETARCH go-licenses save --save_path=/_LICENSES ./cmd/containerd-fuse-overlayfs-grpc
+-
+-
+-# build final image layout from other stages
+-FROM base as build
+-# copy over containerd build and install
+-COPY --from=build-containerd /containerd/bin/containerd /usr/local/bin/
+-COPY --from=build-containerd /containerd/bin/ctr /usr/local/bin/
+-COPY --from=build-containerd /containerd/bin/containerd-shim-runc-v2 /usr/local/bin/
++# this was removed upstream when they switched to debian
++# keeping since this unit exists in al23
 +RUN echo "Adjusting systemd-tmpfiles timer" \
 +    && sed -i /usr/lib/systemd/system/systemd-tmpfiles-clean.timer -e 's#OnBootSec=.*#OnBootSec=1min#'
++
+ RUN ctr oci spec \
+         | jq '.hooks.createContainer[.hooks.createContainer| length] |= . + {"path": "/kind/bin/mount-product-files.sh"}' \
+         | jq 'del(.process.rlimits)' \
+         > /etc/containerd/cri-base.json \
+     && containerd --version
+-COPY --from=build-containerd /_LICENSES/* /LICENSES/
+-# copy over runc build and install
+-COPY --from=build-runc /runc/runc /usr/local/sbin/runc
+-RUN runc --version
+-COPY --from=build-runc /_LICENSES/* /LICENSES/
+-# copy over crictl build and install
+-COPY --from=build-crictl /cri-tools/build/crictl /usr/local/bin/
+-COPY --from=build-crictl /_LICENSES/* /LICENSES/
+-# copy over CNI plugins build and install
+-RUN  mkdir -p /opt/cni/bin
+-COPY --from=build-cni /cni-plugins/bin/host-local /opt/cni/bin/
+-COPY --from=build-cni /cni-plugins/bin/loopback /opt/cni/bin/
+-COPY --from=build-cni /cni-plugins/bin/ptp /opt/cni/bin/
+-COPY --from=build-cni /cni-plugins/bin/portmap /opt/cni/bin/
+-COPY --from=build-cni /_LICENSES/* /LICENSES/
+-# copy over containerd-fuse-overlayfs and install
+-COPY --from=build-fuse-overlayfs /fuse-overlayfs-snapshotter/bin/containerd-fuse-overlayfs-grpc /usr/local/bin/
+-COPY --from=build-fuse-overlayfs /_LICENSES/* /LICENSES/
+-
+-# squash down to one compressed layer, without any lingering whiteout files etc
+-FROM scratch
+-COPY --from=build / /
+-# add metadata, must be done after the squashing
++
++# force use of al23 provided containerd.service config
++RUN cp /usr/lib/systemd/system/containerd.service /etc/systemd/system/containerd.service
 +
 +# These targets are basing off the "pushed" verison of the image above which is BUILDER_IMAGE
 +# the final base will be eks-distro-base, with the contents from the above copied
@@ -171,44 +252,33 @@ index f6abfa3b..e4c13a47 100644
 +
 +COPY --chmod=0755 files/usr/local/bin/* /usr/local/bin/
 +COPY --chmod=0644 files/etc/* /etc
- 
- RUN echo "Installing CNI plugin binaries ..." \
-     && curl -sSL --retry 5 --output /tmp/cni.${TARGETARCH}.tgz "${CNI_PLUGINS_URL}" \
--    && echo "${CNI_PLUGINS_AMD64_SHA256SUM}  /tmp/cni.amd64.tgz" | tee /tmp/cni.sha256 \
--    && echo "${CNI_PLUGINS_ARM64_SHA256SUM}  /tmp/cni.arm64.tgz" | tee -a /tmp/cni.sha256 \
--    && sha256sum --ignore-missing -c /tmp/cni.sha256 \
++
++RUN echo "Installing CNI plugin binaries ..." \
