diff --git a/.buildkite/integration-restricted-test.sh b/.buildkite/integration-restricted-test.sh
index a869d0262271..ec544bc0e0ce 100755
--- a/.buildkite/integration-restricted-test.sh
+++ b/.buildkite/integration-restricted-test.sh
@@ -14,4 +14,5 @@ export BUILD_UUID=$BUILDKITE_BUILD_ID
 # export BUILD_BRANCH="$(echo $BUILDKITE_BRANCH | tr ' @./' '_' | tr 'A-Z' 'a-z')"
 export BUILD_BRANCH=unknown
 
-./tests/integration/restricted/test.sh
+# TODO(jac): PodSecurity Policies were entirely removed in k8s v1.25
+# ./tests/integration/restricted/test.sh
diff --git a/base/blobstore/blobstore.Deployment.yaml b/base/blobstore/blobstore.Deployment.yaml
index 907a6825fb5a..8a4306188838 100644
--- a/base/blobstore/blobstore.Deployment.yaml
+++ b/base/blobstore/blobstore.Deployment.yaml
@@ -26,7 +26,7 @@ spec:
     spec:
       containers:
       - name: blobstore
-        image: index.docker.io/sourcegraph/blobstore:187572_2022-12-06_cbecc5321c7d@sha256:8e57384c78a3b31cbe31d41656dbcbb8ee7279d96630a33936a2098afabb1317
+        image: index.docker.io/sourcegraph/blobstore:216430_2023-05-02_5.0-3cc9006de32c@sha256:ae1cf541f65441809f3495c037af4f9df1d049defdf0309a65d685f579c7e594
         terminationMessagePolicy: FallbackToLogsOnError
         ports:
         - containerPort: 9000
diff --git a/base/cadvisor/cadvisor.DaemonSet.yaml b/base/cadvisor/cadvisor.DaemonSet.yaml
index b586043184ad..3afd1fab4b26 100644
--- a/base/cadvisor/cadvisor.DaemonSet.yaml
+++ b/base/cadvisor/cadvisor.DaemonSet.yaml
@@ -26,7 +26,7 @@ spec:
       serviceAccountName: cadvisor
       containers:
       - name: cadvisor
-        image: index.docker.io/sourcegraph/cadvisor:187572_2022-12-06_cbecc5321c7d@sha256:755748f2f9b00d8f70bd65349e85235585bdf1a663e26198c8eaf91dfd5636e1
+        image: index.docker.io/sourcegraph/cadvisor:216430_2023-05-02_5.0-3cc9006de32c@sha256:6ea7f53807e4a559ee825ba2a0c4c3b3f721275f0b5ce0e979f4fdad8a4e478a
         args:
         # Kubernetes-specific flags below (other flags are baked into the Docker image)
         #
diff --git a/base/codeinsights-db/codeinsights-db.Deployment.yaml b/base/codeinsights-db/codeinsights-db.Deployment.yaml
index 56173f7ad5cb..74679f4d3ae8 100644
--- a/base/codeinsights-db/codeinsights-db.Deployment.yaml
+++ b/base/codeinsights-db/codeinsights-db.Deployment.yaml
@@ -26,7 +26,7 @@ spec:
     spec:
       initContainers:
       - name: correct-data-dir-permissions
-        image: index.docker.io/sourcegraph/alpine-3.14:187572_2022-12-06_cbecc5321c7d@sha256:4d8085acb2267d94c2099be8265352ceef7095b245482b603569ad8cd7563a90
+        image: index.docker.io/sourcegraph/alpine-3.14:216430_2023-05-02_5.0-3cc9006de32c@sha256:923c803fb975e905424b347e19839ae0077c0dec6eea0cb71c62acd910e8e9c8
         command: ["sh", "-c", "if [ -d /var/lib/postgresql/data/pgdata ]; then chmod 750 /var/lib/postgresql/data/pgdata; fi"]
         volumeMounts:
         - mountPath: /var/lib/postgresql/data/
@@ -42,7 +42,7 @@ spec:
             memory: "50Mi"
       containers:
       - name: codeinsights
-        image: index.docker.io/sourcegraph/codeinsights-db:187572_2022-12-06_cbecc5321c7d@sha256:4dd89a1279e7d55ddcb5b570d0bb544422dd1ecb0e3662f23d22f9643837c2b5
+        image: index.docker.io/sourcegraph/codeinsights-db:216430_2023-05-02_5.0-3cc9006de32c@sha256:910e98d4ddb6e5fef28be69f6395e567bbfab3f29f9d340dcdf45e83ca84cdd3
         env:
         - name: POSTGRES_DB
           value: postgres
@@ -75,7 +75,7 @@ spec:
