diff --git a/Dockerfile b/Dockerfile index bb5f202e1..fdc966567 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,6 +12,14 @@ ARG GOPROXY ARG KUBE_GIT_VERSION ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION +# This will be set by buildkit automatically (e.g. to "linux"). +# Useful for building multi-arch container images. +ARG TARGETOS + +# This will be set by buildkit automatically (e.g. to "amd64" or "arm64"). +# Useful for building multi-arch container images. +ARG TARGETARCH + # Build the executable binary (CGO_ENABLED=0 means static linking) # Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they # can be re-used between image builds. @@ -19,7 +27,7 @@ RUN \ --mount=type=cache,target=/cache/gocache \ --mount=type=cache,target=/cache/gomodcache \ mkdir out && \ - export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \ + export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH && \ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \ diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml index bd1c690f4..312fe707d 100644 --- a/deploy/concierge/deployment.yaml +++ b/deploy/concierge/deployment.yaml @@ -245,6 +245,10 @@ spec: effect: NoSchedule - key: node-role.kubernetes.io/control-plane #! The new name for these nodes as of Kubernetes 1.24. effect: NoSchedule + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: arm64 #! Also allow running these pods on arm64 nodes. #! This will help make sure our multiple pods run on different nodes, making #! our deployment "more" "HA". affinity: 
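Review bot: The new `ARG TARGETOS` / `ARG TARGETARCH` declarations only save work if this build stage runs on the builder's native platform, and the stage's `FROM` line is outside this hunk. If it is not already written as `FROM --platform=$BUILDPLATFORM ...`, a multi-platform build would likely run the Go toolchain under emulation once per target, making the `GOOS`/`GOARCH` override redundant. The comments could also say that these values are supplied only by BuildKit, e.g. `# Empty unless the build runs under BuildKit/buildx.`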
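Review bot: The rewritten `export` line expands `$TARGETOS` and `$TARGETARCH` unquoted and never checks that they are non-empty. Both are ordinary build args, so an empty override via `--build-arg` would, as far as I can tell, let `go build` fall back to the build host's platform without any error. The image would then carry binaries that do not match the platform it is published for. Failing fast is a small change: `GOOS="${TARGETOS:?}" GOARCH="${TARGETARCH:?}"`. The RUN instruction starts above this hunk and continues past it.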
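Review bot: The comment on the new toleration in deploy/concierge/deployment.yaml (`#! Also allow running these pods on arm64 nodes.`) does not state what the entry depends on. It only has an effect on nodes carrying a `kubernetes.io/arch=arm64:NoSchedule` taint, and nothing in the hunk ties it to an image that actually has a linux/arm64 variant. If the deployed image is amd64-only, pods scheduled onto such nodes would presumably fail to start. I would extend the comment to something like `#! Tolerate the arch=arm64:NoSchedule taint found on some arm64 node pools; requires a multi-arch image.` The same block and comment are added in deploy/local-user-authenticator/deployment.yaml and deploy/supervisor/deployment.yaml, so the same wording applies there.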
diff --git a/deploy/local-user-authenticator/deployment.yaml b/deploy/local-user-authenticator/deployment.yaml index 5098422aa..f0aeaf99b 100644 --- a/deploy/local-user-authenticator/deployment.yaml +++ b/deploy/local-user-authenticator/deployment.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") @@ -76,6 +76,11 @@ spec: #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error. seccompProfile: type: "RuntimeDefault" + tolerations: + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: arm64 #! Also allow running these pods on arm64 nodes. --- apiVersion: v1 kind: Service diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml index 30791a1bb..309a673f3 100644 --- a/deploy/supervisor/deployment.yaml +++ b/deploy/supervisor/deployment.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") @@ -190,6 +190,11 @@ spec: - name: socket emptyDir: {} #@ end + tolerations: + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: arm64 #! Also allow running these pods on arm64 nodes. #! This will help make sure our multiple pods run on different nodes, making #! our deployment "more" "HA". affinity: