diff --git a/manifests/function/cabpk/v0.3.3/manager/manager_auth_proxy_patch.yaml b/manifests/function/cabpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
index 61cb5e7cb..27f69c5b8 100644
--- a/manifests/function/cabpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
+++ b/manifests/function/cabpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
@@ -10,7 +10,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+        image: ${CONTAINER_CABPK_AUTH_PROXY}
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
diff --git a/manifests/function/cabpk/v0.3.3/manager/manager_image_patch.yaml b/manifests/function/cabpk/v0.3.3/manager/manager_image_patch.yaml
index a6b620a9f..fe42af8f1 100644
--- a/manifests/function/cabpk/v0.3.3/manager/manager_image_patch.yaml
+++ b/manifests/function/cabpk/v0.3.3/manager/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-bootstrap-controller:v0.3.3
+        - image: ${CONTAINER_CABPK_MANAGER}
           name: manager
diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml b/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
index 61cb5e7cb..bcfccd4ed 100644
--- a/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
+++ b/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
@@ -10,7 +10,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+        image: ${CONTAINER_CACPK_AUTH_PROXY}
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml
index 52efc6131..760dee339 100644
--- a/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml
+++ b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-        - image: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-control-plane-controller:v0.3.3
+        - image: ${CONTAINER_CACPK_MANAGER}
           name: manager
diff --git a/manifests/function/capi/v0.3.3/manager/manager_auth_proxy_patch.yaml b/manifests/function/capi/v0.3.3/manager/manager_auth_proxy_patch.yaml
index a5a737f7b..3b74f310a 100644
--- a/manifests/function/capi/v0.3.3/manager/manager_auth_proxy_patch.yaml
+++ b/manifests/function/capi/v0.3.3/manager/manager_auth_proxy_patch.yaml
@@ -10,7 +10,7 @@ spec:
     spec:
       containers:
         - name: kube-rbac-proxy
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+          image: ${CONTAINER_CAPI_AUTH_PROXY}
           args:
             - "--secure-listen-address=0.0.0.0:8443"
             - "--upstream=http://127.0.0.1:8080/"
diff --git a/manifests/function/capi/v0.3.3/manager/manager_image_patch.yaml b/manifests/function/capi/v0.3.3/manager/manager_image_patch.yaml
index 3ac912f26..c2bbf8cf8 100644
--- a/manifests/function/capi/v0.3.3/manager/manager_image_patch.yaml
+++ b/manifests/function/capi/v0.3.3/manager/manager_image_patch.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     spec:
       containers:
-      - image: us.gcr.io/k8s-artifacts-prod/cluster-api/cluster-api-controller:v0.3.3
+      - image: ${CONTAINER_CAPI_MANAGER}
         name: manager
diff --git a/manifests/function/capm3/v0.3.1/manager/manager_auth_proxy_patch.yaml b/manifests/function/capm3/v0.3.1/manager/manager_auth_proxy_patch.yaml
index 989d69887..64a47e6f9 100644
--- a/manifests/function/capm3/v0.3.1/manager/manager_auth_proxy_patch.yaml
+++ b/manifests/function/capm3/v0.3.1/manager/manager_auth_proxy_patch.yaml
@@ -10,7 +10,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+        image: ${CONTAINER_CAPM3_AUTH_PROXY}
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
diff --git a/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml b/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml
index 692b73bd7..96567a806 100644
--- a/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml
+++ b/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml
@@ -8,5 +8,5 @@ spec:
     spec:
       containers:
       # Change the value of image field below to your controller image URL
-      - image: quay.io/metal3-io/cluster-api-provider-metal3:v0.3.1
+      - image: ${CONTAINER_CAPM3_MANAGER}
         name: manager
diff --git a/manifests/function/clusterctl/README.md b/manifests/function/clusterctl/README.md
new file mode 100644
index 000000000..6f01de11d
--- /dev/null
+++ b/manifests/function/clusterctl/README.md
@@ -0,0 +1,16 @@
+Function: k8scontrol
+====================
+
+This function defines a base Clusterctl config that includes a collection
+of available CAPI providers (under ``providers``) which are supported by
+``airshipctl``.  It also provides a selection of those for a default Metal3
+deployment (under ``init-options``).  The selected init-options may be
+patched/overridden at the Type level, etc.
+
+This function relies on CAPI variable substitution to supply versioned
+container images to the CAPI components.  The Clusterctl objects
+supplies defaults, and these can (optionally) be overridden either by
+simple Kustomize patching, or by applying the ``replacements``
+kustomization as a Kustomize transformer.  In the latter case,
+an airshipctl versions catalogue must be supplied; please see the
+``airshipctl-catalogues`` function for a base/example.
