diff --git a/Dockerfile b/Dockerfile
index 5d8aefc..6a13c51 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,8 +21,8 @@ RUN     adduser -D $BUILDUSER && \
         echo "permit nopass :abuild" > /etc/doas.d/doas.conf && \
         install -d -g abuild -m 775 /var/cache/distfiles && \
         install -d -g abuild -m 775 /packages && \
-        echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subuid && \
-        echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid && \
+        echo -e "$BUILDUSER:1001:64535" > /etc/subuid && \
+        echo -e "$BUILDUSER:1001:64535" > /etc/subgid && \
         echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \
         wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub
 
diff --git a/abuilder b/abuilder
index 48b115d..0f580bc 100755
--- a/abuilder
+++ b/abuilder
@@ -38,7 +38,7 @@ else
     # If checksum is OK, build package
     APKBUILD=$pkg abuild verify && rc=$? || rc=$?
     if [ $rc -eq 0 ]; then
-      CHOST=$TARGET_ARCH APKBUILD=$pkg abuild -r
+      APKBUILD=$pkg abuild -r
 
     else
       APKBUILD=$pkg abuild checksum
diff --git a/kubezero/aws-iam-authenticator/APKBUILD b/kubezero/aws-iam-authenticator/APKBUILD
index 868a25f..5577f6a 100644
--- a/kubezero/aws-iam-authenticator/APKBUILD
+++ b/kubezero/aws-iam-authenticator/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=aws-iam-authenticator
-pkgver=0.6.11
+pkgver=0.6.14
 pkgrel=0
 pkgdesc="AWS aws-iam-authenticator"
 url="https://github.com/kubernetes-sigs/aws-iam-authenticator"
@@ -20,5 +20,5 @@ package() {
 }
 
 sha512sums="
-6d78fbe95d6e36a7a3835b4df257e96fff3ab53fe4abd8ef525c24aebaf8727e2a6016107024bebe031b2e24295172190407ca892d1b3478329c62cdd9fe553f  aws-iam-authenticator-0.6.11.tar.gz
+26a6b394fbe767910f605a356032338a4ec254b81cd470796e3137e3595fef338bd213dee8d956c8d23e16f5508741e78664cd0f8b1acd97321d2fb5b7b723af  aws-iam-authenticator-0.6.14.tar.gz
 "
diff --git a/kubezero/aws-neuron-driver/APKBUILD b/kubezero/aws-neuron-driver/APKBUILD
index c804418..7e356fc 100644
--- a/kubezero/aws-neuron-driver/APKBUILD
+++ b/kubezero/aws-neuron-driver/APKBUILD
@@ -30,6 +30,9 @@ build() {
   # Hack running the build inside a container other uname -r returns host kernel
   KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
 
+  unset CFLAGS CPPFLAGS CXXFLAGS
+  unset LDFLAGS
+
   make KERNEL_SRC_DIR=/lib/modules/$KERNEL_VERSION/build
 }
 
diff --git a/kubezero/cri-o/APKBUILD b/kubezero/cri-o/APKBUILD
index 8160594..f8f62d9 100644
--- a/kubezero/cri-o/APKBUILD
+++ b/kubezero/cri-o/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: TBK <alpine@jjtc.eu>
 # Maintainer: ungleich <foss@ungleich.ch>
 pkgname=cri-o
-pkgver=1.27.1
+pkgver=1.28.4
 pkgrel=0
 pkgdesc="OCI-based implementation of Kubernetes Container Runtime Interface"
 url="https://github.com/cri-o/cri-o/"
@@ -103,13 +103,13 @@ package() {
 }
 
