diff --git a/roles/kubelet/files/crictl-image-prune.service b/roles/kubelet/files/crictl-image-prune.service
new file mode 100644
index 0000000..b71de3e
--- /dev/null
+++ b/roles/kubelet/files/crictl-image-prune.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Prune unused container images
+After=crio.service
+Requires=crio.service
+StartLimitBurst=10
+StartLimitIntervalSec=10s
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/crictl rmi --prune
+Restart=on-failure
+RestartSec=2s
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
diff --git a/roles/kubelet/files/crictl-image-prune.timer b/roles/kubelet/files/crictl-image-prune.timer
new file mode 100644
index 0000000..82e1c8e
--- /dev/null
+++ b/roles/kubelet/files/crictl-image-prune.timer
@@ -0,0 +1,6 @@
+[Unit]
+Description=periodically prune unused container images
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=8h
diff --git a/roles/kubelet/handlers/main.yml b/roles/kubelet/handlers/main.yml
index 7525c9a..18c8b86 100644
--- a/roles/kubelet/handlers/main.yml
+++ b/roles/kubelet/handlers/main.yml
@@ -14,3 +14,8 @@
     service:
       name: kubelet
       state: restarted
+
+- name: restart crictl-image-prune.timer
+  systemd:
+    name: crictl-image-prune.timer
+    state: restarted
diff --git a/roles/kubelet/tasks/main.yml b/roles/kubelet/tasks/main.yml
index 27b4ca6..19d6421 100644
--- a/roles/kubelet/tasks/main.yml
+++ b/roles/kubelet/tasks/main.yml
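Review bot: `ExecStart=/usr/bin/crictl rmi --prune` does not pin the runtime endpoint, so this tightly sandboxed unit only works if /etc/crictl.yaml exists (not part of this change) or crictl's default-endpoint probing happens to find the CRI-O socket, which is noisy and can pick another runtime's socket on hosts that also ship containerd; `ExecStart=/usr/bin/crictl --runtime-endpoint unix:///var/run/crio/crio.sock rmi --prune` makes the dependency explicit and matches `Requires=crio.service`. The hardening itself looks consistent, but it should document why it still works: add `# Only the CRI-O unix socket is needed, hence AF_UNIX only; ProtectSystem=strict does not block connect() on an existing socket inode` above `RestrictAddressFamilies=AF_UNIX`, and note next to `PrivateUsers=yes`/`CapabilityBoundingSet=` that root is mapped to itself, so the process is still host root for DAC purposes and that is what lets it open the root-owned socket. Also worth a comment on `ExecStart` that `--prune` removes every image not referenced by a container, unconditionally and independently of kubelet's threshold-based image GC, so pre-pulled images are re-fetched from the registry after each run; confirm that is intended for this cluster.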
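Review bot: The timer has no `[Install]` section, yet the role's tasks enable it (`systemd: enabled: true`), and `systemctl enable` refuses a unit without installation config; append `[Install]` and `WantedBy=timers.target` to the file. Consider `Persistent=true` under `[Timer]` so a node that was down across the daily trigger prunes on its next boot instead of waiting up to a further day plus the 8h randomized delay, if that is the wanted behaviour. A one-line comment on `RandomizedDelaySec=8h`, e.g. `# spread the post-prune registry re-pulls across the fleet`, would tell the next reader why the jitter is so large.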
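Review bot: `restart crictl-image-prune.timer` only works if the separate `reload systemd` handler has already run for the freshly copied unit file, and handler ordering follows this file, where `reload systemd` is not visible; make the handler self-contained by adding `daemon_reload: true` under `systemd:`. The existing handler just above uses the `service` module while the new one uses `systemd`; since `daemon_reload` needs `systemd`, that is the one to standardise on.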
@@ -112,3 +112,42 @@
     enabled: true
   tags:
     - service
+
+- block:
+    - name: ensure crictl-image-prune systemd timer unit file is in place
+      copy:
+        src: crictl-image-prune.timer
+        dest: /etc/systemd/system/
+        owner: root
+        group: root
+        mode: u=rw,go=r
+      notify:
+        - reload systemd
+        - restart crictl-image-prune.timer
+      tags:
+        - systemd
+    - name: ensure crictl-image-prune systemd service unit file is in place
+      copy:
+        src: crictl-image-prune.service
+        dest: /etc/systemd/system/
+        owner: root
+        group: root
+        mode: u=rw,go=r
+      notify:
+        - reload systemd
+      tags:
+        - systemd
+    - name: ensure crictl-image-prune timer starts automatically
+      systemd:
+        name: crictl-image-prune.timer
+        enabled: true
+      tags:
+        - timer
+    - name: ensure crictl-image-prune timer is running
+      systemd:
+        name: crictl-image-prune.timer
+        state: started
+      tags:
+        - timer
+  tags:
+    - auto-prune-images
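Review bot: `ensure crictl-image-prune timer starts automatically` and the following `state: started` task run inside the play, before the notified `reload systemd` handler fires at the end of it, so on a fresh node systemd has not loaded the just-copied unit when enable/start execute and the `systemd` module fails or reports the unit as needing a daemon-reload, depending on the Ansible version. Pass `daemon_reload: true` on the enable task (or put `meta: flush_handlers` in front of it) and fold the two `systemd` tasks into one, since they target the same unit and share the `timer` tag. Separately, `enabled: true` requires an `[Install]` section in the timer unit, which the new timer file does not contain, so the enable will fail even after a reload. Note that running with `--tags timer` alone skips the copy tasks, which is fine on a configured node but fails on a fresh one; a short comment on the block saying the `timer` tag assumes the unit files are already in place would avoid surprises.

```yaml
    - name: ensure crictl-image-prune timer is enabled and running
      systemd:
        name: crictl-image-prune.timer
        enabled: true
        state: started
        daemon_reload: true
      tags:
        - timer
```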