           value: postgres://postgres:@localhost:5432/?sslmode=disable
         - name: PG_EXPORTER_EXTEND_QUERY_PATH
           value: /config/code_insights_queries.yaml
-        image: index.docker.io/sourcegraph/postgres_exporter:187572_2022-12-06_cbecc5321c7d@sha256:85d9ca134db535f0482e6e5cacf194ea118bf24d0fd52e36ba6714802d59c30a
+        image: index.docker.io/sourcegraph/postgres_exporter:216430_2023-05-02_5.0-3cc9006de32c@sha256:0d88b491e837616f563fd3097cd4113338728e857ffee6d57b4c48ba1350af9f
         terminationMessagePolicy: FallbackToLogsOnError
         name: pgsql-exporter
         resources:
diff --git a/base/codeintel-db/codeintel-db.Deployment.yaml b/base/codeintel-db/codeintel-db.Deployment.yaml
index fd5f667609d1..cbc1d3137188 100644
--- a/base/codeintel-db/codeintel-db.Deployment.yaml
+++ b/base/codeintel-db/codeintel-db.Deployment.yaml
@@ -27,7 +27,7 @@ spec:
     spec:
       initContainers:
       - name: correct-data-dir-permissions
-        image: index.docker.io/sourcegraph/alpine-3.14:187572_2022-12-06_cbecc5321c7d@sha256:4d8085acb2267d94c2099be8265352ceef7095b245482b603569ad8cd7563a90
+        image: index.docker.io/sourcegraph/alpine-3.14:216430_2023-05-02_5.0-3cc9006de32c@sha256:923c803fb975e905424b347e19839ae0077c0dec6eea0cb71c62acd910e8e9c8
         command: ["sh", "-c", "if [ -d /data/pgdata-12 ]; then chmod 750 /data/pgdata-12; fi"]
         volumeMounts:
         - mountPath: /data
@@ -43,7 +43,7 @@ spec:
             memory: "50Mi"
       containers:
       - name: pgsql
-        image: index.docker.io/sourcegraph/codeintel-db:187572_2022-12-06_cbecc5321c7d@sha256:7fb02a9392ce4dd3d4210dbd5792c09c4210a2dfc6dc389ed679137784359102
+        image: index.docker.io/sourcegraph/codeintel-db:216430_2023-05-02_5.0-3cc9006de32c@sha256:931a3b043d79f4cc7692a96810e18f0db231f36534a6748ea862903768ceeef0
         terminationMessagePolicy: FallbackToLogsOnError
         readinessProbe:
           exec:
@@ -80,7 +80,7 @@ spec:
           value: postgres://sg:@localhost:5432/?sslmode=disable
         - name: PG_EXPORTER_EXTEND_QUERY_PATH
           value: /config/code_intel_queries.yaml
-        image: index.docker.io/sourcegraph/postgres_exporter:187572_2022-12-06_cbecc5321c7d@sha256:85d9ca134db535f0482e6e5cacf194ea118bf24d0fd52e36ba6714802d59c30a
+        image: index.docker.io/sourcegraph/postgres_exporter:216430_2023-05-02_5.0-3cc9006de32c@sha256:0d88b491e837616f563fd3097cd4113338728e857ffee6d57b4c48ba1350af9f
         terminationMessagePolicy: FallbackToLogsOnError
         name: pgsql-exporter
         resources:
diff --git a/base/frontend/sourcegraph-frontend.Deployment.yaml b/base/frontend/sourcegraph-frontend.Deployment.yaml
index 0b718f56ef89..3ad5f245a79e 100644
--- a/base/frontend/sourcegraph-frontend.Deployment.yaml
+++ b/base/frontend/sourcegraph-frontend.Deployment.yaml
@@ -29,7 +29,7 @@ spec:
     spec:
       initContainers:
       - name: migrator
-        image: index.docker.io/sourcegraph/migrator:187572_2022-12-06_cbecc5321c7d@sha256:93fc175df594738a98a62f2057271824cdb674b0e63bedac9dc7cb0f04db76bb
+        image: index.docker.io/sourcegraph/migrator:216430_2023-05-02_5.0-3cc9006de32c@sha256:b8e48a03a546e955eec228843b76f44ca86211c914fc0685f81985a2c20e269b
         args: ["up"]
         resources:
           limits:
@@ -63,7 +63,7 @@ spec:
           value: sg
       containers:
       - name: frontend
-        image: index.docker.io/sourcegraph/frontend:187572_2022-12-06_cbecc5321c7d@sha256:73e64a8636e70ebbaf7f4a3300479529294f67e8cf644cdaea02435915aec869
+        image: index.docker.io/sourcegraph/frontend:216430_2023-05-02_5.0-3cc9006de32c@sha256:871772686b707f1e2d18524dc5d23837922eee244c91190ad8a636d88d3563df
         args:
         - serve
         env:
diff --git a/base/github-proxy/github-proxy.Deployment.yaml b/base/github-proxy/github-proxy.Deployment.yaml
index 69e6b72cacdf..43ebcca50cff 100644
--- a/base/github-proxy/github-proxy.Deployment.yaml
+++ b/base/github-proxy/github-proxy.Deployment.yaml
@@ -29,7 +29,7 @@ spec:
     spec:
       containers:
       - name: github-proxy
-        image: index.docker.io/sourcegraph/github-proxy:187572_2022-12-06_cbecc5321c7d@sha256:b4739adfced18f2a8883da931da681f444b489f6606052246f7c8d536f22e425
+        image: index.docker.io/sourcegraph/github-proxy:216430_2023-05-02_5.0-3cc9006de32c@sha256:30d4550f51febc1e32ec8af175ef8cce4d1706fd75468572da86f6da451f546f
         env:
         # OTEL_AGENT_HOST must be defined before OTEL_EXPORTER_OTLP_ENDPOINT to substitute the node IP on which the DaemonSet pod instance runs in the latter variable
         - name: OTEL_AGENT_HOST
diff --git a/base/gitserver/gitserver.StatefulSet.yaml b/base/gitserver/gitserver.StatefulSet.yaml
index 9a7f0086fb1c..c56480f6499f 100644
--- a/base/gitserver/gitserver.StatefulSet.yaml
+++ b/base/gitserver/gitserver.StatefulSet.yaml
@@ -35,7 +35,7 @@ spec:
               fieldPath: status.hostIP
         - name: OTEL_EXPORTER_OTLP_ENDPOINT
           value: http://$(OTEL_AGENT_HOST):4317
-        image: index.docker.io/sourcegraph/gitserver:187572_2022-12-06_cbecc5321c7d@sha256:87642b2f0cccbdcd661e470c8f7aa6c022ab03065a2c8ab565afc4b8829a4531
+        image: index.docker.io/sourcegraph/gitserver:216430_2023-05-02_5.0-3cc9006de32c@sha256:c8f62c859b789be15ecc78c16e9fbf21cb818262b3880d87e48b05ff8bf2c684
         terminationMessagePolicy: FallbackToLogsOnError
         livenessProbe:
           initialDelaySeconds: 5
diff --git a/base/grafana/grafana.StatefulSet.yaml b/base/grafana/grafana.StatefulSet.yaml
index c369c2a0b907..ee7bd8e1ce5a 100644
--- a/base/grafana/grafana.StatefulSet.yaml
+++ b/base/grafana/grafana.StatefulSet.yaml
@@ -26,7 +26,7 @@ spec:
     spec:
       containers:
       - name: grafana
-        image: index.docker.io/sourcegraph/grafana:187572_2022-12-06_cbecc5321c7d@sha256:cf295a1dada50607a364390a54744dbc9142aa99b42c07f1bb623ca251639d2c
+        image: index.docker.io/sourcegraph/grafana:216430_2023-05-02_5.0-3cc9006de32c@sha256:63baeadda6d33195ccd7d742670e500a80bacace3ed5cf0eb7d3a6c276ef7c34
         terminationMessagePolicy: FallbackToLogsOnError
         ports:
         - containerPort: 3370
diff --git a/base/indexed-search/indexed-search.StatefulSet.yaml b/base/indexed-search/indexed-search.StatefulSet.yaml
index 3c4432378189..9bbbc795e2a0 100644
--- a/base/indexed-search/indexed-search.StatefulSet.yaml
+++ b/base/indexed-search/indexed-search.StatefulSet.yaml
@@ -33,7 +33,7 @@ spec:
           value: http://$(OTEL_AGENT_HOST):4317
         - name: OPENTELEMETRY_DISABLED
           value: "false"
-        image: index.docker.io/sourcegraph/indexed-searcher:187572_2022-12-06_cbecc5321c7d@sha256:79bec59c17482e4039931ed083113bd8723d74c42b96c3c489062f6b33b806f0
+        image: index.docker.io/sourcegraph/indexed-searcher:216430_2023-05-02_5.0-3cc9006de32c@sha256:818a6d607f8ff35631a98d56ef8feb2a4257b6398473128132d85901c60b8b9d
         terminationMessagePolicy: FallbackToLogsOnError
         ports:
         - containerPort: 6070
