diff --git a/distroless-build/Makefile b/distroless-build/Makefile
index 3047688a7..cfb0c9d4a 100644
--- a/distroless-build/Makefile
+++ b/distroless-build/Makefile
@@ -35,6 +35,8 @@ KEY ?= melange.rsa
 REPO ?= packages
 TEMPLATE ?= melange/nginx-templates.json
 MELANGE_OPTS ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS}
+MELANGE_INGRESS_OPT ?= -k ${KEY}.pub --signing-key ${KEY} --arch ${ARCHS} --empty-workspace
+APKO_OPTS ?= -k ${KEY}.pub --debug --build-arch ${ARCHS} ${APKO_DIR}/${FILE}.yaml
 KEY ?= melange.rsa
 REPO ?= $(shell pwd)/packages
 ARCHS?="amd64,arm64,arm/v6,arm/v7,s390x"
@@ -50,14 +52,17 @@ keygen: ## Generate Key pair for use with signing apks
 melange: ## Build melange $FILE
 ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})'
+ingress-melange:
+ ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml ${MELANGE_INGRESS_OPT} --template '$(shell cat ${TEMPLATE})'
+
 nginx-melange:
 ${MELANGE} build ${MELANGE_DIR}/${FILE}.yaml --source-dir ${MELANGE_DIR}/${FILE} ${MELANGE_OPTS} --template '$(shell cat ${TEMPLATE})'
 apko-build: ## Build an apko pipeline with $KEY and $FILE
- ${APKO} build -k ${KEY}.pub --debug ${APKO_DIR}/${FILE}.yaml $(IMAGE):$(TAG) $(IMAGE)-$(TAG).tar
+ ${APKO} build ${APKO_OPTS} $(IMAGE):$(TAG) $(IMAGE)-$(TAG).tar
 apko-push: ## Push apko built container $IMAGE:$TAG to $REGISTRY
- ${APKO} publish -k ${KEY}.pub --debug ${APKO_DIR}/${FILE}.yaml $(IMAGE):$(TAG)
+ ${APKO} publish ${APKO_OPTS} $(IMAGE):$(TAG)
 load: ## Load apko built image into docker
 docker load < $(IMAGE)-$(TAG).tar
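Review bot: `APKO_OPTS` folds the positional config path `${APKO_DIR}/${FILE}.yaml` into what its name and the `?=` present as an overridable flag set, so anyone passing `APKO_OPTS=...` on the command line for `apko-build` or `apko-push` silently drops the config file and most likely gets an argument error from apko. Keep the positional out of the variable: `APKO_OPTS ?= -k ${KEY}.pub --debug --build-arch ${ARCHS}` and let the two recipes append `${APKO_DIR}/${FILE}.yaml` themselves. `MELANGE_INGRESS_OPT` repeats the whole `MELANGE_OPTS` flag list instead of building on it; `MELANGE_INGRESS_OPTS ?= ${MELANGE_OPTS} --empty-workspace` keeps the signing-key and arch settings in one place and matches the plural naming of its sibling. Baking `--debug` into the default also makes every apko run verbose, which deserves either a comment or a separate knob.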
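Review bot: `ingress-melange` is the only target in the hunk without a `## …` help comment, so it will be missing from whatever consumes those comments while every neighbouring target documents itself; add `ingress-melange: ## Build melange $FILE with an empty workspace`. It is a command rather than a file, so it also belongs in the `.PHONY` list, which is outside this hunk; a stray file named `ingress-melange` would otherwise make the target look up to date. The recipe duplicates the `melange` recipe apart from the options variable, so a one-line comment saying why the ingress build needs `--empty-workspace` would save the next reader from diffing the two lines.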
@@ -68,10 +73,10 @@ load: ## Load apko built image into docker
 build-all: clean-packages all-packages nginx-package ingress-packages ## Fresh build of all melange pipelines and apko files, default is all $ARCHS
 nginx-test: ## Start $IMAGE:$TAG container and drop into bash shell
- docker run --rm -it --entrypoint bash --env-file .env $(IMAGE):$(TAG)
+ docker run --rm -it --entrypoint bash --env-file .env $(REGISTRY)/$(IMAGE):$(TAG)
 shell: ## Start Alpine base container, mount PWD and drop into sh
- docker run -it --rm -v "${PWD}":/work --entrypoint sh distroless.dev/alpine-base:latest
+ docker run -it --rm -v "${PWD}":/work --env-file .env --group-add www-data --entrypoint sh distroless.dev/alpine-base:latest
 check_clean:
 @echo -n "Are you sure? [y/N] " && read ans && [ $${ans:-N} = y ]
diff --git a/distroless-build/apko/ingress.yaml b/distroless-build/apko/ingress.yaml
index 1cd27b3a3..ea3d87ba5 100644
--- a/distroless-build/apko/ingress.yaml
+++ b/distroless-build/apko/ingress.yaml
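Review bot: `nginx-test` now builds the image reference as `$(REGISTRY)/$(IMAGE):$(TAG)` and nothing in the hunk guards `REGISTRY`; when it is unset the reference becomes `/$(IMAGE):$(TAG)`, which docker rejects, whereas the old line worked against an image loaded locally by `load`. Fail loudly inside the recipe rather than at parse time, e.g. a first recipe line `@test -n "$(REGISTRY)" || { echo "REGISTRY is not set" >&2; exit 1; }`, or fall back to the bare `$(IMAGE):$(TAG)` when it is empty. The `shell` target now also passes `--env-file .env` into an interactive throwaway container; whatever that file holds (the other targets treat it as the controller's runtime environment) becomes readable from that shell and from anything started in it, which is fine on a developer box but worth a one-line comment so the target is not copied into CI unchanged.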
@@ -44,46 +44,17 @@ accounts: run-as: 101 environments: - PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin" + PATH: "$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/luajit/bin" LUA_PATH: "/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;" LUA_CPATH: "/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" - LUA_INCLUDE_DIR: "/usr/local/include/luajit-2.1" + :u: "/usr/local/include/luajit-2.1" + LUAJIT_INC: "/usr/local/include/luajit-2.1" LUAJIT_LIB: "/usr/local/lib" + LUA_LIB_DIR: "/usr/local/lib/lua" work-dir: /etc/nginx -entrypoint: - command: "/usr/bin/dumb-init --" - -cmd: /nginx-ingress-controller - paths: - - path: /var/log/nginx/error.log - type: symlink - source: /dev/stderr - permissions: 0o755 - - path: /var/log/nginx/access.log - type: symlink - source: /dev/stdout - permissions: 0o755 - recursive: true - - path: /usr/bin/nginx - type: hardlink - source: /usr/local/nginx/sbin/nginx - permissions: 0o755 - recursive: true - - path: /var/lib/nginx/proxy - type: directory - permissions: 0o755 - uid: 101 - gid: 101 - recursive: true - - path: /etc/ingress-controller/auth - type: directory - permissions: 0o755 - uid: 101 - gid: 101 - recursive: true - path: /usr/local/ type: directory permissions: 0o755 
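Review bot: The added `:u: "/usr/local/include/luajit-2.1"` key under `environments` looks like an editor command typed into the file in place of the `LUA_INCLUDE_DIR` entry it replaces; as written it produces an environment variable literally named `:u`, which no consumer will read, so either restore `LUA_INCLUDE_DIR: "/usr/local/include/luajit-2.1"` or drop the line now that `LUAJIT_INC` carries the same value. `PATH: "$PATH:..."` relies on `$PATH` being expanded, but image environment values are written literally into the image config and there is no shell here to expand them (unless apko does so, which I do not believe it does), so the resulting PATH starts with a literal `$PATH` entry; the previous absolute list was correct. The hunk also removes the `entrypoint`/`cmd` blocks and the `/dev/stdout`/`/dev/stderr` log symlinks with no replacement visible here; if they moved elsewhere a sentence in the commit message would help, otherwise the image starts with no command and nginx logs land in files under `/var/log/nginx` instead of the container's streams.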
@@ -97,12 +68,34 @@ paths: gid: 101 recursive: true - path: /usr/local/bin/lua - type: hardlink + type: symlink source: /usr/local/bin/luajit permissions: 0o755 - - path: /sbin/nginx - type: hardlink + uid: 101 + gid: 101 + - path: /usr/local/include/lua + type: symlink + source: /usr/local/include/luajit-2.1 + uid: 101 + gid: 101 + permissions: 0o755 + - path: /usr/include/lua5.1 + type: symlink + source: /usr/local/include/luajit-2.1 + uid: 101 + gid: 101 + permissions: 0o755 + - path: /usr/local/nginx/sbin/nginx + type: symlink + source: /sbin/nginx + uid: 101 + gid: 101 + permissions: 0o755 + - path: /usr/bin/nginx + type: symlink source: /usr/local/nginx/sbin/nginx + uid: 101 + gid: 101 permissions: 0o755 - path: /var/lib/ type: directory @@ -212,7 +205,3 @@ paths: type: directory permissions: 0o755 recursive: true -archs: - - amd64 - - aarch64 - - armv7 diff --git a/distroless-build/apko/nginx.yaml b/distroless-build/apko/nginx.yaml index 228866a85..f40c78e0c 100644 --- a/distroless-build/apko/nginx.yaml +++ b/distroless-build/apko/nginx.yaml @@ -5,6 +5,7 @@ contents: packages: - alpine-baselayout-data - geoip-dev + - bash - nginx@local - opentracing@local - msgpack-cpp@local @@ -54,12 +55,14 @@ paths: gid: 101 recursive: true - path: /usr/local/bin/lua - type: hardlink + type: symlink source: /usr/local/bin/luajit permissions: 0o755 - - path: /sbin/nginx - type: hardlink - source: /usr/local/nginx/sbin/nginx + - path: /usr/local/nginx/sbin/nginx + type: symlink + source: /sbin/nginx + uid: 101 + gid: 101 permissions: 0o755 - path: /var/lib/ type: directory diff --git a/distroless-build/melange/ingress-nginx-controller.yaml b/distroless-build/melange/ingress-nginx-controller.yaml index ab14fb49e..9ebdb6c4e 100644 --- a/distroless-build/melange/ingress-nginx-controller.yaml +++ b/distroless-build/melange/ingress-nginx-controller.yaml @@ -30,6 +30,7 @@ environment: - git - openssh-client - make + - libcap pipeline: - uses: git-checkout with: 
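Review bot: `/usr/local/nginx/sbin/nginx` is now declared as a symlink to `/sbin/nginx` while `/usr/bin/nginx` is a symlink to `/usr/local/nginx/sbin/nginx`, yet this hunk removes the only entry that created `/sbin/nginx`, and the melange build in this same change writes the real binary to `usr/local/nginx/sbin/nginx` and sets `cap_net_bind_service` on that file. Unless the nginx apk also ships `/sbin/nginx`, both links dangle, and if apko's path entry replaces the packaged file with a symlink the file capability set at build time goes with it; please confirm which path holds the real binary and point the links at it. The same symlink-to-`/sbin/nginx` change appears in the `apko/nginx.yaml` paths hunk and needs the same answer. `uid: 101`/`gid: 101` on symlink entries is harmless but does not affect the target, and `/usr/include/lua5.1` plus `/usr/local/include/lua` add header symlinks that only a build would ever need to a runtime image.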
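Review bot: Adding `bash` to the apko package list puts an interactive shell into what the directory name says is a distroless runtime image, presumably so the Makefile's `nginx-test` target can use `--entrypoint bash`. A shell in the shipped image is most of what distroless removes: any code-execution bug in nginx or a careless `exec` turns into a full shell instead of a dead end, so the cost lands in production while the benefit is only felt in local testing. If it is only needed for debugging, keep it out of the default variant, for example a second apko config or a `-debug` tag that adds `bash`, and run the interactive test against that.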
@@ -56,3 +57,9 @@ pipeline: -X {{ .PKG }}/version.COMMIT={{ .COMMIT_SHA }} \ -X {{ .PKG }}/version.REPO={{ .REPO_INFO }}" \ -o "${{targets.destdir}}/nginx-ingress-controller" {{ .PKG }}/cmd/nginx + + + setcap cap_net_bind_service=+ep ${{targets.destdir}}/nginx-ingress-controller \ + && setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/nginx-ingress-controller \ + && setcap cap_net_bind_service=+ep ${{targets.destdir}}/usr/bin/dumb-init \ + && setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/bin/dumb-init diff --git a/distroless-build/melange/nginx.yaml b/distroless-build/melange/nginx.yaml index 40ca87efa..f0b73bb6d 100644 --- a/distroless-build/melange/nginx.yaml +++ b/distroless-build/melange/nginx.yaml @@ -50,6 +50,7 @@ environment: - libxslt-dev - gd-dev - geoip-dev + - libcap - perl-dev - libedit-dev - mercurial @@ -466,7 +467,9 @@ pipeline: echo "Clean up owasp-modsecurity-crs" rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/.git rm -rf ${{targets.destdir}}/etc/nginx/owasp-modsecurity-crs/util/regression-tests - + + setcap cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ + && setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx \ echo "Clean up everything else" cd ${BUILD_PATH} rm -rf *.tar.gz ${BUILD_PATH}/ngx_devel_kit-{{ .NDK_VERSION }} \
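Review bot: Setting `cap_net_bind_service=+ep` on `usr/bin/dumb-init` as well as on `nginx-ingress-controller` grants the capability to a binary that does not bind sockets itself; when dumb-init execs the controller, the controller's permitted set comes from its own file capability, which the first two `setcap` lines already provide, so the two `dumb-init` lines only widen what the init process can do. Drop them unless something needs dumb-init itself to bind a low port, and say so in a comment if it does. The `setcap -v` calls only verify the xattr inside the build workspace; whether `security.capability` survives apk packaging and the apko layer is not shown here, so a check against the built image (a `getcap` step, or starting the controller as uid 101 on port 80 in CI) would make the change verifiable. The two empty `+` lines before the command are noise; one blank line matches the rest of the step.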
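Review bot: The second added `setcap -v` line ends in a trailing `\`, so the shell joins the following context line onto it and runs `setcap -v cap_net_bind_service=+ep …/usr/local/nginx/sbin/nginx echo "Clean up everything else"`; setcap should reject `echo` as a capability spec, the echo never runs, and depending on whether the step runs under `set -e` the whole build either fails or continues with the failure swallowed. Remove the continuation so the line reads `&& setcap -v cap_net_bind_service=+ep ${{targets.destdir}}/usr/local/nginx/sbin/nginx` followed by a blank line before the echo. The enclosing pipeline step starts and ends outside the hunk. As in the ingress-nginx-controller hunk above, `-v` only proves the xattr exists in the workspace, not that it survives into the package or the image.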