diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5d878d1..4c93258 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,8 +1,5 @@ name: release -env: - DOCKER_USER: ${{ secrets.DockerHubUser }} - on: push: branches: @@ -14,15 +11,15 @@ jobs: steps: - name: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 with: fetch-depth: 1 - name: build image - run: docker build -t digitalocean/doks-debug:latest . + run: docker build --platform linux/amd64 -t ghcr.io/digitalocean-packages/doks-debug:latest . - - name: Log into container registry - run: echo "${{ secrets.DockerHubToken }}" | docker login --username ${DOCKER_USER} --password-stdin + - name: log into container registry + run: echo "${{ secrets.GHCRTOKEN }}" | docker login ghcr.io --username "${{ secrets.GHCRUSER }}" --password-stdin - name: push image - run: docker push digitalocean/doks-debug:latest + run: docker push ghcr.io/digitalocean-packages/doks-debug:latest diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 38097ea..f6b0e5b 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -13,7 +13,7 @@ jobs: fetch-depth: 1 - name: build image - run: docker build -t doks-debug . + run: docker build --platform linux/amd64 -t doks-debug . - name: smoke test run: docker run --rm doks-debug sleep 1 diff --git a/Dockerfile b/Dockerfile index 51b3342..0922b33 100644 --- a/Dockerfile +++ b/Dockerfile 
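Review bot: The new login step in the second hunk authenticates to GHCR with a long-lived token held in repository secrets and splices both secrets straight into the shell text via `${{ secrets.GHCRTOKEN }}` / `${{ secrets.GHCRUSER }}`; the recommended shape is to pass them through `env:` and reference shell variables, and, if the `digitalocean-packages` org allows it, to drop the stored token entirely in favour of the job-scoped `GITHUB_TOKEN` with `permissions: packages: write` (no `permissions:` block is visible in this diff, so I cannot tell whether one already exists). The step also pushes only the mutable `:latest` tag, which is what the privileged DaemonSet/Deployment manifests in this same commit consume; adding an immutable tag such as `-t ghcr.io/digitalocean-packages/doks-debug:${{ github.sha }}` on the build and push lines would let the manifests pin a digest. There is no `docker logout` after the push, so the credential stays in the runner's `~/.docker/config.json` for the rest of the job.

```yaml
- name: log into container registry
  env:
    GHCR_USER: ${{ secrets.GHCRUSER }}
    GHCR_TOKEN: ${{ secrets.GHCRTOKEN }}
  run: echo "$GHCR_TOKEN" | docker login ghcr.io --username "$GHCR_USER" --password-stdin
```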
@@ -1,17 +1,18 @@ # match doks-debug version with DOKS worker node image version for kernel # tooling compatibility reasons -FROM debian:10-slim +FROM debian:12-slim + +# Specify the version of crictl to install +ARG CRICTL_VERSION="v1.31.1" WORKDIR /root # use same dpkg path-exclude settings that come by default with ubuntu:focal # image that we previously used -RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-exclude=/usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/copyright' > /etc/dpkg/dpkg.cfg.d/excludes -RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' > /etc/dpkg/dpkg.cfg.d/excludes - -RUN echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list +RUN echo 'path-exclude=/usr/share/locale/*/LC_MESSAGES/*.mo' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-exclude=/usr/share/doc/*' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/copyright' >> /etc/dpkg/dpkg.cfg.d/excludes +RUN echo 'path-include=/usr/share/doc/*/changelog.Debian.*' >> /etc/dpkg/dpkg.cfg.d/excludes RUN apt-get update -qq && \ apt-get install -y apt-transport-https \ 
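Review bot: `FROM debian:12-slim` is a floating tag, so two builds of this Dockerfile can start from different base layers and the release workflow rebuilds on every push; since the resulting image runs privileged with hostPID on every node, pin the base by digest as well, `FROM debian:12-slim@sha256:<digest>`, and bump it deliberately (the existing header comment about matching the DOKS worker image version is a good place to record why a given digest was chosen). Switching the four `echo` lines to `>>` fixes the earlier clobbering where each redirect overwrote the previous one, but they could now be a single `RUN printf '%s\n' ... > /etc/dpkg/dpkg.cfg.d/excludes`, which creates the file exactly once and drops three layers. The `RUN apt-get update ... apt-get install` command that begins at the end of this hunk continues outside it.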
@@ -30,24 +31,34 @@ RUN apt-get update -qq && \ jq \ dnsutils \ tcpdump \ + termshark \ traceroute \ iputils-ping \ + iptables \ net-tools \ ncat \ iproute2 \ strace \ + lsof \ telnet \ openssl \ psmisc \ dsniff \ mtr-tiny \ conntrack \ - llvm-8 llvm-8-tools \ + llvm-13 llvm-13-tools \ + wget \ + watch \ bpftool -RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \ - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" && \ - apt-get update -qq && \ - apt-get install -y docker-ce +# Install crictl +RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz && \ + tar zxvf crictl-${CRICTL_VERSION}-linux-amd64.tar.gz -C /usr/local/bin && \ + rm -f crictl-${CRICTL_VERSION}-linux-amd64.tar.gz + +# Specify the default image endpoint for crictl +RUN echo 'runtime-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml +RUN echo 'image-endpoint: unix:///run/containerd/containerd.sock' >> /etc/crictl.yaml +RUN echo 'timeout: 2' >> /etc/crictl.yaml CMD [ "/bin/bash" ] diff --git a/README.md b/README.md index 9485b02..cd732ff 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ This DaemonSet manifest will: 1. Ensure a pod with our Docker image is running indefinitely on every node. 2. Use `hostPID`, `hostIPC`, and `hostNetwork`. 3. Mount the entire host filesystem to `/host` in the containers. - 4. Mount `/var/run/docker.sock` from the host. + 4. Mount the `containerd` socket at `/run/containerd/containerd.sock` from the host into the container. In order to make use of these workloads, you can exec into a pod of choice by name: 
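Review bot: The new crictl install step fetches a tarball from GitHub releases and extracts it straight into `/usr/local/bin` with no checksum or signature check, so a wrong redirect, a compromised release asset or a MITM on the runner puts an arbitrary binary on PATH inside an image that later runs privileged with the containerd socket mounted; `CRICTL_VERSION` pins the version but not the bytes. Pin the expected digest alongside the version (cri-tools publishes a checksum file next to each tarball, as far as I recall; otherwise compute it once from a trusted download) and verify with `sha256sum -c` before `tar` runs, as sketched below. The `linux-amd64` asset name is hard-wired to match the `--platform linux/amd64` build flag added to the workflows; using `TARGETARCH` would keep the two from drifting apart if the platform is ever changed. The `apt-get install` list this hunk starts in begins outside the hunk.

```dockerfile
# Install crictl, verifying the release tarball against a pinned digest
# before anything from it lands on PATH
ARG CRICTL_SHA256="<sha256 of crictl-${CRICTL_VERSION}-linux-amd64.tar.gz>"
RUN wget -q "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" && \
    echo "${CRICTL_SHA256}  crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" | sha256sum -c - && \
    tar zxvf "crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" -C /usr/local/bin && \
    rm -f "crictl-${CRICTL_VERSION}-linux-amd64.tar.gz"
# … unchanged: /etc/crictl.yaml endpoint configuration …
```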
@@ -47,11 +47,11 @@ Once you're in, you have access to the set of tools listed in the `Dockerfile`. - [`netcat`](https://linux.die.net/man/1/nc) - is a multi-tool for interacting with TCP and UDP; it can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. - [`iproute2`](https://wiki.linuxfoundation.org/networking/iproute2) - is a collection of utilities for controlling TCP / IP networking and traffic control in Linux. - [`strace`](https://github.com/strace/strace) - is a diagnostic, debugging and instructional userspace utility with a traditional command-line interface for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. - - [`docker`](https://docs.docker.com/engine/reference/commandline/cli/) - is the CLI tool used for interacting with Docker containers on the system. - [`dstat`](http://dag.wiee.rs/home-made/dstat/) - is a versatile replacement for vmstat, iostat, netstat and ifstat. Dstat overcomes some of their limitations and adds some extra features, more counters and flexibility. Dstat is handy for monitoring systems during performance tuning tests, benchmarks or troubleshooting. - [`htop`](https://hisham.hm/htop/) - is interactive process viewer for Unix systems. - [`atop`](https://www.atoptool.nl/) - is an advanced interactive monitor for Linux-systems to view the load on system-level and process-level. - + - [`wget`](https://www.gnu.org/software/wget/) - for retrieving files using HTTP, HTTPS, FTP and FTPS. + - [`crictl`](https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md) - A CLI for CRI endpoints. Configured to use `/run/containerd/containerd.sock` as a default endpoint. # Tips and Tricks ## chroot + systemctl diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml index 6bd1527..55506ac 100644 --- a/k8s/daemonset.yaml 
+++ b/k8s/daemonset.yaml @@ -15,7 +15,9 @@ spec: name: doks-debug annotations: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + dnsPolicy: ClusterFirstWithHostNet hostPID: true hostIPC: true hostNetwork: true @@ -25,7 +27,7 @@ spec: - name: doks-debug securityContext: privileged: true - image: digitalocean/doks-debug:latest + image: ghcr.io/digitalocean-packages/doks-debug:latest command: [ "sleep", "infinity" ] resources: requests: @@ -37,15 +39,16 @@ spec: volumeMounts: - name: host mountPath: /host - - name: docker - mountPath: /var/run/docker.sock + - name: containerd + mountPath: /run/containerd/containerd.sock + terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / - - name: docker + - name: containerd hostPath: - path: /var/run/docker.sock + path: /run/containerd/containerd.sock type: Socket updateStrategy: rollingUpdate: diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 50816d0..18d0aca 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -16,7 +16,9 @@ spec: name: doks-debug annotations: clusterlint.digitalocean.com/disabled-checks: "hostpath-volume" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + dnsPolicy: ClusterFirstWithHostNet hostPID: true hostIPC: true hostNetwork: true @@ -26,7 +28,7 @@ spec: - name: doks-debug securityContext: privileged: true - image: digitalocean/doks-debug:latest + image: ghcr.io/digitalocean-packages/doks-debug:latest command: [ "sleep", "infinity" ] resources: requests: @@ -38,15 +40,16 @@ spec: volumeMounts: - name: host mountPath: /host - - name: docker - mountPath: /var/run/docker.sock + - name: containerd + mountPath: /run/containerd/containerd.sock + terminationGracePeriodSeconds: 0 volumes: - name: host hostPath: path: / - - name: docker + - name: containerd hostPath: - path: /var/run/docker.sock + path: /run/containerd/containerd.sock type: Socket strategy: rollingUpdate:
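Review bot: The DaemonSet's new image reference `ghcr.io/digitalocean-packages/doks-debug:latest` is a mutable tag on a pod that runs `privileged: true` with hostPID/hostIPC/hostNetwork, the host root at `/host` and, from the third hunk, the containerd socket, so whatever was most recently pushed to that tag becomes root on every node at the next pull (Kubernetes defaults `imagePullPolicy` to `Always` for `:latest`, and no explicit policy is visible here). Pin the image by digest, `image: ghcr.io/digitalocean-packages/doks-debug@sha256:<digest>`, or at minimum to an immutable tag that the release workflow also publishes, and bump it as part of a reviewed change. The `type: Socket` on the containerd hostPath is a good guard, since the pod fails to start rather than mounting a missing path as an empty directory; a comment such as `# containerd socket: grants node-root-equivalent access, see README` above that volume would make the intent explicit to anyone copying this manifest.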
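Review bot: In the Deployment, `terminationGracePeriodSeconds: 0` combined with the new `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"` annotation means an engineer exec'd into the pod (the README's intended use) is SIGKILLed without warning on any scale-down or rollout, and a running `tcpdump`/`termshark` capture is cut off with no chance to flush; a small non-zero value, e.g. `terminationGracePeriodSeconds: 5`, keeps teardown fast while leaving room for a clean exit. The pod template here duplicates the DaemonSet's line for line, so a comment at the top of the spec, `# keep in sync with k8s/daemonset.yaml`, would reduce the chance that a future hardening change lands in only one of them.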