diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml index 3fb724f..a8ae962 100644 --- a/.github/workflows/artifacts.yaml +++ b/.github/workflows/artifacts.yaml @@ -36,6 +36,11 @@ jobs: name: Controller image runs-on: ubuntu-latest + strategy: + fail-fast: true + matrix: + target: [ "distroless", "ubi8" ] + permissions: contents: read packages: write @@ -80,10 +85,12 @@ jobs: flavor: | latest = false tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{raw}} - type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch }} + type=ref,event=branch,suffix=-${{ matrix.target }} + type=ref,event=pr,suffix=-${{ matrix.target }} + type=semver,pattern={{raw}},suffix=-${{ matrix.target }} + type=semver,pattern={{raw}},enable=${{ matrix.target == 'distroless' }} + type=raw,value=latest,suffix=-${{ matrix.target }},enable=${{ github.ref_name == github.event.repository.default_branch }} + type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.target == 'distroless' }} # Multiple exporters are not supported yet # See https://github.com/moby/buildkit/pull/2760 @@ -95,6 +102,15 @@ jobs: if_true: type=image,push=true if_false: type=oci,dest=image.tar + # UBI8 does not support ARMv7 + - name: Determine platforms + uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 + id: platforms + with: + cond: ${{ matrix.target == 'ubi8' }} + if_true: linux/amd64,linux/arm64 + if_false: linux/amd64,linux/arm64,linux/arm/v7 + - name: Login to GitHub Container Registry uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: 
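Review bot: The new `strategy` block turns one publish job into two parallel ones, and `fail-fast: true` does not make that publication atomic: when one target fails, the sibling job is cancelled, but any image it has already pushed stays in the registry, so a release can end with only the `-distroless` tags (or only the `-ubi8` ones) present. If a half-published flavor set is not acceptable, the push should be gated on both targets building (build to the OCI artifact first and push in a follow-up step that needs both), or the limitation documented above the block, e.g. `# fail-fast cancels the sibling target but does not roll back tags it already pushed`. The job definition continues outside the hunk.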
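Review bot: The two unsuffixed entries, `type=semver,pattern={{raw}},enable=${{ matrix.target == 'distroless' }}` and the `latest` line gated on `matrix.target == 'distroless'`, make distroless the implicit default flavor, but nothing in the file says so, and the flavor name is now hard-coded in two separate `enable=` expressions that must change together. A comment above the `tags:` block, such as `# Unsuffixed tags (vX.Y.Z, latest) resolve to the distroless flavor; every flavor also gets a -<target> suffixed tag`, would make the intent clear to whoever adds a third target or changes the default. The metadata step starts outside the hunk.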
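Review bot: The new `Determine platforms` step adds a third-party action (`haya14busa/action-cond`, pinned by commit SHA, which is the right way to reference it) to the release pipeline only to pick between two constant strings; the same result is available without an external dependency as a native expression, `platforms: ${{ matrix.target == 'ubi8' && 'linux/amd64,linux/arm64' || 'linux/amd64,linux/arm64,linux/arm/v7' }}`, or by declaring the platform list per target in the matrix with `include:`. Either form removes one external action from the supply chain of the job that publishes images and keeps the platform choice next to the target it belongs to. The same step is duplicated in the refresher job (hunk `@@ -246,6 +263,15 @@`), so the same applies there. The `# UBI8 does not support ARMv7` comment should travel with wherever the choice ends up.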
@@ -108,7 +124,8 @@ jobs: uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 with: context: . - platforms: linux/amd64,linux/arm64,linux/arm/v7 + target: ${{ matrix.target }} + platforms: ${{ steps.platforms.outputs.value }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha @@ -246,6 +263,15 @@ jobs: if_true: type=image,push=true if_false: type=oci,dest=image.tar + # UBI8 does not support ARMv7 + - name: Determine platforms + uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 + id: platforms + with: + cond: ${{ matrix.target == 'ubi8' }} + if_true: linux/amd64,linux/arm64 + if_false: linux/amd64,linux/arm64,linux/arm/v7 + - name: Login to GitHub Container Registry uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: @@ -261,7 +287,7 @@ jobs: context: . file: Dockerfile-refresher target: ${{ matrix.target }} - platforms: linux/amd64,linux/arm64 + platforms: ${{ steps.platforms.outputs.value }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha diff --git a/Dockerfile b/Dockerfile index bfb888c..27ef75b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,3 @@ -ARG FROM_IMAGE=scratch - -ARG GID=1000 -ARG UID=1000 - FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.2.1@sha256:8879a398dedf0aadaacfbd332b29ff2f84bc39ae6d4e9c0a1109db27ac5ba012 AS xx FROM --platform=$BUILDPLATFORM golang:1.20.3-alpine3.16@sha256:29c4e6e307eac79e5db29a261b243f27ffe0563fa1767e8d9a6407657c9a5f08 AS builder 
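Review bot: `target: ${{ matrix.target }}` couples the matrix values to the final stage names in Dockerfile (`ubi8`, `distroless`), and `platforms: ${{ steps.platforms.outputs.value }}` couples this step to the `id: platforms` step added earlier; a mismatch in either is only detected when the build runs. A comment on the target line, `# matrix.target must match a final stage name in Dockerfile`, would document the coupling for the next person who renames a stage or adds a flavor. The build step's definition starts outside the hunk.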
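Review bot: Replacing the fixed `linux/amd64,linux/arm64` with `${{ steps.platforms.outputs.value }}` adds `linux/arm/v7` to the refresher build for the distroless target, a platform the refresher image was never built for before this change; Dockerfile-refresher is not part of this diff, so whether its build stage cross-compiles for armv7 cannot be checked here. If widening the refresher's platform set is not intended, keep the previous constant for this job (the conditional only matters for the controller image); if it is intended, the commit description should state it as a deliberate change. The build step starts outside the hunk.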
@@ -33,26 +28,27 @@ RUN go build -o /usr/local/bin/manager ./cmd/controller/ RUN xx-verify /usr/local/bin/manager -FROM alpine:3.17.3@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 AS user +FROM redhat/ubi8-micro:8.7@sha256:6a56010de933f172b195a1a575855d37b70a4968be8edb35157f6ca193969ad2 AS ubi8 -ARG GID -ARG UID +COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /usr/local/src/imps/LICENSE.md /usr/local/src/imps/LICENSE.md -RUN addgroup -g ${GID} -S appgroup && adduser -u ${UID} -S appuser -G appgroup +COPY --from=builder /usr/local/bin/manager /usr/local/bin/manager + +USER nobody:nobody +ENTRYPOINT ["manager"] -FROM ${FROM_IMAGE} -ARG GID -ARG UID +FROM gcr.io/distroless/base-debian11:latest@sha256:e711a716d8b7fe9c4f7bbf1477e8e6b451619fcae0bc94fdf6109d490bf6cea0 AS distroless COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /usr/local/src/imps/LICENSE.md /usr/local/src/imps/LICENSE.md COPY --from=builder /usr/local/bin/manager /usr/local/bin/manager -COPY --from=user /etc/passwd /etc/passwd -COPY --from=user /etc/group /etc/group -USER ${UID}:${GID} +USER nobody:nobody ENTRYPOINT ["manager"]
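Review bot: Both new final stages set `USER nobody:nobody` by name, which a Kubernetes pod with `runAsNonRoot: true` and no explicit `runAsUser` cannot verify — the kubelet refuses to start images whose USER is non-numeric with a "cannot verify user is non-root" error. Prefer the numeric form, `USER 65534:65534`, which appears to be `nobody` on both redhat/ubi8-micro and distroless/base-debian11 (confirm against each base's /etc/passwd), or keep the name and add a comment stating that deployments must set `runAsUser` explicitly. The previous image ran as a dedicated uid 1000 account configurable via build args, so any volume or file ownership that assumed uid 1000 should be checked as part of this change. The `:latest` tag on the distroless base is pinned by digest and therefore informational only; a short comment such as `# tag is informational, the digest pins the image` would stop a reader from assuming it floats.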