++    && curl -sSL --retry 5 --output /tmp/cni.${TARGETARCH}.tgz "${CNI_PLUGINS_URL}" \
 +    && echo "${CNI_PLUGINS_SHA256SUM}  /tmp/cni.${TARGETARCH}.tgz" | tee /tmp/cni.sha256 \
 +    && sha256sum -c /tmp/cni.sha256 \
-     && rm -f /tmp/cni.sha256 \
-     && mkdir -p /opt/cni/bin \
-     && tar -C /opt/cni/bin -xzvf /tmp/cni.${TARGETARCH}.tgz \
-@@ -169,24 +167,10 @@ RUN echo "Installing CNI plugin binaries ..." \
-       \) \
-       -delete
- 
--RUN echo "Installing containerd-fuse-overlayfs ..." \
--    && curl -sSL --retry 5 --output /tmp/containerd-fuse-overlayfs.${TARGETARCH}.tgz "${CONTAINERD_FUSE_OVERLAYFS_URL}" \
--    && echo "${CONTAINERD_FUSE_OVERLAYFS_AMD64_SHA256SUM}  /tmp/containerd-fuse-overlayfs.amd64.tgz" | tee /tmp/containerd-fuse-overlayfs.sha256 \
--    && echo "${CONTAINERD_FUSE_OVERLAYFS_ARM64_SHA256SUM}  /tmp/containerd-fuse-overlayfs.arm64.tgz" | tee -a /tmp/containerd-fuse-overlayfs.sha256 \
--    && sha256sum --ignore-missing -c /tmp/containerd-fuse-overlayfs.sha256 \
--    && rm -f /tmp/containerd-fuse-overlayfs.sha256 \
--    && tar -C /usr/local/bin -xzvf /tmp/containerd-fuse-overlayfs.${TARGETARCH}.tgz \
--    && rm -rf /tmp/containerd-fuse-overlayfs.${TARGETARCH}.tgz
--
--RUN echo "Ensuring /etc/kubernetes/manifests" \
--    && mkdir -p /etc/kubernetes/manifests
- 
--RUN echo "Adjusting systemd-tmpfiles timer" \
--    && sed -i /usr/lib/systemd/system/systemd-tmpfiles-clean.timer -e 's#OnBootSec=.*#OnBootSec=1min#'
++    && rm -f /tmp/cni.sha256 \
++    && mkdir -p /opt/cni/bin \
++    && tar -C /opt/cni/bin -xzvf /tmp/cni.${TARGETARCH}.tgz \
++    && rm -rf /tmp/cni.${TARGETARCH}.tgz \
++    && find /opt/cni/bin -type f -not \( \
++         -iname host-local \
++         -o -iname ptp \
++         -o -iname portmap \
++         -o -iname loopback \
++      \) \
++      -delete
++
++
 +FROM $BASE_IMAGE as base-versioned
- 
--# squash
--FROM scratch
--COPY --from=build / /
++
 +COPY --from=base-versioned-intermediate / /
- 
- # tell systemd that it is in docker (it will check for the container env)
++
++
++
+ # first tell systemd that it is in docker (it will check for the container env)
  # https://systemd.io/CONTAINER_INTERFACE/
+ ENV container docker
 diff --git a/images/base/files/usr/local/bin/clean-install b/images/base/files/usr/local/bin/clean-install
 index b0b861c3..f1d714a6 100755
 --- a/images/base/files/usr/local/bin/clean-install
@@ -236,5 +306,5 @@ index b0b861c3..f1d714a6 100755
 -   /usr/share/local/*
 +   /usr/share/local/* || true
 -- 
-2.39.2
+2.40.1
 
diff --git a/projects/kubernetes-sigs/kind/patches/0002-skip-ctr-pulling-required-images-since-the-build-rem.patch b/projects/kubernetes-sigs/kind/patches/0002-skip-ctr-pulling-required-images-since-the-build-rem.patch
index d2be7215f8..37f8f84526 100644
--- a/projects/kubernetes-sigs/kind/patches/0002-skip-ctr-pulling-required-images-since-the-build-rem.patch
+++ b/projects/kubernetes-sigs/kind/patches/0002-skip-ctr-pulling-required-images-since-the-build-rem.patch
