Cherrypick tweaks from @soulshake

slides/containers/Container_Network_Model.md

@@ -474,7 +474,7 @@ When creating a network, extra options can be provided.
 
 * `--ip-range` (in CIDR notation) indicates the subnet to allocate from.
 
-* `--aux-address` allows to specify a list of reserved addresses (which won't be allocated to containers).
+* `--aux-address` allows specifying a list of reserved addresses (which won't be allocated to containers).
 
 ---
 
@@ -556,7 +556,7 @@ General idea:
 
 * So far, we have specified which network to use when starting the container.
 
-* The Docker Engine also allows to connect and disconnect while the container runs.
+* The Docker Engine also allows connecting and disconnecting while the container is running.
 
 * This feature is exposed through the Docker API, and through two Docker CLI commands:
 

slides/containers/Namespaces_Cgroups.md

@@ -86,13 +86,13 @@ class: extra-details, deep-dive
 
   - the `unshare()` system call.
 
-- The Linux tool `unshare` allows to do that from a shell.
+- The Linux tool `unshare` allows doing that from a shell.
 
 - A new process can re-use none / all / some of the namespaces of its parent.
 
 - It is possible to "enter" a namespace with the `setns()` system call.
 
-- The Linux tool `nsenter` allows to do that from a shell.
+- The Linux tool `nsenter` allows doing that from a shell.
 
 ---
 
@@ -138,11 +138,11 @@ class: extra-details, deep-dive
 
 - gethostname / sethostname
 
-- Allows to set a custom hostname for a container.
+- Allows setting a custom hostname for a container.
 
 - That's (mostly) it!
 
-- Also allows to set the NIS domain.
+- Also allows setting the NIS domain.
 
   (If you don't know what a NIS domain is, you don't have to worry about it!)
 
@@ -392,13 +392,13 @@ class: extra-details
 
 - Processes can have their own root fs (à la chroot).
 
-- Processes can also have "private" mounts. This allows to:
+- Processes can also have "private" mounts. This allows:
 
-  - isolate `/tmp` (per user, per service...)
+  - isolating `/tmp` (per user, per service...)
 
-  - mask `/proc`, `/sys` (for processes that don't need them)
+  - masking `/proc`, `/sys` (for processes that don't need them)
 
-  - mount remote filesystems or sensitive data,
+  - mounting remote filesystems or sensitive data,
     <br/>but make it visible only for allowed processes
 
 - Mounts can be totally private, or shared.
@@ -570,7 +570,7 @@ Check `man 2 unshare` and `man pid_namespaces` if you want more details.
 
 ## User namespace
 
-- Allows to map UID/GID; e.g.:
+- Allows mapping UID/GID; e.g.:
 
   - UID 0→1999 in container C1 is mapped to UID 10000→11999 on host
   - UID 0→1999 in container C2 is mapped to UID 12000→13999 on host
@@ -947,7 +947,7 @@ Killed
 
   (i.e., "this group of process used X seconds of CPU0 and Y seconds of CPU1".)
 
-- Allows to set relative weights used by the scheduler.
+- Allows setting relative weights used by the scheduler.
 
 ---
 
@@ -1101,9 +1101,9 @@ See `man capabilities` for the full list and details.
 
 - Original seccomp only allows `read()`, `write()`, `exit()`, `sigreturn()`.
 
-- The seccomp-bpf extension allows to specify custom filters with BPF rules.
+- The seccomp-bpf extension allows specifying custom filters with BPF rules.
 
-- This allows to filter by syscall, and by parameter.
+- This allows filtering by syscall, and by parameter.
 
 - BPF code can perform arbitrarily complex checks, quickly, and safely.
 

slides/containers/Resource_Limits.md

@@ -72,7 +72,7 @@
 
 - For memory usage, the mechanism is part of the *cgroup* subsystem.
 
-- This subsystem allows to limit the memory for a process or a group of processes.
+- This subsystem allows limiting the memory for a process or a group of processes.
 
 - A container engine leverages these mechanisms to limit memory for a container.
 

slides/k8s/architecture.md

@@ -356,9 +356,9 @@ We demonstrated *update* and *watch* semantics.
 
   - we create a Deployment object
 
-  - the Deployment controller notices it, creates a ReplicaSet
+  - the Deployment controller notices it, and creates a ReplicaSet
 
-  - the ReplicaSet controller notices it, creates a Pod
+  - the ReplicaSet controller notices the ReplicaSet, and creates a Pod
 
 ---
 

slides/k8s/cni.md

@@ -26,7 +26,7 @@
 
 The reference plugins are available [here].
 