@@ -67,7 +67,7 @@ spec:
           value: http://$(OTEL_AGENT_HOST):4317
         - name: OPENTELEMETRY_DISABLED
           value: "false"
-        image: index.docker.io/sourcegraph/search-indexer:187572_2022-12-06_cbecc5321c7d@sha256:a3ae20e4130b4846e2c3078b9ba942854890348da37c8fa7ee385c081b7d1666
+        image: index.docker.io/sourcegraph/search-indexer:216430_2023-05-02_5.0-3cc9006de32c@sha256:42e4dbd82a7038c8cc46f2748e897bdf8d8d0dea9d365151dec7946fabfef687
         terminationMessagePolicy: FallbackToLogsOnError
         ports:
         - containerPort: 6072
diff --git a/base/node-exporter/node-exporter.DaemonSet.yaml b/base/node-exporter/node-exporter.DaemonSet.yaml
index 50be339c1a98..a529269dd0fa 100644
--- a/base/node-exporter/node-exporter.DaemonSet.yaml
+++ b/base/node-exporter/node-exporter.DaemonSet.yaml
@@ -24,7 +24,7 @@ spec:
     spec:
       containers:
       - name: node-exporter
-        image: index.docker.io/sourcegraph/node-exporter:187572_2022-12-06_cbecc5321c7d@sha256:2d9dcdf0b2226f0c3d550a64d2667710265462350a3ba9ebe37d0302bc64af0f
+        image: index.docker.io/sourcegraph/node-exporter:216430_2023-05-02_5.0-3cc9006de32c@sha256:fa8e5700b7762fffe0674e944762f44bb787a7e44d97569fe55348260453bf80
         imagePullPolicy: IfNotPresent
         resources:
           limits:
diff --git a/base/otel-collector/otel-agent.DaemonSet.yaml b/base/otel-collector/otel-agent.DaemonSet.yaml
index 8fb64d658b65..a7b04645d538 100644
--- a/base/otel-collector/otel-agent.DaemonSet.yaml
+++ b/base/otel-collector/otel-agent.DaemonSet.yaml
@@ -26,7 +26,7 @@ spec:
     spec:
       containers:
         - name: otel-agent
-          image: index.docker.io/sourcegraph/opentelemetry-collector:187572_2022-12-06_cbecc5321c7d@sha256:113a84fcef33f06f7e529961d5eb64400488953b23ac07ea8a3d628db6789ef0
+          image: index.docker.io/sourcegraph/opentelemetry-collector:216430_2023-05-02_5.0-3cc9006de32c@sha256:7783e0a2676813f955f45debc10099ee97e104c42fe27cd315848ba58de86cd4
           command:
             - "/bin/otelcol-sourcegraph"
             - "--config=/etc/otel-agent/config.yaml"
diff --git a/base/otel-collector/otel-collector.Deployment.yaml b/base/otel-collector/otel-collector.Deployment.yaml
index 21889c5bfb71..be801c5cc6d6 100644
--- a/base/otel-collector/otel-collector.Deployment.yaml
+++ b/base/otel-collector/otel-collector.Deployment.yaml
@@ -26,7 +26,7 @@ spec:
     spec:
       containers:
         - name: otel-collector
-          image: index.docker.io/sourcegraph/opentelemetry-collector:187572_2022-12-06_cbecc5321c7d@sha256:113a84fcef33f06f7e529961d5eb64400488953b23ac07ea8a3d628db6789ef0
+          image: index.docker.io/sourcegraph/opentelemetry-collector:216430_2023-05-02_5.0-3cc9006de32c@sha256:7783e0a2676813f955f45debc10099ee97e104c42fe27cd315848ba58de86cd4
           command:
             - "/bin/otelcol-sourcegraph"
             # To use a custom configuration, edit otel-collector.ConfigMap.yaml
diff --git a/base/pgsql/pgsql.Deployment.yaml b/base/pgsql/pgsql.Deployment.yaml
index ccb115ca6b50..215dc3ccc342 100644
--- a/base/pgsql/pgsql.Deployment.yaml
+++ b/base/pgsql/pgsql.Deployment.yaml
@@ -27,7 +27,7 @@ spec:
     spec:
       initContainers:
       - name: correct-data-dir-permissions
-        image: index.docker.io/sourcegraph/alpine-3.14:187572_2022-12-06_cbecc5321c7d@sha256:4d8085acb2267d94c2099be8265352ceef7095b245482b603569ad8cd7563a90
