diff --git a/cmd/buildtools/k0s.go b/cmd/buildtools/k0s.go
index 536dfc859..3f135b9b8 100644
--- a/cmd/buildtools/k0s.go
+++ b/cmd/buildtools/k0s.go
@@ -21,6 +21,7 @@ var k0sImageComponents = map[string]string{
 	"registry.k8s.io/metrics-server/metrics-server": "metrics-server",
 	"quay.io/k0sproject/kube-proxy":                 "kube-proxy",
 	"quay.io/k0sproject/envoy-distroless":           "envoy-distroless",
+	"registry.k8s.io/pause":                         "pause",
 }
 
 var k0sComponents = map[string]addonComponent{
@@ -59,6 +60,9 @@ var k0sComponents = map[string]addonComponent{
 			return fmt.Sprintf("envoy-%d.%d", opts.upstreamVersion.Major(), opts.upstreamVersion.Minor())
 		},
 	},
+	"pause": {
+		useUpstreamImage: true,
+	},
 }
 
 var updateK0sImagesCommand = &cli.Command{
@@ -90,11 +94,11 @@ var updateK0sImagesCommand = &cli.Command{
 			upstreamVersion = strings.TrimPrefix(upstreamVersion, "v")
 			upstreamVersion = strings.Split(upstreamVersion, "-")[0]
 
-			image = RemoveTagFromImage(image)
+			imageNoTag := RemoveTagFromImage(image)
 
-			componentName, ok := k0sImageComponents[image]
+			componentName, ok := k0sImageComponents[imageNoTag]
 			if !ok {
-				return fmt.Errorf("no component found for image %s", image)
+				return fmt.Errorf("no component found for image %s", imageNoTag)
 			}
 
 			component, ok := k0sComponents[componentName]
@@ -102,6 +106,19 @@ var updateK0sImagesCommand = &cli.Command{
 				return fmt.Errorf("no component found for component name %s", componentName)
 			}
 
+			if component.useUpstreamImage {
+				logrus.Infof("fetching digest for image %s", image)
+				sha, err := GetImageDigest(c.Context, image)
+				if err != nil {
+					return fmt.Errorf("failed to get image %s digest: %w", image, err)
+				}
+				logrus.Infof("image %s digest: %s", image, sha)
+				tag := TagFromImage(image)
+				image = RemoveTagFromImage(image)
+				newmeta.Images[FamiliarImageName(image)] = fmt.Sprintf("%s@%s", tag, sha)
+				continue
+			}
+
 			packageName, packageVersion, err := component.getPackageNameAndVersion(wolfiAPKIndex, upstreamVersion)
 			if err != nil {
 				return fmt.Errorf("failed to get package name and version for %s: %w", componentName, err)
diff --git a/pkg/config/images.go b/pkg/config/images.go
index 2c7e5a79b..14c236151 100644
--- a/pkg/config/images.go
+++ b/pkg/config/images.go
@@ -71,7 +71,8 @@ func overrideK0sImages(cfg *k0sv1beta1.ClusterConfig) {
 	cfg.Spec.Images.KubeProxy.Image = helpers.AddonImageFromComponentName("kube-proxy")
 	cfg.Spec.Images.KubeProxy.Version = Metadata.Images["kube-proxy"]
 
-	cfg.Spec.Images.Pause.Image = fmt.Sprintf("proxy.replicated.com/anonymous/%s", cfg.Spec.Images.Pause.Image)
+	cfg.Spec.Images.Pause.Image = "proxy.replicated.com/anonymous/registry.k8s.io/pause"
+	cfg.Spec.Images.Pause.Version = Metadata.Images["registry.k8s.io/pause"]
 
 	// TODO (salah): remove the following and uncomment when upstream PR for digest support is released: https://github.com/k0sproject/k0s/pull/4792
 	if cfg.Spec.Network != nil &&
diff --git a/pkg/config/static/metadata.yaml b/pkg/config/static/metadata.yaml
index 42eba7068..5bfe0c7c8 100644
--- a/pkg/config/static/metadata.yaml
+++ b/pkg/config/static/metadata.yaml
@@ -13,4 +13,4 @@ images:
     envoy-distroless: 1.29.6-r0@sha256:70b84e4366a692ec5a5bd9751ce95e89a2182b2f83d207338b76c980ac92738e
     kube-proxy: 1.29.5-r0@sha256:2eedefa76a33aa075e8b2260c26353060fa2a3fa74754bad6e0b9ebfe91b43f3
     metrics-server: 0.6.4-r9@sha256:58516a4f46ba645f4e0f367af41df6506951c3cd7903efd5f4ae3e17fd753e4a
-    pause: 1.29.5-r0@sha256:7a91a872a0a72a6a5576489744958b670871ac6a58ef606d668ef193d96fbce3
+    registry.k8s.io/pause: 3.9@sha256:8d4106c88ec0bd28001e34c975d65175d994072d65341f62a8ab0754b0fafe10