diff --git a/build/server-image/Dockerfile b/build/server-image/Dockerfile
index 78e01c36474..09d2cd1e691 100644
--- a/build/server-image/Dockerfile
+++ b/build/server-image/Dockerfile
@@ -19,4 +19,4 @@ ARG BINARY
 
 
 FROM "${BASEIMAGE}"
-COPY ${BINARY} /usr/local/bin/${BINARY}
+COPY --chmod=755 ${BINARY} /usr/local/bin/${BINARY}
diff --git a/build/server-image/kube-apiserver/Dockerfile b/build/server-image/kube-apiserver/Dockerfile
index d5ac37d14f1..27129d29bd9 100644
--- a/build/server-image/kube-apiserver/Dockerfile
+++ b/build/server-image/kube-apiserver/Dockerfile
@@ -20,7 +20,7 @@ ARG SETCAP_IMAGE
 # to setup qemu for the builder.
 FROM --platform=linux/$BUILDARCH ${SETCAP_IMAGE}
 ARG BINARY
-COPY ${BINARY} /${BINARY}
+COPY --chmod=755 ${BINARY} /${BINARY}
 # We apply cap_net_bind_service so that kube-apiserver can be run as
 # non-root and still listen on port less than 1024
 RUN setcap cap_net_bind_service=+ep /${BINARY}
diff --git a/build/server-image/kubectl/Dockerfile b/build/server-image/kubectl/Dockerfile
index 0c93ca6a4e1..df6073c5456 100644
--- a/build/server-image/kubectl/Dockerfile
+++ b/build/server-image/kubectl/Dockerfile
@@ -19,5 +19,5 @@ ARG BINARY
 
 
 FROM "${BASEIMAGE}"
-COPY ${BINARY} /bin/
+COPY --chmod=755 ${BINARY} /bin/
 ENTRYPOINT ["/bin/kubectl"]