diff --git a/README.md b/README.md index 2e07218..bb7a3d1 100644 --- a/README.md +++ b/README.md @@ -12,11 +12,16 @@ https://github.com/we-are-mono/OpenWRT-ASK/tree/mono-25.12.0-rc3/target/linux/la ## Build -To avoid frequent downloading on rebuild. Find and download the latest [kernel](https://github.com/nxp-qoriq/linux/archive/refs/tags/) and [busybox](https://github.com/mirror/busybox/archive/refs/tags/). -Put them into `dev/nxplinux.tar.gz` and `dev/busybox.tar.gz` respectively. +To avoid frequent downloading on rebuild. Find and download the latest packages + * [kernel](https://github.com/nxp-qoriq/linux/archive/refs/tags/) - `dev/nxplinux.tar.gz` + * [busybox](https://github.com/mirror/busybox/archive/refs/tags/) (for initramfs) - `dev/busybox.tar.gz` + * [CRI-O](https://github.com/cri-o/cri-o/releases) - `dev/crio.tar.gz` + * [Kubelet](https://kubernetes.io/releases/download/) - `dev/kubelet.tar.gz` + +Put them into the `dev/` directory ```bash -make itb # for out/board.itb +make itb # for out/board.itb (contains the kernel and the initramfs) make release # WORK IN PROGRESS ``` @@ -29,11 +34,11 @@ Rough idea ```bash ./configure -# - join cluster config +# - asks for some config for kubelet +# - Join a cluster? Start a cluster? make release - # Copy the new image to the upgrade-scheduler kubectl cp -n kube-system upgrade-scheduler:/tmp/upgrade.img diff --git a/alpine/build-rootfs.sh b/alpine/build-rootfs.sh index 286c1d4..2d88cd8 100755 --- a/alpine/build-rootfs.sh +++ b/alpine/build-rootfs.sh 
@@ -1,3 +1,19 @@ #!/bin/bash +mkdir -p "$ROOTFS/var/cache/apk" +mkdir -p "$ROOTFS/build" +mount --bind /var/cache/apk "$ROOTFS/var/cache/apk" +mount --bind /dev "$ROOTFS/dev" +mount --bind /proc "$ROOTFS/proc" +mount --bind /sys "$ROOTFS/sys" +mount --bind /run "$ROOTFS/run" +cp /usr/bin/qemu-aarch64-static "$ROOTFS/usr/bin/" +cp /etc/resolv.conf "$ROOTFS/etc/resolv.conf" +cp /build/crio.tar.gz "$ROOTFS/build/" + +chroot "$ROOTFS" /bin/sh -c "ln -s /var/cache/apk /etc/apk/cache" +# chroot "$ROOTFS" /bin/sh -c "apk update" +chroot "$ROOTFS" /bin/sh -c "apk add bash curl" +cp "/install-packages.sh" "$ROOTFS/install-packages.sh" +chroot "$ROOTFS" /bin/bash /install-packages.sh diff --git a/alpine/install-packages.sh b/alpine/install-packages.sh new file mode 100755 index 0000000..6aeb61f --- /dev/null +++ b/alpine/install-packages.sh @@ -0,0 +1,33 @@ +#!/bin/bash + +cd /build + +### CRI-O + +tar zxf crio.tar.gz +cd cri-o + +./install + +crio --version +crio config 2>&1 > /dev/null +if [ $? -ne 0 ]; then + crio config + exit $? +fi + +#grep -nE 'conmon|default_runtime|runtime_path|monitor-path|pinns_path' /etc/crio/crio.conf.d/10-crio.conf +#crio config | grep -E 'conmon|default_runtime|runtime_path|pinns_path|network_dir|plugin_dirs|cgroup_manager' +echo "--------------" +sed -i "s/default_runtime = \"crun\"/\0\ncgroup_manager = \"cgroupfs\"/g" /etc/crio/crio.conf.d/10-crio.conf +cat /etc/crio/crio.conf.d/10-crio.conf + +mkdir -p /var/run/crio +mkdir -p /var/lib/containers/storage +mkdir -p /var/lib/cni +mkdir -p /etc/cni/net.d +mkdir -p /opt/cni/bin +mkdir -p /run/crun +mkdir -p /run/runc + +crio --log-level debug diff --git a/alpine/prepare-chroot.sh b/alpine/prepare-chroot.sh deleted file mode 100755 index 31c57d9..0000000 --- a/alpine/prepare-chroot.sh +++ /dev/null 
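Review bot: The bind mounts of the host's /dev, /proc, /sys, /run and /var/cache/apk into "$ROOTFS" are never unmounted, and nothing in the script stops on error, so a failed `mount` or `cp` still lets the `chroot` lines run against a partial tree. The makefile hunk runs this under `docker run --privileged`, and with `ROOTFS` unset every path here resolves to the container's own root; `set -euo pipefail` right after the shebang catches both the unset variable and the failed commands. A cleanup trap that unmounts on exit keeps host content out of the rootfs if it is later archived, and avoids stacked bind mounts when the same $ROOTFS is rebuilt. With `set -e` the `ln -s` line should become `ln -sfn` so a rerun does not abort on the existing link. The old file's remaining lines are not shown in this hunk.
```shell
#!/bin/bash
set -euo pipefail

# Undo the bind mounts on any exit so host /dev,/proc,/sys,/run and the apk
# cache never end up inside the rootfs tree (reverse order of mounting).
cleanup() {
    for d in run sys proc dev var/cache/apk; do
        umount "$ROOTFS/$d" 2>/dev/null || true
    done
}
trap cleanup EXIT

# … unchanged: mkdir / mount --bind / cp lines …
chroot "$ROOTFS" /bin/sh -c "ln -sfn /var/cache/apk /etc/apk/cache"
# … unchanged: apk add, install-packages.sh copy and chroot …
```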
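Review bot: `crio --log-level debug` on the last line starts the CRI-O daemon in the foreground inside the chroot, so the rootfs build blocks there until the daemon exits (or fails under the qemu-user emulation that build-rootfs.sh copies in); if it is meant as a smoke test, bound it, `timeout 10 crio --log-level debug || true`, otherwise drop it. Nothing aborts on error either: a failed `cd /build`, `tar zxf crio.tar.gz` or `./install` still lets the later `crio config` and `sed -i` run, so add `set -euo pipefail` after the shebang. `crio config 2>&1 > /dev/null` discards stdout but still prints stderr because redirections apply left to right; the usual form is `crio config > /dev/null 2>&1`. The `sed -i` that inserts `cgroup_manager` is a silent no-op if the `default_runtime = "crun"` line is absent from 10-crio.conf, so follow it with `grep -q '^cgroup_manager' /etc/crio/crio.conf.d/10-crio.conf`. crio.tar.gz is extracted with no integrity check; keeping the release's checksum next to it in `dev/` and running `sha256sum -c` before `tar zxf` would pin exactly which build goes into the image.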
@@ -1,16 +0,0 @@ -#!/bin/bash - -mkdir -p "$ROOTFS/var/cache/apk" -mount --bind /var/cache/apk "$ROOTFS/var/cache/apk" -mount --bind /dev "$ROOTFS/dev" -mount --bind /proc "$ROOTFS/proc" -mount --bind /sys "$ROOTFS/sys" -mount --bind /run "$ROOTFS/run" - -cp /usr/bin/qemu-aarch64-static "$ROOTFS/usr/bin/" -cp /etc/resolv.conf "$ROOTFS/etc/resolv.conf" - -chroot "$ROOTFS" /bin/sh -c "ln -s /var/cache/apk /etc/apk/cache" -chroot "$ROOTFS" /bin/sh -c "apk update; apk add bash curl" -cp "/build-rootfs.sh" "$ROOTFS/build-rootfs.sh" -chroot "$ROOTFS" /bin/bash /build-rootfs.sh diff --git a/docker/alpine.Dockerfile b/docker/alpine.Dockerfile index c74c809..695d3b7 100644 --- a/docker/alpine.Dockerfile +++ b/docker/alpine.Dockerfile @@ -16,6 +16,7 @@ RUN mkdir -p "/out/rootfs" # Dev-only shortcut COPY dev/alpine.tar.gz ./ +COPY dev/crio.tar.gz ./ RUN tar -xf alpine.tar.gz -C "/out/rootfs" diff --git a/kernel-extra.config b/kernel-extra.config index d7d8c04..bb08456 100644 --- a/kernel-extra.config +++ b/kernel-extra.config 
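Review bot: `COPY dev/crio.tar.gz ./` places the tarball relative to whatever WORKDIR is in effect above this hunk, while the new alpine/build-rootfs.sh reads it from the absolute path `/build/crio.tar.gz`; an explicit destination, `COPY dev/crio.tar.gz /build/crio.tar.gz`, removes that hidden coupling. The archive is a hand-downloaded release (per the README hunk) copied in with no checksum, so the build image depends on whatever happens to be in `dev/` at build time; copying a `dev/crio.tar.gz.sha256` alongside it and verifying it before extraction would make the image reproducible. The WORKDIR line, if any, is outside this hunk.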
@@ -1,4 +1,312 @@ +############################################################################### +# Core initramfs / board support +# These are built-in because you said initramfs needs them and you want them +# available early during boot. +############################################################################### + CONFIG_HWMON=y +# Hardware monitoring framework. Needed so sensor drivers can expose temps/fans. + CONFIG_I2C=y +# Core I2C subsystem. Required by your RTC/fan controller drivers. + CONFIG_SENSORS_EMC2305=y +# EMC2305 fan controller driver. Built-in so fan control is available early. + CONFIG_RTC_DRV_PCF2127=y +# RTC driver for PCF2127. Built-in so timekeeping is available early. + + +############################################################################### +# Namespaces +# These are fundamental container primitives. Keep these built-in. +############################################################################### + +CONFIG_NAMESPACES=y +# Master switch for Linux namespaces. + +CONFIG_UTS_NS=y +# Isolates hostname/domainname per container. + +CONFIG_IPC_NS=y +# Isolates SysV IPC and POSIX message queues between containers. + +CONFIG_PID_NS=y +# Gives containers their own PID tree (so processes inside see their own PID 1). + +CONFIG_NET_NS=y +# Gives containers their own network stack, interfaces, routing, etc. + +CONFIG_USER_NS=y +# User namespaces. Useful for modern container behavior and future flexibility. +# Not every setup strictly needs this on day one, but I would enable it. + + +############################################################################### +# Cgroups / resource control +# Required for kubelet/CRI-O to manage resource isolation. +############################################################################### + +CONFIG_CGROUPS=y +# Master switch for cgroups. + +CONFIG_CGROUP_BPF=y +# Allows BPF programs to be attached to cgroups. Not required for first boot, +# but modern systems increasingly expect this. 
+ +CONFIG_CGROUP_FREEZER=y +# Allows freezing/thawing process groups. Useful for container lifecycle control. + +CONFIG_CGROUP_PIDS=y +# Limits number of processes in a cgroup. + +CONFIG_CGROUP_DEVICE=y +# Controls device access from containers. + +CONFIG_CPUSETS=y +# CPU affinity partitioning by cgroup. + +CONFIG_MEMCG=y +# Memory cgroup support. Critical for container memory accounting/limits. + +CONFIG_BLK_CGROUP=y +# Block IO control/accounting for cgroups. + +CONFIG_CGROUP_SCHED=y +# Scheduler integration for cgroups. + +CONFIG_FAIR_GROUP_SCHED=y +# Fair scheduler group support for cgroups. + +CONFIG_CFS_BANDWIDTH=y +# CPU quota/limit support. Important for kubelet resource enforcement. + + +############################################################################### +# Filesystem / tmpfs / container filesystem basics +############################################################################### + +CONFIG_KEYS=y +# Kernel key retention service. Commonly relied on by container/userland tooling. + +CONFIG_TMPFS=y +# Tmpfs support. Containers and runtimes rely on this heavily. + +CONFIG_TMPFS_XATTR=y +# Extended attributes on tmpfs. Useful for container runtime behavior. + +CONFIG_TMPFS_POSIX_ACL=y +# POSIX ACLs on tmpfs. Good compatibility feature for userland. + +CONFIG_OVERLAY_FS=m +# Overlay filesystem. This is the big one for container image/layer storage. +# Module is fine; CRI-O can load/use it after boot. No need to bloat FIT image. + +CONFIG_FS_POSIX_ACL=y +# General POSIX ACL support. Good to have for overlay/tmpfs behavior. + + +############################################################################### +# Core networking stack +############################################################################### + +CONFIG_INET=y +# IPv4 stack. + +CONFIG_IPV6=y +# IPv6 stack. You may be tempted to disable it, but Kubernetes/container stacks +# increasingly assume it exists. Keep it on unless you have a hard reason not to. 
+ +CONFIG_UNIX=y +# Unix domain sockets. Containers and runtimes absolutely rely on this. + +CONFIG_TUN=m +# TUN/TAP device support. Commonly used by networking tools/VPN/CNI-related flows. +# Module is fine. + +CONFIG_DUMMY=m +# Dummy network interface. Sometimes useful for CNI/network setups and testing. + + +############################################################################### +# Netfilter / packet filtering / NAT +# This is where container networking gets messy. Better to enable a sane baseline. +############################################################################### + +CONFIG_NETFILTER=m +# Netfilter core framework. Module is okay if your setup loads it before use. + +CONFIG_NETFILTER_ADVANCED=y +# Exposes more advanced netfilter options and modules. + +CONFIG_NF_CONNTRACK=m +# Connection tracking. Critical for NAT, Kubernetes service traffic, and many CNIs. + +CONFIG_NF_NAT=m +# NAT framework. Required for masquerading and pod egress in many setups. + +CONFIG_NF_TABLES=m +# nftables framework. Modern Linux packet filtering backend. + +CONFIG_NFT_CT=m +# nftables conntrack expressions. + +CONFIG_NFT_CHAIN_NAT=m +# nftables NAT chain support. + +CONFIG_NFT_MASQ=m +# nftables masquerade support. Often needed for pod egress NAT. + +CONFIG_NFT_REDIR=m +# nftables redirect target. + +CONFIG_NFT_NAT=m +# nftables NAT support. + +CONFIG_NF_NAT_IPV4=m +# IPv4 NAT helper support. Some kernels still expose this separately. + +CONFIG_NF_NAT_IPV6=m +# IPv6 NAT helper support. + +CONFIG_IP_NF_IPTABLES=m +# iptables compatibility for IPv4. Still useful because lots of CNI/plugin code +# still expects iptables even on nft-backed systems. + +CONFIG_IP_NF_NAT=m +# IPv4 NAT support for iptables compatibility. + +CONFIG_IP6_NF_IPTABLES=m +# ip6tables compatibility. + +CONFIG_IP_SET=m +# IP sets. Useful for some network policies / firewalling toolchains. + +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m +# xtables match for address types. Often used in iptables rules. 
+ +CONFIG_NETFILTER_XT_MATCH_COMMENT=m +# Allows comments in iptables rules. Not critical, but harmless and useful. + +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m +# xtables conntrack matching. + +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m +# Match multiple ports in one rule. + +CONFIG_NETFILTER_XT_MATCH_TCPMSS=m +# Useful for TCP MSS clamping in some network paths. + +CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m +# iptables MASQUERADE target. Very commonly needed for pod outbound NAT. + +CONFIG_NETFILTER_XT_TARGET_REDIRECT=m +# Redirect target. + +CONFIG_NETFILTER_XT_TARGET_MARK=m +# Packet marking support. Useful for advanced networking/routing rules. + +CONFIG_NETFILTER_XT_TARGET_CT=m +# Connection tracking target for xtables. + +# Optional. Good only if you know you need transparent proxying. +# Not required for initial CRI-O bring-up. +# CONFIG_NETFILTER_XT_TARGET_TPROXY=m + + +############################################################################### +# Bridge / container interface plumbing +############################################################################### + +CONFIG_VETH=m +# Virtual Ethernet pairs. This is how container interfaces are commonly connected +# to the host/network namespace. + +CONFIG_BRIDGE=m +# Ethernet bridge support. Needed by bridge-based CNIs. + +CONFIG_BRIDGE_NETFILTER=m +# Allows bridged traffic to pass through netfilter/iptables/nftables hooks. +# Important for Kubernetes networking behavior. + +# Optional / version-dependent: +# Some kernels expose additional ebtables/bridge netfilter pieces separately. +# Keep this if your kernel has it, but don't panic if it doesn't. +CONFIG_BRIDGE_NF_EBTABLES=m +# Bridge filtering via ebtables compatibility. Sometimes useful, not always critical. + + +############################################################################### +# Security / sandboxing +############################################################################### + +CONFIG_SECCOMP=y +# Secure computing mode. 
Lets runtimes restrict syscall surface. + +CONFIG_SECCOMP_FILTER=y +# BPF-based seccomp filters. This is the useful seccomp mode for containers. + +# AppArmor / SELinux are optional depending on distro/security model. +# Alpine often won't use AppArmor by default; that's fine for first bring-up. + +# If your kernel tree has these and you care later: +# CONFIG_SECURITY=y +# CONFIG_SECURITYFS=y + + +############################################################################### +# Misc userspace/container compatibility +############################################################################### + +CONFIG_POSIX_MQUEUE=y +# POSIX message queues. Containers/apps sometimes rely on this. + +CONFIG_EPOLL=y +# Event polling. Usually already enabled; standard modern userspace feature. + +CONFIG_SIGNALFD=y +# File-descriptor-based signal delivery. Common Linux userspace feature. + +CONFIG_TIMERFD=y +# File-descriptor timers. Common Linux userspace feature. + +CONFIG_EVENTFD=y +# Event notification file descriptors. Common Linux userspace feature. + +CONFIG_MEMFD_CREATE=y +# Anonymous memory-backed file creation. Widely used by modern software. + +CONFIG_FHANDLE=y +# File handle support. Useful for container/runtime operations. + +CONFIG_DMIID=n +# Optional on embedded boards; usually not needed unless your tree selects it. + + +############################################################################### +# Storage / block / other practical container bits +############################################################################### + +CONFIG_BLK_DEV_LOOP=y +# Loop devices. Often useful for image/layer tooling or debugging. +# Could be =m too, but built-in is harmless and often convenient. + +CONFIG_AUTOFS_FS=y +# Automount filesystem support. Not strictly required for CRI-O, but harmless. + +CONFIG_PROC_FS=y +# /proc support. Essential. + +CONFIG_SYSFS=y +# /sys support. Essential. + +CONFIG_DEVTMPFS=y +# Kernel-managed /dev population support. 
+ +CONFIG_DEVTMPFS_MOUNT=y +# Automatically mount devtmpfs. Very practical on small/custom systems. + +### Disable XEN because it breaks our build and we don't need it +CONFIG_XEN=n +CONFIG_XEN_DOM0=n +CONFIG_VHOST_XEN=n diff --git a/makefile b/makefile index 36000a3..df9d58d 100644 --- a/makefile +++ b/makefile @@ -49,11 +49,11 @@ buildenv-alpine: build-base --build-arg ALPINE_VER=$(ALPINE_VER) \ -t $(DOCKER_IMAGE_ROOT)/buildenv-alpine:$(TAG) . -alpine-rootfs: buildenv-alpine +alpine-rootfs: buildenv-alpine kernel-build docker run --rm -it \ --privileged \ -v /cache/apk:/var/cache/apk \ -v /cache/artifacts:/artifacts \ -e ROOTFS=/out/rootfs \ $(DOCKER_IMAGE_ROOT)/buildenv-alpine:$(TAG) \ - bash -lc '/prepare-chroot.sh && /build-rootfs.sh' + bash -lc '/build-rootfs.sh'
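Review bot: `CONFIG_NETFILTER=m` sets a symbol that net/Kconfig declares as `bool`, so `m` is not a valid value; kconfig warns `symbol value 'm' invalid for NETFILTER` and leaves it at its default, and the whole `NF_*`/`NFT_*`/`IP_NF_*`/`NETFILTER_XT_*` block below depends on it, so it should read `CONFIG_NETFILTER=y`. The `=n` entries (`CONFIG_DMIID=n`, `CONFIG_XEN=n`, `CONFIG_XEN_DOM0=n`, `CONFIG_VHOST_XEN=n`) are accepted but a regenerated .config always spells them `# CONFIG_XEN is not set`, which is the canonical form for a fragment. On the security side, `CONFIG_USER_NS=y` is enabled with a comment saying it is not strictly needed, while LSM support stays commented out (`# CONFIG_SECURITY=y`); unprivileged user namespaces widen the kernel attack surface reachable from a container, so if it stays on the rootfs should set the `user.max_user_namespaces` sysctl to bound them, and enabling `CONFIG_SECURITY` is what lets CRI-O apply an LSM profile later. The comments are written as a chat reply (`# These are built-in because you said initramfs needs them`, `# Not every setup strictly needs this on day one, but I would enable it`, `# don't panic if it doesn't`) and should be rewritten as plain rationale tied to the target board and kernel version. `CONFIG_NF_NAT_IPV4`/`CONFIG_NF_NAT_IPV6` were folded into `CONFIG_NF_NAT` in newer mainline kernels, so whether they still exist depends on the NXP tree in use and is worth checking against its Kconfig rather than carrying both.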
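Review bot: The `docker run` recipe keeps `-it`, which makes the `alpine-rootfs` target fail with "the input device is not a TTY" whenever make runs without a terminal (CI, `nohup`, piped output); the script reads no stdin, so dropping `-it`, or moving it into a `DOCKER_TTY ?=` variable that defaults to empty, keeps the target usable non-interactively. `kernel-build` is added as a prerequisite, but nothing in the recipe changes to hand kernel output into the container; if the intent is that the rootfs picks up the modules that kernel-extra.config now builds as `=m`, the mount that delivers them should be visible here (it may already be `/cache/artifacts`, which this hunk does not show). `--privileged` is required because build-rootfs.sh bind-mounts /dev, /proc and /sys and chroots; a comment on the recipe, `# --privileged: build-rootfs.sh bind-mounts /dev,/proc,/sys and chroots into $ROOTFS`, records why it cannot be narrowed to a capability set. `alpine-rootfs` produces no file of that name, so it should be listed in `.PHONY` if it is not already (the declaration is outside this hunk).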