-Look into each plugin's directory for its documentation.
+Look in each plugin's directory for its documentation.
 
 [here]: https://github.com/containernetworking/plugins/tree/master/plugins
 
@@ -98,7 +98,7 @@ class: extra-details
 
   - CNI_NETNS: path to network namespace file
 
-  - CNI_IFNAME: how the network interface should be named
+  - CNI_IFNAME: what the network interface should be named
 
 - The network configuration must be provided to the plugin on stdin
 
@@ -193,7 +193,7 @@ class: extra-details
 - This DaemonSet will start one instance of kube-router on each node
 
 ---
-  
+
 ## Logging into the new cluster
 
 .exercise[
@@ -221,7 +221,7 @@ class: extra-details
 - It is similar to the one we used with the `kubenet` cluster
 
 - The API server is started with `--allow-privileged`
-  
+
   (because we will start kube-router in privileged pods)
 
 - The controller manager is started with extra flags too:
@@ -254,7 +254,7 @@ class: extra-details
 
 ---
 
-## The kube-router DaemonSet 
+## The kube-router DaemonSet
 
 - In the same directory, there is a `kuberouter.yaml` file
 
@@ -599,13 +599,13 @@ done
 
 ## Updating kube-router configuration
 
-- We need to add two command-line flags to the kube-router process
+- We need to pass two command-line flags to the kube-router process
 
