diff --git a/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml b/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml index 83be0437660a2..959cb5e34cece 100644 --- a/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml +++ b/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml @@ -25,7 +25,7 @@ spec: {{- toYaml $updater.annotations.pod | nindent 8 }} {{- end }} labels: - app: {{ .Release.Name }} + app: {{ .Release.Name }}-updater {{- if $updater.extraLabels.pod }} {{- toYaml $updater.extraLabels.pod | nindent 8 }} {{- end }} @@ -66,7 +66,7 @@ spec: - "--agent-namespace={{ .Release.Namespace }}" - "--base-image={{ include "teleport-kube-agent.baseImage" . }}" - "--version-server={{ $updater.versionServer }}" - - "--release-channel={{ $updater.releaseChannel }}" + - "--version-channel={{ $updater.releaseChannel }}" {{- if $updater.securityContext }} securityContext: {{- toYaml $updater.securityContext | nindent 10 }} {{- end }} diff --git a/examples/chart/teleport-kube-agent/templates/updater/role.yaml b/examples/chart/teleport-kube-agent/templates/updater/role.yaml index 63da891a03cdd..12608478fdb9b 100644 --- a/examples/chart/teleport-kube-agent/templates/updater/role.yaml +++ b/examples/chart/teleport-kube-agent/templates/updater/role.yaml @@ -36,11 +36,23 @@ rules: resources: - secrets verbs: - - get - watch - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get resourceNames: - {{ .Release.Name }}-shared-state +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch # the controller in the updater must be able to watch deployments and # statefulsets and get the one it should reconcile - apiGroups: 
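Review bot: The pod-template label at new line 28 becomes `app: {{ .Release.Name }}-updater`, but the Deployment's `spec.selector.matchLabels` is outside this hunk and the commit does not touch it. If the selector still carries `app: {{ .Release.Name }}`, the API server rejects the Deployment because the selector no longer matches the template labels. If it already used the `-updater` suffix, nothing more is needed here. An assertion in `updater_deployment_test.yaml` that `spec.selector.matchLabels.app` equals `spec.template.metadata.labels.app` would pin this, so the updater pod cannot drift back into selectors meant for the agent pods.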
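Review bot: After this hunk the first `secrets` rule grants `watch` and `list` with no `resourceNames`, because the `resourceNames: - {{ .Release.Name }}-shared-state` restriction now applies only to the new `get` rule. A list response carries full Secret data, so the updater's service account can read every Secret in the release namespace, not just the shared-state one. RBAC does honour `resourceNames` for `list`/`watch` when the request carries a `metadata.name` field selector. If the manager's cache can be limited to that one Secret (the cache setup in `main.go` is not visible here), keep `resourceNames:` / `- {{ .Release.Name }}-shared-state` on this rule as well. Otherwise a comment above the rule, like the one on the deployments rule, should state why the namespace-wide read is required.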
@@ -64,5 +76,20 @@ rules: - update resourceNames: - {{ .Release.Name }} +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - coordination.k8s.io + resourceNames: + - {{ .Release.Name }} + resources: + - leases + verbs: + - get + - update {{- end -}} {{- end -}} diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap index 1d1850b0d2386..e88836db6813d 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_deployment_test.yaml.snap @@ -26,7 +26,7 @@ sets the affinity: - --agent-namespace=NAMESPACE - --base-image=public.ecr.aws/gravitational/teleport-distroless - --version-server=https://my-custom-version-server/v1 - - --release-channel=custom/preview + - --version-channel=custom/preview image: public.ecr.aws/gravitational/teleport-kube-agent-updater:14.0.0-dev imagePullPolicy: IfNotPresent livenessProbe: @@ -70,7 +70,7 @@ sets the tolerations: - --agent-namespace=NAMESPACE - --base-image=public.ecr.aws/gravitational/teleport-distroless - --version-server=https://my-custom-version-server/v1 - - --release-channel=custom/preview + - --version-channel=custom/preview image: public.ecr.aws/gravitational/teleport-kube-agent-updater:14.0.0-dev imagePullPolicy: IfNotPresent livenessProbe: diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_role_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_role_test.yaml.snap index 831bcc9c7c23d..0c1e6a6268c30 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_role_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/updater_role_test.yaml.snap 
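Review bot: The two `coordination.k8s.io` rules are added without a comment, unlike the deployments/statefulsets rule above them, which says why the controller needs it. Something like `# leader election: create cannot be scoped by resourceNames, get/update are limited to the updater's own lease` would document why `create` is unrestricted. The `get`/`update` rule only works if the manager's leader-election ID is exactly `{{ .Release.Name }}`, and that ID is set in `main.go` outside this diff. A mismatch would presumably show up as forbidden errors on the lease and an updater that never becomes leader, so confirm the two values are wired to the same name.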
@@ -17,6 +17,13 @@ sets the correct role rules: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - watch + - list - apiGroups: - "" resourceNames: @@ -25,8 +32,13 @@ sets the correct role rules: - secrets verbs: - get - - watch - - list + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch - apiGroups: - apps resources: @@ -47,3 +59,18 @@ sets the correct role rules: - statefulsets verbs: - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resourceNames: + - RELEASE-NAME + resources: + - leases + verbs: + - get + - update diff --git a/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml b/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml index 0dc0fc73a4fe6..699be7c6e2049 100644 --- a/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml +++ b/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml @@ -70,7 +70,7 @@ tests: asserts: - contains: path: spec.template.spec.containers[0].args - content: "--release-channel=custom/preview" + content: "--version-channel=custom/preview" # # Kubernetes-related tests # diff --git a/integrations/kube-agent-updater/DEBUG.md b/integrations/kube-agent-updater/DEBUG.md index 2156f080f353c..765a8989fe6ec 100644 --- a/integrations/kube-agent-updater/DEBUG.md +++ b/integrations/kube-agent-updater/DEBUG.md @@ -16,7 +16,7 @@ specific cases. ``` - open a new terminal, create a new temporary directory and create your new kubeconfig ```shell - export kubeconfig="$(mktemp)" + export KUBECONFIG="$(mktemp)" kubectl config set-credentials myself --username=foo kubectl config set-cluster local-server --server=http://localhost:8001 kubectl config set-context default-context --cluster=local-server --user=myself 
diff --git a/integrations/kube-agent-updater/Dockerfile b/integrations/kube-agent-updater/Dockerfile index 3a468c8456774..e2ad45c20bae0 100644 --- a/integrations/kube-agent-updater/Dockerfile +++ b/integrations/kube-agent-updater/Dockerfile @@ -22,7 +22,7 @@ ARG TARGETARCH # Build the program. We rely on golang's cross-compilation capabilities for multiarch building. RUN echo "Targeting $TARGETOS/$TARGETARCH" && \ - GOOS=$TARGETOS GOARCH=$TARGETARCH \ + GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 \ go build -a -o /go/bin/teleport-kube-agent-updater github.com/gravitational/teleport/integrations/kube-agent-updater/cmd/teleport-kube-agent-updater # Create the image with the build operator on the $TARGETPLATFORM diff --git a/integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go b/integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go index 6e913c1d6b4c8..d44eb32206398 100644 --- a/integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go +++ b/integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go @@ -32,6 +32,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/cache" + "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" "github.com/gravitational/teleport/integrations/kube-agent-updater/pkg/controller" @@ -172,6 +173,15 @@ func main() { os.Exit(1) } + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + ctrl.Log.Error(err, "unable to set up health check") + os.Exit(1) + } + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + ctrl.Log.Error(err, "unable to set up ready check") + os.Exit(1) + } + if err := mgr.Start(ctx); err != nil { ctrl.Log.Error(err, "failed to start manager, exiting") os.Exit(1)
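Review bot: Both `mgr.AddHealthzCheck("healthz", healthz.Ping)` and `mgr.AddReadyzCheck("readyz", healthz.Ping)` register a checker that always returns nil. The readiness probe therefore reports ready as soon as the probe server is listening, whether or not the informer caches have synced or the version server is reachable. If that is the intent, a comment above the two calls should say so, for example `// healthz.Ping always succeeds: these probes only prove the process is serving, not that the controller is reconciling`. The endpoints are only served when the manager options set `HealthProbeBindAddress`; the `ctrl.NewManager` call is outside this hunk, so confirm it is set and matches the port used by the chart's `livenessProbe`. `main` starts and ends outside the hunk.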