+        image: index.docker.io/sourcegraph/alpine-3.14:216430_2023-05-02_5.0-3cc9006de32c@sha256:923c803fb975e905424b347e19839ae0077c0dec6eea0cb71c62acd910e8e9c8
         command: ["sh", "-c", "if [ -d /data/pgdata-12 ]; then chmod 750 /data/pgdata-12; fi"]
         volumeMounts:
         - mountPath: /data
@@ -43,7 +43,7 @@ spec:
             memory: "50Mi"
       containers:
       - env:
-        image: index.docker.io/sourcegraph/postgres-12-alpine:187572_2022-12-06_cbecc5321c7d@sha256:44f6e9a51fafb99573cbd767f20f68913db5a02920c5974e4fa560735d745328
+        image: index.docker.io/sourcegraph/postgres-12-alpine:216430_2023-05-02_5.0-3cc9006de32c@sha256:931a3b043d79f4cc7692a96810e18f0db231f36534a6748ea862903768ceeef0
         terminationMessagePolicy: FallbackToLogsOnError
         readinessProbe:
           exec:
@@ -83,7 +83,7 @@ spec:
           value: postgres://sg:@localhost:5432/?sslmode=disable
         - name: PG_EXPORTER_EXTEND_QUERY_PATH
           value: /config/queries.yaml
-        image: index.docker.io/sourcegraph/postgres_exporter:187572_2022-12-06_cbecc5321c7d@sha256:85d9ca134db535f0482e6e5cacf194ea118bf24d0fd52e36ba6714802d59c30a
+        image: index.docker.io/sourcegraph/postgres_exporter:216430_2023-05-02_5.0-3cc9006de32c@sha256:0d88b491e837616f563fd3097cd4113338728e857ffee6d57b4c48ba1350af9f
         terminationMessagePolicy: FallbackToLogsOnError
         name: pgsql-exporter
         resources:
diff --git a/base/precise-code-intel/worker.Deployment.yaml b/base/precise-code-intel/worker.Deployment.yaml
index bff6201c7f34..b8234b3bae75 100644
--- a/base/precise-code-intel/worker.Deployment.yaml
+++ b/base/precise-code-intel/worker.Deployment.yaml
@@ -46,7 +46,7 @@ spec:
               fieldPath: status.hostIP
         - name: OTEL_EXPORTER_OTLP_ENDPOINT
           value: http://$(OTEL_AGENT_HOST):4317
-        image: index.docker.io/sourcegraph/precise-code-intel-worker:187572_2022-12-06_cbecc5321c7d@sha256:d1b1546d784fec8c90928a40e1b7eafc33202a53e4fcd501001d3f4a73e5c8ce
+        image: index.docker.io/sourcegraph/precise-code-intel-worker:216430_2023-05-02_5.0-3cc9006de32c@sha256:6194050008a585b34e841f51529475312c24b17cbe36851d2a4988a5d1defb69
         terminationMessagePolicy: FallbackToLogsOnError
         livenessProbe:
           httpGet:
diff --git a/base/prometheus/prometheus.Deployment.yaml b/base/prometheus/prometheus.Deployment.yaml
index eabfc7dee38b..ad3aa4c4ae06 100644
--- a/base/prometheus/prometheus.Deployment.yaml
+++ b/base/prometheus/prometheus.Deployment.yaml
@@ -25,7 +25,7 @@ spec:
     spec:
       containers:
       - name: prometheus
-        image: index.docker.io/sourcegraph/prometheus:187572_2022-12-06_cbecc5321c7d@sha256:2113ccab80409e995ee7ed9a3d386051f4ca73186375a3a0d7e3d55c90fa2007
+        image: index.docker.io/sourcegraph/prometheus:216430_2023-05-02_5.0-3cc9006de32c@sha256:da67ba5c797a7b7752cebd6507e903a2726c172c01cab7ce0e7deadff288bab8
         terminationMessagePolicy: FallbackToLogsOnError
         readinessProbe:
           httpGet:
diff --git a/base/redis/redis-cache.Deployment.yaml b/base/redis/redis-cache.Deployment.yaml
index 4a49b9d8531c..256795437d91 100644
--- a/base/redis/redis-cache.Deployment.yaml
+++ b/base/redis/redis-cache.Deployment.yaml
@@ -26,7 +26,7 @@ spec:
     spec:
       containers:
       - name: redis-cache
-        image: index.docker.io/sourcegraph/redis-cache:187572_2022-12-06_cbecc5321c7d@sha256:bb62b6d761513b1651e8499532570068a4509d5d0cf5131f0dd8b8e2ef74c72d
