diff --git a/.gitignore b/.gitignore index eaa26afd25..6b95720998 100644 --- a/.gitignore +++ b/.gitignore @@ -56,6 +56,7 @@ network_closure.sh # build stuff .build +.bazelbuild # autogenerated code we don't want to check in go-bindata diff --git a/Makefile b/Makefile index f897f5c26d..fc6df0d1bd 100644 --- a/Makefile +++ b/Makefile @@ -32,9 +32,13 @@ CHANNELS=$(LOCAL)/channels NODEUP=$(LOCAL)/nodeup PROTOKUBE=$(LOCAL)/protokube UPLOAD=$(BUILD)/upload +BAZELBUILD=$(GOPATH_1ST)/src/k8s.io/kops/.bazelbuild +BAZELDIST=$(BAZELBUILD)/dist +BAZELIMAGES=$(BAZELDIST)/images +BAZELUPLOAD=$(BAZELBUILD)/upload UID:=$(shell id -u) GID:=$(shell id -g) -TESTABLE_PACKAGES:=$(shell egrep -v "k8s.io/kops/cloudmock|k8s.io/kops/vendor" hack/.packages) +TESTABLE_PACKAGES:=$(shell egrep -v "k8s.io/kops/cloudmock|k8s.io/kops/vendor" hack/.packages) BAZEL_OPTIONS?= # See http://stackoverflow.com/questions/18136918/how-to-get-current-relative-directory-of-your-makefile @@ -150,7 +154,7 @@ help: # Show this help .PHONY: clean clean: # Remove build directory and bindata-generated files - for t in ${BINDATA_TARGETS}; do if test -e $$t; then rm -fv $$t; fi; done + for t in ${BINDATA_TARGETS}; do if test -e $$t; then rm -fv $$t; fi; done if test -e ${BUILD}; then rm -rfv ${BUILD}; fi .PHONY: kops 
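Review bot: The added `BAZELBUILD=$(GOPATH_1ST)/src/k8s.io/kops/.bazelbuild` is an absolute path built from `GOPATH_1ST`, which is defined outside this hunk, and a later hunk in this patch runs `rm -rf ${BAZELUPLOAD}` on a directory derived from it. If `GOPATH_1ST` expands to nothing, the path becomes `/src/k8s.io/kops/.bazelbuild`, outside the working copy and outside the new `.gitignore` entry. A parse-time guard next to the assignment, such as `$(if $(strip $(GOPATH_1ST)),,$(error GOPATH_1ST is empty))`, would make that failure explicit. A one-line comment should also state that these four variables are the Bazel counterparts of the existing build and upload directories.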
@@ -612,23 +616,35 @@ bazel-build-cli: bazel build //cmd/kops/... # Not working yet, but we can hope -#.PHONY: bazel-crossbuild-kops -#bazel-crossbuild-kops: -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:darwin_amd64 //cmd/kops/... -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/kops/... -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:windows_amd64 //cmd/kops/... -# -#.PHONY: bazel-crossbuild-nodeup -#bazel-crossbuild-nodeup: -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/nodeup/... +.PHONY: bazel-crossbuild-kops +bazel-crossbuild-kops: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:darwin_amd64 //cmd/kops/... + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/kops/... + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:windows_amd64 //cmd/kops/... -#.PHONY: bazel-crossbuild-protokube -#bazel-crossbuild-protokube: -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //protokube/... +.PHONY: bazel-crossbuild-nodeup +bazel-crossbuild-nodeup: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/nodeup/... -#.PHONY: bazel-crossbuild-dns-controller -#bazel-crossbuild-dns-controller: -# bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //dns-controller/... +.PHONY: bazel-crossbuild-protokube +bazel-crossbuild-protokube: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //protokube/... + +.PHONY: bazel-crossbuild-dns-controller +bazel-crossbuild-dns-controller: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //dns-controller/... 
+ +.PHONY: bazel-crossbuild-dns-controller-image +bazel-crossbuild-dns-controller-image: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //images:dns-controller.tar + +.PHONY: bazel-crossbuild-protokube-image +bazel-crossbuild-protokube-image: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //images:protokube.tar + +.PHONY: bazel-crossbuild-kube-discovery-image +bazel-crossbuild-kube-discovery-image: + bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //images:kube-discovery.tar .PHONY: bazel-push # Will always push a linux-based build up to the server 
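Review bot: The context comment `# Not working yet, but we can hope` is left in place directly above the targets this hunk un-comments, although `bazel-version-dist` later in the patch depends on `bazel-crossbuild-kops` and `bazel-crossbuild-nodeup`. Replace it with a comment that says what is actually known, for example `# Cross-builds rely on the experimental --experimental_platforms flag of rules_go`. The flag string `--experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64` is now repeated on eight recipe lines; hoisting it into a variable would keep the targets in step when the toolchain label changes.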
@@ -666,3 +682,34 @@ push-kube-discovery: bazel run //kube-discovery/images:kube-discovery docker tag bazel/kube-discovery/images:kube-discovery ${DOCKER_REGISTRY}/kube-discovery:${DOCKER_TAG} docker push ${DOCKER_REGISTRY}/kube-discovery:${DOCKER_TAG} + +.PHONY: bazel-protokube-export +bazel-protokube-export: + mkdir -p ${BAZELIMAGES} + bazel run --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //images:protokube + docker tag bazel/images:protokube protokube:${PROTOKUBE_TAG} + docker save protokube:${PROTOKUBE_TAG} > ${BAZELIMAGES}/protokube.tar + gzip --force --best ${BAZELIMAGES}/protokube.tar + (${SHASUMCMD} ${BAZELIMAGES}/protokube.tar.gz | cut -d' ' -f1) > ${BAZELIMAGES}/protokube.tar.gz.sha1 + +.PHONY: bazel-version-dist +bazel-version-dist: bazel-crossbuild-nodeup bazel-crossbuild-kops bazel-protokube-export utils-dist + rm -rf ${BAZELUPLOAD} + mkdir -p ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/ + mkdir -p ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/ + mkdir -p ${BAZELUPLOAD}/kops/${VERSION}/images/ + mkdir -p ${BAZELUPLOAD}/utils/${VERSION}/linux/amd64/ + cp bazel-bin/cmd/nodeup/linux_amd64_pure_stripped/nodeup ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup + (${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup | cut -d' ' -f1) > ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup.sha1 + cp ${BAZELIMAGES}/protokube.tar.gz ${BAZELUPLOAD}/kops/${VERSION}/images/protokube.tar.gz + cp ${BAZELIMAGES}/protokube.tar.gz.sha1 ${BAZELUPLOAD}/kops/${VERSION}/images/protokube.tar.gz.sha1 + cp bazel-bin/cmd/kops/linux_amd64_pure_stripped/kops ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops + (${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops | cut -d' ' -f1) > ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops.sha1 + cp bazel-bin/cmd/kops/darwin_amd64_stripped/kops ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops + (${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops | cut -d' ' -f1) > 
${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops.sha1 + cp ${DIST}/linux/amd64/utils.tar.gz ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/utils.tar.gz + cp ${DIST}/linux/amd64/utils.tar.gz.sha1 ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/utils.tar.gz.sha1 + +.PHONY: bazel-upload +bazel-upload: bazel-version-dist # Upload kops to S3 + aws s3 sync --acl public-read ${BAZELUPLOAD}/ ${S3_BUCKET} \ No newline at end of file diff --git a/WORKSPACE b/WORKSPACE index 3dd3e1e61b..89795f4bb3 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -3,8 +3,8 @@ http_archive( name = "io_bazel_rules_go", - sha256 = "4d8d6244320dd751590f9100cf39fd7a4b75cd901e1f3ffdfd6f048328883695", - url = "https://github.com/bazelbuild/rules_go/releases/download/0.9.0/rules_go-0.9.0.tar.gz", + url = "https://github.com/bazelbuild/rules_go/releases/download/0.10.0/rules_go-0.10.0.tar.gz", + sha256 = "53c8222c6eab05dd49c40184c361493705d4234e60c42c4cd13ab4898da4c6be", ) load("@io_bazel_rules_go//go:def.bzl", "go_rules_dependencies", "go_register_toolchains", "go_download_sdk") @@ -40,7 +40,7 @@ go_register_toolchains( git_repository( name = "io_bazel_rules_docker", remote = "https://github.com/bazelbuild/rules_docker.git", - tag = "v0.3.0", + tag = "v0.4.0", ) load( 
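Review bot: Every checksum line in `bazel-protokube-export` and `bazel-version-dist` has the shape `(${SHASUMCMD} FILE | cut -d' ' -f1) > FILE.sha1`, so the exit status of the recipe line is that of `cut`. If the hashing command fails, an empty `.sha1` is written and the build continues to `bazel-upload`, which publishes it with `--acl public-read`. Unless `pipefail` is set outside this hunk, append `&& test -s FILE.sha1` to each of those lines so a missing digest stops the release. `rm -rf ${BAZELUPLOAD}` and `aws s3 sync ... ${S3_BUCKET}` also run with `VERSION` and `S3_BUCKET` unchecked; a first recipe line such as `test -n "${VERSION}" && test -n "${S3_BUCKET}"` would avoid publishing under `kops//...`. The `.sha1` files are stored next to the binaries they describe, so a comment on `bazel-upload` should state that they detect corrupted transfers and do not authenticate the artifacts.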
@@ -59,3 +59,50 @@ container_pull( repository = "debian-hyperkube-base-amd64", tag = "0.8", ) + +git_repository( + name = "distroless_rules", + remote = "https://github.com/googlecloudplatform/distroless.git", + commit = "886114394dfed219001ec3b068b139a3456e49d4" +) + +load( + "@distroless_rules//package_manager:package_manager.bzl", + "package_manager_repositories", + "dpkg_src", + "dpkg_list", +) + +package_manager_repositories() + +dpkg_src( + name = "debian_stretch", + arch = "amd64", + distro = "stretch", + sha256 = "9aea0e4c9ce210991c6edcb5370cb9b11e9e554a0f563e7754a4028a8fd0cb73", + snapshot = "20171101T160520Z", + url = "http://snapshot.debian.org/archive", +) + +dpkg_list( + name = "package_bundle", + packages = [ + "cgmanager", + "dbus", + "libapparmor1", + "libcgmanager0", + "libcryptsetup4", + "libdbus-1-3", + "libnih-dbus1", + "libnih1", + "libpam-systemd", + "libprocps6", + "libseccomp2", + "procps", + "systemd-shim", + "systemd", + ], + sources = [ + "@debian_stretch//file:Packages.json", + ], +) diff --git a/images/BUILD.bazel b/images/BUILD.bazel index 78eaaed7a9..f2bb5ebf5a 100644 --- a/images/BUILD.bazel +++ b/images/BUILD.bazel @@ -15,6 +15,8 @@ container_image( ], ) +load("@package_bundle//file:packages.bzl", "packages") + container_image( name = "protokube", base = "@debian_hyperkube_base_amd64//image", 
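Review bot: `dpkg_src` reads the package index from `http://snapshot.debian.org/archive` over plain HTTP. The `sha256` pins that index, but whether each `.deb` fetched afterwards is checked against the hashes in the index depends on the distroless rules at the pinned commit, which are not visible here, so `url = "https://snapshot.debian.org/archive"` is the safer setting. The `snapshot = "20171101T160520Z"` pin makes the image reproducible and also freezes `systemd`, `dbus` and the rest at that date. A comment such as `# Frozen snapshot: bump snapshot and sha256 together to pick up Debian security updates` would tell maintainers how fixes reach the image. `distroless_rules` is pinned by commit, while `io_bazel_rules_docker` in the preceding hunk is still pinned by a movable `tag`.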
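Review bot: The added `load("@package_bundle//file:packages.bzl", "packages")` sits between two `container_image` rules. Bazel style (buildifier's `load-on-top` check) keeps `load` statements together at the top of the BUILD file, which also puts the external repositories the file depends on in one place for review. The file's existing `load` lines are outside this hunk.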
@@ -25,9 +27,30 @@ container_image( # systemd: needed to start kubelet # TODO: Replace systemd with direct calls, or chroot into rootfs debs = [ - "@systemd//file", + packages["cgmanager"], + packages["dbus"], + packages["libapparmor1"], + packages["libcgmanager0"], + packages["libcryptsetup4"], + packages["libdbus-1-3"], + packages["libnih-dbus1"], + packages["libnih1"], + packages["libpam-systemd"], + packages["libprocps6"], + packages["libseccomp2"], + packages["procps"], + packages["systemd-shim"], + packages["systemd"], ], - directory = "/usr/bin/", + # Cannot use directory with packages or they get installed with + # directory as the root. + # directory = "/usr/bin/", + # TODO: figure out if there's a way to add files + # to actual /usr/bin while using debs above. + symlinks = { + "/usr/bin/channels": "/channels", + "/usr/bin/protokube": "/protokube", + }, files = [ "//channels/cmd/channels", # TODO "//kubectl",
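Review bot: The fourteen `packages[...]` entries in `debs` repeat the `packages` list passed to `dpkg_list` in WORKSPACE, and nothing ties the two lists together. A name present in one and missing from the other presumably surfaces only as a failed lookup at load time, so add a comment such as `# Keep in sync with dpkg_list(name = "package_bundle") in WORKSPACE`. The commented-out `# directory = "/usr/bin/",` is dead configuration and can be dropped, because the two comment lines above it already explain why `directory` is not used. The `symlinks` map deserves a one-line comment that it must gain an entry whenever `files` gains a binary expected under `/usr/bin`, since the binaries now land in `/`. The `container_image` rule starts and ends outside this hunk.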