 sha512sums="
-27fb79141dd60c1744df8761a4d43603256f7f06e32d2f9c76be62b95dcf62924c7501d0461efabb013ae397c16030b6a2b037eeaae7a5daec7c28943f71bc7e  cri-o-1.27.1.tar.gz
+8d27211a4baad86d5251faa396a23d78d2962de894124be851172d6e85fbf3c0da57ec08f70840c7d8526dc6daa93999485a8d92a1d2c33b374eff84b1e063ae  cri-o-1.28.4.tar.gz
 1f60719677295c9c5c615eb25d9159bde0af68a132eee67747f57fe76642d457c98c896c6189f85637d7b4ac24ba55fd9eaeb1699f43c3c5077b645f72a479fb  crio.conf
 e9149cc2ddd24328c5290d3aea895c01e2798e066897535384f615a556496acdd52a603a0f4ac3c4c70bd5c363592f23c8b4d1987bf738300112fc62e1def555  crio.initd
 1115228546a696eeebeb6d4b3e5c3152af0c99a2559097fc5829d8b416d979c457b4b1789e0120054babf57f585d3f63cbe49949d40417ae7aab613184bf4516  crio.logrotated
 0a567dfa431ab1e53f2a351689be8d588a60cc5fcdbda403ec4f8b6ab9b1c18ad425f6c47f9a5ab1491e3a61a269dc4efa6a59e91e7521fa2b6bb165074aa8e0  cni-plugins-path.patch
 f9577aa7b1c90c6809010e9e406e65092251b6e82f6a0adbc3633290aa35f2a21895e1a8b6ba4b6375dcad3e02629b49a34ab16387e1c36eeb32c8f4dac74706  makefile-fix-install.patch
-1c1bfa5feeb0c5ddc92271a5ef80edc38d56afa1574ffc124605d5bb227a407b55dd5268df6cebc6720768ac31245e08b7950e5ab2b7f14ba934c94f1e325f86  fix-test.patch
-78c150f87027de489289596371dce0465159ced0758776b445deb58990e099de9c654406183c9da3cc909878b24d28db62121b7056cd180a6f2820e79e165cc6  remove-systemd-files.patch
+b0fdaf2280968a69e05ef72288bbf6fc03787616c6b6fca1e4398f9849167f4773e5e6e72bf1738d1fff2a84e97aa00f23aabcd50898ba8ed130969f50363006  fix-test.patch
+ae7e4a43f18076f19f3ae37d7302bfdf7a3befadf33e46bc9b1b14d50b605e8ba0d06d479568c24e8bf68f17c80ae48798068b2a46c3bcab565a5d225779f30e  remove-systemd-files.patch
 79e1a7c6183ba56f55d923e9d738be945564494042bc011d31e9195f66c268d702ee5c86711d4b46618285fc1b10b59ea55c321390feca770cfc7de334e103bd  crictl.yaml
 "
diff --git a/kubezero/cri-o/fix-test.patch b/kubezero/cri-o/fix-test.patch
index 271773e..bf4f8ef 100644
--- a/kubezero/cri-o/fix-test.patch
+++ b/kubezero/cri-o/fix-test.patch
@@ -21,7 +21,7 @@ index 8beb6f06..80193413 100644
 +		skip "need systemd cgroup manager"
 +	fi
 +
- 	CONTAINER_CGROUP_MANAGER="systemd" CONTAINER_DROP_INFRA_CTR=false CONTAINER_MANAGE_NS_LIFECYCLE=false CONTAINER_CONMON_CGROUP="customcrioconmon.slice" start_crio
+ 	CONTAINER_CGROUP_MANAGER="systemd" CONTAINER_DROP_INFRA_CTR=false CONTAINER_CONMON_CGROUP="customcrioconmon.slice" start_crio
  
  	jq '	 .linux.cgroup_parent = "Burstablecriotest123.slice"' \
 @@ -77,6 +85,10 @@ EOF
@@ -48,20 +48,20 @@ index 04492172..abae521e 100755
  
  if [[ "${DEBUG_ARGS}" == "malformed-result" ]]; then
      cat <<-EOF
-diff --git a/test/helpers.bash b/test/helpers.bash
+diff --git a/test/common.sh b/test/common.sh
 index f7f8e1f2..45b7dd58 100644
---- a/test/helpers.bash
-+++ b/test/helpers.bash
-@@ -38,7 +38,7 @@ CONTAINER_UID_MAPPINGS=${CONTAINER_UID_MAPPINGS:-}
- CONTAINER_GID_MAPPINGS=${CONTAINER_GID_MAPPINGS:-}
- OVERRIDE_OPTIONS=${OVERRIDE_OPTIONS:-}
- # CNI path
--CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/opt/cni/bin}
-+CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/usr/libexec/cni}
+--- a/test/common.sh
++++ b/test/common.sh
+@@ -41,7 +41,7 @@ # CNI path
+ if command -v host-local >/dev/null; then
+     CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-$(dirname "$(readlink "$(command -v host-local)")")}
+ else
+-    CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/opt/cni/bin}
++    CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/usr/libexec/cni}
+ fi
  # Runtime
  CONTAINER_DEFAULT_RUNTIME=${CONTAINER_DEFAULT_RUNTIME:-runc}
- RUNTIME_BINARY_PATH=$(command -v "$CONTAINER_DEFAULT_RUNTIME")
-@@ -70,7 +70,7 @@ CHECKCRIU_BINARY=${CHECKCRIU_BINARY:-${CRIO_ROOT}/test/checkcriu/checkcriu}
+@@ -74,7 +74,7 @@ CHECKCRIU_BINARY=${CHECKCRIU_BINARY:-${CRIO_ROOT}/test/checkcriu/checkcriu}
  # The default log directory where all logs will go unless directly specified by the kubelet
  DEFAULT_LOG_PATH=${DEFAULT_LOG_PATH:-/var/log/crio/pods}
  # Cgroup manager to be used
diff --git a/kubezero/cri-o/remove-systemd-files.patch b/kubezero/cri-o/remove-systemd-files.patch
index 9f8e545..bf1a0ab 100644
--- a/kubezero/cri-o/remove-systemd-files.patch
+++ b/kubezero/cri-o/remove-systemd-files.patch
@@ -6,8 +6,8 @@ index 19f8052..135385c 100644
  	sed -i '/# INCLUDE/q' scripts/get
  	cat contrib/bundle/install-paths contrib/bundle/install >> scripts/get
  