+        image: index.docker.io/sourcegraph/redis-cache:216430_2023-05-02_5.0-3cc9006de32c@sha256:60d9265507efe5b9ae51087bc7433932dfcd84d7e75c2513800baeb93fa9ea0f
         terminationMessagePolicy: FallbackToLogsOnError
         livenessProbe:
           initialDelaySeconds: 30
@@ -50,7 +50,7 @@ spec:
         - mountPath: /redis-data
           name: redis-data
       - name: redis-exporter
-        image: index.docker.io/sourcegraph/redis_exporter:187572_2022-12-06_cbecc5321c7d@sha256:edb0c9b19cacd90acc78f13f0908a7e6efd1df704e401805c24bffd241285f70
+        image: index.docker.io/sourcegraph/redis_exporter:216430_2023-05-02_5.0-3cc9006de32c@sha256:edb0c9b19cacd90acc78f13f0908a7e6efd1df704e401805c24bffd241285f70
         terminationMessagePolicy: FallbackToLogsOnError
         ports:
         - containerPort: 9121
diff --git a/base/redis/redis-store.Deployment.yaml b/base/redis/redis-store.Deployment.yaml
index 422a7ab4d78a..fae53003efce 100644
--- a/base/redis/redis-store.Deployment.yaml
+++ b/base/redis/redis-store.Deployment.yaml
@@ -25,7 +25,7 @@ spec:
     spec:
       containers:
       - name: redis-store
-        image: index.docker.io/sourcegraph/redis-store:187572_2022-12-06_cbecc5321c7d@sha256:a3e4f611bcf1fe6f256a54b81f6ddb9fc2e45d7a038fa276b800b895eca09fe5
+        image: index.docker.io/sourcegraph/redis-store:216430_2023-05-02_5.0-3cc9006de32c@sha256:fd1640997cad4ce114b98a7885636e6f48483712cea754411cf4d47e770d9219
         terminationMessagePolicy: FallbackToLogsOnError
         livenessProbe:
           initialDelaySeconds: 30
@@ -49,7 +49,7 @@ spec:
         - mountPath: /redis-data
           name: redis-data
       - name: redis-exporter
-        image: index.docker.io/sourcegraph/redis_exporter:187572_2022-12-06_cbecc5321c7d@sha256:edb0c9b19cacd90acc78f13f0908a7e6efd1df704e401805c24bffd241285f70
+        image: index.docker.io/sourcegraph/redis_exporter:216430_2023-05-02_5.0-3cc9006de32c@sha256:edb0c9b19cacd90acc78f13f0908a7e6efd1df704e401805c24bffd241285f70
         terminationMessagePolicy: FallbackToLogsOnError
         ports:
         - containerPort: 9121
diff --git a/base/repo-updater/repo-updater.Deployment.yaml b/base/repo-updater/repo-updater.Deployment.yaml
index 70a8f4972739..a231af484398 100644
--- a/base/repo-updater/repo-updater.Deployment.yaml
+++ b/base/repo-updater/repo-updater.Deployment.yaml
@@ -29,7 +29,7 @@ spec:
     spec:
       containers:
       - name: repo-updater
-        image: index.docker.io/sourcegraph/repo-updater:187572_2022-12-06_cbecc5321c7d@sha256:0bf2b95c73bceff8c3edb96299175fe36a550f57fd3f5256d38fa2c42992655a
+        image: index.docker.io/sourcegraph/repo-updater:216430_2023-05-02_5.0-3cc9006de32c@sha256:c91ae5f636b8a7a1b06d6c899da6a2b40f0be91aaf704116dac1c3a491db6517
         env:
         # OTEL_AGENT_HOST must be defined before OTEL_EXPORTER_OTLP_ENDPOINT to substitute the node IP on which the DaemonSet pod instance runs in the latter variable
         - name: OTEL_AGENT_HOST
diff --git a/base/searcher/searcher.Deployment.yaml b/base/searcher/searcher.Deployment.yaml
index 251267646756..99b46e756ba8 100644
--- a/base/searcher/searcher.Deployment.yaml
+++ b/base/searcher/searcher.Deployment.yaml
@@ -49,7 +49,7 @@ spec:
               fieldPath: status.hostIP
         - name: OTEL_EXPORTER_OTLP_ENDPOINT
           value: http://$(OTEL_AGENT_HOST):4317
-        image: index.docker.io/sourcegraph/searcher:187572_2022-12-06_cbecc5321c7d@sha256:c0d7b580c31e956dc586e3947edd2afb850cf5954e83010236294c57478256da
