diff --git a/hack/go.sum b/hack/go.sum
index a49e35fca..aa08f25d5 100644
--- a/hack/go.sum
+++ b/hack/go.sum
@@ -848,6 +848,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
 github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
diff --git a/internal/versions/BUILD.bazel b/internal/versions/BUILD.bazel
index 288641071..1a9beb428 100644
--- a/internal/versions/BUILD.bazel
+++ b/internal/versions/BUILD.bazel
@@ -18,5 +18,9 @@ go_test(
     name = "versions_test",
     srcs = ["versions_test.go"],
     embed = [":versions"],
-    deps = ["@com_github_stretchr_testify//assert"],
+    deps = [
+        "@com_github_stretchr_testify//assert",
+        "@com_github_stretchr_testify//require",
+        "@com_github_vincent_petithory_dataurl//:dataurl",
+    ],
 )
diff --git a/internal/versions/versions.go b/internal/versions/versions.go
index 5a1a6ce51..e7339fff9 100644
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@@ -227,6 +227,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 				InstallPath: constants.KubectlPath,
 				Extract:     false,
 			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI2LjExQHNoYTI1NjozOTUzNWQwZWZlODk1YWU5MWI1NTExZmRhZGI1MmVjOTMyOWYzODk4NzYxMTYzYThjMGRlMjAzZTIzZTMzODUzIn1d",
+				InstallPath: "/opt/kubernetes/patches/kube-apiserver+json.json",
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI2LjExQHNoYTI1NjpjZGJlZmZmMTU0ZDRjY2I1ZDhlOGIxNmI4MDRjYmM2Y2M5MzI2YTc2MGI5ZjkxNDIyMjcwOGY5OTExOThkNTdjIn1d",
+				InstallPath: "/opt/kubernetes/patches/kube-controller-manager+json.json",
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI2LjExQHNoYTI1NjowNjg0ZTIzMTcyZDkyMDMxNDk3MTU4MGFiMTE1YTViNjc5YWMxZmFlMmNiOTRkODNlOTEwNWMwYjFlOTNhMWJjIn1d",
+				InstallPath: "/opt/kubernetes/patches/kube-scheduler+json.json",
+			},
 		},
 		// CloudControllerManagerImageAWS is the CCM image used on AWS.
 		CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.26.6@sha256:33445ab57f48938fe989ffe311dacee0044b82f2bd23cb7f7b563275926f0ce9", // renovate:container
@@ -278,6 +290,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 				InstallPath: constants.KubectlPath,
 				Extract:     false,
 			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI3LjhAc2hhMjU2OjcwYjA1YjYxZDg0NmViYjY5YTkwN2ZlMjU1ZDM5YTZmNmMxMGQ1Y2E5NTA0ZjNkMmMwZGZmM2Y4NjQ2OTBkMzMifV0=",
+				InstallPath: "/opt/kubernetes/patches/kube-apiserver+json.json",
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI3LjhAc2hhMjU2OmU1OWM2MzczZDI2YjY4NGE5MWNmYTU5NDJjMGY3MzcxYmRhOWI0YmI3Njg5ZTNmOTBmN2VlNGY5NjUxZWUyMmIifV0=",
+				InstallPath: "/opt/kubernetes/patches/kube-controller-manager+json.json",
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI3LjhAc2hhMjU2OjYyMzdlNzEwMGNjZGJiZDVlMGU3Y2ZmNzc5NjgzMWMxODVhMzk0NzE5OTgyM2YzOTEyODNjNzlkMDBhZmYwNzAifV0=",
+				InstallPath: "/opt/kubernetes/patches/kube-scheduler+json.json",
+			},
 		},
 		// CloudControllerManagerImageAWS is the CCM image used on AWS.