--install: .gopathok install.bin install.man install.completions install.systemd install.config
-+install: .gopathok install.bin install.man install.completions install.config
+-install: install.bin install.man install.completions install.systemd install.config
++install: install.bin install.man install.completions install.config
  
  install.bin-nobuild:
  	install ${SELINUXOPT} -D -m 755 bin/crio $(BINDIR)/crio
diff --git a/kubezero/cri-tools/APKBUILD b/kubezero/cri-tools/APKBUILD
index 7b219fb..aa24db7 100644
--- a/kubezero/cri-tools/APKBUILD
+++ b/kubezero/cri-tools/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Francesco Colista <fcolista@alpinelinux.org>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=cri-tools
-pkgver=1.27.1
+pkgver=1.28.0
 pkgrel=0
 pkgdesc="CLI tool for Kubelet Container Runtime Interface (CRI)"
 url="https://github.com/kubernetes-sigs/cri-tools"
@@ -27,5 +27,5 @@ package() {
 }
 
 sha512sums="
-7e4349fa9a0a16d27fbde363a26978fe6e65a326d29b344f13cd2b43009f12f8cdf14fd9557ac29beb913d4258160e0fa4108d40378dd1216ff631922e40392e  cri-tools-1.27.1.tar.gz
+222d3785dc7e8485538b4745766494be02d359347eb1337c9dd04839e19269d768922ff04f07d1fb72291c3554ecf91b382307253a288c9376079135a625cc0c  cri-tools-1.28.0.tar.gz
 "
diff --git a/kubezero/docker-registry/APKBUILD b/kubezero/docker-registry/APKBUILD
index 18f7af4..6efde57 100644
--- a/kubezero/docker-registry/APKBUILD
+++ b/kubezero/docker-registry/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Christian Kampka <christian@kampka.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=docker-registry
-pkgver=2.8.2_git20230519
+pkgver=2.8.3
 pkgrel=0
 pkgdesc="An implementation of the Docker Registry HTTP API V2 for use with docker 1.6+"
 url="https://github.com/distribution/distribution"
@@ -57,7 +57,7 @@ package() {
 }
 
 sha512sums="
-8ceb8b994085bc6522e8a203785bd670977117988d391023148a4153e3c150ad7c17fb98de863c4c2300714022444dc5141a75a2899b8b0f04cbbdc17794b5c7  docker-registry-2.8.2_git20230519.tar.gz
+8ceb8b994085bc6522e8a203785bd670977117988d391023148a4153e3c150ad7c17fb98de863c4c2300714022444dc5141a75a2899b8b0f04cbbdc17794b5c7  docker-registry-2.8.3.tar.gz
 96100a4de311afa19d293a3b8a63105e1fcdf49258aa8b1752befd389e6b4a2b1f70711341ea011b450d4468bd37dbd07a393ffab3b9aa1b2213cf0fdd915904  docker-registry.initd
 5a38f4d3f0ee5cd00c0a5ced744eb5b29b839da5921adea26c5de3eb88b6b2626a7ba29b1ab931e5f8fbfafbed8c94cb972a58737ec0c0a69cf515c32139e387  config-example.patch
 "
diff --git a/kubezero/ecr-credential-provider/APKBUILD b/kubezero/ecr-credential-provider/APKBUILD
index 9aaa0cc..e41121b 100644
--- a/kubezero/ecr-credential-provider/APKBUILD
+++ b/kubezero/ecr-credential-provider/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=ecr-credential-provider
-pkgver=1.27.1
+pkgver=1.28.1
 pkgrel=0
 pkgdesc="AWS Kubernetes ecr-credential-provider"
 url="https://github.com/kubernetes/cloud-provider-aws"
@@ -24,5 +24,5 @@ package() {
 }
 
 sha512sums="
-d7a28f4fb3cb2a1e7ee8d94405e3268608562af0ac509b51c32fcca19353eb68c87b023bd7dae1e84a76d9e856e4951cbc8a2260bab358d1eb492e47caedd29d  ecr-credential-provider-1.27.1.tar.gz
+b9adc389be9301dc4be36c6bf546f354b9f2895cbad13d28d074dbab77f9aecec8d5fd02590d21c2a4acc91b559371adfe9702898c7880d92aea6657b315a539  ecr-credential-provider-1.28.1.tar.gz
 "
diff --git a/kubezero/etcdhelper/APKBUILD b/kubezero/etcdhelper/APKBUILD
index f0bdf46..586a789 100644
--- a/kubezero/etcdhelper/APKBUILD
+++ b/kubezero/etcdhelper/APKBUILD
@@ -22,5 +22,5 @@ package() {
 }
 
 sha512sums="
-97abd4e5a0078112a048037512b041bcefb9e660131403e9c87bf5fc8b632eb17ab66d20a477a2ef4808f54ae29941d74bd61390143e5781058d7bbd4333dd78  etcdhelper-0.1.0.tar.gz
+d1f3d239899a2392d11c45ea49b3bfc18255c00933e677f02eab1f0f59a940722fb40de1842a8a4253aabf066508be028443adb8920e82673342ba50130556ca  etcdhelper-0.1.0.tar.gz
 "
diff --git a/kubezero/falcoctl/APKBUILD b/kubezero/falcoctl/APKBUILD
index 84b1619..3b2c4f5 100644
--- a/kubezero/falcoctl/APKBUILD
+++ b/kubezero/falcoctl/APKBUILD
@@ -1,14 +1,13 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=falcoctl
-pkgver=0.6.2
+pkgver=0.7.3
 pkgrel=0
 pkgdesc="The official CLI tool for working with Falco and its ecosystem components."
 url="https://github.com/falcosecurity/falcoctl"
 arch="x86_64 aarch64"
 license="AGPL-3.0"
-# requires go > 1.20, we only have 1.20 in 3.18 so hack
-makedepends="bash"
+makedepends="bash go"
 options="!check"
 
 
@@ -22,8 +21,6 @@ export GOMODCACHE="${GOMODCACHE:-"$srcdir/go"}"
 export GOBIN="$GOPATH/bin"
 
 build() {
-  # Hack until go 1.21 is stable
-  doas apk add go@edge-community
   make GOFLAGS="-buildmode=pie -v" GOLDFLAGS="-extldflags=-static -w -s" falcoctl
 
   # cleanup 444 files
@@ -36,5 +33,5 @@ package() {
 }
 
 sha512sums="
-e09f1e5e08e0f47d0c90ea2c93cf911ecef8179d821ed286cc7f8af78bd0db200f847d1c963c323f24eca9a854e161af36a444962330b55e696cb8e410fb5761  falcoctl-0.6.2.tar.gz
+61e539322c91125569c432ea1fc98c84b928795089829a062e6b5c74c7d1223cd71e557b7a8972ba7c6d1b534d1b87da254ee01e12c14038ced5a8f85a22a623  falcoctl-0.7.3.tar.gz
 "
diff --git a/kubezero/glibc/APKBUILD b/kubezero/glibc/APKBUILD
index 334b1a6..0584af5 100644
--- a/kubezero/glibc/APKBUILD
+++ b/kubezero/glibc/APKBUILD
@@ -15,7 +15,7 @@ triggers="$pkgname-bin.trigger=/lib:/usr/lib:/usr/glibc-compat/lib:/lib64"
 options="!check lib64"
 
 package() {
-  conflicts="libc6-compat"
+  conflicts="gcompat"
   mkdir -p "$pkgdir/lib" "$pkgdir/lib64" "$pkgdir/usr/glibc-compat/lib/locale" "$pkgdir"/usr/glibc-compat/lib64 "$pkgdir"/etc
   cp -a "$srcdir"/usr "$pkgdir"
   cp "$srcdir"/ld.so.conf "$pkgdir"/usr/glibc-compat/etc/ld.so.conf
diff --git a/kubezero/kubernetes/APKBUILD b/kubezero/kubernetes/APKBUILD
index 030d74d..a79a530 100644
--- a/kubezero/kubernetes/APKBUILD
+++ b/kubezero/kubernetes/APKBUILD
@@ -5,7 +5,7 @@
 # Contributor: Dave <dj.2dixx@gmail.com>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=kubernetes
-pkgver=1.27.8
+pkgver=1.28.8
 pkgrel=0
 pkgdesc="Container Cluster Manager"
 url="https://kubernetes.io/"
@@ -205,7 +205,7 @@ _do_zshcomp() {
 }
 
