diff --git a/devel/addon/kyverno/BUILD.bazel b/devel/addon/kyverno/BUILD.bazel
index 6df04e38c..d466b1ec0 100644
--- a/devel/addon/kyverno/BUILD.bazel
+++ b/devel/addon/kyverno/BUILD.bazel
@@ -1,3 +1,21 @@
+load("@io_bazel_rules_docker//container:bundle.bzl", "container_bundle")
+
+container_bundle(
+    name = "bundle_v1.3.6",
+    images = {
+        "ghcr.io/kyverno/kyverno:v1.3.6": "@io_kyverno//image",
+    },
+    tags = ["manual"],
+)
+
+container_bundle(
+    name = "pre_bundle_v1.3.6",
+    images = {
+        "ghcr.io/kyverno/kyvernopre:v1.3.6": "@io_kyverno_pre//image",
+    },
+    tags = ["manual"],
+)
+
 filegroup(
     name = "package-srcs",
     srcs = glob(["**"]),
diff --git a/devel/addon/kyverno/install.sh b/devel/addon/kyverno/install.sh
index a991695d3..5aadf2e0a 100755
--- a/devel/addon/kyverno/install.sh
+++ b/devel/addon/kyverno/install.sh
@@ -28,15 +28,31 @@ set -o pipefail
 SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")
 source "${SCRIPT_ROOT}/../../lib/lib.sh"
 
-KYVERNO_VERSION="v1.3.6"
-
 check_tool kubectl
 check_tool helm
 
+CHART_VERSION="v1.3.6"
+IMAGE_TAG="v1.3.6"
+PRE_IMAGE_TAG="v1.3.6"
+
+require_image "ghcr.io/kyverno/kyverno:${IMAGE_TAG}" "//devel/addon/kyverno:bundle_${IMAGE_TAG}"
+require_image "ghcr.io/kyverno/kyverno:${PRE_IMAGE_TAG}" "//devel/addon/kyverno:bundle_${PRE_IMAGE_TAG}"
+
+
 # Install latest version of Kyverno
 helm repo add kyverno https://kyverno.github.io/kyverno/
 helm repo update
-helm upgrade --install --wait kyverno kyverno/kyverno --namespace kyverno --create-namespace --version "${KYVERNO_VERSION}"
+helm upgrade \
+  --debug \
+  --install \
+  --wait \
+  --namespace kyverno \
+  --create-namespace \
+  --version "${CHART_VERSION}" \
+  --set image.tag="${IMAGE_TAG}" \
+  --set initImage.tag="${IMAGE_TAG}" \
+  kyverno \
+  kyverno/kyverno
 # Install cert-manager specific Pod security policy
 kubectl create ns cert-manager || true
 kubectl apply -f ${SCRIPT_ROOT}/policy.yaml
diff --git a/hack/utils.sh b/hack/utils.sh
index 79de9903c..020fabb39 100755
--- a/hack/utils.sh
+++ b/hack/utils.sh
@@ -67,4 +67,4 @@ replace_go_autogen_tags() {
 	# See https://go.googlesource.com/proposal/+/master/design/draft-gobuild.md
         sed "${sed_args}"  -e "s/$REPLACE_NEW/go\:build\ \!ignore_autogenerated/" "${file}" \
           -e "s/$REPLACE_OLD/\+build \!ignore_autogenerated/" "${file}"
-}
\ No newline at end of file
+}
diff --git a/test/e2e/images.bzl b/test/e2e/images.bzl
index 8200ac459..83371db98 100644
--- a/test/e2e/images.bzl
+++ b/test/e2e/images.bzl
@@ -53,6 +53,22 @@ def install():
         digest = "sha256:8c0abb209aaef63631d1c85add422ca51848ccee2f87aea06558d37bda1c8e91",
     )
 
+    container_pull(
+        name = "io_kyverno",
+        registry = "ghcr.io",
+        repository = "kyverno/kyverno",
+        tag = "v1.3.6",
+        digest = "sha256:7d7972e7d9ed2a6da27b06ccb1c3c5d3544838d6cedb67a050ba7d655461ef52",
+    )
+
+    container_pull(
+        name = "io_kyverno_pre",
+        registry = "ghcr.io",
+        repository = "kyverno/kyvernopre",
+        tag = "v1.3.6",
+        digest = "sha256:e76fb71c59449bca1028724a88005652409b56efb90bbcdce56b0d083bda6568",
+    )
+
     ## Fetch traefik for use during e2e tests.
     container_pull(
         name = "io_traefik_traefik",