@@ -1,19 +1,19 @@
-From 2a6b966caf858c5683660b644b7c2ee914e4e533 Mon Sep 17 00:00:00 2001
+From 314187ac127a4e8a190e62b9788a7940efbbb6f0 Mon Sep 17 00:00:00 2001
 From: Jackson West <jgw@amazon.com>
 Date: Sat, 2 Apr 2022 22:01:04 -0500
-Subject: [PATCH 2/2] skip ctr pulling required images since the build removes
+Subject: [PATCH 2/3] skip ctr pulling required images since the build removes
  them anyway
 
 Signed-off-by: Jackson West <jgw@amazon.com>
 ---
- pkg/build/nodeimage/buildcontext.go | 48 +++++++++++++++--------------
- 1 file changed, 25 insertions(+), 23 deletions(-)
+ pkg/build/nodeimage/buildcontext.go | 36 +++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
 
 diff --git a/pkg/build/nodeimage/buildcontext.go b/pkg/build/nodeimage/buildcontext.go
-index ecbaf6b1..6922a23a 100644
+index fed540dc..7815c87f 100644
 --- a/pkg/build/nodeimage/buildcontext.go
 +++ b/pkg/build/nodeimage/buildcontext.go
-@@ -257,29 +257,31 @@ func (c *buildContext) prePullImagesAndWriteManifests(bits kube.Bits, parsedVers
+@@ -258,23 +258,25 @@ func (c *buildContext) prePullImagesAndWriteManifests(bits kube.Bits, parsedVers
  		}
  	}()
  
@@ -22,17 +22,11 @@ index ecbaf6b1..6922a23a 100644
 -		image := image // https://golang.org/doc/faq#closures_and_goroutines
 -		fns = append(fns, func() error {
 -			if !builtImages.Has(image) {
--				/*
--					TODO: show errors when we have real errors. See comments in
--					importer implementation
--					err := importer.Pull(image, dockerBuildOsAndArch(c.arch))
--					if err != nil {
--						c.logger.Warnf("Failed to pull %s with error: %v", image, err)
--						runE := exec.RunErrorForError(err)
--						c.logger.Warn(string(runE.Output))
--					}
--				*/
--				_ = importer.Pull(image, dockerBuildOsAndArch(c.arch))
+-				if err = importer.Pull(image, dockerBuildOsAndArch(c.arch)); err != nil {
+-					c.logger.Warnf("Failed to pull %s with error: %v", image, err)
+-					runE := exec.RunErrorForError(err)
+-					c.logger.Warn(string(runE.Output))
+-				}
 -			}
 -			return nil
 -		})
@@ -47,17 +41,11 @@ index ecbaf6b1..6922a23a 100644
 +	// 	image := image // https://golang.org/doc/faq#closures_and_goroutines
 +	// 	fns = append(fns, func() error {
 +	// 		if !builtImages.Has(image) {
-+	// 			/*
-+	// 				TODO: show errors when we have real errors. See comments in
-+	// 				importer implementation
-+	// 				err := importer.Pull(image, dockerBuildOsAndArch(c.arch))
-+	// 				if err != nil {
-+	// 					c.logger.Warnf("Failed to pull %s with error: %v", image, err)
-+	// 					runE := exec.RunErrorForError(err)
-+	// 					c.logger.Warn(string(runE.Output))
-+	// 				}
-+	// 			*/
-+	// 			_ = importer.Pull(image, dockerBuildOsAndArch(c.arch))
++	// 			if err = importer.Pull(image, dockerBuildOsAndArch(c.arch)); err != nil {
++	// 				c.logger.Warnf("Failed to pull %s with error: %v", image, err)
++	// 				runE := exec.RunErrorForError(err)
++	// 				c.logger.Warn(string(runE.Output))
++	// 			}
 +	// 		}
 +	// 		return nil
 +	// 	})