 sha512sums="
-ddc14d21ba470d24d115de67cdb801c742f04124101ff0e2741170971fdf6bcf0a75ef82807d63394dd8b06dc186a86cccf93a7aab4f9e49b922b981ce5ed8aa  kubernetes-1.27.8.tar.gz
+2bbc48394784b34712c6b419cd07971780410223e7015c5fe6ed2c25c4e9499e81c9ea1f4269d399fd7e908971f5b8e873595d2b67332f7b49f61a5411a2aed1  kubernetes-1.28.8.tar.gz
 5427c2e653504cfd5b0bcaf195d4734ee40947ddfebc9f155cd96dddccfc27692c29d94af4ac99f1018925b52995c593b584c5d7a82df2f185ebce1a9e463c40  make-e2e_node-run-over-distro-bins.patch
 94d07edfe7ca52b12e85dd9e29f4c9edcd144abc8d120fb71e2a0507f064afd4bac5dde30da7673a35bdd842b79a4770a03a1f3946bfae361c01dd4dc4903c64  make-test-cmd-run-over-hyperkube-based-kubectl.patch
 e690daff2adb1013c92124f32e71f8ed9a18c611ae6ae5fcb5ce9674768dbf9d911a05d7e4028488cda886e63b82e8ac0606d14389a05844c1b5538a33dd09d1  kube-apiserver.initd
diff --git a/kubezero/kubezero/APKBUILD b/kubezero/kubezero/APKBUILD
index 0b6dd9a..b5a356d 100644
--- a/kubezero/kubezero/APKBUILD
+++ b/kubezero/kubezero/APKBUILD
@@ -1,7 +1,10 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=kubezero
-pkgver=1.27
+pkgver=1.28.8
+_crio=1.28.4
+_ecr=1.28.1
+
 pkgrel=0
 pkgdesc="KubeZero release package"
 url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/kubezero"
@@ -11,11 +14,11 @@ depends="
         podman
         xz
         cri-tools
-        cri-o~$pkgver
+        cri-o~$_crio
         kubelet~$pkgver
         kubectl~$pkgver
-        ecr-credential-provider~$pkgver
-        aws-iam-authenticator~0.6.11
+        ecr-credential-provider~$_ecr
+        aws-iam-authenticator~0.6.14
         "
 options="!check"
 #install="$pkgname.post-install"
@@ -25,7 +28,7 @@ subpackages="
         "
 
 IMAGES="
-       quay.io/cilium/cilium:v1.14.4
+       quay.io/cilium/cilium:v1.15.3
        ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3
        "
 
diff --git a/kubezero/nvidia-container-toolkit/APKBUILD b/kubezero/nvidia-container-toolkit/APKBUILD
index a5c6763..e707423 100644
--- a/kubezero/nvidia-container-toolkit/APKBUILD
+++ b/kubezero/nvidia-container-toolkit/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=nvidia-container-toolkit
-pkgver=1.13.5
+pkgver=1.14.6
 pkgrel=0
 pkgdesc="NVIDIA Container toolkit incl. cri hooks"
 url="https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/overview.html"
@@ -12,14 +12,12 @@ depends="glibc-bin nvidia-drivers"
 options="!check !tracedeps"
 
 _nv_ver="$pkgver"-1
-_libcap=2.25-2
-_libseccomp=2.3.3-4
+_libcap=2.44-1
 
-source="https://nvidia.github.io/libnvidia-container/stable/debian10/amd64/libnvidia-container1_"$_nv_ver"_amd64.deb
-        https://nvidia.github.io/libnvidia-container/stable/debian10/amd64/libnvidia-container-tools_"$_nv_ver"_amd64.deb
-        https://nvidia.github.io/libnvidia-container/stable/debian10/amd64/nvidia-container-toolkit_"$_nv_ver"_amd64.deb
+source="https://nvidia.github.io/libnvidia-container/stable/deb/amd64/libnvidia-container1_"$_nv_ver"_amd64.deb
+        https://nvidia.github.io/libnvidia-container/stable/deb/amd64/libnvidia-container-tools_"$_nv_ver"_amd64.deb
+        https://nvidia.github.io/libnvidia-container/stable/deb/amd64/nvidia-container-toolkit_"$_nv_ver"_amd64.deb
 	http://deb.debian.org/debian/pool/main/libc/libcap2/libcap2_"$_libcap"_amd64.deb
-	http://deb.debian.org/debian/pool/main/libs/libseccomp/libseccomp2_"$_libseccomp"_amd64.deb
 	config.toml
 	oci-nvidia-hook.json
 	"
@@ -52,11 +50,6 @@ package() {
   mv lib/x86_64-linux-gnu/libcap.so.* "$pkgdir"/usr/glibc-compat/lib
   rm -rf control.tar.xz data.tar.xz debian-binary usr
 
