diff --git a/.github/actions/build_apko/action.yml b/.github/actions/build_apko/action.yml
new file mode 100644
index 000000000..3de697ed5
--- /dev/null
+++ b/.github/actions/build_apko/action.yml
@@ -0,0 +1,55 @@
+name: Build apko image
+description: Build an apko image based on a supplied .yaml file
+
+inputs:
+ apkoConfig:
+ description: "Path to the apko .yaml config file. If left empty, all images will be built."
+ required: false
+ registry:
+ description: "Container registry to use"
+ default: "ghcr.io"
+ required: true
+ githubToken:
+ description: "GitHub authorization token"
+ required: true
+
+# Linux runner only (Docker required)
+runs:
+ using: "composite"
+ steps:
+ - name: Log in to the Container registry
+ id: docker-login
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+ with:
+ registry: ${{ inputs.registry }}
+ username: ${{ github.actor }}
+ password: ${{ inputs.githubToken }}
+
+ - name: Build apko images
+ shell: bash
+ run: |
+ if [ -z "${{ inputs.apkoConfig }}" ]; then
+ echo "Building all images in image"
+ for imageConfig in image/apko/*.yaml; do
+ echo "Building image for $imageConfig"
+
+ imageName=$(basename $imageConfig | cut -d. -f1 )
+ registry=${{ inputs.registry }}/edgelesssys/apko-${imageName}
+ outTar=$imageName.tar
+
+ docker run -v "$PWD":/work cgr.dev/chainguard/apko build $imageConfig $registry $outTar
+ docker load < $outTar
+ docker push $registry
+
+ done
+ else
+ echo "Building image for ${{ inputs.apkoConfig }}"
+
+ imageName=$(basename ${{ inputs.apkoConfig }} | cut -d. -f1 )
+ registry=${{ inputs.registry }}/edgelesssys/apko-${imageName}
+ outTar=$imageName.tar
+
+ docker run -v "$PWD":/work cgr.dev/chainguard/apko build ${{ inputs.apkoConfig }} $registry $outTar
+ docker load < $outTar
+ docker push $registry
+ fi
diff --git a/.github/actions/build_ko/action.yml b/.github/actions/build_ko/action.yml
index 5a6a48eca..6de3f2392 100644
--- a/.github/actions/build_ko/action.yml
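Review bot: Both `docker run -v "$PWD":/work cgr.dev/chainguard/apko build ...` lines in the "Build apko images" step pull the apko builder by bare name, so each run resolves whatever that image currently is, while the actions in the same file are pinned to commit SHAs; the builder should be pinned the same way, `cgr.dev/chainguard/apko@sha256:<digest>` (digest to be filled in from the registry), or the resulting images are not reproducible. The same step splices `${{ inputs.apkoConfig }}` and `${{ inputs.registry }}` directly into the bash script; passing them through the step's `env:` and reading `"$APKO_CONFIG"` / `"$REGISTRY"` keeps input values out of the script text, and the unquoted `$imageConfig` / `$outTar` expansions can be quoted at the same time. The single-config branch and the loop body are identical except for the config path, so one loop over either the glob or the supplied file removes the duplicated three-command block, as sketched below.
```yaml
# … unchanged: name/description, inputs, docker-login step …
    - name: Build apko images
      shell: bash
      env:
        APKO_CONFIG: ${{ inputs.apkoConfig }}
        REGISTRY: ${{ inputs.registry }}
      run: |
        if [ -z "$APKO_CONFIG" ]; then
          echo "Building all images in image"
          configs=(image/apko/*.yaml)
        else
          configs=("$APKO_CONFIG")
        fi
        for imageConfig in "${configs[@]}"; do
          echo "Building image for $imageConfig"
          imageName=$(basename "$imageConfig" | cut -d. -f1)
          registry="$REGISTRY/edgelesssys/apko-${imageName}"
          outTar="$imageName.tar"
          # builder pinned by digest so the build tool itself is a fixed input (fill in <APKO_IMAGE_DIGEST>)
          docker run -v "$PWD":/work cgr.dev/chainguard/apko@sha256:<APKO_IMAGE_DIGEST> build "$imageConfig" "$registry" "$outTar"
          docker load < "$outTar"
          docker push "$registry"
        done
```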
+++ b/.github/actions/build_ko/action.yml @@ -5,7 +5,7 @@ inputs: description: "Name of the micro-service" required: true registry: - description: "Name of the repository" + description: "Name of the registry to use" required: false default: "ghcr.io" koConfig: diff --git a/.github/workflows/build-apko-image.yml b/.github/workflows/build-apko-image.yml new file mode 100644 index 000000000..b99201333 --- /dev/null +++ b/.github/workflows/build-apko-image.yml @@ -0,0 +1,28 @@ +name: Build and upload all apko container images + +on: + workflow_dispatch: + push: + branches: + - main + - "release/**" + - "feat/reproducible-builds-ko" + +jobs: + build-apko-image: + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + steps: + - name: Check out repository + id: checkout + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0 + with: + ref: ${{ github.head_ref }} + + - name: Build and upload apko image + uses: ./.github/actions/build_apko + with: + registry: ghcr.io + githubToken: ${{ secrets.GITHUB_TOKEN }} diff --git a/.ko.yaml b/.ko.yaml index 47446ed4c..6bcc6a460 100644 --- a/.ko.yaml +++ b/.ko.yaml @@ -1,8 +1,7 @@ defaltBaseImage: distroless.dev/static:latest@sha256:d624beaae60b10ec342896b1470421eb473549cb3ac3bf1c6ec074d8b460b4fc baseImageOverrides: - github.com/edgelesssys/constellation/v2/disk-mapper/cmd: leongross/alpine-libcryptsetup:base - github.com/edgelesssys/constellation/v2/bootstrapper/cmd/bootstrapper: leongross/alpine-libcryptsetup:base + github.com/edgelesssys/constellation/v2/operators/constellation-node-operator ghcr.io/edgelesssys/alpine-base-user-65532 builds: - id: kms @@ -31,7 +30,6 @@ builds: - -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION} - -extldflags "-static" -# currently ignoring USER 65532:65532 from Dockerfile operators/constellation/Dockerfile - id: constellation-node-operator dir: . main: ./operators/constellation-node-operator/ 
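Review bot: `ref: ${{ github.head_ref }}` in the checkout step of build-apko-image.yml is only populated for pull-request style events; under the `push` and `workflow_dispatch` triggers this workflow declares it expands to an empty string, so actions/checkout falls back to the event's default ref and the `with:` block has no effect. Either drop the `with:` block or write `ref: ${{ github.ref }}` so the intent is explicit. The `"feat/reproducible-builds-ko"` entry under `branches:` reads as a development-time trigger that should be removed before merge, and `registry: ghcr.io` only restates the action's default.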
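Review bot: The new `baseImageOverrides` entry in .ko.yaml has no `:` between the import path and the image, so YAML reads the whole line as one plain scalar and `baseImageOverrides` becomes a string instead of a mapping; ko will not apply the override (and may reject the file). It should read `github.com/edgelesssys/constellation/v2/operators/constellation-node-operator: ghcr.io/edgelesssys/alpine-base-user-65532`. The override image also carries no tag or digest, unlike the digest-pinned default base on the line above, so ko resolves a floating `latest` at build time; once the image is published, pin it as `ghcr.io/edgelesssys/alpine-base-user-65532@sha256:<digest>`. Not part of this change, but the context key `defaltBaseImage` appears to be misspelled (ko's option is `defaultBaseImage`), which would mean ko silently falls back to its built-in default base instead of the pinned one.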
diff --git a/image/apko/alpine-base-user-65532.yaml b/image/apko/alpine-base-user-65532.yaml
new file mode 100644
index 000000000..47c443466
--- /dev/null
+++ b/image/apko/alpine-base-user-65532.yaml
@@ -0,0 +1,20 @@
+contents:
+ repositories:
+ - https://dl-cdn.alpinelinux.org/alpine/edge/main
+ packages:
+ - alpine-base
+
+entrypoint:
+ command: /bin/sh -l
+
+accounts:
+ groups:
+ - groupname: "65532"
+ gid: 65532
+ users:
+ - username: "65532"
+ uid: 65532
+ run-as: "65532"
+
+environment:
+ PATH: /usr/sbin:/sbin:/usr/bin:/bin
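Review bot: `repositories:` points at `https://dl-cdn.alpinelinux.org/alpine/edge/main` and `packages:` lists `alpine-base` without a version, so every build takes whatever edge ships at that moment and the image content is not reproducible; a release branch (`https://dl-cdn.alpinelinux.org/alpine/v3.17/main`, say) together with an exact `alpine-base=<version>` pin fixes the input set. There is also no `contents.keyring:` entry; apko's own Alpine examples list the distribution signing key (`https://alpinelinux.org/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub`) next to the repository, so unless the apko version in use bundles Alpine keys this config either fails at fetch time or installs packages without signature verification — worth confirming before relying on it. The `accounts` block does create a dedicated uid/gid 65532 and sets `run-as`, which matches the `USER 65532:65532` intent recorded in the comment removed from .ko.yaml.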