 		CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.2@sha256:42be09a2b13b4e69b42905639d6b005ebe1ca490aabefad427256abf2cc892c7", // renovate:container
@@ -329,6 +353,18 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 				InstallPath: constants.KubectlPath,
 				Extract:     false,
 			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtYXBpc2VydmVyOnYxLjI4LjRAc2hhMjU2OjViMjhhMzY0NDY3Y2Y3ZTEzNDM0M2JiM2VlMmM2ZDQwNjgyYjQ3M2E3NDNhNzIxNDJjN2JiZTI1NzY3ZDM2ZWIifV0=",
+				InstallPath: "/opt/kubernetes/patches/kube-apiserver+json.json",
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtY29udHJvbGxlci1tYW5hZ2VyOnYxLjI4LjRAc2hhMjU2OjY1NDg2YzhjMzM4Zjk2ZGMwMjJkZDFhMGFiZTg3NjNlMzhmMzUwOTViODRiMjA4Yzc4ZjQ0ZDllOTk0NDdkMWMifV0=",
+				InstallPath: "/opt/kubernetes/patches/kube-controller-manager+json.json",
+			},
+			{
+				Url:         "data:application/json;base64,W3sib3AiOiJyZXBsYWNlIiwicGF0aCI6Ii9zcGVjL2NvbnRhaW5lcnMvMC9pbWFnZSIsInZhbHVlIjoicmVnaXN0cnkuazhzLmlvL2t1YmUtc2NoZWR1bGVyOnYxLjI4LjRAc2hhMjU2OjMzNWJiYTllODYxYjg4ZmE4YjdiYjkyNTBiY2Q2OWI3YTMzZjgzZGE0ZmVlOTNmOWZjMGVlZGM2ZjM0ZTI4YmEifV0=",
+				InstallPath: "/opt/kubernetes/patches/kube-scheduler+json.json",
+			},
 		},
 		// CloudControllerManagerImageAWS is the CCM image used on AWS.
 		CloudControllerManagerImageAWS: "registry.k8s.io/provider-aws/cloud-controller-manager:v1.28.1@sha256:79b423ac8bc52d00f932b40de11fc3047a5ed1cbec47cda23bcf8f45ef583ed1", // renovate:container
diff --git a/internal/versions/versions_test.go b/internal/versions/versions_test.go
index a4781697a..dbab7107b 100644
--- a/internal/versions/versions_test.go
+++ b/internal/versions/versions_test.go
@@ -7,9 +7,14 @@ SPDX-License-Identifier: AGPL-3.0-only
 package versions
 
 import (
+	"fmt"
+	"path"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/vincent-petithory/dataurl"
 )
 
 func TestVersionFromDockerImage(t *testing.T) {
@@ -44,3 +49,25 @@ func TestVersionFromDockerImage(t *testing.T) {
 		})
 	}
 }
+
+func TestKubernetesImagePatchCompatibility(t *testing.T) {
+	// This test ensures that pinned Kubernetes images correspond to the
+	// supported Kubernetes versions. It prevents automatic upgrades until
+	// a patch generator is added to the codebase.
+	// TODO(burgerdev): remove after patches are generated automatically.
+	for v, clusterConfig := range VersionConfigs {
+		t.Run(string(v), func(t *testing.T) {
+			for i, component := range clusterConfig.KubernetesComponents.GetUpgradableComponents() {
+				if !strings.HasPrefix(component.Url, "data:") {
+					continue
+				}
+				t.Run(fmt.Sprintf("%d-%s", i, path.Base(component.InstallPath)), func(t *testing.T) {
+					require := require.New(t)
+					dataURL, err := dataurl.DecodeString(component.Url)
+					require.NoError(err)
+					require.Contains(string(dataURL.Data), clusterConfig.ClusterVersion)
+				})
+			}
+		})
+	}
+}
diff --git a/terraform-provider-constellation/go.sum b/terraform-provider-constellation/go.sum
index d1f2d7ac1..99c858fa3 100644
--- a/terraform-provider-constellation/go.sum
+++ b/terraform-provider-constellation/go.sum
@@ -871,6 +871,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=