diff --git a/static/resources.go b/static/resources.go
index 56c331fc..9053b9b4 100644
--- a/static/resources.go
+++ b/static/resources.go
@@ -60,8 +60,8 @@ var Resources = []cke.ResourceDefinition{
 		Namespace:  "kube-system",
 		Name:       "node-dns",
 		Revision:   4,
-		Image:      "quay.io/cybozu/unbound:1.17.1.4,quay.io/cybozu/unbound_exporter:0.4.1.5",
-		Definition: []byte("kind: DaemonSet\napiVersion: apps/v1\nmetadata:\n  name: node-dns\n  namespace: kube-system\n  annotations:\n    cke.cybozu.com/image: \"quay.io/cybozu/unbound:1.17.1.4,quay.io/cybozu/unbound_exporter:0.4.1.5\"\n    cke.cybozu.com/revision: \"4\"\nspec:\n  selector:\n    matchLabels:\n      cke.cybozu.com/appname: node-dns\n  updateStrategy:\n    type: RollingUpdate\n    rollingUpdate:\n      maxSurge: 35%\n      maxUnavailable: 0\n  template:\n    metadata:\n      labels:\n        cke.cybozu.com/appname: node-dns\n    spec:\n      priorityClassName: system-node-critical\n      nodeSelector:\n        kubernetes.io/os: linux\n      hostNetwork: true\n      tolerations:\n        - operator: Exists\n      terminationGracePeriodSeconds: 1\n      containers:\n        - name: unbound\n          image: quay.io/cybozu/unbound:1.17.1.4\n          args:\n            - -c\n            - /etc/unbound/unbound.conf\n          securityContext:\n            allowPrivilegeEscalation: false\n            capabilities:\n              add:\n              - NET_BIND_SERVICE\n              drop:\n              - all\n            readOnlyRootFilesystem: true\n          readinessProbe:\n            tcpSocket:\n              port: 53\n              host: localhost\n            periodSeconds: 1\n          livenessProbe:\n            tcpSocket:\n              port: 53\n              host: localhost\n            periodSeconds: 1\n            initialDelaySeconds: 1\n            failureThreshold: 6\n          volumeMounts:\n            - name: config-volume\n              mountPath: /etc/unbound\n            - name: var-run-unbound\n              mountPath: /var/run/unbound\n        - name: reload\n          image: quay.io/cybozu/unbound:1.17.1.4\n          command:\n          - /usr/local/bin/reload-unbound\n          securityContext:\n            allowPrivilegeEscalation: false\n            capabilities:\n              drop:\n              - all\n            readOnlyRootFilesystem: true\n          volumeMounts:\n            - name: config-volume\n              mountPath: /etc/unbound\n            - name: var-run-unbound\n              mountPath: /var/run/unbound\n        - name: exporter\n          image: quay.io/cybozu/unbound_exporter:0.4.1.5\n          args:\n          # must be same with the path written in /op/nodedns/nodedns.go\n          - --unbound.host=unix:///var/run/unbound/unbound.sock\n          - --web.reuse-port=true\n          securityContext:\n            allowPrivilegeEscalation: false\n            capabilities:\n              drop:\n              - all\n            readOnlyRootFilesystem: true\n          volumeMounts:\n            - name: var-run-unbound\n              mountPath: /var/run/unbound\n      volumes:\n        - name: config-volume\n          configMap:\n            name: node-dns\n            items:\n            - key: unbound.conf\n              path: unbound.conf\n        - name: var-run-unbound\n          emptyDir: {}\n"),
+		Image:      "quay.io/cybozu/unbound:1.18.0.1,quay.io/cybozu/unbound_exporter:0.4.4.1",
+		Definition: []byte("kind: DaemonSet\napiVersion: apps/v1\nmetadata:\n  name: node-dns\n  namespace: kube-system\n  annotations:\n    cke.cybozu.com/image: \"quay.io/cybozu/unbound:1.18.0.1,quay.io/cybozu/unbound_exporter:0.4.4.1\"\n    cke.cybozu.com/revision: \"4\"\nspec:\n  selector:\n    matchLabels:\n      cke.cybozu.com/appname: node-dns\n  updateStrategy:\n    type: RollingUpdate\n    rollingUpdate:\n      maxSurge: 35%\n      maxUnavailable: 0\n  template:\n    metadata:\n      labels:\n        cke.cybozu.com/appname: node-dns\n    spec:\n      priorityClassName: system-node-critical\n      nodeSelector:\n        kubernetes.io/os: linux\n      hostNetwork: true\n      