diff --git a/Gemfile b/Gemfile
index 09077c19..ecf5e511 100644
--- a/Gemfile
+++ b/Gemfile
@@ -30,7 +30,7 @@ group :development do
 gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw]
 gem "bcrypt_pbkdf", '= 1.0.1', require: false
 gem "kitchen-puppet"
- gem "kitchen-docker", '~> 3.0.0', require: false
+ gem "kitchen-docker", '>= 3.0', '< 4.0', require: false
 gem "kitchen-verifier-serverspec"
 gem "rexml", '~> 3.4.0', require: false
 gem "mixlib-shellout", "~> 2.2.7", platforms: [:ruby]
diff --git a/Gemfile.lock b/Gemfile.lock
index 8ecffe46..7297ec08 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -21,10 +21,10 @@ GEM
 aws-sigv4 (~> 1.5)
 aws-sigv4 (1.11.0)
 aws-eventstream (~> 1, >= 1.0.2)
- base64 (0.2.0)
+ base64 (0.3.0)
 bcrypt_pbkdf (1.0.1)
 bcrypt_pbkdf (1.0.1-x64-mingw32)
- bigdecimal (3.1.9)
+ bigdecimal (3.2.3)
 bindata (2.5.0)
 bolt (4.0.0)
 CFPropertyList (>= 2.2)
@@ -50,7 +50,7 @@ GEM
 winrm (~> 2.0)
 winrm-fs (~> 1.3)
 builder (3.3.0)
- chef-utils (18.6.2)
+ chef-utils (18.8.11)
 concurrent-ruby
 coderay (1.1.3)
 colored2 (3.1.2)
@@ -69,7 +69,7 @@ GEM
 excon (>= 0.64.0)
 multi_json
 domain_name (0.6.20240107)
- ed25519 (1.3.0)
+ ed25519 (1.4.0)
 erubi (1.13.1)
 excon (1.2.3)
 facter (4.10.0)
@@ -91,7 +91,7 @@ GEM
 net-http-persistent (>= 4.0.4, < 5)
 fast_gettext (2.4.0)
 prime
- ffi (1.17.1)
+ ffi (1.17.2)
 forwardable (1.3.3)
 getoptlong (0.2.1)
 gettext (3.5.1)
@@ -118,7 +118,8 @@ GEM
 http-accept (1.7.0)
 http-cookie (1.0.8)
 domain_name (~> 0.5)
- httpclient (2.8.3)
+ httpclient (2.9.0)
+ mutex_m
 io-console (0.7.2)
 jgrep (1.5.4)
 jmespath (1.6.2)
@@ -174,7 +175,8 @@ GEM
 mocha (2.7.1)
 ruby2_keywords (>= 0.0.5)
 molinillo (0.8.0)
- multi_json (1.15.0)
+ multi_json (1.17.0)
+ mutex_m (0.3.0)
 net-http (0.6.0)
 uri
 net-http-persistent (4.0.5)
@@ -332,7 +334,7 @@ GEM
 mime-types (>= 1.16, < 4.0)
 netrc (~> 0.8)
 retryable (3.0.5)
- rexml (3.4.1)
+ rexml (3.4.4)
 rgen (0.10.2)
 rspec (3.13.0)
 rspec-core (~> 3.13.0)
@@ -423,10 +425,10 @@ GEM
 table_print (1.5.7)
 terminal-table (3.0.2)
 unicode-display_width (>= 1.1.1, < 3)
- test-kitchen (3.7.0)
+ test-kitchen (3.7.2)
 bcrypt_pbkdf (~> 1.0)
 chef-utils (>= 16.4.35)
- ed25519 (~> 1.2)
+ ed25519 (~> 1.3)
 license-acceptance (>= 1.0.11, < 3.0)
 mixlib-install (~> 3.6)
 mixlib-shellout (>= 1.2, < 4.0)
@@ -506,6 +508,7 @@ GEM
 
 PLATFORMS
 arm64-darwin-22
+ arm64-darwin-23
 arm64-darwin-24
 x64-mingw32
 x86_64-linux
@@ -518,7 +521,7 @@ DEPENDENCIES
 facterdb (~> 3.4.0)
 io-console (= 0.7.2)
 json (= 2.6.3)
- kitchen-docker (~> 3.0.0)
+ kitchen-docker (>= 3.0, < 4.0)
 kitchen-puppet
 kitchen-verifier-serverspec
 librarian-puppet (~> 5.0)
@@ -545,4 +548,4 @@ DEPENDENCIES
 voxpupuli-puppet-lint-plugins (~> 5.0)
 
 BUNDLED WITH
- 2.4.13
+ 2.4.10
diff --git a/kitchen.yml b/kitchen.yml
index 805e8ba6..e6398cf2 100644
--- a/kitchen.yml
+++ b/kitchen.yml
@@ -76,6 +76,7 @@ platforms:
 - name: centos-stream9-puppet-8
 driver:
 image: 'datadog/docker-library:chef_kitchen_systemd_centos_9'
+ dockerfile: 'kitchen/dockerfiles/centos9.Dockerfile'
 platform: centosstream
 docker_platform: linux/amd64
 privileged: true
@@ -106,6 +107,7 @@ platforms:
 - name: rocky-9-puppet-8
 driver:
 image: 'datadog/docker-library:chef_kitchen_systemd_rocky_9'
+ dockerfile: 'kitchen/dockerfiles/rocky9.Dockerfile'
 platform: rhel # kitchen-docker has issues installing packages otherwises
 docker_platform: linux/amd64
 privileged: true
diff --git a/kitchen/dockerfiles/centos9.Dockerfile b/kitchen/dockerfiles/centos9.Dockerfile
new file mode 100644
index 00000000..b80ae446
--- /dev/null
+++ b/kitchen/dockerfiles/centos9.Dockerfile
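Review bot: The `image:` value in the centos-stream9-puppet-8 driver block now duplicates the base image named in the `FROM` line of the Dockerfile that the added `dockerfile:` key points to, and the same holds for the rocky-9-puppet-8 hunk; nothing on the page ties the two together, so they can silently drift. Whether kitchen-docker still honours `image:` once `dockerfile:` is set I cannot confirm from here, but either way a one-line comment next to the new key would help the next maintainer: `# base image must match the FROM line of kitchen/dockerfiles/centos9.Dockerfile`. If the driver does ignore `image:` in this configuration, consider removing it rather than keeping a dead value.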
@@ -0,0 +1,29 @@
+FROM datadog/docker-library:chef_kitchen_systemd_centos_9
+
+# Base packages needed for SSH access from kitchen
+RUN yum clean all && \
+ yum install -y sudo openssh-server openssh-clients which
+
+# Generate supported SSH host keys (skip DSA which is removed in OpenSSH 9+)
+RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
+RUN [ -f "/etc/ssh/ssh_host_ecdsa_key" ] || ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ''
+RUN [ -f "/etc/ssh/ssh_host_ed25519_key" ] || ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
+
+# Inject Kitchen's public key for SSH access (driver provides insecure_key.pub in build context)
+ADD insecure_key.pub /tmp/insecure_key.pub
+RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh && \
+ touch /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys && \
+ cat /tmp/insecure_key.pub >> /root/.ssh/authorized_keys
+
+# Create the kitchen user if missing (kept for parity with default kitchen-docker behavior)
+RUN if ! getent passwd kitchen; then \
+ useradd -d /home/kitchen -m -s /bin/bash -p '*' kitchen; \
+ fi
+
+# Allow SSH key login for the kitchen user as well
+RUN mkdir -p /home/kitchen/.ssh && chmod 700 /home/kitchen/.ssh && \
+ touch /home/kitchen/.ssh/authorized_keys && chmod 600 /home/kitchen/.ssh/authorized_keys && \
+ cat /tmp/insecure_key.pub >> /home/kitchen/.ssh/authorized_keys && \
+ chown -R kitchen:kitchen /home/kitchen/.ssh
+
+
diff --git a/kitchen/dockerfiles/rocky9.Dockerfile b/kitchen/dockerfiles/rocky9.Dockerfile
new file mode 100644
index 00000000..42531e05
--- /dev/null
+++ b/kitchen/dockerfiles/rocky9.Dockerfile
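Review bot: The `ADD insecure_key.pub` step followed by `cat /tmp/insecure_key.pub >> /root/.ssh/authorized_keys` bakes the driver-supplied key — which the comment itself labels insecure — into root's authorized_keys, so any container started from this image accepts root SSH logins with a key that is not secret; the rocky9.Dockerfile hunk repeats this verbatim. If the suites connect as the `kitchen` user (I believe that is the driver's default, but please confirm against the transport settings in kitchen.yml), the root block can be dropped entirely; in any case `ADD` should be `COPY`, since no archive extraction or URL fetch is intended, and the key file should be removed in the last layer that uses it: `cat /tmp/insecure_key.pub >> /home/kitchen/.ssh/authorized_keys && rm -f /tmp/insecure_key.pub && \`. The SSH host keys generated at build time are likewise shared by every container from the image, which is acceptable for a throwaway test image but deserves a header comment such as `# Local test image only: contains the well-known kitchen key and fixed host keys; never push to a registry`. `sudo` is installed but nothing here grants the `kitchen` user a sudoers entry, so if the suites expect passwordless sudo (the "parity with default kitchen-docker behavior" comment suggests they might) that step is missing. Finally, the two Dockerfiles differ only in their `FROM` line; a single file with `ARG BASE_IMAGE` and `FROM ${BASE_IMAGE}` would prevent drift, provided the driver can pass build arguments.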
@@ -0,0 +1,29 @@
+FROM datadog/docker-library:chef_kitchen_systemd_rocky_9
+
+# Base packages needed for SSH access from kitchen
+RUN yum clean all && \
+ yum install -y sudo openssh-server openssh-clients which
+
+# Generate supported SSH host keys (skip DSA which is removed in OpenSSH 9+)
+RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
+RUN [ -f "/etc/ssh/ssh_host_ecdsa_key" ] || ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ''
+RUN [ -f "/etc/ssh/ssh_host_ed25519_key" ] || ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
+
+# Inject Kitchen's public key for SSH access (driver provides insecure_key.pub in build context)
+ADD insecure_key.pub /tmp/insecure_key.pub
+RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh && \
+ touch /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys && \
+ cat /tmp/insecure_key.pub >> /root/.ssh/authorized_keys
+
+# Create the kitchen user if missing (kept for parity with default kitchen-docker behavior)
+RUN if ! getent passwd kitchen; then \
+ useradd -d /home/kitchen -m -s /bin/bash -p '*' kitchen; \
+ fi
+
+# Allow SSH key login for the kitchen user as well
+RUN mkdir -p /home/kitchen/.ssh && chmod 700 /home/kitchen/.ssh && \
+ touch /home/kitchen/.ssh/authorized_keys && chmod 600 /home/kitchen/.ssh/authorized_keys && \
+ cat /tmp/insecure_key.pub >> /home/kitchen/.ssh/authorized_keys && \
+ chown -R kitchen:kitchen /home/kitchen/.ssh
+
+