-  # libseccomp
-  ar -x "$srcdir"/libseccomp2_"$_libseccomp"_amd64.deb && tar xfJ data.tar.xz
-  mv usr/lib/x86_64-linux-gnu/libseccomp.so.* "$pkgdir"/usr/glibc-compat/lib
-  rm -rf control.tar.xz data.tar.xz debian-binary usr
-
   # Now lets patch the elf binaries to fix library paths and order
   doas apk add patchelf@edge-community
   patchelf --remove-rpath "$pkgdir"/usr/bin/nvidia-container-cli
@@ -68,11 +61,10 @@ package() {
 }
 
 sha512sums="
-903155c63c7af83dbd431ba3e5bc0d8ca74cce38996bf944b80520b5838f9765bbc0cbe201122d8ccc21cbd01dd4c4e47d2b451bdab7fadc99a8d75b941fda67  libnvidia-container1_1.13.5-1_amd64.deb
-2d4cbbdd80db2730b1ed9db8d4b36c5212ce5361350dcdfbc5795dac887136cecd40c13843e61350bad12b103cd1550030c76de35a2cbbca2a6df3850b6b68ca  libnvidia-container-tools_1.13.5-1_amd64.deb
-8614c2b436dab3886df6a2328b3753c27704dd3a78f0abe5c333c57fb4ee8deebb6fc03051931b3794bf152d947b721c160acf6614e5145b39bb7162d1ef45d8  nvidia-container-toolkit_1.13.5-1_amd64.deb
-694a3ec64ef3056d5874ff03b889b868c294bccb16506468fdf1c289fe3aaadc2da25a5934de653af9633a5d993d2bb21491d84b3b2e2529e6b31d92c78a2228  libcap2_2.25-2_amd64.deb
-5a4eaa96e6e774948889909d618a8ed44a82f649cbba11622dc7b4478098bea006995d5a5a60ca026a57b76ad866d1e2c6caebd154a26eb6bd7e15291b558057  libseccomp2_2.3.3-4_amd64.deb
+ac73361c10498cdb15e6facbc78867c576fe7a79e6e41e85eed57a24f49d35ec4d21663777549e30b62601e463a0a62e28a219daae13cf20fa9ac7b64bbc9daa  libnvidia-container1_1.14.6-1_amd64.deb
+08697b2133f198b056b6b5aade64574ee1e40ddbeaa5d73aa7b42642c6ac67a99ad8cc4a24465ef226a5596ddfed30fcf790ffe57d351c433869486269ba3ea3  libnvidia-container-tools_1.14.6-1_amd64.deb
+bc8aaae2f6c7f93d307a3c11fe77db2b0a4dbc59b4c4ab46d4d655ee522edc6d0b2882b08034aaf5b007d889d661e368d28a379c53605c7da788660b4eba86f4  nvidia-container-toolkit_1.14.6-1_amd64.deb
+cc9109cdcf51dc40db732e10ac3eda7e4ac73299ad51d2ec619d7f4cff3f0311be0937530d2175e5486c393bc9e91c709072094fad510573785739afaad831f1  libcap2_2.44-1_amd64.deb
 040ac2e3f58549dc09e5bce0d694e4be2f6aae736014bf0ee90042646562d5f1ef1f5990eb9f2c2a2fdf504587b82f4aa0eb99d04c5d3e407670e4012e3edd4e  config.toml
 0f150ea59b2372bf3ef60e657142b19f46500d1c70cb179d37ce117d6b03e86427dbf356873affb7639e082a07f852a922ae3aea4a8f8885640e43675c4e4add  oci-nvidia-hook.json
 "
diff --git a/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2 b/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2
new file mode 120000
index 0000000..019a2e2
--- /dev/null
+++ b/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2
@@ -0,0 +1 @@
+libpsx.so.2.66
\ No newline at end of file
diff --git a/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2.66 b/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2.66
new file mode 100644
index 0000000..89d3e12
Binary files /dev/null and b/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2.66 differ
diff --git a/kubezero/nvidia-drivers/APKBUILD b/kubezero/nvidia-drivers/APKBUILD
index 0217f1f..41fdeca 100644
--- a/kubezero/nvidia-drivers/APKBUILD
+++ b/kubezero/nvidia-drivers/APKBUILD
@@ -1,8 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=nvidia-drivers
-#pkgver=535.54.03
-pkgver=525.125.06
+pkgver=550.54.14
 pkgrel=0
 pkgdesc="NVIDIA Driver"
 url="https://www.nvidia.com/download/index.aspx"
@@ -56,5 +55,5 @@ package() {
 }
 