tolerations:\n        - operator: Exists\n      terminationGracePeriodSeconds: 1\n      containers:\n        - name: unbound\n          image: quay.io/cybozu/unbound:1.18.0.1\n          args:\n            - -c\n            - /etc/unbound/unbound.conf\n          securityContext:\n            allowPrivilegeEscalation: false\n            capabilities:\n              add:\n              - NET_BIND_SERVICE\n              drop:\n              - all\n            readOnlyRootFilesystem: true\n          readinessProbe:\n            tcpSocket:\n              port: 53\n              host: localhost\n            periodSeconds: 1\n          livenessProbe:\n            tcpSocket:\n              port: 53\n              host: localhost\n            periodSeconds: 1\n            initialDelaySeconds: 1\n            failureThreshold: 6\n          volumeMounts:\n            - name: config-volume\n              mountPath: /etc/unbound\n            - name: var-run-unbound\n              mountPath: /var/run/unbound\n        - name: reload\n          image: quay.io/cybozu/unbound:1.18.0.1\n          command:\n          - /usr/local/bin/reload-unbound\n          securityContext:\n            allowPrivilegeEscalation: false\n            capabilities:\n              drop:\n              - all\n            readOnlyRootFilesystem: true\n          volumeMounts:\n            - name: config-volume\n              mountPath: /etc/unbound\n            - name: var-run-unbound\n              mountPath: /var/run/unbound\n        - name: exporter\n          image: quay.io/cybozu/unbound_exporter:0.4.4.1\n          args:\n          # must be same with the path written in /op/nodedns/nodedns.go\n          - --unbound.host=unix:///var/run/unbound/unbound.sock\n          - --web.reuse-port=true\n          securityContext:\n            allowPrivilegeEscalation: false\n            capabilities:\n              drop:\n              - all\n            readOnlyRootFilesystem: true\n          volumeMounts:\n            - name: var-run-unbound\n              mountPath: /var/run/unbound\n      volumes:\n        - name: config-volume\n          configMap:\n            name: node-dns\n            items:\n            - key: unbound.conf\n              path: unbound.conf\n        - name: var-run-unbound\n          emptyDir: {}\n"),
 	},
 	{
 		Key:        "Deployment/kube-system/cluster-dns",
@@ -69,8 +69,8 @@ var Resources = []cke.ResourceDefinition{
 		Namespace:  "kube-system",
 		Name:       "cluster-dns",
 		Revision:   4,
-		Image:      "quay.io/cybozu/coredns:1.10.1.1",
-		Definition: []byte("\nkind: Deployment\napiVersion: apps/v1\nmetadata:\n  name: cluster-dns\n  namespace: kube-system\n  annotations:\n    cke.cybozu.com/image: \"quay.io/cybozu/coredns:1.10.1.1\"\n    cke.cybozu.com/revision: \"4\"\nspec:\n  replicas: 2\n  strategy:\n    type: RollingUpdate\n    rollingUpdate:\n      maxUnavailable: 1\n  selector:\n    matchLabels:\n      cke.cybozu.com/appname: cluster-dns\n  template:\n    metadata:\n      labels:\n        cke.cybozu.com/appname: cluster-dns\n        k8s-app: coredns # sonobuoy requires\n      annotations:\n        prometheus.io/port: \"9153\"\n    spec:\n      priorityClassName: system-cluster-critical\n      serviceAccountName: cke-cluster-dns\n      tolerations:\n        - key: node-role.kubernetes.io/master\n          effect: NoSchedule\n        - key: \"CriticalAddonsOnly\"\n          operator: \"Exists\"\n        - key: kubernetes.io/e2e-evict-taint-key\n          operator: Exists\n          # for sonobuoy https://github.com/vmware-tanzu/sonobuoy/pull/878\n      containers:\n      - name: coredns\n        image: quay.io/cybozu/coredns:1.10.1.1\n        imagePullPolicy: IfNotPresent\n        resources:\n          requests:\n            cpu: 100m\n            memory: 70Mi\n        args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n        lifecycle:\n          preStop:\n            exec:\n              command: [\"sh\", \"-c\", \"sleep 5\"]\n        volumeMounts:\n        - name: config-volume\n          mountPath: /etc/coredns\n          readOnly: true\n        ports:\n        - containerPort: 1053\n          