diff --git a/manifests/function/clusterctl/clusterctl.yaml b/manifests/function/clusterctl/clusterctl.yaml
new file mode 100644
index 000000000..c43186831
--- /dev/null
+++ b/manifests/function/clusterctl/clusterctl.yaml
@@ -0,0 +1,45 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Clusterctl
+metadata:
+  labels:
+    airshipit.org/deploy-k8s: "false"
+  name: clusterctl-v1
+init-options:
+  core-provider: "cluster-api:v0.3.3"
+  bootstrap-providers:
+    - "kubeadm:v0.3.3"
+  infrastructure-providers:
+    - "metal3:v0.3.1"
+  control-plane-providers:
+    - "kubeadm:v0.3.3"
+providers:
+  - name: "metal3"
+    type: "InfrastructureProvider"
+    variable-substitution: true
+    versions:
+      v0.3.1: manifests/function/capm3/v0.3.1
+  - name: "kubeadm"
+    type: "BootstrapProvider"
+    variable-substitution: true
+    versions:
+      v0.3.3: manifests/function/cabpk/v0.3.3
+  - name: "cluster-api"
+    type: "CoreProvider"
+    variable-substitution: true
+    versions:
+      v0.3.3: manifests/function/capi/v0.3.3
+  - name: "kubeadm"
+    type: "ControlPlaneProvider"
+    variable-substitution: true
+    versions:
+      v0.3.3: manifests/function/cacpk/v0.3.3
+# These default images can be overridden via the `replacements/` entrypoint
+additional-vars:
+  CONTAINER_CAPM3_MANAGER: quay.io/metal3-io/cluster-api-provider-metal3:v0.3.1
+  CONTAINER_CACPK_MANAGER: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-control-plane-controller:v0.3.3
+  CONTAINER_CABPK_MANAGER: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-bootstrap-controller:v0.3.3
+  CONTAINER_CAPI_MANAGER:  us.gcr.io/k8s-artifacts-prod/cluster-api/cluster-api-controller:v0.3.3
+  CONTAINER_CAPM3_AUTH_PROXY: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+  CONTAINER_CACPK_AUTH_PROXY: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+  CONTAINER_CABPK_AUTH_PROXY: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+  CONTAINER_CAPI_AUTH_PROXY: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
diff --git a/manifests/site/test-site/shared/clusterctl/kustomization.yaml b/manifests/function/clusterctl/kustomization.yaml
similarity index 100%
rename from manifests/site/test-site/shared/clusterctl/kustomization.yaml
rename to manifests/function/clusterctl/kustomization.yaml
diff --git a/manifests/function/clusterctl/replacements/kustomization.yaml b/manifests/function/clusterctl/replacements/kustomization.yaml
new file mode 100644
index 000000000..1d43ee154
--- /dev/null
+++ b/manifests/function/clusterctl/replacements/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - versions.yaml
diff --git a/manifests/function/clusterctl/replacements/versions.yaml b/manifests/function/clusterctl/replacements/versions.yaml
new file mode 100644
index 000000000..d7f830503
--- /dev/null
+++ b/manifests/function/clusterctl/replacements/versions.yaml
@@ -0,0 +1,27 @@
+# These rules inject versioned artifacts into the k8scontrol function.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: k8scontrol-versions-replacements
+replacements:
+# Replace the Kubernetes version in the KubeadmControlPlane
+- source:
+    objref:
+      name: versions-airshipctl
+    fieldref: kubernetes
+  target:
+    objref:
+      kind: KubeadmControlPlane
+      name: cluster-controlplane
+    fieldrefs: ["spec.version"]
+# Replace the controlplane disk image in the Metal3MachineTemplate
+- source:
+    objref:
+      name: versions-airshipctl
+    fieldref: files.k8scontrol.cluster_controlplane_image
+  target:
+    objref:
+      kind: Metal3MachineTemplate
+      name: cluster-controlplane
+    fieldrefs: ["spec.template.spec.image"]
+
diff --git a/manifests/site/test-site/ephemeral/initinfra/kustomization.yaml b/manifests/site/test-site/ephemeral/initinfra/kustomization.yaml
index 26b91c0af..123b2ef9c 100644
--- a/manifests/site/test-site/ephemeral/initinfra/kustomization.yaml
+++ b/manifests/site/test-site/ephemeral/initinfra/kustomization.yaml
@@ -1,6 +1,6 @@
 resources:
   - ../../../../composite/infra
-  - ../../shared/clusterctl
+  - ../../../../function/clusterctl
   - ../../../../function/airshipctl-catalogues
   - ../../../../function/baremetal-operator
 patchesStrategicMerge:
diff --git a/manifests/site/test-site/shared/clusterctl/clusterctl.yaml b/manifests/site/test-site/shared/clusterctl/clusterctl.yaml
deleted file mode 100644
index 5873ff506..000000000
--- a/manifests/site/test-site/shared/clusterctl/clusterctl.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: airshipit.org/v1alpha1
-kind: Clusterctl
-metadata:
-  labels:
-    airshipit.org/deploy-k8s: "false"
-  name: clusterctl-v1
-init-options:
-  core-provider: "cluster-api:v0.3.3"
-  bootstrap-providers:
-    - "kubeadm:v0.3.3"
-  infrastructure-providers:
-    - "metal3:v0.3.1"
-  control-plane-providers:
-    - "kubeadm:v0.3.3"
-providers:
-  - name: "metal3"
-    type: "InfrastructureProvider"
-    versions:
-      v0.3.1: manifests/function/capm3/v0.3.1
-  - name: "kubeadm"
-    type: "BootstrapProvider"
-    versions:
-      v0.3.3: manifests/function/cabpk/v0.3.3
-  - name: "cluster-api"
-    type: "CoreProvider"
-    versions:
-      v0.3.3: manifests/function/capi/v0.3.3
-  - name: "kubeadm"
-    type: "ControlPlaneProvider"
-    versions:
-      v0.3.3: manifests/function/cacpk/v0.3.3
diff --git a/manifests/site/test-site/target/initinfra/kustomization.yaml b/manifests/site/test-site/target/initinfra/kustomization.yaml
index 9756756dc..8c9838c70 100644
--- a/manifests/site/test-site/target/initinfra/kustomization.yaml
+++ b/manifests/site/test-site/target/initinfra/kustomization.yaml
@@ -1,6 +1,6 @@
 resources:
   - ../../../../composite/infra
-  - ../../shared/clusterctl
+  - ../../../../function/clusterctl
   - ../../../../function/airshipctl-catalogues
   - ../../../../function/baremetal-operator
   - ../../../../function/helm-operator