diff --git a/roles/ensure-kubernetes/tasks/crio-Ubuntu-20.04.yaml b/roles/ensure-kubernetes/tasks/crio-Ubuntu-20.04.yaml
new file mode 100644
index 000000000..bc8c2e0b6
--- /dev/null
+++ b/roles/ensure-kubernetes/tasks/crio-Ubuntu-20.04.yaml
@@ -0,0 +1,28 @@
+- name: Add all repositories
+  include_role:
+    name: ensure-package-repositories
+  vars:
+    repositories_keys:
+      - url: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_distribution_version }}/Release.key"
+      - url: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.24/xUbuntu_{{ ansible_distribution_version }}/Release.key"
+    repositories_list:
+      - repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_distribution_version }}/ /"
+      - repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.24/xUbuntu_{{ ansible_distribution_version }}/ /"
+- name: Install packages
+  package:
+    name:
+      - cri-o
+      - cri-o-runc
+      - containernetworking-plugins
+      - podman
+      - cri-tools
+    state: present
+  become: true
+- name: Set crio cgroup driver
+  ini_file:
+    path: /etc/crio/crio.conf
+    section: crio.runtime
+    option: cgroup_manager
+    value: '"cgroupfs"'
+    mode: 0644
+  become: true
diff --git a/roles/ensure-kubernetes/tasks/crio-default.yaml b/roles/ensure-kubernetes/tasks/crio-default.yaml
index bc8c2e0b6..46760257b 100644
--- a/roles/ensure-kubernetes/tasks/crio-default.yaml
+++ b/roles/ensure-kubernetes/tasks/crio-default.yaml
@@ -1,28 +1,62 @@
 - name: Add all repositories
+  # Instructions from here: https://github.com/cri-o/packaging making
+  # the assumption that CRIO_VERSION == KUBERNETES_VERSION
   include_role:
     name: ensure-package-repositories
   vars:
     repositories_keys:
-      - url: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_distribution_version }}/Release.key"
-      - url: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.24/xUbuntu_{{ ansible_distribution_version }}/Release.key"
+      - url: "https://pkgs.k8s.io/core:/stable:/{{ ensure_kubernetes_kubectl_version }}/deb/Release.key"
+      - url: "https://pkgs.k8s.io/addons:/cri-o:/stable:/{{ ensure_kubernetes_kubectl_version }}/deb/Release.key"
     repositories_list:
-      - repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_distribution_version }}/ /"
-      - repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.24/xUbuntu_{{ ansible_distribution_version }}/ /"
+      - repo: "deb https://pkgs.k8s.io/core:/stable:/{{ ensure_kubernetes_kubectl_version }}/deb/ /"
+      - repo: "deb https://pkgs.k8s.io/addons:/cri-o:/stable:/{{ ensure_kubernetes_kubectl_version }}/deb/ /"
+
 - name: Install packages
   package:
     name:
       - cri-o
-      - cri-o-runc
+      - runc
       - containernetworking-plugins
-      - podman
       - cri-tools
+      - podman
+      - kubernetes-cni
     state: present
   become: true
-- name: Set crio cgroup driver
+
+# The the following two options are recommended from cri-o install notes
+- name: Enable ipv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+  become: true
+
+- name: Load br_netfilter
+  modprobe:
+    name: br_netfilter
+    state: present
+    persistent: present
+  become: true
+
+- name: Find networking plugins
   ini_file:
     path: /etc/crio/crio.conf
-    section: crio.runtime
-    option: cgroup_manager
-    value: '"cgroupfs"'
+    section: crio.network
+    option: plugin_dirs
+    value:
+      - '/opt/cni/bin/'
+      - '/usr/lib/cni'
     mode: 0644
   become: true
+  register: _crio_conf_updated
+
+# NOTE: want to restart here rather than notify and do it later, so
+# that we don't go on without the config correct.
+- name: Restart crio to pickup changes  # noqa no-handler
+  service:
+    name: crio
+    state: restarted
+  become: yes
+  when: _crio_conf_updated.changed
diff --git a/roles/ensure-kubernetes/tasks/microk8s.yaml b/roles/ensure-kubernetes/tasks/microk8s.yaml
index 3b747224e..45d6f218b 100644
--- a/roles/ensure-kubernetes/tasks/microk8s.yaml
+++ b/roles/ensure-kubernetes/tasks/microk8s.yaml
@@ -1,7 +1,7 @@
 - name: Check distro
   assert:
-    that: ansible_distribution_release in ['jammy', 'bookworm']
-    msg: 'This role only supported on Jammy or Bookworm'
+    that: ansible_distribution_release in ['jammy', 'bookworm', 'noble']
+    msg: 'This role is only supported on Jammy or Bookworm or Noble'
 