 sha512sums="
-a5f13b633d111d9dc928e8522cd916a2b756fccbf2dc532649762a3f9bdc5503bd57c9c698da8205c49e82720b45789413a1afc26be77d741f823b49ae2f333d  NVIDIA-Linux-x86_64-525.125.06.run
+65fe0a3498e1b46368cfc7995fea720e4ba6373b0a74f4fc6280fbf75b2697948adf5b52b7d068b8df5ddbd347df7c0361db7e1a1fdc0d9fcfc6f478888936be  NVIDIA-Linux-x86_64-550.54.14.run
 "
diff --git a/kubezero/nvidia-open-gpu/APKBUILD b/kubezero/nvidia-open-gpu/APKBUILD
index 0912888..b5966a8 100644
--- a/kubezero/nvidia-open-gpu/APKBUILD
+++ b/kubezero/nvidia-open-gpu/APKBUILD
@@ -26,7 +26,10 @@ build() {
   # Hack running the build inside a container other uname -r returns host kernel
   KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
 
-  make KERNEL_UNAME=$KERNEL_VERSION || bash
+  unset CFLAGS CPPFLAGS CXXFLAGS
+  unset LDFLAGS
+
+  make KERNEL_UNAME=$KERNEL_VERSION
 }
 
 package() {
diff --git a/kubezero/zdt-base/APKBUILD b/kubezero/zdt-base/APKBUILD
index 31bf074..d61b9e8 100644
--- a/kubezero/zdt-base/APKBUILD
+++ b/kubezero/zdt-base/APKBUILD
@@ -24,6 +24,8 @@ source="
         syslog-ng.conf
         syslog-ng.logrotate.conf
         syslog-ng.apparmor
+        cloudbender.stop
+        cloudbender.start
         dhcpcd-mtu.hook
         monitrc
         monit_alert.sh.aws
@@ -58,9 +60,14 @@ package() {
   # early init script to eg. mount var, cannot use any network !
   install -Dm755 "$srcdir/cloudbender-early.init" "$pkgdir/etc/init.d/cloudbender-early"
 
-  # various tasks during boot
+  # various tasks during first boot
   install -Dm755 "$srcdir/cloudbender.init" "$pkgdir/etc/init.d/cloudbender"
 
+  # local boot & shutdown
+  install -Dm755 "$srcdir/cloudbender.start" "$pkgdir/etc/local.d/cloudbender.start"
+  install -Dm755 "$srcdir/cloudbender.stop" "$pkgdir/etc/local.d/cloudbender.stop"
+
+
   # syslog-ng configs, json all into messages
   install -Dm644 "$srcdir"/syslog-ng.conf "$pkgdir"/lib/zdt/syslog-ng.conf
   install -Dm644 "$srcdir"/syslog-ng.logrotate.conf "$pkgdir"/lib/zdt/syslog-ng.logrotate.conf
@@ -104,7 +111,7 @@ nocloud() {
 }
 
