diff --git a/device-plugins/README.md b/device-plugins/README.md new file mode 100644 index 0000000..098d40d --- /dev/null +++ b/device-plugins/README.md @@ -0,0 +1,28 @@ +# Device Plugins + +Kubernetes [Device Plugins][0] are processes that map device nodes into +unprivileged containers. They provide an alternative to manually bind-mounting +devices using pod volumes, which typically requires granting container +processes more privileges than they would otherwise need. + + +## `fuse-device-plugin` + +The [fuse-device-plugin][1] is a simple plugin that maps the `/dev/fuse` device +node into a container. This device node is required in order to use [FUSE][2] +filesystems. [Buildah][3], for example, used an FUSE implementation of +OverlayFS when building container images in an unprivileged container. + +As of October 2023, Upsteam development of the `fuse-device-plugin` appears to +have stalled, and its "official" container image is several years old at this +point. While the project itself is simple and probably does not need much +maintenance, running a container based on an operating system that old is quite +dangerous. As such, I've created created [my own container image][4] for it +that gets rebuilt and updated automatically. + + +[0]: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/ +[1]: https://github.com/kuberenetes-learning-group/fuse-device-plugin/tree/master +[2]: https://en.wikipedia.org/wiki/Filesystem_in_Userspace +[3]: https://buildah.io/ +[4]: https://git.pyrocufflink.net/ContainerImages/fuse-device-plugin diff --git a/device-plugins/fuse-device-plugin.yaml b/device-plugins/fuse-device-plugin.yaml new file mode 100644 index 0000000..a4be29f --- /dev/null +++ b/device-plugins/fuse-device-plugin.yaml 
@@ -0,0 +1,30 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fuse-device-plugin + namespace: kube-system +spec: + selector: + matchLabels: + name: fuse-device-plugin + template: + metadata: + labels: + name: fuse-device-plugin + spec: + containers: + - image: git.pyrocufflink.net/containerimages/fuse-device-plugin + name: fuse-device-plugin + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - name: device-plugin + mountPath: /var/lib/kubelet/device-plugins + hostNetwork: true + volumes: + - name: device-plugin + hostPath: + path: /var/lib/kubelet/device-plugins
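Review bot: a few typos in the README hunk: "Upsteam" should be "Upstream", "created created" repeats the word, and "used an FUSE implementation of OverlayFS" reads better as "uses a FUSE implementation of OverlayFS" (present tense, since this is how Buildah still works in unprivileged containers). The paragraph that motivates the custom image (upstream image several years old, rebuilt automatically) should also tell users how to pin and verify what they deploy, e.g. which tag or @sha256 digest the automation publishes, because the manifest added alongside it references the image with no tag at all.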
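Review bot: `hostNetwork: true` in the DaemonSet pod spec is not needed and widens the pod's exposure; a device plugin registers with the kubelet over the Unix socket under `/var/lib/kubelet/device-plugins`, which is already mounted through the `device-plugin` hostPath volume, so no host networking is involved. Drop the line. Two smaller points in the same hunk: the `image: git.pyrocufflink.net/containerimages/fuse-device-plugin` line has no tag or digest, so each new pod pulls whatever `:latest` is at that moment, which sits oddly with the security motivation for the rebuild; pin a tag or `@sha256:` digest and let the rebuild automation bump it. The securityContext already drops all capabilities and sets `allowPrivilegeEscalation: false`, which is good; since the plugin only writes its socket to the hostPath mount, `readOnlyRootFilesystem: true` and `seccompProfile: {type: RuntimeDefault}` can be added without breaking it, and a `priorityClassName: system-node-critical` plus tolerations would ensure the plugin lands on every node that runs workloads needing `/dev/fuse`.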