name: dns\n          protocol: UDP\n        - containerPort: 1053\n          name: dns-tcp\n          protocol: TCP\n        - containerPort: 9153\n          name: metrics\n          protocol: TCP\n        securityContext:\n          allowPrivilegeEscalation: false\n          capabilities:\n            drop:\n            - all\n          readOnlyRootFilesystem: true\n        readinessProbe:\n          httpGet:\n            path: /ready\n            port: 8181\n            scheme: HTTP\n        livenessProbe:\n          httpGet:\n            path: /health\n            port: 8080\n            scheme: HTTP\n          initialDelaySeconds: 60\n          timeoutSeconds: 5\n          successThreshold: 1\n          failureThreshold: 5\n      dnsPolicy: Default\n      volumes:\n        - name: config-volume\n          configMap:\n            name: cluster-dns\n            items:\n            - key: Corefile\n              path: Corefile\n      affinity:\n        podAntiAffinity:\n          requiredDuringSchedulingIgnoredDuringExecution:\n          - labelSelector:\n              matchLabels:\n                cke.cybozu.com/appname: cluster-dns\n            topologyKey: \"kubernetes.io/hostname\"\n"),
+		Image:      "quay.io/cybozu/coredns:1.11.1.1",
+		Definition: []byte("\nkind: Deployment\napiVersion: apps/v1\nmetadata:\n  name: cluster-dns\n  namespace: kube-system\n  annotations:\n    cke.cybozu.com/image: \"quay.io/cybozu/coredns:1.11.1.1\"\n    cke.cybozu.com/revision: \"4\"\nspec:\n  replicas: 2\n  strategy:\n    type: RollingUpdate\n    rollingUpdate:\n      maxUnavailable: 1\n  selector:\n    matchLabels:\n      cke.cybozu.com/appname: cluster-dns\n  template:\n    metadata:\n      labels:\n        cke.cybozu.com/appname: cluster-dns\n        k8s-app: coredns # sonobuoy requires\n      annotations:\n        prometheus.io/port: \"9153\"\n    spec:\n      priorityClassName: system-cluster-critical\n      serviceAccountName: cke-cluster-dns\n      tolerations:\n        - key: node-role.kubernetes.io/master\n          effect: NoSchedule\n        - key: \"CriticalAddonsOnly\"\n          operator: \"Exists\"\n        - key: kubernetes.io/e2e-evict-taint-key\n          operator: Exists\n          # for sonobuoy https://github.com/vmware-tanzu/sonobuoy/pull/878\n      containers:\n      - name: coredns\n        image: quay.io/cybozu/coredns:1.11.1.1\n        imagePullPolicy: IfNotPresent\n        resources:\n          requests:\n            cpu: 100m\n            memory: 70Mi\n        args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n        lifecycle:\n          preStop:\n            exec:\n              command: [\"sh\", \"-c\", \"sleep 5\"]\n        volumeMounts:\n        - name: config-volume\n          mountPath: /etc/coredns\n          readOnly: true\n        ports:\n        - containerPort: 1053\n          name: dns\n          protocol: UDP\n        - containerPort: 1053\n          name: dns-tcp\n          protocol: TCP\n        - containerPort: 9153\n          name: metrics\n          protocol: TCP\n        securityContext:\n          allowPrivilegeEscalation: false\n          capabilities:\n            drop:\n            - all\n          readOnlyRootFilesystem: true\n        readinessProbe:\n          httpGet:\n            path: /ready\n            port: 8181\n            scheme: HTTP\n        livenessProbe:\n          httpGet:\n            path: /health\n            port: 8080\n            scheme: HTTP\n          initialDelaySeconds: 60\n          timeoutSeconds: 5\n          successThreshold: 1\n          failureThreshold: 5\n      dnsPolicy: Default\n      volumes:\n        - name: config-volume\n          configMap:\n            name: cluster-dns\n            items:\n            - key: Corefile\n              path: Corefile\n      affinity:\n        podAntiAffinity:\n          requiredDuringSchedulingIgnoredDuringExecution:\n          - labelSelector:\n              matchLabels:\n                cke.cybozu.com/appname: cluster-dns\n            topologyKey: \"kubernetes.io/hostname\"\n"),
 	},
 	{
 		Key:        "PodDisruptionBudget/kube-system/cluster-dns-pdb",