 .exercise[
 
 - Edit the `kuberouter.yaml` file
 
-- Add the following flags to the kube-router arguments,:
+- Add the following flags to the kube-router arguments:
   ```
   - "--peer-router-ips=`X.X.X.X`"
   - "--peer-router-asns=64512"

slides/k8s/concepts-k8s.md

@@ -177,7 +177,7 @@ class: extra-details
 
 - In that case, there is no "master node"
 
-*For this reason, it is more accurate to say "control plane" rather than "master".*
+*For this reason, it is more accurate to say "control plane" rather than "master."*
 
 ---
 

slides/k8s/configuration.md

@@ -22,7 +22,7 @@
 
 - There are many ways to pass configuration to code running in a container:
 
-  - baking it in a custom image
+  - baking it into a custom image
 
   - command-line arguments
 
@@ -125,7 +125,7 @@
 
 - We can also use a mechanism called the *downward API*
 
-- The downward API allows to expose pod or container information
+- The downward API allows exposing pod or container information
 
   - either through special files (we won't show that for now)
 
@@ -436,7 +436,7 @@ We should see connections served by Google, and others served by IBM.
 
 - We are going to store the port number in a configmap
 
-- Then we will expose that configmap to a container environment variable
+- Then we will expose that configmap as a container environment variable
 
 ---
 

slides/k8s/dmuc.md

@@ -584,7 +584,7 @@ Our pod is still `Pending`. 🤔
 
 Which is normal: it needs to be *scheduled*.
 
-(i.e., something needs to decide on which node it should go.)
+(i.e., something needs to decide which node it should go on.)
 
 ---
 
@@ -658,7 +658,7 @@ class: extra-details
 
 - This is actually how the scheduler works!
 
-- It watches pods, takes scheduling decisions, creates Binding objects
+- It watches pods, makes scheduling decisions, and creates Binding objects
 
 ---
 
@@ -686,7 +686,7 @@ We should see the `Welcome to nginx!` page.
 
 ## Exposing our Deployment
 
-- We can now create a Service associated to this Deployment
+- We can now create a Service associated with this Deployment
 
 .exercise[
 
@@ -711,11 +711,11 @@ This won't work. We need kube-proxy to enable internal communication.
 
 ## Starting kube-proxy
 
-- kube-proxy also needs to connect to API server
+- kube-proxy also needs to connect to the API server
 
 - It can work with the `--master` flag
 
-  (even though that will be deprecated in the future)
+  (although that will be deprecated in the future)
 
 .exercise[
 
@@ -832,6 +832,6 @@ class: extra-details
 
 - By default, the API server expects to be running directly on the nodes
 
-  (it could be as a bare process, or in a container/pod using host network)
+  (it could be as a bare process, or in a container/pod using the host network)
 
 - ... And it expects to be listening on port 6443 with TLS

slides/k8s/healthchecks.md

@@ -108,7 +108,7 @@
 
   (as opposed to merely started)
 
-- Containers in a broken state gets killed and restarted
+- Containers in a broken state get killed and restarted
 
   (instead of serving errors or timeouts)
 

slides/k8s/helm.md

@@ -158,7 +158,7 @@ Where do these `--set` options come from?
 
 ]
 
-The chart's metadata includes an URL to the project's home page.
+The chart's metadata includes a URL to the project's home page.
 
 (Sometimes it conveniently points to the documentation for the chart.)
 

slides/k8s/horizontal-pod-autoscaler.md

@@ -34,7 +34,7 @@
 
   `TargetNumOfPods = ceil(sum(CurrentPodsCPUUtilization) / Target)`
 
-- It scales up/down the related object to this target number of pods
+- It scales the related object up/down to this target number of pods
 
 ---
 

slides/k8s/ingress.md

@@ -88,7 +88,7 @@
 
   - the control loop watches over ingress resources, and configures the LB accordingly
 
-- Step 2: setup DNS
+- Step 2: set up DNS
 
   - associate DNS entries with the load balancer address
 
@@ -126,7 +126,7 @@
 
 - We could use pods specifying `hostPort: 80` 
 
-  ... but with most CNI plugins, this [doesn't work or require additional setup](https://github.com/kubernetes/kubernetes/issues/23920)
+  ... but with most CNI plugins, this [doesn't work or requires additional setup](https://github.com/kubernetes/kubernetes/issues/23920)
 
 - We could use a `NodePort` service
 
@@ -142,7 +142,7 @@
 
   (sometimes called sandbox or network sandbox)
 
-- An IP address is associated to the pod
+- An IP address is assigned to the pod
 
 - This IP address is routed/connected to the cluster network
 
@@ -239,7 +239,7 @@ class: extra-details
 
   - an error condition on the node
     <br/>
-    (for instance: "disk full", do not start new pods here!)
+    (for instance: "disk full," do not start new pods here!)
 
 - The `effect` can be:
 
@@ -501,11 +501,11 @@ spec:
 
   (as long as it has access to the cluster subnet)
 
-- This allows to use external (hardware, physical machines...) load balancers
+- This allows the use of external (hardware, physical machines...) load balancers
 
 - Annotations can encode special features
 
-  (rate-limiting, A/B testing, session stickiness, etc.) 
+  (rate-limiting, A/B testing, session stickiness, etc.)
 
 ---
 

slides/k8s/kubectlget.md

@@ -132,7 +132,7 @@ class: extra-details
 
   - short (e.g. `no`, `svc`, `deploy`)
 
-- Some resources do not have a short names
+- Some resources do not have a short name
 
 - `Endpoints` only have a plural form
 
@@ -466,4 +466,4 @@ class: extra-details
 - For more details, see [KEP-0009] or the [node controller documentation]
 
 [KEP-0009]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/0009-node-heartbeat.md
-[node controller documentation]: https://kubernetes.io/docs/concepts/architecture/nodes/#node-controller
+[node controller documentation]: https://kubernetes.io/docs/concepts/architecture/nodes/#node-controller

slides/k8s/kubectlproxy.md

@@ -77,9 +77,9 @@ If we wanted to talk to the API, we would need to:
 
 - This is a great tool to learn and experiment with the Kubernetes API
 
-- ... And for serious usages as well (suitable for one-shot scripts)
+- ... And for serious uses as well (suitable for one-shot scripts)
 
-- For unattended use, it is better to create a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
+- For unattended use, it's better to create a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
 
 ---
 

slides/k8s/kubenet.md

@@ -54,7 +54,7 @@
 
   (15 are listed in the Kubernetes documentation)
 
-- Pods have level 3 (IP) connectivity, but *services* are level 4
+- Pods have level 3 (IP) connectivity, but *services* are level 4 (TCP or UDP)
 
   (Services map to a single UDP or TCP port; no port ranges or arbitrary IP packets)
 

slides/k8s/kustomize.md

@@ -70,7 +70,7 @@
 
 - We need to run `ship init` in a new directory
 
-- `ship init` requires an URL to a remote repository containing Kubernetes YAML
+- `ship init` requires a URL to a remote repository containing Kubernetes YAML
 
 - It will clone that repository and start a web UI
 

slides/k8s/localkubeconfig.md

@@ -75,9 +75,9 @@ Platform:"linux/amd64"}
 
 ---
 
-## Moving away the existing `~/.kube/config`
+## Preserving the existing `~/.kube/config`
 
-- If you already have a `~/.kube/config` file, move it away
+- If you already have a `~/.kube/config` file, rename it
 
   (we are going to overwrite it in the following slides!)
 
@@ -192,4 +192,4 @@ class: extra-details
 
 ]
 
-We can now utilize the cluster exactly as we did before, ignoring that it's remote.
+We can now utilize the cluster exactly as we did before, except that it's remote.

slides/k8s/namespaces.md

@@ -26,7 +26,7 @@
 
 - We cannot have two resources *of the same kind* with the same name
 
-  (but it's OK to have a `rng` service, a `rng` deployment, and a `rng` daemon set)
+  (but it's OK to have an `rng` service, an `rng` deployment, and an `rng` daemon set)
 
 --
 

slides/k8s/prometheus.md

@@ -340,7 +340,7 @@ container_cpu_usage_seconds_total
 
   - that it's the total used since the container creation
 
-- Since it's a "total", it is an increasing quantity
+- Since it's a "total," it is an increasing quantity
 
   (we need to compute the derivative if we want e.g. CPU % over time)
 
@@ -495,7 +495,7 @@ class: extra-details
 
 ## Querying labels
 
-- What if we want to get metrics for containers belong to pod tagged `worker`?
+- What if we want to get metrics for containers belonging to a pod tagged `worker`?
 
 - The cAdvisor exporter does not give us Kubernetes labels
 

slides/k8s/resource-limits.md

@@ -392,7 +392,7 @@ These quotas will apply to the namespace where the ResourceQuota is created.
         count/roles.rbac.authorization.k8s.io: 10
   ```
 
-(The `count/` syntax allows to limit arbitrary objects, including CRDs.)
+(The `count/` syntax allows limiting arbitrary objects, including CRDs.)
 
 ---
 

slides/k8s/rollout.md

@@ -5,9 +5,9 @@
   - new pods are created
 
   - old pods are terminated
-  
+
   - ... all at the same time
-  
+
   - if something goes wrong, ¯\\\_(ツ)\_/¯
 
 ---
@@ -212,7 +212,7 @@ class: extra-details
 
 ## Checking the dashboard during the bad rollout
 
-If you haven't deployed the Kubernetes dashboard earlier, just skip this slide.
+If you didn't deploy the Kubernetes dashboard earlier, just skip this slide.
 
 .exercise[
 
@@ -255,7 +255,7 @@ Note the `3xxxx` port.
 ```
 -->
 
-- Cancel the deployment and wait for the dust to settle down:
+- Cancel the deployment and wait for the dust to settle:
   ```bash
   kubectl rollout undo deploy worker
   kubectl rollout status deploy worker

slides/k8s/volumes.md

@@ -28,11 +28,11 @@ class: extra-details
   <br/>
   but it refers to Docker 1.7, which was released in 2015!)
 
-- Docker volumes allow to share data between containers running on the same host
+- Docker volumes allow us to share data between containers running on the same host
 
 - Kubernetes volumes allow us to share data between containers in the same pod
 
-- Both Docker and Kubernetes volumes allow us access to storage systems
+- Both Docker and Kubernetes volumes enable access to storage systems
 
 - Kubernetes volumes are also used to expose configuration and secrets
 
@@ -60,7 +60,7 @@ class: extra-details
 
   - correspond to concrete volumes (e.g. on a SAN, EBS, etc.)
 
-  - cannot be associated to a Pod directly; but through a Persistent Volume Claim
+  - cannot be associated with a Pod directly; but through a Persistent Volume Claim
 
   - won't be discussed further in this section
 

slides/shared/connecting.md

@@ -84,14 +84,14 @@ You will need a Docker ID to use Play-With-Docker.
 
 - Unless instructed, **all commands must be run from the first VM, `node1`**
 
-- We will only checkout/copy the code on `node1`
+- We will only check out/copy the code on `node1`
 
 - During normal operations, we do not need access to the other nodes
 
 - If we had to troubleshoot issues, we would use a combination of:
 
   - SSH (to access system logs, daemon status...)
-  
+
   - Docker API (to check running containers and container engine status)
 
 ---

slides/shared/prereqs.md

@@ -90,7 +90,7 @@ class: in-person
 
 ## Why don't we run containers locally?
 
-- Installing that stuff can be hard on some machines
+- Installing this stuff can be hard on some machines
 
   (32 bits CPU or OS... Laptops without administrator access... etc.)
 

slides/shared/sampleapp.md

@@ -134,7 +134,7 @@ How does each service find out the address of the other ones?
 
 - We do not hard-code IP addresses in the code
 
-- We do not hard-code FQDN in the code, either
+- We do not hard-code FQDNs in the code, either
 
 - We just connect to a service name, and container-magic does the rest
 
@@ -173,7 +173,7 @@ class: extra-details
 
 - Compose file version 2+ makes each container reachable through its service name
 
-- Compose file version 1 did require "links" sections
+- Compose file version 1 required "links" sections to accomplish this
 
 - Network aliases are automatically namespaced