diff --git a/projects/kubernetes-sigs/kind/patches/0003-Patch-haproxy-maxconn-value-to-avoid-ulimit-issue.patch b/projects/kubernetes-sigs/kind/patches/0003-Patch-haproxy-maxconn-value-to-avoid-ulimit-issue.patch
index 094ccd6d8a..6056b556b5 100644
--- a/projects/kubernetes-sigs/kind/patches/0003-Patch-haproxy-maxconn-value-to-avoid-ulimit-issue.patch
+++ b/projects/kubernetes-sigs/kind/patches/0003-Patch-haproxy-maxconn-value-to-avoid-ulimit-issue.patch
@@ -1,12 +1,11 @@
-From bc76a1b60451aa3df5bf85b37009eb298de86a2b Mon Sep 17 00:00:00 2001
-From: Prow Bot <prow@amazonaws.com>
+From 00c9ce28d95941e4d555f2ace4a0eb3bc15d01a7 Mon Sep 17 00:00:00 2001
+From: Jackson West <jgw@amazon.com>
 Date: Wed, 19 Apr 2023 12:28:28 -0500
 Subject: [PATCH 3/3] Patch haproxy maxconn value to avoid ulimit issue
 
 EKS-A uses haproxy 2.5 which errors if the maxconn value
 requires more FDs than allowed by the ulimit setting of docker.
 100k maxconn is too high for the default ulimit on an al2 node.
-
 ---
  images/haproxy/haproxy.cfg                  | 5 ++++-
  pkg/cluster/internal/loadbalancer/config.go | 5 ++++-
diff --git a/projects/kubernetes-sigs/kind/patches/0004-Disable-cgroupns-private-to-fix-cluster-creation-on-.patch b/projects/kubernetes-sigs/kind/patches/0004-Disable-cgroupns-private-to-fix-cluster-creation-on-.patch
new file mode 100644
index 0000000000..8b80fc1d7a
--- /dev/null
+++ b/projects/kubernetes-sigs/kind/patches/0004-Disable-cgroupns-private-to-fix-cluster-creation-on-.patch
@@ -0,0 +1,26 @@
+From 00cfd713adb67782d7d0a013b4be5a4a61232425 Mon Sep 17 00:00:00 2001
+From: Jackson West <jgw@amazon.com>
+Date: Sat, 19 Aug 2023 09:21:55 -0500
+Subject: [PATCH] Disable cgroupns=private to fix cluster creation on AL2
+
+---
+ pkg/cluster/internal/providers/docker/provision.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/cluster/internal/providers/docker/provision.go b/pkg/cluster/internal/providers/docker/provision.go
+index 6c644a36..351c023b 100644
+--- a/pkg/cluster/internal/providers/docker/provision.go
++++ b/pkg/cluster/internal/providers/docker/provision.go
+@@ -171,7 +171,8 @@ func commonArgs(cluster string, cfg *config.Cluster, networkName string, nodeNam
+ 		// this is the default with cgroups v2 but not with cgroups v1, unless
+ 		// overridden in the daemon --default-cgroupns-mode
+ 		// https://github.com/docker/cli/pull/3699#issuecomment-1191675788
+-		"--cgroupns=private",
++		// AWS: Seems to cause issues on AL2 nodes
++		//"--cgroupns=private",
+ 	}
+ 
+ 	// enable IPv6 if necessary
+-- 
+2.40.1
+
diff --git a/projects/kubernetes-sigs/kind/patches/0004-TEMP-lock-containerd-and-runc-version.patch b/projects/kubernetes-sigs/kind/patches/0004-TEMP-lock-containerd-and-runc-version.patch
deleted file mode 100644
index 27f9ddd373..0000000000
--- a/projects/kubernetes-sigs/kind/patches/0004-TEMP-lock-containerd-and-runc-version.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 04ce891cae930cc9c1b08ff68aeeb727166d6376 Mon Sep 17 00:00:00 2001