+        image: index.docker.io/sourcegraph/searcher:216430_2023-05-02_5.0-3cc9006de32c@sha256:4a40c10251454e5fda00f4b367f4f378e19b532bc93ba8a7dbfdefed27e10f05
         terminationMessagePolicy: FallbackToLogsOnError
         ports:
         - containerPort: 3181
diff --git a/base/symbols/symbols.Deployment.yaml b/base/symbols/symbols.Deployment.yaml
index af8398908661..8d31a02e69da 100644
--- a/base/symbols/symbols.Deployment.yaml
+++ b/base/symbols/symbols.Deployment.yaml
@@ -49,7 +49,7 @@ spec:
               fieldPath: status.hostIP
         - name: OTEL_EXPORTER_OTLP_ENDPOINT
           value: http://$(OTEL_AGENT_HOST):4317
-        image: index.docker.io/sourcegraph/symbols:187572_2022-12-06_cbecc5321c7d@sha256:75615a60f318dc898eae2e5037efcd53e63cf28c2b8fca388b6923d215ff9db9
+        image: index.docker.io/sourcegraph/symbols:216430_2023-05-02_5.0-3cc9006de32c@sha256:bcf074d381291574d9e34df9c31665981bd4dc3ca737412bbeedf8fedcc6372b
         terminationMessagePolicy: FallbackToLogsOnError
         livenessProbe:
           httpGet:
diff --git a/base/syntect-server/syntect-server.Deployment.yaml b/base/syntect-server/syntect-server.Deployment.yaml
index de8acdf37eba..f27bbdebd4b3 100644
--- a/base/syntect-server/syntect-server.Deployment.yaml
+++ b/base/syntect-server/syntect-server.Deployment.yaml
@@ -29,7 +29,7 @@ spec:
       containers:
       - name: syntect-server
         env:
-        image: index.docker.io/sourcegraph/syntax-highlighter:187572_2022-12-06_cbecc5321c7d@sha256:b88b20f56e942cc253109bb7f4b07746ebaecc2ff7393cdaf6415ffb8778fc45
+        image: index.docker.io/sourcegraph/syntax-highlighter:216430_2023-05-02_5.0-3cc9006de32c@sha256:d39a9234cf5f9128d5bf7430448efd4284c505fab6a310c1ec08a62a9d396fea
         terminationMessagePolicy: FallbackToLogsOnError
         livenessProbe:
           httpGet:
diff --git a/base/worker/worker.Deployment.yaml b/base/worker/worker.Deployment.yaml
index 6df8879bc133..e6d94e0e2c64 100644
--- a/base/worker/worker.Deployment.yaml
+++ b/base/worker/worker.Deployment.yaml
@@ -44,7 +44,11 @@ spec:
               fieldPath: status.hostIP
         - name: OTEL_EXPORTER_OTLP_ENDPOINT
           value: http://$(OTEL_AGENT_HOST):4317
-        image: index.docker.io/sourcegraph/worker:187572_2022-12-06_cbecc5321c7d@sha256:0092211fee815b82d426ccf0a30999f8fb40749811e3a83c7570e576f028da74
+        image: index.docker.io/sourcegraph/worker:216430_2023-05-02_5.0-3cc9006de32c@sha256:d3d9e1d684a1a4a337810dc0a9caa95bd9caa17120527be227ca3b5cae622b59
+        envFrom:
+        - configMapRef:
+            name: embeddings-backend
+            optional: true
         terminationMessagePolicy: FallbackToLogsOnError
         livenessProbe:
           httpGet:
diff --git a/configure/embeddings/embeddings.ConfigMap.yaml b/configure/embeddings/embeddings.ConfigMap.yaml
new file mode 100644
index 000000000000..b8dd14fe8228
--- /dev/null
+++ b/configure/embeddings/embeddings.ConfigMap.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: embeddings
+    app.kubernetes.io/component: embeddings
+    deploy: sourcegraph
+    sourcegraph-resource-requires: no-cluster-admin
+  name: embeddings-backend
+data:
+  # EMBEDDINGS_UPLOAD_BACKEND: blobstore
+  # EMBEDDINGS_UPLOAD_AWS_ENDPOINT: http://blobstore:9000
+  # Add env vars for `embeddings`, `worker` services below
+  # See [storing-embeddings-indexes](https://docs.sourcegraph.com/cody/explanations/code_graph_context#storing-embedding-indexes) for more details
