diff --git a/Dockerfile b/Dockerfile
index d9379a7100..761cb50511 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -138,7 +138,7 @@ RUN rm -vf /charts/*.sh /charts/*.md
 # This image includes any host level programs that we might need. All binaries
 # must be placed in bin/ of the file image and subdirectories of bin/ will be flattened during installation.
 # This means bin/foo/bar will become bin/bar when rke2 installs this to the host
-FROM rancher/hardened-kubernetes:v1.26.9-rke2r1-build20230913 AS kubernetes
+FROM brandond/hardened-kubernetes:v1.26.9-bd3-rke2r1-build20231017 AS kubernetes
 FROM rancher/hardened-containerd:v1.7.7-k3s1-build20231010 AS containerd
 FROM rancher/hardened-crictl:v1.26.1-build20230406 AS crictl
 FROM rancher/hardened-runc:v1.1.8-build20230802 AS runc
diff --git a/bundle/bin/rke2-killall.sh b/bundle/bin/rke2-killall.sh
index 3f3e3bb3f8..a33eaf881d 100755
--- a/bundle/bin/rke2-killall.sh
+++ b/bundle/bin/rke2-killall.sh
@@ -64,6 +64,10 @@ do_unmount_and_remove '/var/lib/rancher/rke2'
 do_unmount_and_remove '/var/lib/kubelet/pods'
 do_unmount_and_remove '/run/netns/cni-'
+# Delete old containerd files and pod-manfiests
+rm -rf /var/lib/rancher/rke2/agent/containerd/ || true
+rm -rf /var/lib/rancher/rke2/agent/pod-manifests || true
+
 # Delete network interface(s) that match 'master cni0'
 ip link show 2>/dev/null | grep 'master cni0' | while read ignore iface ignore; do
 iface=${iface%%@*}
@@ -90,6 +94,7 @@ if [ -d /sys/class/net/nodelocaldns ]; then
 fi
 rm -rf /var/lib/cni/ /var/log/pods/ /var/log/containers
+rm -rf /var/lib/kubelet || true
 # Delete iptables created by CNI plugins or Kubernetes (kube-proxy)
 iptables-save | grep -v KUBE- | grep -v CNI- | grep -v cali- | grep -v cali: | grep -v CILIUM_ | grep -v flannel | iptables-restore
diff --git a/pkg/podexecutor/staticpod.go b/pkg/podexecutor/staticpod.go
index 080643059d..4144db0fe6 100644
--- a/pkg/podexecutor/staticpod.go
+++ b/pkg/podexecutor/staticpod.go
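Review bot: The `kubernetes` stage now pulls `brandond/hardened-kubernetes` from a personal registry namespace while every other stage in this hunk stays on `rancher/`, and the reference is a mutable tag rather than a digest. Per the comment above it, this stage supplies binaries that rke2 installs onto the host, so whoever controls that namespace controls what runs on every node built from this image. If this is a test build, point it back at a `rancher/` image before merge; otherwise pin it, e.g. `FROM brandond/hardened-kubernetes:v1.26.9-bd3-rke2r1-build20231017@sha256:<digest-of-reviewed-image> AS kubernetes`, and add a comment saying why the source changed.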
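Review bot: The added `rm -rf /var/lib/kubelet || true` (second hunk of rke2-killall.sh) and the `rm -rf` of `agent/containerd/` and `agent/pod-manifests` (first hunk) run after `do_unmount_and_remove`, and nothing visible here checks that those unmounts succeeded. `do_unmount_and_remove` is defined outside the hunks; if it can leave a pod volume mounted (a busy NFS, CSI or hostPath mount), the recursive delete would descend into it and remove workload data instead of node state. Consider `rm -rf --one-file-system /var/lib/kubelet` (GNU rm) or skipping the delete while `/proc/self/mounts` still lists a path under the directory. The change also turns a kill-all script into one that wipes images and static pod manifests, which the comment should say outright; that comment has a typo, `pod-manfiests`.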
@@ -445,6 +445,8 @@ func (s *StaticPodConfig) ControllerManager(_ context.Context, apiReady <-chan s
 CISMode: s.CISMode,
 HealthPort: 10257,
 HealthProto: "HTTPS",
+ ReadyPort: 10257,
+ ReadyProto: "HTTPS",
 CPURequest: s.ControlPlaneResources.KubeControllerManagerCPURequest,
 CPULimit: s.ControlPlaneResources.KubeControllerManagerCPULimit,
 MemoryRequest: s.ControlPlaneResources.KubeControllerManagerMemoryRequest,
@@ -457,7 +459,7 @@ func (s *StaticPodConfig) ControllerManager(_ context.Context, apiReady <-chan s
 })
 }
-// CloudControllerManager starts the cloud-controller-manager static pod, once the cloud controller manager RBAC
+// CloudControllerManager starts the -manager static pod, once the cloud controller manager RBAC
 // (and subsequently, the api server) is available.
 func (s *StaticPodConfig) CloudControllerManager(_ context.Context, ccmRBACReady <-chan struct{}, args []string) error {
 image, err := s.Resolver.GetReference(images.CloudControllerManager)
@@ -476,6 +478,8 @@ func (s *StaticPodConfig) CloudControllerManager(_ context.Context, ccmRBACReady
 CISMode: s.CISMode,
 HealthPort: 10258,
 HealthProto: "HTTPS",
+ ReadyPort: 10257,
+ ReadyProto: "HTTPS",
 CPURequest: s.ControlPlaneResources.CloudControllerManagerCPURequest,
 CPULimit: s.ControlPlaneResources.CloudControllerManagerCPULimit,
 MemoryRequest: s.ControlPlaneResources.CloudControllerManagerMemoryRequest,
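Review bot: The doc comment on CloudControllerManager lost a word in the second hunk and now reads "starts the -manager static pod", which looks like an accidental deletion rather than an intended rewording. Restore it as `// CloudControllerManager starts the cloud-controller-manager static pod, once the cloud controller manager RBAC`. The function body continues outside the hunk.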
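Review bot: In the CloudControllerManager spec (third hunk), `ReadyPort: 10257` does not match the `HealthPort: 10258` set two lines above it; 10257 is the port used by the ControllerManager spec in the first hunk, so this looks copied from there. As written the readiness check would presumably be sent to kube-controller-manager's port, reporting on the wrong component or failing when that pod is absent. Unless that is intended, use `ReadyPort: 10258,`. The struct literal starts and ends outside the hunk.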