diff --git a/README.md b/README.md
index 1465947597..190118bbdd 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,7 @@
 | [ko](./images/ko) | `cgr.dev/chainguard/ko` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/ko.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/ko:latest) |
 | [kube-bench](./images/kube-bench) | `cgr.dev/chainguard/kube-bench` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/kube-bench.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/kube-bench:latest) |
 | [kube-downscaler](./images/kube-downscaler) | `cgr.dev/chainguard/kube-downscaler` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/kube-downscaler.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/kube-downscaler:latest) |
+| [kube-fluentd-operator](./images/kube-fluentd-operator) | `cgr.dev/chainguard/kube-fluentd-operator` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/kube-fluentd-operator.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/kube-fluentd-operator:latest) |
 | [kube-state-metrics](./images/kube-state-metrics) | `cgr.dev/chainguard/kube-state-metrics` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/kube-state-metrics.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/kube-state-metrics:latest) |
 | [kubectl](./images/kubectl) | `cgr.dev/chainguard/kubectl` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/kubectl.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/kubectl:latest) |
 | [kubernetes-csi-external-attacher](./images/kubernetes-csi-external-attacher) | `cgr.dev/chainguard/kubernetes-csi-external-attacher` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/kubernetes-csi-external-attacher.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/kubernetes-csi-external-attacher:latest) |
diff --git a/images/kube-fluentd-operator/README.md b/images/kube-fluentd-operator/README.md
new file mode 100644
index 0000000000..9ea218bbbe
--- /dev/null
+++ b/images/kube-fluentd-operator/README.md
@@ -0,0 +1,37 @@
+<!--monopod:start-->
+# kube-fluentd-operator
+| | |
+| - | - |
+| **Status** | stable |
+| **OCI Reference** | `cgr.dev/chainguard/kube-fluentd-operator` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/kube-fluentd-operator/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+*[Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+This image is used for the [Kubernetes Fluentd Operator](https://github.com/vmware/kube-fluentd-operator)
+
+
+## Get It!
+
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/kube-fluentd-operator:latest
+```
+
+This image is a drop-in replacement for the Kubernetes Fluentd Operator available upstream at `vmware/kube-fluentd-operator`.
+
+## Use It!
+
+```
+git clone git@github.com:vmware/kube-fluentd-operator.git
+helm install kfo ./kube-fluentd-operator/charts/log-router \
+  --set rbac.create=true \
+  --set image.tag=latest \
+  --set image.repository=cgr.dev/chainguard/kube-fluentd-operator
+```
diff --git a/images/kube-fluentd-operator/configs/latest.apko.yaml b/images/kube-fluentd-operator/configs/latest.apko.yaml
new file mode 100644
index 0000000000..b8a8c8fc9c
--- /dev/null
+++ b/images/kube-fluentd-operator/configs/latest.apko.yaml
@@ -0,0 +1,30 @@
+contents:
+  packages:
+    - kube-fluentd-operator
+    - kube-fluentd-operator-oci-entrypoint
+    - kube-fluentd-operator-default-config
+    - kube-fluentd-operator-compat
+
+entrypoint:
+  command: /fluentd/entrypoint.sh
+
+environment:
+  FLUENTD_CONF: fluent.conf
+  LD_PRELOAD: /usr/lib/libjemalloc.so.2
+  GEM_PATH: /usr/lib/gem/home
+  GEM_HOME: /usr/lib/gem/home
+  PATH: /usr/lib/gem/home/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 0 # need to write to /var/log and hostPath volumes are mounted as root
+
+annotations:
+  "org.opencontainers.image.url": https://edu.chainguard.dev/chainguard/chainguard-images/reference/kube-fluentd-operator
+  "org.opencontainers.image.source": https://github.com/chainguard-images/images/tree/main/images/kube-fluentd-operator
diff --git a/images/kube-fluentd-operator/image.yaml b/images/kube-fluentd-operator/image.yaml
new file mode 100644
index 0000000000..b286ab5206
--- /dev/null
+++ b/images/kube-fluentd-operator/image.yaml
@@ -0,0 +1,3 @@
+versions:
+  - apko:
+      config: configs/latest.apko.yaml
diff --git a/images/kube-fluentd-operator/main.tf b/images/kube-fluentd-operator/main.tf
new file mode 100644
index 0000000000..1b84c51db6
--- /dev/null
+++ b/images/kube-fluentd-operator/main.tf
@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+module "latest" {
+  source = "../../tflib/publisher"
+
+  target_repository = var.target_repository
+  config            = file("${path.module}/configs/latest.apko.yaml")
+}
+
+module "version-tags" {
+  source  = "../../tflib/version-tags"
+  package = "kube-fluentd-operator"
+  config  = module.latest.config
+}
+
+module "test-latest" {
+  source = "./tests"
+  digest = module.latest.image_ref
+}
+
+module "tagger" {
+  source = "../../tflib/tagger"
+
+  depends_on = [
+    module.test-latest,
+  ]
+
+  tags = merge(
+    { for t in toset(concat(["latest"], module.version-tags.tag_list)) : t => module.latest.image_ref },
+  )
+}
diff --git a/images/kube-fluentd-operator/tests/main.tf b/images/kube-fluentd-operator/tests/main.tf
new file mode 100644
index 0000000000..c91501a50a
--- /dev/null
+++ b/images/kube-fluentd-operator/tests/main.tf
@@ -0,0 +1,48 @@
+terraform {
+  required_providers {
+    oci    = { source = "chainguard-dev/oci" }
+    helm   = { source = "hashicorp/helm" }
+    random = { source = "hashicorp/random" }
+  }
+}
+
+variable "skip_crds" {
+  description = "Used to deconflict between multiple installations within the same cluster."
+  default     = false
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_string" "ref" { input = var.digest }
+
+resource "random_pet" "suffix" {}
+
+resource "helm_release" "kfo" {
+  name             = "kfo-${random_pet.suffix.id}"
+  namespace        = "kfo"
+  chart            = "https://github.com/vmware/kube-fluentd-operator/releases/download/v1.17.4/log-router-0.4.0.tgz" # not sure how we can get the correct version of the chart rather than hardcoding a version below
+  create_namespace = true
+  timeout          = 120
+
+  values = [
+    <<EOF
+rbac:
+  create: true
+image:
+  repository: "${data.oci_string.ref.registry_repo}"
+  tag: "${data.oci_string.ref.pseudo_tag}"
+EOF
+  ]
+}
+
+data "oci_exec_test" "smoke" {
+  digest = var.digest # This doesn't actually matter here, just pass it something valid
+
+  # This script calls other files in the same relative directory
+  working_dir = path.module
+  script      = "./smoke-test.sh"
+
+  depends_on = [helm_release.kfo]
+}
diff --git a/images/kube-fluentd-operator/tests/smoke-test.sh b/images/kube-fluentd-operator/tests/smoke-test.sh
new file mode 100755
index 0000000000..aff79c3185
--- /dev/null
+++ b/images/kube-fluentd-operator/tests/smoke-test.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o pipefail -x
+
+sleep 5
+
+# There are docs to test a deployment of the operator, but this is not
+# working, same result with the upstream image. # https://github.com/vmware/kube-fluentd-operator#try-it-out
+
+# Instead, we will test the operator by deploying the log-router helm chart
+# and check the deamonset pod is healthy + the logs contain the expected text
+
+# Check the log-router pods are deployed and healthy
+kubectl wait --for=condition=ready pod --selector app=log-router --timeout=120s -n kfo
+
+# Define the timeout and delay variables
+TIMEOUT=180
+DELAY=5
+TIMER=0
+
+# Loop until the current time is greater than the end time
+while [ $TIMER -lt $TIMEOUT ]; do
+  # Run the command and check for the text
+  if kubectl logs -n kfo -l app=log-router --tail -1 -c fluentd | grep "fluentd worker is now running"; then
+    echo "Worker is running"
+      exit 0
+  fi
+
+	# Sleep for the specified delay, then increment the timer
+	sleep $DELAY
+	TIMER=$(($TIMER + $DELAY))
+done
+
+echo "Worker failed to start within 3 minutes"
+exit 1
diff --git a/main.tf b/main.tf
index c31509eeb8..3dd19a689e 100644
--- a/main.tf
+++ b/main.tf
@@ -458,6 +458,11 @@ module "kubernetes-ingress-defaultbackend" {
   target_repository = "${var.target_repository}/kubernetes-ingress-defaultbackend"
 }
 
+module "kube-fluentd-operator" {
+  source            = "./images/kube-fluentd-operator"
+  target_repository = "${var.target_repository}/kube-fluentd-operator"
+}
+
 module "kubewatch" {
   source            = "./images/kubewatch"
   target_repository = "${var.target_repository}/kubewatch"