 - name: Install snapd
   become: yes
diff --git a/roles/ensure-kubernetes/tasks/minikube.yaml b/roles/ensure-kubernetes/tasks/minikube.yaml
index 063358e24..4f18ea713 100644
--- a/roles/ensure-kubernetes/tasks/minikube.yaml
+++ b/roles/ensure-kubernetes/tasks/minikube.yaml
@@ -3,6 +3,16 @@
     path: /tmp/minikube
   register: stat_result
 
+# This is needed because minikube is installed in /tmp
+- name: Disable protections for races in /tmp
+  sysctl:
+    name: fs.protected_regular
+    value: '0'
+    sysctl_set: true
+    state: present
+    reload: true
+  become: true
+
 - name: Download Minikube
   get_url:
     url: https://storage.googleapis.com/minikube/releases/{{ minikube_version }}/minikube-linux-amd64
@@ -17,13 +27,28 @@
     dest: /usr/local/bin/kubectl
     state: link
 
+- name: Get the kubernetes version
+  command: >-
+    /tmp/minikube kubectl --
+    version --client=true --output=json
+  changed_when: False
+  register: ensure_kubernetes_kubectl_version_result
+
+- name: Set the kubernetes version
+  vars:
+    kubectl_version: >-
+      {{ ensure_kubernetes_kubectl_version_result.stdout | from_json }}
+  set_fact:
+    ensure_kubernetes_kubectl_version: >-
+      v{{ kubectl_version['clientVersion']['major'] }}.{{ kubectl_version['clientVersion']['minor'] }}
+
 - name: Run ensure-docker role
   include_role:
     name: ensure-docker
 
-# Ubuntu focal doesn't have cri-o-1.15 packages, per distro tasks is
-# required to install crio
-- name: Install crio
+# Ubuntu doesn't have cri-o packages, per distro tasks is
+# required to install cri-o
+- name: Install cri-o
   # Note this is required even for the docker runtime, as minikube only
   # supports cri now.  See below for the docker wrapper
   include_tasks: "{{ zj_distro_os }}"
diff --git a/roles/ensure-podman/tasks/Ubuntu.yaml b/roles/ensure-podman/tasks/Ubuntu.yaml
index 556ef96ef..de353a593 100644
--- a/roles/ensure-podman/tasks/Ubuntu.yaml
+++ b/roles/ensure-podman/tasks/Ubuntu.yaml
@@ -1,12 +1,3 @@
-- name: Add kubic project repository
-  include_role:
-    name: ensure-package-repositories
-  vars:
-    repositories_keys:
-      - url: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_distribution_version }}/Release.key"
-    repositories_list:
-      - repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_distribution_version }}/ /"
-
 - name: Install podman
   package:
     name:
@@ -15,21 +6,16 @@
       - slirp4netns
       - fuse-overlayfs
       - containernetworking-plugins
+      # This enables container network dns resolution:
+      - golang-github-containernetworking-plugin-dnsname
     state: present
   become: yes
 
-# NOTE(pabelanger): Remove default registries.conf file, so we can manage it
-# ourself. It could have v1 syntax, which doesn't work with v2.
-- name: Remove /etc/containers/registries.conf
-  become: true
-  file:
-    state: absent
-    path: /etc/containers/registries.conf
-
 - name: Create containers config dir
   file:
     path: '{{ ansible_user_dir }}/.config/containers'
     state: directory
+
 - name: Force cgroup manager to cgroupfs for Ubuntu
   copy:
     content: |
diff --git a/roles/use-buildset-registry/defaults/main.yaml b/roles/use-buildset-registry/defaults/main.yaml
index fb0971126..e55374faa 100644
--- a/roles/use-buildset-registry/defaults/main.yaml
+++ b/roles/use-buildset-registry/defaults/main.yaml
@@ -2,3 +2,4 @@ buildset_registry_namespaces:
   - ['docker.io', 'https://registry-1.docker.io']
   - ['quay.io', 'https://quay.io']
   - ['gcr.io', 'https://gcr.io']
+  - ['registry.k8s.io', 'https://registry.k8s.io']
diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml
index a2fed6249..e6f17d7e8 100644
--- a/roles/use-buildset-registry/tasks/main.yaml
+++ b/roles/use-buildset-registry/tasks/main.yaml
@@ -79,13 +79,38 @@
     mode: 0644
   become: true
 
