diff --git a/build/Dockerfile b/build/Dockerfile
index 12065f5..b893eec 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -37,8 +37,8 @@
 
 # Install Bazel binary
 RUN curl -o /usr/local/bin/bazel \
-	https://releases.bazel.build/2.2.0/release/bazel-2.2.0-linux-x86_64 && \
-	echo 'b2f002ea0e6194a181af6ac84cd94bd8dc797722eb2354690bebac92dda233ff  /usr/local/bin/bazel' | sha256sum --check && \
+	https://releases.bazel.build/3.7.2/release/bazel-3.7.2-linux-x86_64 && \
+	echo '70dc0bee198a4c3d332925a32d464d9036a831977501f66d4996854ad4e4fc0d  /usr/local/bin/bazel' | sha256sum --check && \
 	chmod +x /usr/local/bin/bazel
 
 # Use a shared Go module cache for gazelle
diff --git a/build/bindata/bindata.bzl b/build/bindata/bindata.bzl
index 9420329..5903754 100644
--- a/build/bindata/bindata.bzl
+++ b/build/bindata/bindata.bzl
@@ -16,10 +16,6 @@
 
 load("@bazel_gazelle//:deps.bzl", "go_repository")
 load(
-    "@io_bazel_rules_go//go/private:rules/rule.bzl",
-    "go_rule",
-)
-load(
     "@io_bazel_rules_go//go:def.bzl",
     "GoLibrary",
     "go_context",
@@ -63,11 +59,23 @@
 
     return providers + [OutputGroupInfo(**output_groups)]
 
-bindata = go_rule(
-    _bindata_impl,
+bindata = rule(
+    implementation = _bindata_impl,
     attrs = {
-        "srcs": attr.label_list(mandatory = True, allow_files = True),
-        "package": attr.string(mandatory = True),
-        "bindata": attr.label(allow_single_file = True, default = Label("@com_github_kevinburke_go_bindata//go-bindata")),
+        "srcs": attr.label_list(
+            mandatory = True,
+            allow_files = True,
+         ),
+        "package": attr.string(
+            mandatory = True,
+         ),
+        "bindata": attr.label(
+            allow_single_file = True,
+            default = Label("@com_github_kevinburke_go_bindata//go-bindata"),
+        ),
+        "_go_context_data": attr.label(
+            default = "@io_bazel_rules_go//:go_context_data",
+        ),
     },
+    toolchains = ["@io_bazel_rules_go//go:toolchain"],
 )
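Review bot: The new `_go_context_data` attribute and the `toolchains` entry have no comment saying why they are there, and the same pair is added without explanation to `_fietsje_runner` in build/fietsje/def.bzl. Presumably they are what `go_context` needs now that the rule is declared with plain `rule()` instead of the private `go_rule` wrapper. A one-line comment above each, such as `# Required by go_context(); go_rule used to add these implicitly.`, would keep a later cleanup from removing them. Separately, the closing `),` of the `srcs` and `package` attributes is indented one column deeper than the one for `bindata`; running buildifier over the file would normalise that.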
diff --git a/build/fietsje/def.bzl b/build/fietsje/def.bzl
index 65997f6..f735797 100644
--- a/build/fietsje/def.bzl
+++ b/build/fietsje/def.bzl
@@ -17,7 +17,6 @@
 load(
     "@io_bazel_rules_go//go:def.bzl",
     _go_context = "go_context",
-    _go_rule = "go_rule",
 )
 load(
     "@bazel_skylib//lib:shell.bzl",
@@ -47,7 +46,7 @@
         executable = out_file,
     )]
 
-_fietsje_runner = _go_rule(
+_fietsje_runner = rule(
     implementation = _fietsje_runner_impl,
     attrs = {
         "fietsje": attr.label(
@@ -59,7 +58,11 @@
             default = "//build/fietsje:fietsje.bash.in",
             allow_single_file = True,
         ),
+        "_go_context_data": attr.label(
+            default = "@io_bazel_rules_go//:go_context_data",
+        ),
     },
+    toolchains = ["@io_bazel_rules_go//go:toolchain"],
 )
 
 def fietsje(name):
diff --git a/build/fietsje/dependency.go b/build/fietsje/dependency.go
index 8644bc4..6b75000 100644
--- a/build/fietsje/dependency.go
+++ b/build/fietsje/dependency.go
@@ -117,13 +117,6 @@
 	// And resolve its bazelName.
 	name := label.ImportPathToBazelRepoName(d.importpath)
 
-	// Hack for github.com/google/gvisor: it requests @com_github_opencontainers_runtime-spec.
-	// We fix the generated name for this repo so it conforms to what gvisor expects.
-	// TODO(q3k): instead of this, patch gvisor?
-	if name == "com_github_opencontainers_runtime_spec" {
-		name = "com_github_opencontainers_runtime-spec"
-	}
-
 	d.locked = &locked{
 		bazelName: name,
 		sum:       sum,
diff --git a/build/fietsje/deps_containerd.go b/build/fietsje/deps_containerd.go
index 5172ffe..09db846 100644
--- a/build/fietsje/deps_containerd.go
+++ b/build/fietsje/deps_containerd.go
@@ -18,7 +18,7 @@
 
 func depsContainerd(p *planner) {
 	p.collectOverride(
-		"github.com/containerd/containerd", "v1.4.0-beta.2",
+		"github.com/containerd/containerd", "v1.4.3",
 		buildTags("no_zfs", "no_aufs", "no_devicemapper", "no_btrfs"),
 		disabledProtoBuild,
 	).use(
@@ -35,7 +35,6 @@
 		"github.com/containerd/go-runc",
 		"github.com/containerd/imgcrypt",
 		"github.com/containers/ocicrypt",
-		"github.com/containerd/ttrpc",
 		"github.com/containerd/typeurl",
 		"github.com/containernetworking/cni",
 		"github.com/coreos/go-systemd/v22",
@@ -72,7 +71,6 @@
 		"github.com/prometheus/common",
 		"github.com/prometheus/procfs",
 		"github.com/russross/blackfriday/v2",
-		"github.com/seccomp/libseccomp-golang",
 		"github.com/shurcooL/sanitized_anchor_name",
 		"github.com/sirupsen/logrus",
 		"github.com/syndtr/gocapability",
@@ -83,7 +81,6 @@
 		"golang.org/x/crypto",
 		"golang.org/x/oauth2",
 		"golang.org/x/sync",
-		"golang.org/x/sys",
 		"google.golang.org/genproto",
 		"gopkg.in/inf.v0",
 		"gopkg.in/yaml.v2",
@@ -96,6 +93,37 @@
 		"github.com/gogo/googleapis",
 	).with(buildTags("selinux")).use(
 		"github.com/opencontainers/selinux",
+		"github.com/willf/bitset",
+	).with(patches(
+		"ttrpc-hacks.patch",
+	)).use(
+		"github.com/containerd/ttrpc",
+	).replace(
+		// ttrpc is broken by go protobuf v2, this is a tentative PR that's
+		// not yet merged by upstream.
+		// See: https://github.com/containerd/ttrpc/pull/67
+		//
+		// It also contains our own fix that builds up on the above and allows
+		// services to return the original status error library values. This is
+		// required for ttrpc to actually work from runsc and for results to be
+		// correctly interpreted by containerd.
+		// See: https://github.com/monogon-dev/ttrpc/commit/222b428f008e3ecb11cfff12e3fd92e3143a2f01
+		//
+		// Note: this is not a good fix, and has known issues, like not being
+		// able to return Details in gRPC status errors. However, with the
+		// limited usage within gvisor/containerd it works. In the future
+		// upstream will have to resolve this properly, eg. port ttrpc away
+		// from gogo, or fix gogo to work with the new protobuf APU.
+		"github.com/containerd/ttrpc",
+		"github.com/monogon-dev/ttrpc", "222b428f008e3ecb11cfff12e3fd92e3143a2f01",
+	)
+
+	// This is depended on by github.com/containerd/containerd, but not mentioned in their
+	// vendor.conf. They seem to be moving off of vendoring to gomod, so this should be
+	// reverted on the next containerd bump (when fietsje will panic about vendor.conf
+	// missing).
+	p.collectOverride(
+		"github.com/checkpoint-restore/go-criu/v4", "v4.1.0",
 	)
 
 	// containernetworking/plugins
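Review bot: The comment on `.replace(...)` explains the fork but not `ttrpc-hacks.patch`, so a reader cannot tell what the patch changes or whether it applies to the upstream module or to the monogon-dev fork that replaces it. Since this swaps a containerd IPC dependency for a fork pinned at a single commit, I would add a line above `patches(` stating what the patch does, plus a `TODO` naming the upstream condition (the linked PR being merged) under which both the patch and the replace are dropped. The comment also has a typo, `protobuf APU` for `protobuf API`. The go-criu override below has the same problem: its "should be reverted" sentence would be easier to find as `// TODO: drop on the next containerd bump`. depsContainerd continues outside the hunk.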
diff --git a/build/fietsje/deps_gvisor.go b/build/fietsje/deps_gvisor.go
index 1856aa7..3209aa4 100644
--- a/build/fietsje/deps_gvisor.go
+++ b/build/fietsje/deps_gvisor.go
@@ -18,24 +18,20 @@
 
 func depsGVisor(p *planner) {
 	p.collect(
-		"github.com/google/gvisor", "release-20200511.0",
-		patches("gvisor.patch"),
+		"github.com/google/gvisor", "release-20201216.0",
+		patches(
+			"gvisor.patch",
+			"gvisor-build-against-newer-runtime-specs.patch",
+		),
 	).use(
 		"github.com/cenkalti/backoff",
 		"github.com/gofrs/flock",
 		"github.com/google/subcommands",
 		"github.com/kr/pretty",
 		"github.com/kr/pty",
+		"github.com/mohae/deepcopy",
 		"golang.org/x/time",
 	)
 	// gRPC is used by gvisor's bazel machinery, but not present in go.sum. Include it manually.
-	p.collect("github.com/grpc/grpc", "v1.26.0")
-
-	p.collect(
-		"github.com/google/gvisor-containerd-shim", "v0.0.4",
-		patches(
-			"gvisor-containerd-shim.patch", "gvisor-containerd-shim-build.patch",
-			"gvisor-containerd-shim-nogo.patch", "gvisor-shim-root.patch",
-		),
-	)
+	p.collect("github.com/grpc/grpc", "v1.29.1")
 }
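Review bot: The added `gvisor-build-against-newer-runtime-specs.patch` carries no comment, and local patches to the sandbox runtime are the ones an auditor most needs to account for. A short line above the `patches(` call saying what each patch changes and why it cannot go upstream would record that. The wording has to come from the patch files themselves, which are not visible in this diff. The remaining comment about gRPC not being in go.sum still reads correctly next to the bumped `v1.29.1`.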
diff --git a/build/fietsje/deps_kubernetes.go b/build/fietsje/deps_kubernetes.go
index 3626f68..13b425d 100644
--- a/build/fietsje/deps_kubernetes.go
+++ b/build/fietsje/deps_kubernetes.go
@@ -33,7 +33,7 @@
 		),
 	).inject(
 		// repo infra, not requested by k8s, but used with bazel
-		"k8s.io/repo-infra", "df02ded38f9506e5bbcbf21702034b4fef815f2f",
+		"k8s.io/repo-infra", "a3483874bd37251c629c92df6d82a226b0e6ad92",
 	).with(prePatches("k8s-client-go.patch")).use(
 		"k8s.io/client-go",
 	).with(patches("k8s-native-mounter.patch")).use(
@@ -72,7 +72,6 @@
 		"github.com/bgentry/speakeasy",
 		"github.com/blang/semver",
 		"github.com/chai2010/gettext-go",
-		"github.com/checkpoint-restore/go-criu/v4",
 		"github.com/container-storage-interface/spec",
 		"github.com/coreos/go-oidc",
 		"github.com/coreos/go-semver",
diff --git a/build/fietsje/main.go b/build/fietsje/main.go
index 7be1107..247379a 100644
--- a/build/fietsje/main.go
+++ b/build/fietsje/main.go
@@ -53,10 +53,10 @@
 		shelf: shelf,
 	}
 
-	// gRPC/proto deps (https://github.com/bazelbuild/rules_go/blob/master/go/workspace.rst#id8)
-	// bump down from 1.28.1 to 1.26.0 because https://github.com/etcd-io/etcd/issues/11563
+	// Currently can't bump past v1.30.0, as that removes the old balancer.Picker API that
+	// go-etcd depends upon. See https://github.com/etcd-io/etcd/pull/12398 .
 	p.collect(
-		"google.golang.org/grpc", "v1.26.0",
+		"google.golang.org/grpc", "v1.29.1",
 	).use(
 		"golang.org/x/net",
 		"golang.org/x/text",
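Review bot: The new comment says the pin cannot move "past v1.30.0" and, in the same sentence, that v1.30.0 is the release that removes `balancer.Picker`, which leaves it unclear whether v1.30.0 itself is usable. If it is not, `// Currently can't bump to v1.30.0 or later, as that release removes the old balancer.Picker API` says so directly. Because the pin also holds back any later gRPC fixes, a `TODO` tied to the linked etcd PR would make it clear when the restriction can be lifted. The enclosing function starts and ends outside the hunk.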
diff --git a/build/fietsje/render.go b/build/fietsje/render.go
index 16fd089..3374e8f 100644
--- a/build/fietsje/render.go
+++ b/build/fietsje/render.go
@@ -80,14 +80,13 @@
 		if d.patches != nil || d.prePatches != nil {
 			fmt.Fprintf(w, "        patch_args = [%q],\n", "-p1")
 		}
-		if d.buildExtraArgs != nil {
-			fmt.Fprintf(w, "        build_extra_args = [\n")
-			for _, arg := range d.buildExtraArgs {
-				fmt.Fprintf(w, "            %q,\n", arg)
-			}
-			fmt.Fprintf(w, "        ],\n")
+		fmt.Fprintf(w, "        build_extra_args = [\n")
+		fmt.Fprintf(w, "            %q,\n", "-go_naming_convention=go_default_library")
+		fmt.Fprintf(w, "            %q,\n", "-go_naming_convention_external=go_default_library")
+		for _, arg := range d.buildExtraArgs {
+			fmt.Fprintf(w, "            %q,\n", arg)
 		}
-
+		fmt.Fprintf(w, "        ],\n")
 		fmt.Fprintf(w, "    )\n")
 	}
 	return nil
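Review bot: The two `-go_naming_convention…` flags are now written into every rendered repository with no comment on why, and `build_extra_args` is emitted even when `d.buildExtraArgs` is empty. A comment above the first new `Fprintf` would document both the reason and the ordering, for example `// Force the go_default_library naming convention for all dependencies; per-dependency args follow so they can still override it.` The override claim assumes Gazelle honours the last occurrence of a repeated flag, which should be confirmed before writing it down. The results of `fmt.Fprintf` are ignored here as in the surrounding lines, so a failed write to `w` would still end in `return nil`. The function body starts outside the hunk.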
diff --git a/build/toolchain/BUILD b/build/toolchain/BUILD
index 541f011..bd8c307 100644
--- a/build/toolchain/BUILD
+++ b/build/toolchain/BUILD
@@ -48,8 +48,6 @@
 
 cc_toolchain(
     name = "host_cc_k8_toolchain",
-    toolchain_identifier = "host-k8-toolchain",
-    toolchain_config = ":host_cc_k8_toolchain_config",
     all_files = ":empty",
     compiler_files = ":empty",
     dwp_files = ":empty",
@@ -57,6 +55,8 @@
     objcopy_files = ":empty",
     strip_files = ":empty",
     supports_param_files = 0,
+    toolchain_config = ":host_cc_k8_toolchain_config",
+    toolchain_identifier = "host-k8-toolchain",
 )
 
 host_cc_toolchain_config(name = "host_cc_k8_toolchain_config")
diff --git a/build/toolchain/musl-host-gcc/sysroot/BUILD b/build/toolchain/musl-host-gcc/sysroot/BUILD
index 62260ae..2979ee1 100644
--- a/build/toolchain/musl-host-gcc/sysroot/BUILD
+++ b/build/toolchain/musl-host-gcc/sysroot/BUILD
@@ -18,7 +18,7 @@
 
 musl_gcc_tarball(
     name = "sysroot",
+    linux_headers = ":linux_headers",
     musl = "//third_party/musl",
     musl_headers = ":musl_headers",
-    linux_headers = ":linux_headers",
 )
