We currently import relevant .deb pkgs into reprepro. But we don't have strict controls on what's installed into VMs.
Right now, if you upgrade, for example, kubeadm in the repo, VMs would probably update it by means of unattended-upgrades. Which will mess future upgrades.
Same affects other key packages, like kubelet, kubectl, etc.
We need to introduce more robust controls for this. Probably simple apt-pinning configuration should be enough.