-- name: Restart docker daemon
-  service:
-    name: docker
-    state: restarted
-  become: true
-  register: docker_restart
-  failed_when: docker_restart is failed and not 'Could not find the requested service' in docker_restart.msg
+- name: Populate service facts
+  service_facts:
+
+# This is a copy of the logic from the ensure-docker handlers
+- name: Restart docker if it exists
+  block:
+    - name: Stop docker.socket to avoid any conflict
+      become: true
+      service:
+        name: docker.socket
+        enabled: yes
+        state: stopped
+      failed_when: false
+
+    - name: Assure docker service is running
+      become: true
+      service:
+        name: docker
+        enabled: yes
+        state: started
+
+    - name: Assure docker.socket service is running
+      become: true
+      service:
+        name: docker.socket
+        enabled: yes
+        state: started
+      failed_when: false
+  when:
+    # docker-ce may have been uninstalled by cri-o
+    - "'docker.service' in ansible_facts.services"
+    - ansible_facts.services['docker.service']['status'] != 'not-found'
 
 - name: Ensure containers directory exists
   become: yes
diff --git a/test-playbooks/ensure-kubernetes/post.yaml b/test-playbooks/ensure-kubernetes/post.yaml
index 76c5d0bda..cf4cc30dc 100644
--- a/test-playbooks/ensure-kubernetes/post.yaml
+++ b/test-playbooks/ensure-kubernetes/post.yaml
@@ -24,7 +24,7 @@
                 restartPolicy: Never
                 containers:
                   - name: test
-                    image: k8s.gcr.io/pause:3.1
+                    image: registry.k8s.io/pause:3.1
 
         - name: Start pod
           command: kubectl apply -f test-pod.yaml
diff --git a/zuul-tests.d/container-roles-jobs.yaml b/zuul-tests.d/container-roles-jobs.yaml
index 55bc0cf00..85d0053ed 100644
--- a/zuul-tests.d/container-roles-jobs.yaml
+++ b/zuul-tests.d/container-roles-jobs.yaml
@@ -368,6 +368,11 @@
       - test-playbooks/registry/test-registry-post.yaml
     vars:
       container_command: podman
+    # There seems to be flakiness in pre-Noble
+    nodeset:
+      nodes:
+        - name: ubuntu-noble
+          label: ubuntu-noble
 
 - job:
     name: zuul-jobs-test-ensure-kubernetes-crio
@@ -396,15 +401,6 @@
         - name: ubuntu-focal
           label: ubuntu-focal
 
-- job:
-    name: zuul-jobs-test-ensure-kubernetes-crio-ubuntu-jammy
-    description: Test the ensure-kubernetes role with crio-o on ubuntu-jammy
-    parent: zuul-jobs-test-ensure-kubernetes-crio
-    nodeset:
-      nodes:
-        - name: ubuntu-jammy
-          label: ubuntu-jammy
-
 - job:
     name: zuul-jobs-test-ensure-kubernetes-microk8s
     description: |
@@ -564,7 +560,6 @@
         - zuul-jobs-test-registry-buildset-registry-k8s-microk8s
         - zuul-jobs-test-registry-buildset-registry-k8s-crio
         - zuul-jobs-test-ensure-kubernetes-crio-ubuntu-focal
-        - zuul-jobs-test-ensure-kubernetes-crio-ubuntu-jammy
         - zuul-jobs-test-ensure-kubernetes-microk8s-ubuntu-jammy
         - zuul-jobs-test-ensure-kubernetes-microk8s-debian-bookworm
         - zuul-jobs-test-ensure-skopeo-debian-bookworm