diff --git a/.github/actions/build-dep-image-with-apko/action.yml b/.github/actions/build-dep-image-with-apko/action.yml
new file mode 100644
index 000000000..7f234ca74
--- /dev/null
+++ b/.github/actions/build-dep-image-with-apko/action.yml
@@ -0,0 +1,51 @@
+name: 'Build and push a dep image with apko'
+description: 'Composite action for building and pushing a dep image with apko'
+inputs:
+ apko-config:
+ description: 'Path to apko config'
+ required: true
+
+ image-name:
+ description: 'Full destination image name'
+ required: true
+
+ registry-username:
+ description: 'Username to login to registry'
+ default: ''
+ required: false
+
+ registry-password:
+ description: 'Password to login to registry'
+ default: ''
+ required: false
+
+ overwrite:
+ description: 'Overwrite the existing image tag'
+ default: 'false'
+ required: false
+
+runs:
+ using: "composite"
+ steps:
+ - id: check-image-exists
+ if: ${{ inputs.overwrite != 'true' }}
+ shell: bash
+ run: |
+ set -euo pipefail
+ if docker manifest inspect ${{ inputs.image-name }} > /dev/null 2>&1; then
+ echo "Image already exists. Will not overwrite."
+ echo "image-exists=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "Image does not exist. Will build and push."
+ echo "image-exists=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - uses: chainguard-images/actions/apko-publish@main
+ if: ${{ inputs.overwrite == 'true' || steps.check-image-exists.outputs.image-exists == 'false' }}
+ with:
+ config: ${{ inputs.apko-config }}
+ archs: amd64,arm64
+ tag: ${{ inputs.image-name }}
+ vcs-url: true
+ generic-user: ${{ inputs.registry-username }}
+ generic-pass: ${{ inputs.registry-password }}
diff --git a/.github/workflows/image-deps-updater.yaml b/.github/workflows/image-deps-updater.yaml
new file mode 100644
index 000000000..d26caf0b6
--- /dev/null
+++ b/.github/workflows/image-deps-updater.yaml
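Review bot: The `run` script of the `check-image-exists` step expands `${{ inputs.image-name }}` directly into the shell line `docker manifest inspect ...`, so whatever reaches that input — in this PR a tag parsed out of a downloaded APKINDEX — is spliced into the script text before bash sees it; pass it through the environment instead, `env:` / `IMAGE_NAME: ${{ inputs.image-name }}` on the step and `if docker manifest inspect "$IMAGE_NAME" > /dev/null 2>&1; then`. The same `if` treats any failure of `docker manifest inspect` (auth, rate limit, network) as "image does not exist", which lets the publish step run on a transient error; distinguishing a not-found response from other failures would avoid an unintended push when `overwrite` is not set. Separately, `chainguard-images/actions/apko-publish@main` receives the registry password but is referenced by a mutable branch, so pinning it to a full commit SHA would keep the credential from flowing to whatever `main` becomes.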
@@ -0,0 +1,47 @@
+name: Update image deps
+
+on:
+ schedule:
+ - cron: '0 4 * * *'
+ workflow_dispatch:
+ inputs:
+ overwrite:
+ description: 'Overwrite the existing image tags'
+ required: false
+ default: 'true'
+ push:
+ branches:
+ - emosbaugh/sc-108755/use-chainguard-images-for-embedded-cluster
+jobs:
+ build-3rd-party-images:
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Get tags
+ id: get-tags
+ run: |
+ set -euo pipefail
+
+ # We're only using the APKINDEX files to get the versions, so it doesn't matter which arch we use
+
+ curl -LO --fail --show-error https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
+ tar -xzvf APKINDEX.tar.gz
+
+ calico_version=$(< APKINDEX grep -A1 "^P:calico$" | tail -n 1 | sed -n -e 's/V://p' | tr -d '\n')
+
+ sed "s/__CALICO_VERSION__/$calico_version/g" deploy/images/calico-node/apko.tmpl.yaml > deploy/images/calico-node/apko.yaml
+
+ {
+ echo "calico-tag=$calico_version"
+ } >> "$GITHUB_OUTPUT"
+
+ - name: Build and push calico-node image
+ uses: ./.github/actions/build-dep-image-with-apko
+ with:
+ apko-config: deploy/images/calico-node/apko.yaml
+ image-name: docker.io/replicated/ec-calico-node:${{ steps.get-tags.outputs.calico-tag }}
+ registry-username: ${{ secrets.DOCKERHUB_USER }}
+ registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ overwrite: ${{ github.event.inputs.overwrite }}
diff --git a/deploy/images/calico-node/apko.tmpl.yaml b/deploy/images/calico-node/apko.tmpl.yaml
new file mode 100644
index 000000000..79866f47d
--- /dev/null
+++ b/deploy/images/calico-node/apko.tmpl.yaml
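Review bot: `calico_version` in the `Get tags` step is never validated before it is written into `apko.yaml` and emitted as `calico-tag`: `pipefail` does catch a missing `P:calico` entry, but if the line after it is not a `V:` field the pipeline succeeds with an empty string, the `sed` rewrite produces `calico-node=` and the downstream `image-name` becomes `docker.io/replicated/ec-calico-node:` with no tag. Add a guard right after the assignment, e.g. `[[ "$calico_version" =~ ^[0-9][0-9A-Za-z._+~-]*$ ]] || { echo "unexpected calico version: '$calico_version'" >&2; exit 1; }`, which also bounds what later gets interpolated into the composite action's shell. The index is fetched over HTTPS and untarred, but nothing here checks the signature entry that apk-style index tarballs normally carry, so the version selection trusts the transport alone; apko does verify the package itself against the configured keyring, so the exposure is limited to choosing a wrong version. The job declares no `permissions:` block, so its token keeps the repository default even though the job only needs `permissions: contents: read` for the checkout. The `push:` trigger on `emosbaugh/sc-108755/...` reads like a development hook and presumably should be removed before merge.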
@@ -0,0 +1,37 @@
+contents:
+ repositories:
+ - https://packages.wolfi.dev/os
+ keyring:
+ - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+ packages:
+ - calico-node=__CALICO_VERSION__
+
+accounts:
+ groups:
+ - groupname: nonroot
+ gid: 65532
+ users:
+ - username: nonroot
+ uid: 65532
+ gid: 65532
+ # calico-node is responsible for many host level networking tasks and as such, needs root
+ run-as: "0"
+
+environment:
+ # Tell sv where to find the services
+ SVDIR: /etc/service/enabled
+
+paths:
+ - path: /etc/service/available
+ type: directory
+ uid: 0
+ gid: 0
+ permissions: 0o755
+ - path: /etc/calico
+ type: directory
+ uid: 65532
+ gid: 65532
+ permissions: 0o755
+
+entrypoint:
+ command: /usr/sbin/start_runit
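Review bot: The file reads as a complete apko config but is a template — `calico-node=__CALICO_VERSION__` is only valid after the `image-deps-updater` workflow's `sed` pass — and nothing in the file says so; a header comment such as `# Template: __CALICO_VERSION__ is substituted by .github/workflows/image-deps-updater.yaml, which writes the rendered deploy/images/calico-node/apko.yaml. Do not pass this file to apko directly.` would stop someone building from it by hand. The `accounts` stanza declares a `nonroot` user and group, but `run-as: "0"` makes the image run as root, so the 65532 ownership on `/etc/calico` does not constrain the process; if the account exists only to own that path, a comment saying so (or dropping it) would make the intent clear. The inline comment on `run-as` already gives the justification for root, which is the right place for it.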