diff --git a/.semaphore/push-images/whisker-backend.yml b/.semaphore/push-images/whisker-backend.yml
new file mode 100644
index 00000000000..1e1841f6b1e
--- /dev/null
+++ b/.semaphore/push-images/whisker-backend.yml
@@ -0,0 +1,47 @@
+version: v1.0
+name: Publish whisker backend images
+agent:
+ machine:
+ type: f1-standard-2
+ os_image: ubuntu2204
+
+execution_time_limit:
+ minutes: 60
+
+global_job_config:
+ env_vars:
+ - name: DEV_REGISTRIES
+ value: quay.io/calico docker.io/calico
+ secrets:
+ - name: docker
+ - name: quay-robot-calico+semaphoreci
+ prologue:
+ commands:
+ - checkout
+ # Semaphore is doing shallow clone on a commit without tags.
+ # unshallow it for GIT_VERSION:=$(shell git describe --tags --dirty --always)
+ - retry git fetch --unshallow
+ - echo $DOCKER_TOKEN | docker login --username "$DOCKER_USER" --password-stdin
+ - echo $QUAY_TOKEN | docker login --username "$QUAY_USER" --password-stdin quay.io
+ - export BRANCH_NAME=$SEMAPHORE_GIT_BRANCH
+
+blocks:
+ - name: Publish whisker backend images
+ dependencies: []
+ skip:
+ when: "branch !~ '.+'"
+ task:
+ jobs:
+ - name: Linux multi-arch
+ commands:
+ - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make -C whisker-backend cd CONFIRM=true; fi
+ - name: Publish whisker backend multi-arch manifests
+ dependencies:
+ - Publish whisker backend images
+ skip:
+ when: "branch !~ '.+'"
+ task:
+ jobs:
+ - name: Linux multi-arch manifests
+ commands:
+ - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make -C whisker-backend push-manifests-with-tag CONFIRM=true; fi
diff --git a/.semaphore/push-images/whisker.yml b/.semaphore/push-images/whisker.yml
new file mode 100644
index 00000000000..fd5a150f65d
--- /dev/null
+++ b/.semaphore/push-images/whisker.yml
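Review bot: The two `docker login` lines in the prologue expand `$DOCKER_TOKEN` and `$QUAY_TOKEN` unquoted, so a token containing whitespace or glob characters is word-split or expanded by the shell before it reaches `--password-stdin`, and `echo` would treat a value beginning with `-n` or `-e` as an option. Quoting the secret and using printf avoids both, for example `printf '%s' "$DOCKER_TOKEN" | docker login --username "$DOCKER_USER" --password-stdin`, with the same change on the quay.io line. The prologue added in `.semaphore/push-images/whisker.yml` is identical and needs the same fix.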
@@ -0,0 +1,47 @@
+version: v1.0
+name: Publish whisker images
+agent:
+ machine:
+ type: f1-standard-2
+ os_image: ubuntu2204
+
+execution_time_limit:
+ minutes: 60
+
+global_job_config:
+ env_vars:
+ - name: DEV_REGISTRIES
+ value: quay.io/calico docker.io/calico
+ secrets:
+ - name: docker
+ - name: quay-robot-calico+semaphoreci
+ prologue:
+ commands:
+ - checkout
+ # Semaphore is doing shallow clone on a commit without tags.
+ # unshallow it for GIT_VERSION:=$(shell git describe --tags --dirty --always)
+ - retry git fetch --unshallow
+ - echo $DOCKER_TOKEN | docker login --username "$DOCKER_USER" --password-stdin
+ - echo $QUAY_TOKEN | docker login --username "$QUAY_USER" --password-stdin quay.io
+ - export BRANCH_NAME=$SEMAPHORE_GIT_BRANCH
+
+blocks:
+ - name: Publish whisker images
+ dependencies: []
+ skip:
+ when: "branch !~ '.+'"
+ task:
+ jobs:
+ - name: Linux multi-arch
+ commands:
+ - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make -C whisker cd CONFIRM=true; fi
+ - name: Publish whisker multi-arch manifests
+ dependencies:
+ - Publish whisker images
+ skip:
+ when: "branch !~ '.+'"
+ task:
+ jobs:
+ - name: Linux multi-arch manifests
+ commands:
+ - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make -C whisker push-manifests-with-tag CONFIRM=true; fi
diff --git a/.semaphore/semaphore-scheduled-builds.yml b/.semaphore/semaphore-scheduled-builds.yml
index 5d74ea528ac..f812c55c2dc 100644
--- a/.semaphore/semaphore-scheduled-builds.yml
+++ b/.semaphore/semaphore-scheduled-builds.yml
@@ -86,6 +86,14 @@ promotions:
 pipeline_file: push-images/goldmane.yml
 auto_promote:
 when: "branch =~ 'master|release-'"
+ - name: Push Whisker images
+ pipeline_file: push-images/whisker.yml
+ auto_promote:
+ when: "branch =~ 'master|release-'"
+ - name: Push Whisker Backend images
+ pipeline_file: push-images/whisker-backend.yml
+ auto_promote:
+ when: "branch =~ 'master|release-'"
 - name: Publish openstack packages
 pipeline_file: push-images/packaging.yaml
 auto_promote:
diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
index c82e96dca00..64c423b8158 100644
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -86,6 +86,14 @@ promotions:
 pipeline_file: push-images/goldmane.yml
 auto_promote:
 when: "branch =~ 'master|release-'"
+ - name: Push Whisker images
+ pipeline_file: push-images/whisker.yml
+ auto_promote:
+ when: "branch =~ 'master|release-'"
+ - name: Push Whisker Backend images
+ pipeline_file: push-images/whisker-backend.yml
+ auto_promote:
+ when: "branch =~ 'master|release-'"
 - name: Publish openstack packages
 pipeline_file: push-images/packaging.yaml
 auto_promote:
diff --git a/.semaphore/semaphore.yml.d/03-promotions.yml b/.semaphore/semaphore.yml.d/03-promotions.yml
index dc902d1aeaa..aafa15b308a 100644
--- a/.semaphore/semaphore.yml.d/03-promotions.yml
+++ b/.semaphore/semaphore.yml.d/03-promotions.yml
@@ -55,6 +55,14 @@ promotions:
 pipeline_file: push-images/goldmane.yml
 auto_promote:
 when: "branch =~ 'master|release-'"
+ - name: Push Whisker images
+ pipeline_file: push-images/whisker.yml
+ auto_promote:
+ when: "branch =~ 'master|release-'"
+ - name: Push Whisker Backend images
+ pipeline_file: push-images/whisker-backend.yml
+ auto_promote:
+ when: "branch =~ 'master|release-'"
 - name: Publish openstack packages
 pipeline_file: push-images/packaging.yaml
 auto_promote:
diff --git a/release/pkg/manager/calico/manager.go b/release/pkg/manager/calico/manager.go
index 233ae43315f..e45a1219fe9 100644
--- a/release/pkg/manager/calico/manager.go
+++ b/release/pkg/manager/calico/manager.go
@@ -60,6 +60,8 @@ var (
 "pod2daemon",
 "typha",
 "goldmane",
+ "whisker",
+ "whisker-backend",
 }
 // Directories for Windows.
diff --git a/whisker-backend/Makefile b/whisker-backend/Makefile
index eccefaaee0d..a59719f0f7d 100644
--- a/whisker-backend/Makefile
+++ b/whisker-backend/Makefile
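Review bot: The `auto_promote` condition on both new promotions in 03-promotions.yml, `branch =~ 'master|release-'`, is an unanchored pattern, so if Semaphore applies it as a partial match any branch whose name merely contains `master` or `release-` would be promoted into pipelines that log in to quay.io and docker.io and push images. It copies the existing goldmane entry shown as context, but since these pipelines carry registry credentials I would anchor it, for example `when: "branch =~ '^(master|release-.+)$'"`. The same two entries are added to semaphore.yml and semaphore-scheduled-builds.yml, which look generated from this template, so the change belongs here.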
@@ -66,9 +66,9 @@ release-build: .release-$(VERSION).created
 $(MAKE) clean image-all RELEASE=true
 $(MAKE) retag-build-images-with-registries RELEASE=true IMAGETAG=$(VERSION)
 $(MAKE) retag-build-images-with-registries RELEASE=true IMAGETAG=latest
+ touch $@
 release-publish: release-prereqs .release-$(VERSION).published
 .release-$(VERSION).published:
 $(MAKE) push-images-to-registries push-manifests IMAGETAG=$(VERSION) RELEASE=$(RELEASE) CONFIRM=$(CONFIRM)
- touch $@
diff --git a/whisker/Makefile b/whisker/Makefile
index c1252967c3c..ec0eccad0fc 100644
--- a/whisker/Makefile
+++ b/whisker/Makefile
@@ -53,3 +53,21 @@ lint: install
 $(DOCKER_RUN_RM) -e NODE_OPTIONS=--max_old_space_size=8192 -e CNX_APP_VERSION=$(GIT_VERSION) $(BUILD_IMAGE_NAME) yarn lint --quiet
 ci: install format lint yarn-test
+
+###############################################################################
+# Release
+###############################################################################
+## Deploys images to registry
+cd: image-all cd-common
+
+release-build: .release-$(VERSION).created
+.release-$(VERSION).created:
+ $(MAKE) clean image-all RELEASE=true
+ $(MAKE) retag-build-images-with-registries RELEASE=true IMAGETAG=$(VERSION)
+ $(MAKE) retag-build-images-with-registries RELEASE=true IMAGETAG=latest
+ touch $@
+
+release-publish: release-prereqs .release-$(VERSION).published
+.release-$(VERSION).published:
+ $(MAKE) push-images-to-registries push-manifests IMAGETAG=$(VERSION) RELEASE=$(RELEASE) CONFIRM=$(CONFIRM)
+ touch $@
diff --git a/whisker/docker-image/Dockerfile.nginx b/whisker/docker-image/Dockerfile.nginx
index adc9bcb02b4..d32d44fb14b 100644
--- a/whisker/docker-image/Dockerfile.nginx
+++ b/whisker/docker-image/Dockerfile.nginx
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+ARG CALICO_BASE
+
 FROM registry.access.redhat.com/ubi8/ubi:latest as ubi
 RUN dnf upgrade -y
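Review bot: As this hunk reads, the `.release-$(VERSION).published` recipe in whisker-backend/Makefile loses its final `touch $@` while the `.created` recipe gains one, so the published stamp file is never written and every `make release-publish` re-runs `push-images-to-registries push-manifests`. The matching rule added to whisker/Makefile in this same commit keeps `touch $@` after the push, so the two Makefiles now disagree. Unless dropping it is deliberate, keep `touch $@` as the last recipe line of `.release-$(VERSION).published` here as well. The `.release-$(VERSION).created:` rule header sits above the hunk, so I am assuming the first three context lines are its recipe.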
@@ -21,6 +23,37 @@ COPY docker-image/nginx.repo /etc/yum.repos.d/nginx.repo
 RUN dnf --enablerepo=nginx-stable install -y \
 nginx
+FROM scratch as source
+
+# binary and dependencies
+COPY --from=ubi /usr/sbin/nginx /usr/sbin/nginx
+
+COPY --from=ubi /bin/sh /bin/sh
+COPY --from=ubi /usr/bin/cat /usr/bin/cat
+COPY --from=ubi /usr/bin/cd /usr/bin/cd
+COPY --from=ubi /usr/bin/coreutils /usr/bin/coreutils
+COPY --from=ubi /usr/bin/sed /usr/bin/sed
+
+COPY --from=ubi /lib64/libacl.so.1 /lib64/libacl.so.1
+COPY --from=ubi /lib64/libattr.so.1 /lib64/libattr.so.1
+COPY --from=ubi /lib64/libcap.so.2 /lib64/libcap.so.2
+COPY --from=ubi /lib64/libcrypt.so.1 /lib64/libcrypt.so.1
+COPY --from=ubi /lib64/libcrypto.so.1.1 /lib64/libcrypto.so.1.1
+COPY --from=ubi /lib64/libdl.so.2 /lib64/libdl.so.2
+COPY --from=ubi /lib64/libpcre2-8.so.0 /lib64/libpcre2-8.so.0
+COPY --from=ubi /lib64/librt.so.1 /lib64/librt.so.1
+COPY --from=ubi /lib64/libselinux.so.1 /lib64/libselinux.so.1
+COPY --from=ubi /lib64/libssl.so.1.1 /lib64/libssl.so.1.1
+COPY --from=ubi /lib64/libtinfo.so.6 /lib64/libtinfo.so.6
+COPY --from=ubi /lib64/libz.so.1 /lib64/libz.so.1
+
+# web server configs and folder permissions
+COPY --from=ubi --chown=10001:10001 /etc/nginx /etc/nginx/
+# nginx-start.sh writes clientsideConfig.js into this folder
+COPY --from=ubi --chown=10001:10001 /usr/share/nginx/html /usr/share/nginx/html/
+COPY --from=ubi --chown=10001:10001 /var/cache/nginx /var/cache/nginx/
+COPY --from=ubi --chown=10001:10001 /var/log/nginx /var/log/nginx/
+
 COPY docker-image/nginx-start.sh /usr/bin/nginx-start.sh
 COPY docker-image/default.conf /etc/nginx/conf.d/default.conf
@@ -28,4 +61,10 @@ COPY docker-image/nginx.conf /etc/nginx/nginx.conf
 COPY dist /usr/share/nginx/html/
+FROM ${CALICO_BASE}
+
+COPY --from=source / /
+
+USER 10001:10001
+
 CMD ["/usr/bin/nginx-start.sh"]
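Review bot: The `source` stage copies a hand-maintained list of shared objects (`libssl.so.1.1`, `libcrypto.so.1.1`, `libpcre2-8.so.0` and the rest) out of a `ubi` stage built from `ubi8/ubi:latest` plus `dnf upgrade -y`, and nothing in the build checks that the list still matches what `/usr/sbin/nginx` links against. A renamed soname fails its COPY loudly, but a dependency that a later nginx or UBI update adds would only surface when the container starts. libc and the dynamic loader are not in the list either, so they presumably have to come from `${CALICO_BASE}`. I would record that above the library block, e.g. `# libc and the loader come from CALICO_BASE; keep this list in sync with 'ldd /usr/sbin/nginx'`, and consider pinning the ubi tag or digest so the copied set is reproducible.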