 sha512sums="
-c73970604c225199596f932fee3093d0cc9364f90b12f5490eac17643d12e65b4f662aae994ad9e3ebdbd4ee691e41a068fc988513377d6def0697fcd76285e2  common.sh
+c1808572d074e1a91e0efc3c31462f6035159338843e51fbccca5102b2923506ce60ba9e1ef00b2fbb134da7a33f55af364e1bff15c272eb7f4ebc6035f33887  common.sh
 cf8b75a81bb35e853761d21b15b5b109f15350c54daaf66d2912541a20f758c3ca237d58932e5608d2d3867fe15a07ebd694fd1c313a8290d15afc2b27a575dd  boot.sh
 eb7d5b6f92f500dbaba04a915cdd8d66e90456ca86bed86b3a9243f0c25577a9aa42c2ba28c3cad9dda6e6f2d14363411d78eff35656c7c60a6a8646f43dcba5  cloudbender-early.init
 cac71c605324ad8e60b72f54b8c39ee0924205fcd1f072af9df92b0e8216bcde887ffec677eb2f0eacce3df430f31d5b5609e997d85f14389ee099fbde3c478f  cloudbender.init
@@ -115,6 +122,8 @@ cac71c605324ad8e60b72f54b8c39ee0924205fcd1f072af9df92b0e8216bcde887ffec677eb2f0e
 b86dec8c059642309b2f583191457b7fac7264b75dc5f4a06ad641de6b76589c0571b8b72b51519516ba7e68a128fe2da29b4a2a6dc77c252204675c51b2d128  syslog-ng.conf
 484bdcf001b71ce5feed26935db437c613c059790b99f3f5a3e788b129f3e22ba096843585309993446a88c0ab5d60fd0fa530ef3cfb6de1fd34ffc828172329  syslog-ng.logrotate.conf
 e86eed7dd2f4507b04050b869927b471e8de26bc7d97e7064850478323380a0580a92de302509901ea531d6e3fa79afcbf24997ef13cd0496bb3ee719ad674ee  syslog-ng.apparmor
+cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e  cloudbender.stop
+b93cec571afe5128ab4d7c3998b3dc48753897f37169a111f606a48d1982e6ffce52a4ac9568a6a062f621148fb652049b84926a40a62d89be3786e6836261e6  cloudbender.start
 f8c052c7ec12c71937c7b8bc05d8374c588f345e303b30eda9c8612dff8f8f34a87a433648a3e9b85b278196ece198533b29680a303ff6478171d43f8e095189  dhcpcd-mtu.hook
 e00a8f296c76446fe1241bf804c0108f47a2676f377a413ee9fede0943362a6582cad30fe13edd93f3d0daab0e2d7696553fb9458dca62adc05572dce339021a  monitrc
 c955dabe692c0a4a2fa2b09ab9096f6b14e83064b34ae8d22697096daf6551f00b590d837787d66ea1d0030a7cc30bef583cc4c936c980465663e73aec5fa2dc  monit_alert.sh.aws
diff --git a/kubezero/zdt-base/cloudbender.start b/kubezero/zdt-base/cloudbender.start
new file mode 100644
index 0000000..3839fff
--- /dev/null
+++ b/kubezero/zdt-base/cloudbender.start
@@ -0,0 +1,10 @@
+# mounts are shared to run containers later, eg. cilium, falco
+# should be handled in openrc, see: https://github.com/OpenRC/openrc/pull/526/files
+mount --make-rshared /
+
+# Enable THP incl. defrag but very conservatively
+# see: https://go.dev/doc/gc-guide#Linux_transparent_huge_pages
+echo "madvise" > /sys/kernel/mm/transparent_hugepage/enabled
+echo "defer+madvise" > /sys/kernel/mm/transparent_hugepage/defrag
+echo "0" > /sys/kernel/mm/transparent_hugepage/khugepaged/max_ptes_none
+
diff --git a/kubezero/zdt-base/cloudbender.stop b/kubezero/zdt-base/cloudbender.stop
new file mode 100644
index 0000000..e69de29
diff --git a/kubezero/zdt-base/common.sh b/kubezero/zdt-base/common.sh
index fd82303..64ba744 100644
--- a/kubezero/zdt-base/common.sh
+++ b/kubezero/zdt-base/common.sh
@@ -23,11 +23,6 @@ setup_instance() {
   add_once /etc/fstab "bpffs       /sys/fs/bpf    bpf      rw,nosuid,nodev,noexec,relatime,mode=700 0 0"
   mount -a
 
-  # Ensure certain mounts are shared to run containers later, eg. cilium, falco
-  mount --make-shared /sys/fs/cgroup
-  mount --make-shared /sys/fs/bpf
-  mount --make-shared /sys
-
   add_once /etc/hosts "${IP_ADDRESS} ${_META_HOSTNAME} ${HOSTNAME}"
 
   # workaround for dhcpcd / openresolv to omit search domain if equal to domain breaking DNS resolution of shortnames for eg. etcd and kube-apiserver
@@ -444,11 +439,8 @@ register_service_dns() {
     route53.py --fqdn "${SERVICENAME}.${DNSZONE}" --record $_IP
 
     # Register shutdown hook to remove DNS entry on terminate
-    cat <<EOF >> /etc/local.d/route53.stop
-echo "Deleting Route53 record for ${SERVICENAME}.${DNSZONE}" >> /tmp/shutdown.log
-route53.py --delete --fqdn "${SERVICENAME}.${DNSZONE}" --record ${PUBLIC_IP_ADDRESS:-$IP_ADDRESS}
-EOF
-    chmod +x /etc/local.d/route53.stop
+    add_once /etc/local.d/cloudbender.stop "echo \"Deleting Route53 record for ${SERVICENAME}.${DNSZONE}\" >> /tmp/shutdown.log"
+    add_once /etc/local.d/cloudbender.stop "route53.py --delete --fqdn \"${SERVICENAME}.${DNSZONE}\" --record ${PUBLIC_IP_ADDRESS:-$IP_ADDRESS}"
 
     # Short cut our public IP to private one to allow talking to our own service name
     add_once /etc/hosts "${IP_ADDRESS} ${SERVICENAME}.${DNSZONE}"