diff --git a/build.assets/charts/Dockerfile b/build.assets/charts/Dockerfile
index ec7ec3a33435c..64b4bc41f843d 100644
--- a/build.assets/charts/Dockerfile
+++ b/build.assets/charts/Dockerfile
@@ -1,12 +1,23 @@
-FROM ubuntu:18.10
+FROM ubuntu:18.04
 
-RUN apt-get update && apt-get install -y \
+# Install dumb-init and ca-certificate. The dumb-init package is to ensure
+# signals and orphaned processes are are handled correctly. The ca-certificate
+# package is installed because the base Ubuntu image does not come with any
+# certificate authorities.
+#
+# Note that /var/lib/apt/lists/* is cleaned up in the same RUN command as
+# "apt-get update" to reduce the size of the image.
+RUN apt-get update && apt-get upgrade -y && \
+    apt-get install --no-install-recommends -y \
     dumb-init \
- && rm -rf /var/lib/apt/lists/*
+    ca-certificates \
+    && update-ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
 
-# Bundle teleport and control binary
+# Bundle "teleport", "tctl", and "tsh" binaries into image.
 ADD teleport /usr/local/bin/teleport
 ADD tctl /usr/local/bin/tctl
+ADD tsh /usr/local/bin/tsh
 
-# By setting this entry point, we expose make target as command
+# By setting this entry point, we expose make target as command.
 ENTRYPOINT ["/usr/bin/dumb-init", "teleport", "start", "-c", "/etc/teleport/teleport.yaml"]