-From: Prow Bot <prow@amazonaws.com>
-Date: Sat, 12 Aug 2023 12:08:58 -0500
-Subject: [PATCH] TEMP: lock containerd and runc version
-
----
- images/base/Dockerfile | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/images/base/Dockerfile b/images/base/Dockerfile
-index e4c13a47..f38be515 100644
---- a/images/base/Dockerfile
-+++ b/images/base/Dockerfile
-@@ -103,6 +103,9 @@ RUN echo "Installing Packages ..." \
- RUN echo "Enabling kubelet ... " \
-     && systemctl enable kubelet.service
- 
-+RUN echo "force runc and containerd version ... " \
-+    && DEBIAN_FRONTEND=noninteractive clean-install containerd-1.6.19-1.amzn2023.0.1 runc-1.1.5-1.amzn2023.0.1
-+
- RUN echo "Enabling containerd ..." \
-     && ctr oci spec \
-         | jq '.hooks.createContainer[.hooks.createContainer| length] |= . + {"path": "/usr/local/bin/mount-product-files"}' \
--- 
-2.40.1
-
diff --git a/projects/kubernetes-sigs/kind/patches/0005-TEMP-lock-containerd-and-runc-version.patch b/projects/kubernetes-sigs/kind/patches/0005-TEMP-lock-containerd-and-runc-version.patch
new file mode 100644
index 0000000000..95e904c440
--- /dev/null
+++ b/projects/kubernetes-sigs/kind/patches/0005-TEMP-lock-containerd-and-runc-version.patch
@@ -0,0 +1,25 @@
+From 83d3e302ef9533aa20c9c33eb3fa3c1e4eff317e Mon Sep 17 00:00:00 2001
+From: Jackson West <jgw@amazon.com>
+Date: Sun, 20 Aug 2023 14:30:06 -0500
+Subject: [PATCH] TEMP: lock containerd and runc version
+
+---
+ images/base/Dockerfile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/images/base/Dockerfile b/images/base/Dockerfile
+index 0ab8ab87..2a86d2e5 100644
+--- a/images/base/Dockerfile
++++ b/images/base/Dockerfile
+@@ -106,6 +106,8 @@ RUN echo "Installing Packages ..." \
+     # leaving for now, but al23 may not be affected by this issue
+     && systemctl mask getty@tty1.service
+     
++RUN echo "force runc and containerd version ... " \
++    && DEBIAN_FRONTEND=noninteractive clean-install runc-1.1.5-1.amzn2023.0.1
+ 
+ RUN echo "Enabling services ... " \
+     && systemctl enable kubelet.service \
+-- 
+2.40.1
+
diff --git a/projects/vmware/govmomi/README.md b/projects/vmware/govmomi/README.md
index 77503228ef..c6a9dbefa8 100644
--- a/projects/vmware/govmomi/README.md
+++ b/projects/vmware/govmomi/README.md
@@ -1,5 +1,5 @@
 ## **GoVMOMI**
-![Version](https://img.shields.io/badge/version-v0.30.4-blue)
+![Version](https://img.shields.io/badge/version-v0.30.5-blue)
 ![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiZ1FxODROWXBIdytIZVBsNUFzODdBcngreGlZdlVwdUliRThoTGNDajBab0YzdDZ3NzVKSnBTVDBTS0lzY25sUG82MzZPMWdteE14VkZrK0F2TlppKzBjPSIsIml2UGFyYW1ldGVyU3BlYyI6IkJHNTRwbGtDV2xYRCtaZ0wiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
 [GoVMOMI](https://github.com/vmware/govmomi) is a Go library for interacting with VMware vSphere APIs (ESXi and/or vCenter). It primarily provides convenience functions for working with the vSphere API. It provides Go bindings to the default implementation of the VMware Managed Object Management Interface (VMOMI)