+  # EMBEDDINGS_UPLOAD_MANAGE_BUCKET: "true"
+  # EMBEDDINGS_REPO_INDEX_CACHE_SIZE: "5"
+
+  ############
+  ##   S3   ##
+  ############
+  # EMBEDDINGS_UPLOAD_BACKEND: S3
+  # EMBEDDINGS_UPLOAD_BUCKET: <my bucket name>
+  # EMBEDDINGS_UPLOAD_AWS_ENDPOINT: https://s3.us-east-1.amazonaws.com
+  # EMBEDDINGS_UPLOAD_AWS_ACCESS_KEY_ID: <your access key>
+  # EMBEDDINGS_UPLOAD_AWS_SECRET_ACCESS_KEY: <your secret key>
+  # EMBEDDINGS_UPLOAD_AWS_SESSION_TOKEN: <your session token> # (optional)
+  # EMBEDDINGS_UPLOAD_AWS_USE_EC2_ROLE_CREDENTIALS: "true" # (optional; set to use EC2 metadata API over static credentials)
+  # EMBEDDINGS_UPLOAD_AWS_REGION: us-east-1
+
+  #############
+  ##   GCS   ##
+  #############
+  # EMBEDDINGS_UPLOAD_BACKEND: GCS
+  # EMBEDDINGS_UPLOAD_BUCKET: <my bucket name>
+  # EMBEDDINGS_UPLOAD_GCP_PROJECT_ID: <my project id>
+  # EMBEDDINGS_UPLOAD_GOOGLE_APPLICATION_CREDENTIALS_FILE: </path/to/file>
+  # EMBEDDINGS_UPLOAD_GOOGLE_APPLICATION_CREDENTIALS_FILE_CONTENT: <{"my": "content"}>
diff --git a/configure/embeddings/embeddings.Deployment.yaml b/configure/embeddings/embeddings.Deployment.yaml
new file mode 100644
index 000000000000..d4b881490509
--- /dev/null
+++ b/configure/embeddings/embeddings.Deployment.yaml
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    description: Handles embeddings searches
+  name: embeddings
+  labels:
+    deploy: sourcegraph
+    sourcegraph-resource-requires: no-cluster-admin
+    app.kubernetes.io/component: embeddings
+spec:
+  minReadySeconds: 10
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: embeddings
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        deploy: sourcegraph
+        app: embeddings
+    spec:
+      containers:
+        - name: embeddings
+          image: index.docker.io/sourcegraph/embeddings:216430_2023-05-02_5.0-3cc9006de32c@sha256:c8cd7c5abca562d6a79bb524c49b9d0e76a3cb119226baa29ca0508faf652f03
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OTEL_AGENT_HOST
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: OTEL_EXPORTER_OTLP_ENDPOINT
+              value: http://$(OTEL_AGENT_HOST):4317
+          envFrom:
+            - configMapRef:
+                name: embeddings-backend
+          ports:
+            - containerPort: 9991
+              name: http
+              protocol: TCP
+          resources:
+            limits:
+              cpu: "8"
+              memory: 64G
+            requests:
+              cpu: "4"
+              memory: 32G
diff --git a/configure/embeddings/embeddings.Service.yaml b/configure/embeddings/embeddings.Service.yaml
new file mode 100644
index 000000000000..6075b453823d
--- /dev/null
+++ b/configure/embeddings/embeddings.Service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/port: "6060"
+    sourcegraph.prometheus/scrape: "true"
+  labels:
+    app: embeddings
+    deploy: sourcegraph
+    sourcegraph-resource-requires: no-cluster-admin
+    app.kubernetes.io/component: embeddings
+  name: embeddings
+spec:
+  ports:
+    - name: http
+      port: 9991
+      targetPort: http
+  selector:
+    app: embeddings
+  type: ClusterIP
diff --git a/tests/integration/restricted/nonroot-policy.yaml b/tests/integration/restricted/nonroot-policy.yaml
index af9b1629fd73..bfe123d73222 100644
--- a/tests/integration/restricted/nonroot-policy.yaml
+++ b/tests/integration/restricted/nonroot-policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodSecurityPolicy
 metadata:
   name: nonroot-policy