diff --git a/Dockerfile b/Dockerfile.al23
similarity index 63%
rename from Dockerfile
rename to Dockerfile.al23
index cc0a391..13a5e75 100644
--- a/Dockerfile
+++ b/Dockerfile.al23
@@ -8,11 +8,22 @@ LABEL org.opencontainers.image.title=jswank/aws-cli \
 
 RUN yum install -y --allowerasing \
   coreutils shadow-utils \
-  less which \
+  less which tar \
   sudo vim-minimal \
   aws-cli && \
   yum clean all
 
+# install eksctl
+RUN curl -sL https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz \
+  | tar -xzf - \
+  && install eksctl /usr/local/bin/eksctl
+
+# install kubectl
+RUN cd /tmp \
+  && curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
+  && install kubectl /usr/local/bin/kubectl \
+  && rm kubectl
+
 RUN adduser -r --create-home --shell /bin/bash --groups wheel cli
 
 RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/00-all-wheel-np
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
new file mode 100644
index 0000000..edbcd9e
--- /dev/null
+++ b/Dockerfile.alpine
@@ -0,0 +1,27 @@
+FROM ghcr.io/jswank/alpine-cli:3
+
+LABEL org.opencontainers.image.title=jswank/aws-cli \
+      org.opencontainers.image.description="A minimal image for running AWS CLI " \
+      org.opencontainers.image.url=https://git.sr.ht/~jswank/aws-cli \
+      org.opencontainers.image.authors="Jason Swank" \
+      org.opencontainers.image.licenses=MIT
+
+USER root
+
+RUN apk add -U --no-cache stow curl git \
+  just go-task \
+  neovim \
+  aws-cli aws-cli-bash-completion aws-cli-doc mandoc
+
+# install eksctl
+RUN curl -sL https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz \
+  | tar -xzf - \
+  && install eksctl /usr/local/bin/eksctl
+
+# install kubectl
+RUN cd /tmp \
+  && curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
+  && install kubectl /usr/local/bin/kubectl \
+  && rm kubectl
+
+USER cli
diff --git a/Taskfile.yml b/Taskfile.yml
new file mode 100644
index 0000000..f0849bb
--- /dev/null
+++ b/Taskfile.yml
@@ -0,0 +1,28 @@
+version: '3'
+
+env:
+  IMAGE: jswank/aws-cli
+  TAG: alpine
+
+tasks:
+
+  default:
+    cmds:
+      - task: build
+
+  build:
+    desc: build a new image
+    cmds:
+      - podman build -t ${IMAGE}:${TAG} {{.CLI_ARGS}} -f Dockerfile.${TAG} ctx
+
+  publish:
+    desc: publish the image
+    cmds:
+      - podman tag ${IMAGE}:${TAG} ${REGISTRY}/${IMAGE}:${TAG}
+      - echo "${{.REGISTRY_PASS_VAR}}" | podman login ${REGISTRY} -u ${REGISTRY_USER} --password-stdin
+      - podman push ${REGISTRY}/${IMAGE}:${TAG}
+      - podman  logout ${REGISTRY}
+    env:
+      REGISTRY: ghcr.io
+      REGISTRY_USER: jswank
+      REGISTRY_PASS_VAR: REGISTRY_PASSWORD # this environment variable will be passed to podman login as the password
diff --git a/bin/cli b/bin/aws-cli
similarity index 59%
rename from bin/cli
rename to bin/aws-cli
index 8e24935..45174ad 100755
--- a/bin/cli
+++ b/bin/aws-cli
@@ -1,8 +1,14 @@
 #!/usr/bin/env -S just --working-directory . --justfile
 
 image := "jswank/aws-cli"
+tag := "al23"
 n := "aws-cli"
 
+# path to the cdk project on this host - default to the current working
+# directory.
+proj_path := invocation_directory()
+proj := file_name(proj_path)
+
 # Invoke the 'run' recipe
 default: run
 
@@ -15,7 +21,12 @@ default: run
 #
 # Run an ephemeral container.
 @run:
-  docker run -ti --userns=keep-id --rm {{image}}
+  podman run -ti --userns=keep-id -v {{proj_path}}:/home/cli/{{proj}} \
+    --workdir /home/cli/{{proj}} --rm \
+    --env AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
+    --env AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
+    --env AWS_REGION=$AWS_REGION \
+  {{image}}:{{tag}}
 
 # Usage: persist
 #
@@ -27,19 +38,24 @@ default: run
 # Run (or attach to) a persistent container
 persist: 
   #!/bin/sh
-  if [ $(docker ps --all --filter name="^{{n}}$" -q | wc -l) -gt 0 ]; then
-    docker start -i -a {{n}}
+  if [ $(podman ps --all --filter name="^{{n}}$" -q | wc -l) -gt 0 ]; then
+    podman start -i -a {{n}}
   else
-    docker run -ti --userns=keep-id --name {{n}} {{image}}
+    podman run -ti --userns=keep-id -v {{proj_path}}:/home/cli/{{proj}} \
+      --workdir /home/cli/{{proj}} --name {{n}} \
+      --env AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
+      --env AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
+      --env AWS_REGION=$AWS_REGION \
+      {{image}}:{{tag}}
   fi
 
 # Pull the latest version of the image
 @pull:
-  docker pull {{image}} >/dev/null 2>&1
+  podman pull {{image}}:{{tag}} >/dev/null 2>&1
 
 # Remove the persistent container
 @clean:
-  docker rm -f {{n}} >/dev/null 2>&1
+  podman rm -f {{n}} >/dev/null 2>&1
 
 # Usage: save [new_image_name]
 #
@@ -54,7 +70,7 @@ persist:
 #
 # Save the running container as a new image
 save i=image:
-  docker commit -q {{n}} {{i}} >/dev/null 2>&1
+  podman commit -q {{n}} {{i}} >/dev/null 2>&1
 
 # Remove a running container, and run the default recipe
 @restart: clean default
diff --git a/justfile b/justfile
index fb6abe7..83f6ae9 100644
--- a/justfile
+++ b/justfile
@@ -1,6 +1,6 @@
 set dotenv-load
 
-tag := `grep ^FROM Dockerfile | cut -d: -f2`
+tag := "alpine"
 image := "jswank/aws-cli"
 
 registry := "ghcr.io"
@@ -11,7 +11,7 @@ registry_pass_var := "REGISTRY_PASSWORD"
 
 # build a new image
 build flags="":
-  podman build -t {{image}}:{{tag}} {{flags}} -f Dockerfile ctx
+  podman build -t {{image}}:{{tag}} {{flags}} -f Dockerfile.alpine ctx
 
 # publish the image
 publish alt_tag=tag: