💥 HighFive May 2021 content update

"Modules" are now named "parts".
When there are more than 9 subparts in a part, the titles will
be smooched together in the TOC so that they fit on a single
page. Otherwise, line breaks are added (like before) so that
the text can breathe a little bit.

k8s/consul-2.yaml

@@ -62,11 +62,8 @@ spec:
         podAntiAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             - labelSelector:
-                matchExpressions:
-                  - key: app
-                    operator: In
-                    values:
-                      - consul
+                matchLabels:
+                  app: consul
               topologyKey: kubernetes.io/hostname
       terminationGracePeriodSeconds: 10
       containers:
@@ -88,7 +85,4 @@ spec:
           lifecycle:
             preStop:
               exec:
-                command:
-                - /bin/sh
-                - -c
-                - consul leave
+                command: [ "sh", "-c", "consul leave" ]

k8s/consul-3.yaml

@@ -69,11 +69,8 @@ spec:
         podAntiAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             - labelSelector:
-                matchExpressions:
-                  - key: app
-                    operator: In
-                    values:
-                      - persistentconsul
+                matchLabels:
+                  app: consul
               topologyKey: kubernetes.io/hostname
       terminationGracePeriodSeconds: 10
       containers:
@@ -98,7 +95,4 @@ spec:
           lifecycle:
             preStop:
               exec:
-                command:
-                - /bin/sh
-                - -c
-                - consul leave
+                command: [ "sh", "-c", "consul leave" ]

k8s/efk.yaml

@@ -5,7 +5,7 @@ metadata:
   name: fluentd
   namespace: default
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: fluentd
@@ -21,7 +21,7 @@ rules:
   - watch
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: fluentd
 roleRef:

k8s/elasticsearch-operator.yaml

@@ -11,7 +11,7 @@ metadata:
   name: elasticsearch-operator
   namespace: elasticsearch-operator
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: elasticsearch-operator
@@ -41,7 +41,7 @@ rules:
   resources: ["elasticsearchclusters"]
   verbs: ["*"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: elasticsearch-operator
@@ -55,13 +55,16 @@ subjects:
   name: elasticsearch-operator
   namespace: elasticsearch-operator
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: elasticsearch-operator
   namespace: elasticsearch-operator
 spec:
   replicas: 1
+  selector:
+    matchLabels:
+      name: elasticsearch-operator
   template:
     metadata:
       labels:

k8s/filebeat.yaml

@@ -131,7 +131,7 @@ spec:
           path: /var/lib/filebeat-data
           type: DirectoryOrCreate
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: filebeat
@@ -144,7 +144,7 @@ roleRef:
   name: filebeat
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: filebeat

k8s/grant-admin-to-dashboard.yaml

@@ -1,4 +1,4 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: kubernetes-dashboard
@@ -11,4 +11,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: kubernetes-dashboard
-  namespace: kube-system
+  namespace: kube-system

k8s/hackthecluster.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: hackthecluster
+spec:
+  selector:
+    matchLabels:
+      app: hackthecluster
+  template:
+    metadata:
+      labels:
+        app: hackthecluster
+    spec:
+      volumes:
+      - name: slash
+        hostPath:
+          path: /
+      tolerations:
+      - effect: NoSchedule
+        operator: Exists
+      containers:
+      - name: alpine
+        image: alpine
+        volumeMounts:
+        - name: slash
+          mountPath: /hostfs
+        command:
+        - sleep
+        - infinity
+        securityContext:
+          #privileged: true
+          capabilities:
+            add:
+            - SYS_CHROOT

k8s/ingress-v1.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whatever
+spec:
+  #tls:
+  #- secretName: whatever.A.B.C.D.nip.io
+  #  hosts:
+  #  - whatever.A.B.C.D.nip.io
+  rules:
+  - host: whatever.A.B.C.D.nip.io
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: whatever
+            port:
+              number: 1234

k8s/ingress-v1beta1.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: whatever
+spec:
+  #tls:
+  #- secretName: whatever.A.B.C.D.nip.io
+  #  hosts:
+  #  - whatever.A.B.C.D.nip.io
+  rules:
+  - host: whatever.A.B.C.D.nip.io
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: whatever
+          servicePort: 1234

k8s/ingress.yaml

@@ -1,17 +0,0 @@
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-  name: whatever
-spec:
-  #tls:
-  #- secretName: whatever.A.B.C.D.nip.io
-  #  hosts:
-  #  - whatever.A.B.C.D.nip.io
-  rules:
-  - host: whatever.A.B.C.D.nip.io
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: whatever
-          servicePort: 1234

k8s/ingress.yaml

@@ -0,0 +1 @@
+ingress-v1beta1.yaml

k8s/local-path-storage.yaml

@@ -1,49 +1,50 @@
 # This is a local copy of:
 # https://github.com/rancher/local-path-provisioner/blob/master/deploy/local-path-storage.yaml
----
 apiVersion: v1
 kind: Namespace
 metadata:
   name: local-path-storage
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: local-path-provisioner-service-account
   namespace: local-path-storage
+
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: local-path-provisioner-role
-  namespace: local-path-storage
 rules:
-- apiGroups: [""]
-  resources: ["nodes", "persistentvolumeclaims"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["endpoints", "persistentvolumes", "pods"]
-  verbs: ["*"]
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
-  verbs: ["get", "list", "watch"]
+  - apiGroups: [ "" ]
+    resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints", "persistentvolumes", "pods" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "create", "patch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
+
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: local-path-provisioner-bind
-  namespace: local-path-storage
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: local-path-provisioner-role
 subjects:
-- kind: ServiceAccount
-  name: local-path-provisioner-service-account
-  namespace: local-path-storage
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: local-path-storage
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -62,27 +63,28 @@ spec:
     spec:
       serviceAccountName: local-path-provisioner-service-account
       containers:
-      - name: local-path-provisioner
-        image: rancher/local-path-provisioner:v0.0.8
-        imagePullPolicy: Always
-        command:
-        - local-path-provisioner
-        - --debug
-        - start
-        - --config
-        - /etc/config/config.json
-        volumeMounts:
-        - name: config-volume
-          mountPath: /etc/config/
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
+        - name: local-path-provisioner
+          image: rancher/local-path-provisioner:v0.0.19
+          imagePullPolicy: IfNotPresent
+          command:
+            - local-path-provisioner
+            - --debug
+            - start
+            - --config
+            - /etc/config/config.json
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/config/
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
       volumes:
         - name: config-volume
           configMap:
             name: local-path-config
+
 ---
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
@@ -91,6 +93,7 @@ metadata:
 provisioner: rancher.io/local-path
 volumeBindingMode: WaitForFirstConsumer
 reclaimPolicy: Delete
+
 ---
 kind: ConfigMap
 apiVersion: v1
@@ -99,12 +102,59 @@ metadata:
   namespace: local-path-storage
 data:
   config.json: |-
-        {
-                "nodePathMap":[
-                {
-                        "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
-                        "paths":["/opt/local-path-provisioner"]
-                }
-                ]
-        }
+    {
+            "nodePathMap":[
+            {
+                    "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
+                    "paths":["/opt/local-path-provisioner"]
+            }
+            ]
+    }
+  setup: |-
+    #!/bin/sh
+    while getopts "m:s:p:" opt
+    do
+        case $opt in
+            p)
+            absolutePath=$OPTARG
+            ;;
+            s)
+            sizeInBytes=$OPTARG
+            ;;
+            m)
+            volMode=$OPTARG
+            ;;
+        esac
+    done
+
+    mkdir -m 0777 -p ${absolutePath}
+  teardown: |-
+    #!/bin/sh
+    while getopts "m:s:p:" opt
+    do
+        case $opt in
+            p)
+            absolutePath=$OPTARG
+            ;;
+            s)
+            sizeInBytes=$OPTARG
+            ;;
+            m)
+            volMode=$OPTARG
+            ;;
+        esac
+    done
+
+    rm -rf ${absolutePath}
+  helperPod.yaml: |-
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: helper-pod
+    spec:
+      containers:
+      - name: helper-pod
+        image: busybox
+
+
 

k8s/metrics-server.yaml

@@ -1,32 +1,61 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
+# This file is https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+# But with the following arguments added to metrics-server:
+#   args:
+#   - --kubelet-insecure-tls
+#   - --metric-resolution=5s
+apiVersion: v1
+kind: ServiceAccount
 metadata:
-  name: system:aggregated-metrics-reader
   labels:
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-- apiGroups: ["metrics.k8s.io"]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: metrics-server:system:auth-delegator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
+    k8s-app: metrics-server
   name: metrics-server
   namespace: kube-system
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: system:aggregated-metrics-reader
+rules:
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - nodes/stats
+  - namespaces
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+  labels:
+    k8s-app: metrics-server
   name: metrics-server-auth-reader
   namespace: kube-system
 roleRef:
@@ -38,95 +67,26 @@ subjects:
   name: metrics-server
   namespace: kube-system
 ---
-apiVersion: apiregistration.k8s.io/v1beta1
-kind: APIService
-metadata:
-  name: v1beta1.metrics.k8s.io
-spec:
-  service:
-    name: metrics-server
-    namespace: kube-system
-  group: metrics.k8s.io
-  version: v1beta1
-  insecureSkipTLSVerify: true
-  groupPriorityMinimum: 100
-  versionPriority: 100
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: metrics-server
-  namespace: kube-system
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: metrics-server
-  namespace: kube-system
-  labels:
-    k8s-app: metrics-server
-spec:
-  selector:
-    matchLabels:
-      k8s-app: metrics-server
-  template:
-    metadata:
-      name: metrics-server
-      labels:
-        k8s-app: metrics-server
-    spec:
-      serviceAccountName: metrics-server
-      volumes:
-      # mount in tmp so we can safely use from-scratch images and/or read-only containers
-      - name: tmp-dir
-        emptyDir: {}
-      containers:
-      - name: metrics-server
-        image: k8s.gcr.io/metrics-server-amd64:v0.3.3
-        imagePullPolicy: Always
-        volumeMounts:
-        - name: tmp-dir
-          mountPath: /tmp
-        args:
-        - --kubelet-preferred-address-types=InternalIP
-        - --kubelet-insecure-tls
-        - --metric-resolution=5s
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: metrics-server
-  namespace: kube-system
-  labels:
-    kubernetes.io/name: "Metrics-server"
-spec:
-  selector:
-    k8s-app: metrics-server
-  ports:
-  - port: 443
-    protocol: TCP
-    targetPort: 443
----
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: ClusterRoleBinding
 metadata:
-  name: system:metrics-server
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - nodes
-  - nodes/stats
-  verbs:
-  - get
-  - list
-  - watch
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  labels:
+    k8s-app: metrics-server
   name: system:metrics-server
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -136,3 +96,98 @@ subjects:
 - kind: ServiceAccount
   name: metrics-server
   namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    k8s-app: metrics-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metrics-server
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        k8s-app: metrics-server
+    spec:
+      containers:
+      - args:
+        - --cert-dir=/tmp
+        - --secure-port=4443
+        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+        - --kubelet-use-node-status-port
+        - --kubelet-insecure-tls
+        - --metric-resolution=5s
+        image: k8s.gcr.io/metrics-server/metrics-server:v0.4.3
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+        name: metrics-server
+        ports:
+        - containerPort: 4443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /readyz
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp-dir
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      serviceAccountName: metrics-server
+      volumes:
+      - emptyDir: {}
+        name: tmp-dir
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: v1beta1.metrics.k8s.io
+spec:
+  group: metrics.k8s.io
+  groupPriorityMinimum: 100
+  insecureSkipTLSVerify: true
+  service:
+    name: metrics-server
+    namespace: kube-system
+  version: v1beta1
+  versionPriority: 100

k8s/openebs-pod.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: openebs-local-hostpath-pod
+spec:
+  volumes:
+  - name: storage
+    persistentVolumeClaim:
+      claimName: local-hostpath-pvc
+  containers:
+  - name: better
+    image: alpine
+    command:
+       - sh
+       - -c
+       - |
+         while true; do
+           echo "$(date) [$(hostname)] Kubernetes is better with PVs." >> /mnt/storage/greet.txt
+           sleep $(($RANDOM % 5 + 20))
+         done
+    volumeMounts:
+    - mountPath: /mnt/storage
+      name: storage
+

k8s/traefik-v1.yaml

@@ -49,24 +49,8 @@ spec:
         - --kubernetes
         - --logLevel=INFO
 ---
-kind: Service
-apiVersion: v1
-metadata:
-  name: traefik-ingress-service
-  namespace: kube-system
-spec:
-  selector:
-    k8s-app: traefik-ingress-lb
-  ports:
-    - protocol: TCP
-      port: 80
-      name: web
-    - protocol: TCP
-      port: 8080
-      name: admin
----
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: traefik-ingress-controller
 rules:
@@ -90,7 +74,7 @@ rules:
       - watch
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: traefik-ingress-controller
 roleRef:

k8s/traefik-v2.yaml

@@ -55,28 +55,8 @@ spec:
         - --entrypoints.https.Address=:443
         - --entrypoints.https.http.tls.certResolver=default
 ---
-kind: Service
-apiVersion: v1
-metadata:
-  name: traefik-ingress-service
-  namespace: kube-system
-  annotations:
-    prometheus.io/scrape: "true"
-    prometheus.io/port: "8080"
-    prometheus.io/path: "/metrics"
-spec:
-  selector:
-    k8s-app: traefik-ingress-lb
-  ports:
-    - protocol: TCP
-      port: 80
-      name: web
-    - protocol: TCP
-      port: 8080
-      name: admin
----
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: traefik-ingress-controller
 rules:
@@ -109,7 +89,7 @@ rules:
       - watch
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: traefik-ingress-controller
 roleRef:

k8s/volumes-for-consul.yaml

@@ -3,8 +3,6 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: consul-node2
-  annotations:
-    node: node2
 spec:
   capacity:
     storage: 10Gi
@@ -26,8 +24,6 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: consul-node3
-  annotations:
-    node: node3
 spec:
   capacity:
     storage: 10Gi
@@ -49,8 +45,6 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: consul-node4
-  annotations:
-    node: node4
 spec:
   capacity:
     storage: 10Gi

prepare-eks/10_create_cluster.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+# Create an EKS cluster.
+# This is not idempotent (each time you run it, it creates a new cluster).
+
+eksctl create cluster \
+    --node-type=t3.large \
+    --nodes-max=10 \
+    --alb-ingress-access \
+    --asg-access \
+    --ssh-access \
+    --with-oidc \
+    #
+

prepare-eks/20_create_users.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+# For each user listed in "users.txt", create an IAM user.
+# Also create AWS API access keys, and store them in "users.keys".
+# This is idempotent (you can run it multiple times, it will only
+# create the missing users). However, it will not remove users.
+# Note that you can remove users from "users.keys" (or even wipe
+# that file out entirely) and then this script will delete their
+# keys and generate new keys for them (and add the new keys to
+# "users.keys".)
+
+echo "Getting list of existing users ..."
+aws iam list-users --output json | jq -r .Users[].UserName > users.tmp
+
+for U in $(cat users.txt); do
+    if ! grep -qw $U users.tmp; then
+        echo "Creating user $U..."
+        aws iam create-user --user-name=$U \
+            --tags=Key=container.training,Value=1
+    fi
+    if ! grep -qw $U users.keys; then
+        echo "Listing keys for user $U..."
+        KEYS=$(aws iam list-access-keys --user=$U | jq -r .AccessKeyMetadata[].AccessKeyId)
+        for KEY in $KEYS; do
+            echo "Deleting key $KEY for user $U..."
+            aws iam delete-access-key --user=$U --access-key-id=$KEY
+        done
+        echo "Creating access key for user $U..."
+        aws iam create-access-key --user=$U --output json \
+          | jq -r '.AccessKey | [ .UserName, .AccessKeyId, .SecretAccessKey ] | @tsv' \
+          >> users.keys
+    fi
+done

prepare-eks/30_create_or_update_policy.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+# Create an IAM policy to authorize users to do "aws eks update-kubeconfig".
+# This is idempotent, which allows to update the policy document below if
+# you want the users to do other things as well.
+# Note that each time you run this script, it will actually create a new
+# version of the policy, set that version as the default version, and
+# remove all non-default versions. (Because you can only have up to
+# 5 versions of a given policy, so you need to clean them up.)
+# After running that script, you will want to attach the policy to our
+# users (check the other scripts in that directory).
+
+POLICY_NAME=user.container.training
+POLICY_DOC='{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "eks:DescribeCluster"
+            ],
+            "Resource": "arn:aws:eks:*",
+            "Effect": "Allow"
+        }
+    ]
+}'
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+
+aws iam create-policy-version \
+  --policy-arn arn:aws:iam::$ACCOUNT:policy/$POLICY_NAME \
+  --policy-document "$POLICY_DOC" \
+  --set-as-default
+
+# For reference, the command below creates a policy without versioning:
+#aws iam create-policy \
+#--policy-name user.container.training \
+#--policy-document "$JSON"
+
+for VERSION in $(
+  aws iam list-policy-versions \
+    --policy-arn arn:aws:iam::$ACCOUNT:policy/$POLICY_NAME \
+    --query 'Versions[?!IsDefaultVersion].VersionId' \
+    --output text)
+do
+  aws iam delete-policy-version \
+    --policy-arn arn:aws:iam::$ACCOUNT:policy/$POLICY_NAME \
+    --version-id "$VERSION"
+done
+
+# For reference, the command below shows all users using the policy:
+#aws iam list-entities-for-policy \
+#--policy-arn arn:aws:iam::$ACCOUNT:policy/$POLICY_NAME

prepare-eks/40_attach_policy.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+# Attach our user policy to all the users defined in "users.txt".
+# This should be idempotent, because attaching the same policy
+# to the same user multiple times doesn't do anything.
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+POLICY_NAME=user.container.training
+
+for U in $(cat users.txt); do
+  echo "Attaching policy to user $U ..."
+  aws iam attach-user-policy \
+    --user-name $U \
+    --policy-arn arn:aws:iam::$ACCOUNT:policy/$POLICY_NAME
+done

prepare-eks/50_aws_auth.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+# Update the aws-auth ConfigMap to map our IAM users to Kubernetes users.
+# Each user defined in "users.txt" will be mapped to a Kubernetes user
+# with the same name, and put in the "container.training" group, too.
+# This is idempotent.
+# WARNING: this will wipe out the mapUsers component of the aws-auth
+# ConfigMap, removing all users that aren't in "users.txt".
+# It won't touch mapRoles, so it shouldn't break the role mappings
+# put in place by EKS.
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+
+rm -f users.map
+for U in $(cat users.txt); do
+echo "\
+- userarn: arn:aws:iam::$ACCOUNT:user/$U
+  username: $U
+  groups: [ container.training ]\
+" >> users.map
+done
+
+kubectl create --namespace=kube-system configmap aws-auth \
+  --dry-run=client --from-file=mapUsers=users.map -o yaml \
+  | kubectl apply -f-

prepare-eks/60_setup_rbac_and_ns.sh

@@ -0,0 +1,65 @@
+#!/bin/sh
+# Create a shared Kubernetes Namespace ("container-training") as well as
+# individual namespaces for every user in "users.txt", and set up a bunch
+# of permissions.
+# Specifically:
+# - each user gets "view" permissions in the "default" Namespace
+# - each user gets "edit" permissions in the "container-training" Namespace
+# - each user gets permissions to list Nodes and Namespaces
+# - each user gets "admin" permissions in their personal Namespace
+# Note that since Kubernetes Namespaces can't have dots in their names,
+# if a user has dots, dots will be mapped to dashes.
+# So user "ada.lovelace" will get namespace "ada-lovelace".
+# This is kind of idempotent (but will raise a bunch of errors for objects
+# that already exist).
+# TODO: if this needs to evolve, replace all the "create" operations by
+# "apply" operations. But this is good enough for now.
+
+kubectl create rolebinding --namespace default container.training \
+  --group=container.training --clusterrole=view
+
+kubectl create clusterrole view-nodes \
+  --verb=get,list,watch --resource=node
+kubectl create clusterrolebinding view-nodes \
+  --group=container.training --clusterrole=view-nodes
+
+kubectl create clusterrole view-namespaces \
+  --verb=get,list,watch --resource=namespace
+kubectl create clusterrolebinding view-namespaces \
+  --group=container.training --clusterrole=view-namespaces
+
+kubectl create namespace container-training
+kubectl create rolebinding --namespace container-training edit \
+  --group=container.training --clusterrole=edit
+
+# Note: API calls to EKS tend to be fairly slow. To optimize things a bit,
+# instead of running "kubectl" N times, we generate a bunch of YAML and
+# apply it. It will still generate a lot of API calls but it's much faster
+# than calling "kubectl" N times. It might be possible to make this even
+# faster by generating a "kind: List" (I don't know if this would issue
+# a single API calls or multiple ones; TBD!)
+for U in $(cat users.txt); do
+  NS=$(echo $U | tr . -)
+  cat <<EOF
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: $NS
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: admin
+  namespace: $NS
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: $U
+EOF
+done | kubectl create -f-
+

prepare-eks/70_oidc.sh

@@ -0,0 +1,76 @@
+#!/bin/sh
+# Create an IAM role to be used by a Kubernetes ServiceAccount.
+# The role isn't given any permissions yet (this has to be done by
+# another script in this series), but a properly configured Pod
+# should still be able to execute "aws sts get-caller-identity"
+# and confirm that it's using that role.
+# This requires the cluster to have an attached OIDC provider.
+# This should be the case if the cluster has been created with
+# the scripts in this directory; otherwise, this can be done with
+# the subsequent command, which is idempotent:
+# eksctl utils associate-iam-oidc-provider --cluster cluster-name-12341234 --approve
+# The policy document used below will authorize all ServiceAccounts
+# in the "container-training" Namespace to use that role.
+# This script will also annotate the container-training:default
+# ServiceAccount so that it can use that role.
+# This script is not quite idempotent: if you want to use a new
+# trust policy, some work will be required. (You can delete the role,
+# but that requires detaching the associated policies. There might also
+# be a way to update the trust policy directly; we didn't investigate this
+# further at this point.)
+
+if [ "$1" ]; then
+    CLUSTER="$1"
+else
+    echo "Please indicate cluster to use. Available clusters:"
+    aws eks list-clusters --output table
+    exit 1
+fi
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+OIDC=$(aws eks describe-cluster --name $CLUSTER --query cluster.identity.oidc.issuer --output text | cut -d/ -f3-)
+ROLE_NAME=s3-reader-container-training
+TRUST_POLICY=$(envsubst <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::${ACCOUNT}:oidc-provider/${OIDC}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringLike": {
+            "${OIDC}:sub": ["system:serviceaccount:container-training:*"]
+        }
+      }
+    }
+  ]
+}
+EOF
+)
+
+aws iam create-role \
+    --role-name "$ROLE_NAME" \
+    --assume-role-policy-document "$TRUST_POLICY"
+
+kubectl annotate serviceaccounts \
+    --namespace container-training default \
+    "eks.amazonaws.com/role-arn=arn:aws:iam::$ACCOUNT:role/$ROLE_NAME" \
+    --overwrite
+
+exit
+
+# Here are commands to delete the role:
+for POLICY_ARN in $(aws iam list-attached-role-policies --role-name $ROLE_NAME --query 'AttachedPolicies[*].PolicyArn' --output text); do aws iam detach-role-policy --role-name $ROLE_NAME --policy-arn $POLICY_ARN; done
+aws iam delete-role --role-name $ROLE_NAME
+
+# Merging the policy with the existing policies:
+{
+aws iam get-role --role-name s3-reader-container-training | jq -r .Role.AssumeRolePolicyDocument.Statement[]
+echo "$TRUST_POLICY" | jq -r .Statement[]
+} | jq -s '{"Version": "2012-10-17", "Statement": .}' > /tmp/policy.json
+aws iam update-assume-role-policy \
+  --role-name $ROLE_NAME \
+  --policy-document file:///tmp/policy.json

prepare-eks/80_s3_bucket.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Create an S3 bucket with two objects in it:
+# - public.txt (world-readable)
+# - private.txt (private)
+# Also create an IAM policy granting read-only access to the bucket
+# (and therefore, to the private object).
+# Finally, attach the policy to an IAM role (for instance, the role
+# created by another script in this directory).
+# This isn't idempotent, but it can be made idempotent by replacing the
+# "aws iam create-policy" call with "aws iam create-policy-version" and
+# a bit of extra elbow grease. (See other scripts in this directory for
+# an example).
+
+ACCOUNT=$(aws sts get-caller-identity | jq -r .Account)
+BUCKET=container.training
+ROLE_NAME=s3-reader-container-training
+POLICY_NAME=s3-reader-container-training
+POLICY_DOC=$(envsubst <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket",
+        "s3:GetObject*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::$BUCKET",
+        "arn:aws:s3:::$BUCKET/*"
+      ]
+    }
+  ]
+}
+EOF
+)
+
+aws iam create-policy \
+--policy-name $POLICY_NAME \
+--policy-doc "$POLICY_DOC"
+
+aws s3 mb s3://container.training
+
+echo "this is a public object" \
+| aws s3 cp - s3://container.training/public.txt \
+--acl public-read
+
+echo "this is a private object" \
+| aws s3 cp - s3://container.training/private.txt \
+--acl private
+
+aws iam attach-role-policy \
+    --role-name "$ROLE_NAME" \
+    --policy-arn arn:aws:iam::$ACCOUNT:policy/$POLICY_NAME

prepare-eks/users.txt

@@ -0,0 +1,50 @@
+ada.lovelace
+adele.goldstine
+amanda.jones
+anita.borg
+ann.kiessling
+barbara.mcclintock
+beatrice.worsley
+bessie.blount
+betty.holberton
+beulah.henry
+carleen.hutchins
+caroline.herschel
+dona.bailey
+dorothy.hodgkin
+ellen.ochoa
+edith.clarke
+elisha.collier
+elizabeth.feinler
+emily.davenport
+erna.hoover
+frances.spence
+gertrude.blanch
+grace.hopper
+grete.hermann
+giuliana.tesoro
+harriet.tubman
+hedy.lamarr
+irma.wyman
+jane.goodall
+jean.bartik
+joy.mangano
+josephine.cochrane
+katherine.blodgett
+kathleen.antonelli
+lynn.conway
+margaret.hamilton
+maria.beasley
+marie.curie
+marjorie.joyner
+marlyn.meltzer
+mary.kies
+melitta.bentz
+milly.koss
+radia.perlman
+rosalind.franklin
+ruth.teitelbaum
+sarah.mather
+sophie.wilson
+stephanie.kwolek
+yvonne.brill

prepare-vms/README.md

@@ -4,7 +4,11 @@ These tools can help you to create VMs on:
 
 - Azure
 - EC2
+- Hetzner
+- Linode
 - OpenStack
+- OVHcloud
+- Scaleway
 
 ## Prerequisites
 
@@ -13,7 +17,8 @@ These tools can help you to create VMs on:
 - [Parallel SSH](https://code.google.com/archive/p/parallel-ssh/) (on a Mac: `brew install pssh`) 
 
 Depending on the infrastructure that you want to use, you also need to install
-the Azure CLI, the AWS CLI, or terraform (for OpenStack deployment).
+the CLI that is specific to that cloud. For OpenStack deployments, you will
+need Terraform.
 
 And if you want to generate printable cards:
 
@@ -90,6 +95,9 @@ You're all set!
 
 ## `./workshopctl` Usage
 
+If you run `./workshopctl` without arguments, it will show a list of
+available commands, looking like this:
+
 ```
 workshopctl - the orchestration workshop swiss army knife
 Commands:
@@ -98,32 +106,7 @@ cards                Generate ready-to-print cards for a group of VMs
 deploy               Install Docker on a bunch of running VMs
 disableaddrchecks    Disable source/destination IP address checks
 disabledocker        Stop Docker Engine and don't restart it automatically
-helmprom             Install Helm and Prometheus
-help                 Show available commands
-ids                  (FIXME) List the instance IDs belonging to a given tag or token
-kubebins             Install Kubernetes and CNI binaries but don't start anything
-kubereset            Wipe out Kubernetes configuration on all nodes
-kube                 Setup kubernetes clusters with kubeadm (must be run AFTER deploy)
-kubetest             Check that all nodes are reporting as Ready
-listall              List VMs running on all configured infrastructures
-list                 List available groups for a given infrastructure
-netfix               Disable GRO and run a pinger job on the VMs
-opensg               Open the default security group to ALL ingress traffic
-ping                 Ping VMs in a given tag, to check that they have network access
-pssh                 Run an arbitrary command on all nodes
-pull_images          Pre-pull a bunch of Docker images
-quotas               Check our infrastructure quotas (max instances)
-remap_nodeports      Remap NodePort range to 10000-10999
-retag                (FIXME) Apply a new tag to a group of VMs
-ssh                  Open an SSH session to the first node of a tag
-start                Start a group of VMs
-stop                 Stop (terminate, shutdown, kill, remove, destroy...) instances
-tags                 List groups of VMs known locally
-test                 Run tests (pre-flight checks) on a group of VMs
-weavetest            Check that weave seems properly setup
-webssh               Install a WEB SSH server on the machines (port 1080)
-wrap                 Run this program in a container
-www                  Run a web server to access card HTML and PDF
+...
 ```
 
 ### Summary of What `./workshopctl` Does For You
@@ -138,7 +121,8 @@ www                  Run a web server to access card HTML and PDF
 
 ### Example Steps to Launch a group of AWS Instances for a Workshop
 
-- Run `./workshopctl start --infra infra/aws-us-east-2 --settings/myworkshop.yaml --count 60` to create 60 EC2 instances
+- Run `./workshopctl start --infra infra/aws-us-east-2 --settings/myworkshop.yaml --students 50` to create 50 clusters
+  - The number of instances will be `students × clustersize`
   - Your local SSH key will be synced to instances under `ubuntu` user
   - AWS instances will be created and tagged based on date, and IP's stored in `prepare-vms/tags/`
 - Run `./workshopctl deploy TAG` to run `lib/postprep.py` via parallel-ssh
@@ -248,12 +232,19 @@ If you don't have `wkhtmltopdf` installed, you will get a warning that it is a m
 
 #### List tags
 
-    $ ./workshopctl list infra/some-infra-file
-
-    $ ./workshopctl listall
-
     $ ./workshopctl tags
 
+    $ ./workshopctl inventory infra/some-infra-file
+
+    $ ./workshopctl inventory
+
+Note: the `tags` command will show only the VMs that you have provisioned
+and deployed on the current machine (i.e. listed in the `tags` subdirectory).
+The `inventory` command will try to list all existing VMs (including the
+ones not listed in the `tags` directory, and including VMs provisioned
+through other mechanisms). It is not supported across all platforms,
+however.
+
 #### Stop and destroy VMs
 
     $ ./workshopctl stop TAG

prepare-vms/infra/hetzner

@@ -1,5 +1,5 @@
 INFRACLASS=hetzner
 if ! [ -f ~/.config/hcloud/cli.toml ]; then
-  warn "~/.config/hcloud/cli.toml not found."
-  warn "Make sure that the Hetzner CLI (hcloud) is installed and configured."
+  warning "~/.config/hcloud/cli.toml not found."
+  warning "Make sure that the Hetzner CLI (hcloud) is installed and configured."
 fi

prepare-vms/lib/cli.sh

@@ -66,7 +66,7 @@ need_infra() {
 
 need_tag() {
     if [ -z "$TAG" ]; then
-        die "Please specify a tag or token. To see available tags and tokens, run: $0 list"
+        die "Please specify a tag. To see available tags, run: $0 tags"
     fi
     if [ ! -d "tags/$TAG" ]; then
         die "Tag $TAG not found (directory tags/$TAG does not exist)."

prepare-vms/lib/commands.sh

@@ -1,5 +1,9 @@
 export AWS_DEFAULT_OUTPUT=text
 
+# Ignore SSH key validation when connecting to these remote hosts.
+# (Otherwise, deployment scripts break when a VM IP address reuse.)
+SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
+
 HELP=""
 _cmd() {
     HELP="$(printf "%s\n%-20s %s\n" "$HELP" "$1" "$2")"
@@ -69,11 +73,14 @@ _cmd_deploy() {
     echo deploying > tags/$TAG/status
     sep "Deploying tag $TAG"
 
-    # Wait for cloudinit to be done
+    # If this VM image is using cloud-init,
+    # wait for cloud-init to be done
     pssh "
-    while [ ! -f /var/lib/cloud/instance/boot-finished ]; do
-        sleep 1
-    done"
+    if [ -d /var/lib/cloud ]; then
+        while [ ! -f /var/lib/cloud/instance/boot-finished ]; do
+            sleep 1
+        done
+    fi"
 
     # Special case for scaleway since it doesn't come with sudo
     if [ "$INFRACLASS" = "scaleway" ]; then
@@ -102,6 +109,12 @@ _cmd_deploy() {
     sudo apt-get update &&
     sudo apt-get install -y python-yaml"
 
+    # If there is no "python" binary, symlink to python3
+    #pssh "
+    #if ! which python; then
+    #    ln -s $(which python3) /usr/local/bin/python
+    #fi"
+
     # Copy postprep.py to the remote machines, and execute it, feeding it the list of IP addresses
     pssh -I tee /tmp/postprep.py <lib/postprep.py
     pssh --timeout 900 --send-input "python /tmp/postprep.py >>/tmp/pp.out 2>>/tmp/pp.err" <tags/$TAG/ips.txt
@@ -113,7 +126,7 @@ _cmd_deploy() {
     # If /home/docker/.ssh/id_rsa doesn't exist, copy it from the first node
     pssh "
     sudo -u docker [ -f /home/docker/.ssh/id_rsa ] ||
-    ssh -o StrictHostKeyChecking=no \$(cat /etc/name_of_first_node) sudo -u docker tar -C /home/docker -cvf- .ssh |
+    ssh $SSHOPTS \$(cat /etc/name_of_first_node) sudo -u docker tar -C /home/docker -cvf- .ssh |
     sudo -u docker tar -C /home/docker -xf-"
 
     # if 'docker@' doesn't appear in /home/docker/.ssh/authorized_keys, copy it there
@@ -208,7 +221,14 @@ _cmd_kube() {
     echo 'alias k=kubectl' | sudo tee /etc/bash_completion.d/k &&
     echo 'complete -F __start_kubectl k' | sudo tee -a /etc/bash_completion.d/k"
 
-    # Initialize kube master
+    # Disable swap
+    # (note that this won't survive across node reboots!)
+    if [ "$INFRACLASS" = "linode" ]; then
+        pssh "
+        sudo swapoff -a"
+    fi
+
+    # Initialize kube control plane
     pssh --timeout 200 "
     if i_am_first_node && [ ! -f /etc/kubernetes/admin.conf ]; then
         kubeadm token generate > /tmp/token &&
@@ -236,7 +256,7 @@ _cmd_kube() {
     pssh --timeout 200 "
     if ! i_am_first_node && [ ! -f /etc/kubernetes/kubelet.conf ]; then
         FIRSTNODE=\$(cat /etc/name_of_first_node) &&
-        TOKEN=\$(ssh -o StrictHostKeyChecking=no \$FIRSTNODE cat /tmp/token) &&
+        TOKEN=\$(ssh $SSHOPTS \$FIRSTNODE cat /tmp/token) &&
         sudo kubeadm join --discovery-token-unsafe-skip-ca-verification --token \$TOKEN \$FIRSTNODE:6443
     fi"
 
@@ -403,8 +423,8 @@ _cmd_ips() {
     done < tags/$TAG/ips.txt
 }
 
-_cmd list "List all VMs on a given infrastructure (or all infras if no arg given)"
-_cmd_list() {
+_cmd inventory "List all VMs on a given infrastructure (or all infras if no arg given)"
+_cmd_inventory() {
     case "$1" in
     "")
         for INFRA in infra/*; do
@@ -421,21 +441,6 @@ _cmd_list() {
     esac
 }
 
-_cmd listall "List VMs running on all configured infrastructures"
-_cmd_listall() {
-    for infra in infra/*; do
-        case $infra in
-        infra/example.*)
-            ;;
-        *)
-            info "Listing infrastructure $infra:"
-            need_infra $infra
-            infra_list
-            ;;
-        esac
-    done
-}
-
 _cmd maketag "Generate a quasi-unique tag for a group of instances"
 _cmd_maketag() {
     if [ -z $USER ]; then
@@ -573,7 +578,8 @@ _cmd_ssh() {
     need_tag
     IP=$(head -1 tags/$TAG/ips.txt)
     info "Logging into $IP"
-    ssh docker@$IP
+    ssh $SSHOPTS docker@$IP
+
 }
 
 _cmd start "Start a group of VMs"
@@ -582,7 +588,7 @@ _cmd_start() {
         case "$1" in
         --infra) INFRA=$2; shift 2;;
         --settings) SETTINGS=$2; shift 2;;
-        --count) COUNT=$2; shift 2;;
+        --count) die "Flag --count is deprecated; please use --students instead." ;;
         --tag) TAG=$2; shift 2;;
         --students) STUDENTS=$2; shift 2;;
         *) die "Unrecognized parameter: $1."
@@ -712,7 +718,7 @@ _cmd_tmux() {
     IP=$(head -1 tags/$TAG/ips.txt)
     info "Opening ssh+tmux with $IP"
     rm -f /tmp/tmux-$UID/default
-    ssh -t -L /tmp/tmux-$UID/default:/tmp/tmux-1001/default docker@$IP tmux new-session -As 0
+    ssh $SSHOPTS -t -L /tmp/tmux-$UID/default:/tmp/tmux-1001/default docker@$IP tmux new-session -As 0
 }
 
 _cmd helmprom "Install Helm and Prometheus"
@@ -731,6 +737,31 @@ _cmd_helmprom() {
     fi"
 }
 
+_cmd passwords "Set individual passwords for each cluster"
+_cmd_passwords() {
+    TAG=$1
+    need_tag
+    PASSWORDS_FILE="tags/$TAG/passwords"
+    if ! [ -f "$PASSWORDS_FILE" ]; then
+        error "File $PASSWORDS_FILE not found. Please create it first."
+        error "It should contain one password per line."
+        error "It should have as many lines as there are clusters."
+        die "Aborting."
+    fi
+    N_CLUSTERS=$($0 ips "$TAG" | wc -l)
+    N_PASSWORDS=$(wc -l < "$PASSWORDS_FILE")
+    if [ "$N_CLUSTERS" != "$N_PASSWORDS" ]; then
+        die "Found $N_CLUSTERS clusters and $N_PASSWORDS passwords. Aborting."
+    fi
+    $0 ips "$TAG" | paste "$PASSWORDS_FILE" - | while read password nodes; do
+        info "Setting password for $nodes..."
+        for node in $nodes; do
+            echo docker:$password | ssh $SSHOPTS ubuntu@$node sudo chpasswd
+        done
+    done
+    info "Done."
+}
+
 # Sometimes, weave fails to come up on some nodes.
 # Symptom: the pods on a node are unreachable (they don't even ping).
 # Remedy: wipe out Weave state and delete weave pod on that node.
@@ -859,10 +890,7 @@ test_vm() {
         "ls -la /home/docker/.ssh"; do
         sep "$cmd"
         echo "$cmd" \
-            | ssh -A -q \
-                -o "UserKnownHostsFile /dev/null" \
-                -o "StrictHostKeyChecking=no" \
-                $user@$ip sudo -u docker -i \
+            | ssh -A $SSHOPTS $user@$ip sudo -u docker -i \
             || {
                 status=$?
                 error "$cmd exit status: $status"

prepare-vms/lib/infra/aws.sh

@@ -1,5 +1,5 @@
 if ! command -v aws >/dev/null; then
-    warn "AWS CLI (aws) not found."
+    warning "AWS CLI (aws) not found."
 fi
 
 infra_list() {
@@ -217,7 +217,7 @@ aws_tag_instances() {
 
 aws_get_ami() {
     ##VERSION##
-    find_ubuntu_ami -r $AWS_DEFAULT_REGION -a amd64 -v 18.04 -t hvm:ebs -N -q
+    find_ubuntu_ami -r $AWS_DEFAULT_REGION -a ${AWS_ARCHITECTURE-amd64} -v 18.04 -t hvm:ebs -N -q
 }
 
 aws_greet() {

prepare-vms/lib/infra/hetzner.sh

@@ -1,8 +1,8 @@
 if ! command -v hcloud >/dev/null; then
-  warn "Hetzner CLI (hcloud) not found."
+  warning "Hetzner CLI (hcloud) not found."
 fi
 if ! [ -f ~/.config/hcloud/cli.toml ]; then
-  warn "~/.config/hcloud/cli.toml not found."
+  warning "~/.config/hcloud/cli.toml not found."
 fi
 
 infra_list() {

prepare-vms/lib/infra/linode.sh

@@ -0,0 +1,58 @@
+if ! command -v linode-cli >/dev/null; then
+  warning "Linode CLI (linode-cli) not found."
+fi
+if ! [ -f ~/.config/linode-cli ]; then
+  warning "~/.config/linode-cli not found."
+fi
+
+# To view available regions: "linode-cli regions list"
+LINODE_REGION=${LINODE_REGION-us-west}
+
+# To view available types: "linode-cli linodes types"
+LINODE_TYPE=${LINODE_TYPE-g6-standard-2}
+
+infra_list() {
+    linode-cli linodes list --json |
+        jq -r '.[] | [.id, .label, .status, .type] | @tsv'
+}
+
+infra_start() {
+    COUNT=$1
+
+    for I in $(seq 1 $COUNT); do
+        NAME=$(printf "%s-%03d" $TAG $I)
+        sep "Starting instance $I/$COUNT"
+        info "          Zone: $LINODE_REGION"
+        info "          Name: $NAME"
+        info " Instance type: $LINODE_TYPE"
+        ROOT_PASS="$(base64 /dev/urandom | cut -c1-20 | head -n 1)"
+        linode-cli linodes create \
+            --type=${LINODE_TYPE} --region=${LINODE_REGION} \
+            --image=linode/ubuntu18.04 \
+            --authorized_keys="${LINODE_SSHKEY}" \
+            --root_pass="${ROOT_PASS}" \
+            --tags=${TAG} --label=${NAME}
+    done
+    sep
+
+    linode_get_ips_by_tag $TAG > tags/$TAG/ips.txt
+}
+
+infra_stop() {
+    info "Counting instances..."
+    linode_get_ids_by_tag $TAG | wc -l
+    info "Deleting instances..."
+    linode_get_ids_by_tag $TAG | 
+        xargs -n1 -P10 \
+        linode-cli linodes delete
+}
+
+linode_get_ids_by_tag() {
+    TAG=$1
+    linode-cli linodes list --tags $TAG --json | jq -r ".[].id"
+}
+
+linode_get_ips_by_tag() {
+    TAG=$1
+    linode-cli linodes list --tags $TAG --json | jq -r ".[].ipv4[0]"
+}

prepare-vms/lib/infra/openstack-tf.sh

@@ -1,20 +1,28 @@
 infra_start() {
-	COUNT=$1
+        COUNT=$1
 
-	cp terraform/*.tf tags/$TAG
-	(
-		cd tags/$TAG
-		terraform init
-		echo prefix = \"$TAG\" >> terraform.tfvars
-		echo count = \"$COUNT\" >> terraform.tfvars
-		terraform apply -auto-approve
-		terraform output ip_addresses > ips.txt
-	)
+        cp terraform/*.tf tags/$TAG
+        (
+                cd tags/$TAG
+                if ! terraform init; then
+                        error "'terraform init' failed."
+                        error "If it mentions the following error message:"
+                        error "openpgp: signature made by unknown entity."
+                        error "Then you need to upgrade Terraform to 0.11.15"
+                        error "to upgrade its signing keys following the"
+                        error "codecov breach."
+                        die "Aborting."
+                fi
+                echo prefix = \"$TAG\" >> terraform.tfvars
+                echo count = \"$COUNT\" >> terraform.tfvars
+                terraform apply -auto-approve
+                terraform output ip_addresses > ips.txt
+        )
 }
 
 infra_stop() {
-	(
-		cd tags/$TAG
-		terraform destroy -auto-approve
-	)
-}
+        (
+                cd tags/$TAG
+                terraform destroy -auto-approve
+        )
+}

prepare-vms/lib/infra/scaleway.sh

@@ -1,8 +1,8 @@
 if ! command -v scw >/dev/null; then
-  warn "Scaleway CLI (scw) not found."
+  warning "Scaleway CLI (scw) not found."
 fi
 if ! [ -f ~/.config/scw/config.yaml ]; then
-  warn "~/.config/scw/config.yaml not found."
+  warning "~/.config/scw/config.yaml not found."
 fi
 
 SCW_INSTANCE_TYPE=${SCW_INSTANCE_TYPE-DEV1-M}

prepare-vms/lib/pssh.sh

@@ -18,11 +18,11 @@ pssh() {
     echo "[parallel-ssh] $@"
     export PSSH=$(which pssh || which parallel-ssh)
 
-    if [ "$INFRACLASS" = hetzner ]; then
-        LOGIN=root
-    else
-        LOGIN=ubuntu
-    fi
+    case "$INFRACLASS" in
+        hetzner) LOGIN=root ;;
+        linode)  LOGIN=root ;;
+        *)       LOGIN=ubuntu ;;
+    esac
 
     $PSSH -h $HOSTFILE -l $LOGIN \
         --par 100 \

prepare-vms/map-dns.py

@@ -26,16 +26,16 @@ apiurl = "https://dns.api.gandi.net/api/v5/domains"
 apikey = yaml.safe_load(open(config_file))["apirest"]["key"]
 
 # Figure out if we're called for a bunch of domains, or just one.
-first_arg = sys.argv[1]
-if os.path.isfile(first_arg):
-  domains = open(first_arg).read().split()
+domain_or_domain_file = sys.argv[1]
+if os.path.isfile(domain_or_domain_file):
+  domains = open(domain_or_domain_file).read().split()
   domains = [ d for d in domains if not d.startswith('#') ]
   tag = sys.argv[2]
   ips = open(f"tags/{tag}/ips.txt").read().split()
   settings_file = f"tags/{tag}/settings.yaml"
   clustersize = yaml.safe_load(open(settings_file))["clustersize"]
 else:
-  domains = [first_arg]
+  domains = [domain_or_domain_file]
   ips = sys.argv[2:]
   clustersize = len(ips)
 

prepare-vms/workshopctl

@@ -17,6 +17,7 @@ done
 DEPENDENCIES="
     ssh
     curl
+    fping
     jq
     pssh
     wkhtmltopdf

slides/1.yml

@@ -0,0 +1,69 @@
+title: |
+  Docker Intensif
+
+chat: "[Gitter](https://gitter.im/jpetazzo/training-202105-online)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2021-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- containers/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- # DAY 1
+  #- containers/Docker_Overview.md
+  #- containers/Docker_History.md
+  - containers/Training_Environment.md
+  #- containers/Installing_Docker.md
+  - containers/First_Containers.md
+  - containers/Background_Containers.md
+  - containers/Initial_Images.md
+-
+  - containers/Building_Images_Interactively.md
+  - containers/Building_Images_With_Dockerfiles.md
+  - containers/Cmd_And_Entrypoint.md
+  - containers/Copying_Files_During_Build.md
+  - containers/Exercise_Dockerfile_Basic.md
+- # DAY 2
+  - containers/Container_Networking_Basics.md
+  - containers/Local_Development_Workflow.md
+  - containers/Start_And_Attach.md
+  - containers/Naming_And_Inspecting.md
+  - containers/Labels.md
+-
+  - containers/Container_Network_Model.md
+  - containers/Compose_For_Dev_Stacks.md
+  - containers/Exercise_Composefile.md
+- # DAY 3
+  - containers/Getting_Inside.md
+  - containers/Network_Drivers.md
+  - containers/Dockerfile_Tips.md
+  - containers/Advanced_Dockerfiles.md
+-
+  - containers/Orchestration_Overview.md
+  - containers/Multi_Stage_Builds.md
+  #- containers/Publishing_To_Docker_Hub.md
+  - containers/Exercise_Dockerfile_Advanced.md
+  #- containers/Docker_Machine.md
+  #- containers/Init_Systems.md
+  #- containers/Application_Configuration.md
+  #- containers/Logging.md
+  #- containers/Namespaces_Cgroups.md
+  #- containers/Copy_On_Write.md
+  #- containers/Containers_From_Scratch.md
+  #- containers/Container_Engines.md
+  #- containers/Pods_Anatomy.md
+  #- containers/Ecosystem.md
+  - shared/thankyou.md
+  #- containers/links.md

slides/2.yml

@@ -0,0 +1,103 @@
+title: |
+  Fondamentaux Kubernetes
+
+chat: "[Gitter](https://gitter.im/jpetazzo/training-202105-online)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2021-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/prereqs.md
+#- shared/webssh.md
+- shared/connecting.md
+- shared/toc.md
+- # 1
+  #- k8s/versions-k8s.md
+  - shared/sampleapp.md
+  #- shared/composescale.md
+  #- shared/hastyconclusions.md
+  - shared/composedown.md
+  - k8s/concepts-k8s.md
+  - k8s/kubectlget.md
+- # 2
+  - k8s/kubectl-run.md
+  - shared/declarative.md
+  - k8s/declarative.md
+  - k8s/deploymentslideshow.md
+  - k8s/kubenet.md
+  - k8s/kubectlexpose.md
+  - k8s/shippingimages.md
+  #- k8s/buildshiprun-selfhosted.md
+  - k8s/buildshiprun-dockerhub.md
+  - k8s/ourapponkube.md
+  #- k8s/exercise-wordsmith.md
+- # 3
+  - k8s/labels-annotations.md
+  - k8s/kubectl-logs.md
+  - k8s/logs-cli.md
+  - k8s/namespaces.md
+  - k8s/yamldeploy.md
+  #- k8s/kubectlscale.md
+  - k8s/scalingdockercoins.md
+  - shared/hastyconclusions.md
+- # 4
+  - k8s/daemonset.md
+  - k8s/rollout.md
+  - k8s/healthchecks.md
+  - k8s/healthchecks-more.md
+- # 5
+  - k8s/localkubeconfig.md
+  - k8s/accessinternal.md
+  - k8s/kubectlproxy.md
+  - k8s/dashboard.md
+  - k8s/k9s.md
+  - k8s/tilt.md
+- # 6
+  - k8s/setup-overview.md
+  - k8s/setup-devel.md
+  - k8s/setup-managed.md
+  - k8s/setup-selfhosted.md
+- # 7
+  - k8s/ingress.md
+  - k8s/ingress-tls.md
+- # 8
+  - k8s/volumes.md
+  #- k8s/exercise-configmap.md
+  #- k8s/build-with-docker.md
+  #- k8s/build-with-kaniko.md
+  - k8s/configuration.md
+  - k8s/secrets.md
+  - k8s/batch-jobs.md
+  #- k8s/logs-centralized.md
+  #- k8s/prometheus.md
+  #- k8s/statefulsets.md
+  #- k8s/local-persistent-volumes.md
+  #- k8s/portworx.md
+  #- k8s/extending-api.md
+  #- k8s/operators.md
+  #- k8s/operators-design.md
+  #- k8s/staticpods.md
+  #- k8s/owners-and-dependents.md
+  #- k8s/gitworkflows.md
+  #- k8s/whatsnext.md
+  #- k8s/lastwords.md
+  - shared/thankyou.md
+  - k8s/links.md
+#-
+#  - |
+#    # (Bonus)
+#  - k8s/record.md
+#  - k8s/dryrun.md

slides/3.yml

@@ -0,0 +1,44 @@
+title: |
+  Packaging d'applications
+  et CI/CD pour Kubernetes
+
+chat: "[Gitter](https://gitter.im/jpetazzo/training-202105-online)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2021-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+#- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/prereqs.md
+- shared/webssh.md
+- shared/connecting.md
+#- shared/chat-room-im.md
+#- shared/chat-room-zoom.md
+- shared/toc.md
+-
+  - k8s/kustomize.md
+  - k8s/helm-intro.md
+  - k8s/helm-chart-format.md
+  - k8s/helm-create-basic-chart.md
+-
+  - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
+  - k8s/helm-secrets.md
+-
+  - k8s/cert-manager.md
+  - k8s/gitlab.md
+-
+  - |
+    # (Extra content)
+  - k8s/prometheus.md
+  - k8s/prometheus-stack.md

slides/4.yml

@@ -0,0 +1,52 @@
+title: |
+  Kubernetes Avancé
+
+chat: "[Gitter](https://gitter.im/jpetazzo/training-202105-online)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2021-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom.md
+- shared/prereqs.md
+- shared/webssh.md
+- shared/connecting.md
+- shared/toc.md
+- #1
+  - k8s/netpol.md
+  - k8s/authn-authz.md
+- #2
+  - k8s/extending-api.md
+  - k8s/operators.md
+  - k8s/sealed-secrets.md
+  - k8s/crd.md
+  - k8s/exercise-sealed-secrets.md
+- #3
+  - k8s/resource-limits.md
+  - k8s/metrics-server.md
+  - k8s/cluster-sizing.md
+  - k8s/horizontal-pod-autoscaler.md
+- #4
+  - k8s/aggregation-layer.md
+  - k8s/prometheus.md
+  - k8s/hpa-v2.md
+- #5
+  - k8s/admission.md
+  - k8s/kyverno.md
+- #6
+  - k8s/statefulsets.md
+  - k8s/local-persistent-volumes.md
+  - k8s/eck.md
+  #- k8s/portworx.md
+  - k8s/openebs.md

slides/5.yml

@@ -0,0 +1,56 @@
+title: |
+  Opérer Kubernetes
+
+chat: "[Gitter](https://gitter.im/jpetazzo/training-202105-online)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2021-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+# DAY 1
+-
+  - k8s/prereqs-admin.md
+  - k8s/architecture.md
+  - k8s/deploymentslideshow.md
+  - k8s/dmuc.md
+-
+  - k8s/multinode.md
+  - k8s/cni.md
+  - k8s/interco.md
+-
+  - k8s/cni-internals.md
+  - k8s/apilb.md
+  - k8s/internal-apis.md
+  - k8s/staticpods.md
+  - k8s/cluster-upgrade.md
+  - k8s/cluster-backup.md
+  #- k8s/cloud-controller-manager.md
+-
+  - k8s/control-plane-auth.md
+  - k8s/user-cert.md
+  - k8s/csr-api.md
+  - k8s/openid-connect.md
+  - k8s/podsecuritypolicy.md
+  - shared/thankyou.md
+-
+  |
+  # (Extra content)
+  - k8s/apiserver-deepdive.md
+  - k8s/setup-overview.md
+  - k8s/setup-devel.md
+  - k8s/setup-managed.md
+  - k8s/setup-selfhosted.md

slides/_redirects

@@ -21,3 +21,5 @@
 
 # Survey form
 /please https://docs.google.com/forms/d/e/1FAIpQLSfIYSgrV7tpfBNm1hOaprjnBHgWKn5n-k5vtNXYJkOX1sRxng/viewform
+
+/ /highfive.html 200!

slides/containers/Background_Containers.md

@@ -44,6 +44,64 @@ Fri Feb 20 00:28:55 UTC 2015
 
 ---
 
+## When `^C` doesn't work...
+
+Sometimes, `^C` won't be enough.
+
+Why? And how can we stop the container in that case?
+
+---
+
+## What happens when we hit `^C`
+
+`SIGINT` gets sent to the container, which means:
+
+- `SIGINT` gets sent to PID 1 (default case)
+
+- `SIGINT` gets sent to *foreground processes* when running with `-ti`
+
+But there is a special case for PID 1: it ignores all signals!
+
+- except `SIGKILL` and `SIGSTOP`
+
+- except signals handled explicitly
+
+TL,DR: there are many circumstances when `^C` won't stop the container.
+
+---
+
+class: extra-details
+
+## Why is PID 1 special?
+
+- PID 1 has some extra responsibilities:
+
+  - it starts (directly or indirectly) every other process
+
+  - when a process exits, its processes are "reparented" under PID 1
+
+- When PID 1 exits, everything stops:
+
+  - on a "regular" machine, it causes a kernel panic
+
+  - in a container, it kills all the processes
+
+- We don't want PID 1 to stop accidentally
+
+- That's why it has these extra protections
+
+---
+
+## How to stop these containers, then?
+
+- Start another terminal and forget about them
+
+  (for now!)
+
+- We'll shortly learn about `docker kill`
+
+---
+
 ## Run a container in the background
 
 Containers can be started in the background, with the `-d` flag (daemon mode):

slides/containers/Building_Images_Interactively.md

@@ -131,7 +131,7 @@ root@fcfb62f0bfde:/# figlet hello
 |_| |_|\___|_|_|\___/ 
 ```
 
-It works! .emoji[🎉]
+It works! 🎉
 
 ---
 

slides/containers/Building_Images_With_Dockerfiles.md

@@ -89,6 +89,44 @@ To keep things simple for now: this is the directory where our Dockerfile is loc
 
 ## What happens when we build the image?
 
+It depends if we're using BuildKit or not!
+
+If there are lots of blue lines and the first line looks like this:
+```
+[+] Building 1.8s (4/6)
+```
+... then we're using BuildKit.
+
+If the output is mostly black-and-white and the first line looks like this:
+```
+Sending build context to Docker daemon  2.048kB
+```
+... then we're using the "classic" or "old-style" builder.
+
+---
+
+## To BuildKit or Not To BuildKit
+
+Classic builder:
+
+- copies the whole "build context" to the Docker Engine
+
+- linear (processes lines one after the other)
+
+- requires a full Docker Engine
+
+BuildKit:
+
+- only transfers parts of the "build context" when needed
+
+- will parallelize operations (when possible)
+
+- can run in non-privileged containers (e.g. on Kubernetes)
+
+---
+
+## With the classic builder
+
 The output of `docker build` looks like this:
 
 .small[
@@ -131,7 +169,7 @@ Sending build context to Docker daemon 2.048 kB
 
 * Be careful (or patient) if that directory is big and your link is slow.
 
-* You can speed up the process with a [`.dockerignore`](https://docs.docker.com/engine/reference/builder/#dockerignore-file) file 
+* You can speed up the process with a [`.dockerignore`](https://docs.docker.com/engine/reference/builder/#dockerignore-file) file
 
   * It tells docker to ignore specific files in the directory
 
@@ -161,6 +199,64 @@ Removing intermediate container e01b294dbffd
 
 ---
 
+## With BuildKit
+
+.small[
+```bash
+[+] Building 7.9s (7/7) FINISHED
+ => [internal] load build definition from Dockerfile                                                 0.0s
+ => => transferring dockerfile: 98B                                                                  0.0s
+ => [internal] load .dockerignore                                                                    0.0s
+ => => transferring context: 2B                                                                      0.0s
+ => [internal] load metadata for docker.io/library/ubuntu:latest                                     1.2s
+ => [1/3] FROM docker.io/library/ubuntu@sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386  3.2s
+ => => resolve docker.io/library/ubuntu@sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386  0.0s
+ => => sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386da88eb681d93 1.20kB / 1.20kB       0.0s
+ => => sha256:1de4c5e2d8954bf5fa9855f8b4c9d3c3b97d1d380efe19f60f3e4107a66f5cae 943B / 943B           0.0s
+ => => sha256:6a98cbe39225dadebcaa04e21dbe5900ad604739b07a9fa351dd10a6ebad4c1b 3.31kB / 3.31kB       0.0s
+ => => sha256:80bc30679ac1fd798f3241208c14accd6a364cb8a6224d1127dfb1577d10554f 27.14MB / 27.14MB     2.3s
+ => => sha256:9bf18fab4cfbf479fa9f8409ad47e2702c63241304c2cdd4c33f2a1633c5f85e 850B / 850B           0.5s
+ => => sha256:5979309c983a2adeff352538937475cf961d49c34194fa2aab142effe19ed9c1 189B / 189B           0.4s
+ => => extracting sha256:80bc30679ac1fd798f3241208c14accd6a364cb8a6224d1127dfb1577d10554f            0.7s
+ => => extracting sha256:9bf18fab4cfbf479fa9f8409ad47e2702c63241304c2cdd4c33f2a1633c5f85e            0.0s
+ => => extracting sha256:5979309c983a2adeff352538937475cf961d49c34194fa2aab142effe19ed9c1            0.0s
+ => [2/3] RUN apt-get update                                                                         2.5s
+ => [3/3] RUN apt-get install figlet                                                                 0.9s
+ => exporting to image                                                                               0.1s
+ => => exporting layers                                                                              0.1s
+ => => writing image sha256:3b8aee7b444ab775975dfba691a72d8ac24af2756e0a024e056e3858d5a23f7c         0.0s
+ => => naming to docker.io/library/figlet                                                            0.0s
+ ```
+ ]
+
+---
+
+## Understanding BuildKit output
+
+- BuildKit transfers the Dockerfile and the *build context*
+
+  (these are the first two `[internal]` stages)
+
+- Then it executes the steps defined in the Dockerfile
+
+  (`[1/3]`, `[2/3]`, `[3/3]`)
+
+- Finally, it exports the result of the build
+
+  (image definition + collection of layers)
+
+---
+
+class: extra-details
+
+## BuildKit plain output
+
+- When running BuildKit in e.g. a CI pipeline, its output will be different
+
+- We can see the same output format by using `--progress=plain`
+
+---
+
 ## The caching system
 
 If you run the same build again, it will be instantaneous. Why?
@@ -171,10 +267,10 @@ If you run the same build again, it will be instantaneous. Why?
 
 * Docker uses the exact strings defined in your Dockerfile, so:
 
-  * `RUN apt-get install figlet cowsay ` 
+  * `RUN apt-get install figlet cowsay`
     <br/> is different from
     <br/> `RUN apt-get install cowsay figlet`
-  
+
   * `RUN apt-get update` is not re-executed when the mirrors are updated
 
 You can force a rebuild with `docker build --no-cache ...`.
@@ -196,7 +292,7 @@ root@91f3c974c9a1:/# figlet hello
 ```
 
 
-Yay! .emoji[🎉]
+Yay! 🎉
 
 ---
 

slides/containers/Cmd_And_Entrypoint.md

@@ -272,6 +272,45 @@ $ docker run -it --entrypoint bash myfiglet
 root@6027e44e2955:/# 
 ```
 
+---
+
+## `CMD` and `ENTRYPOINT` recap
+
+- `docker run myimage` executes `ENTRYPOINT` + `CMD`
+
+- `docker run myimage args` executes `ENTRYPOINT` + `args` (overriding `CMD`)
+
+- `docker run --entrypoint prog myimage` executes `prog` (overriding both)
+
+.small[
+| Command                         | `ENTRYPOINT`       | `CMD`   | Result
+|---------------------------------|--------------------|---------|-------
+| `docker run figlet`             | none               | none    | Use values from base image (`bash`)
+| `docker run figlet hola`        | none               | none    | Error (executable `hola` not found)
+| `docker run figlet`             | `figlet -f script` | none    | `figlet -f script`
+| `docker run figlet hola`        | `figlet -f script` | none    | `figlet -f script hola`
+| `docker run figlet`             | none    | `figlet -f script` | `figlet -f script`
+| `docker run figlet hola`        | none    | `figlet -f script` | Error (executable `hola` not found)
+| `docker run figlet`             | `figlet -f script` | `hello` | `figlet -f script hello`
+| `docker run figlet hola`        | `figlet -f script` | `hello` | `figlet -f script hola`
+]
+
+---
+
+## When to use `ENTRYPOINT` vs `CMD`
+
+`ENTRYPOINT` is great for "containerized binaries".
+
+Example: `docker run consul --help`
+
+(Pretend that the `docker run` part isn't there!)
+
+`CMD` is great for images with multiple binaries.
+
+Example: `docker run busybox ifconfig`
+
+(It makes sense to indicate *which* program we want to run!)
+
 ???
 
 :EN:- CMD and ENTRYPOINT

slides/containers/Compose_For_Dev_Stacks.md

@@ -1,51 +1,40 @@
 # Compose for development stacks
 
-Dockerfiles are great to build container images.
+Dockerfile = great to build *one* container image.
 
-But what if we work with a complex stack made of multiple containers?
+What if we have multiple containers?
 
-Eventually, we will want to write some custom scripts and automation to build, run, and connect
-our containers together.
+What if some of them require particular `docker run` parameters?
 
-There is a better way: using Docker Compose.
+How do we connect them all together?
 
-In this section, you will use Compose to bootstrap a development environment.
+... Compose solves these use-cases (and a few more).
 
 ---
 
-## What is Docker Compose?
+## Life before Compose
 
-Docker Compose (formerly known as `fig`) is an external tool.
+Before we had Compose, we would typically write custom scripts to:
 
-Unlike the Docker Engine, it is written in Python. It's open source as well.
+- build container images,
 
-The general idea of Compose is to enable a very simple, powerful onboarding workflow:
+- run containers using these images,
 
-1. Checkout your code.
+- connect the containers together,
+
+- rebuild, restart, update these images and containers.
+
+---
+
+## Life with Compose
+
+Compose enables a simple, powerful onboarding workflow:
+
+1. Checkout our code.
 
 2. Run `docker-compose up`.
 
-3. Your app is up and running!
-
----
-
-## Compose overview
-
-This is how you work with Compose:
-
-* You describe a set (or stack) of containers in a YAML file called `docker-compose.yml`.
-
-* You run `docker-compose up`.
-
-* Compose automatically pulls images, builds containers, and starts them.
-
-* Compose can set up links, volumes, and other Docker options for you.
-
-* Compose can run the containers in the background, or in the foreground.
-
-* When containers are running in the foreground, their aggregated output is shown.
-
-Before diving in, let's see a small example of Compose in action.
+3. Our app is up and running!
 
 ---
 
@@ -55,20 +44,61 @@ class: pic
 
 ---
 
-## Checking if Compose is installed
+## Life after Compose
 
-If you are using the official training virtual machines, Compose has been
-pre-installed.
+(Or: when do we need something else?)
 
-If you are using Docker for Mac/Windows or the Docker Toolbox, Compose comes with them.
+- Compose is *not* an orchestrator
 
-If you are on Linux (desktop or server environment), you will need to install Compose from its [release page](https://github.com/docker/compose/releases) or with `pip install docker-compose`.
+- It isn't designed to need to run containers on multiple nodes
 
-You can always check that it is installed by running:
+  (it can, however, work with Docker Swarm Mode)
 
-```bash
-$ docker-compose --version
-```
+- Compose isn't ideal if we want to run containers on Kubernetes
+
+  - it uses different concepts (Compose services ≠ Kubernetes services)
+
+  - it needs a Docker Engine (althought containerd support might be coming)
+
+---
+
+## First rodeo with Compose
+
+1. Write Dockerfiles
+
+2. Describe our stack of containers in a YAML file called `docker-compose.yml`
+
+3. `docker-compose up` (or `docker-compose up -d` to run in the background)
+
+4. Compose pulls and builds the required images, and starts the containers
+
+5. Compose shows the combined logs of all the containers
+
+   (if running in the background, use `docker-compose logs`)
+
+6. Hit Ctrl-C to stop the whole stack
+
+   (if running in the background, use `docker-compose stop`)
+
+---
+
+## Iterating
+
+After making changes to our source code, we can:
+
+1. `docker-compose build` to rebuild container images
+
+2. `docker-compose up` to restart the stack with the new images
+
+We can also combine both with `docker-compose up --build`
+
+Compose will be smart, and only recreate the containers that have changed.
+
+When working with interpreted languages:
+
+- dont' rebuild each time
+
+- leverage a `volumes` section instead
 
 ---
 
@@ -77,38 +107,37 @@ $ docker-compose --version
 First step: clone the source code for the app we will be working on.
 
 ```bash
-$ cd
-$ git clone https://github.com/jpetazzo/trainingwheels
-...
-$ cd trainingwheels
+git clone https://github.com/jpetazzo/trainingwheels
+cd trainingwheels
 ```
 
-
-Second step: start your app.
+Second step: start the app.
 
 ```bash
-$ docker-compose up
+docker-compose up
 ```
 
-Watch Compose build and run your app with the correct parameters,
-including linking the relevant containers together.
+Watch Compose build and run the app.
+
+That Compose stack exposes a web server on port 8000; try connecting to it.
 
 ---
 
 ## Launching Our First Stack with Compose
 
-Verify that the app is running at `http://<yourHostIP>:8000`.
+We should see a web page like this:
 
 ![composeapp](images/composeapp.png)
 
+Each time we reload, the counter should increase.
+
 ---
 
 ## Stopping the app
 
-When you hit `^C`, Compose tries to gracefully terminate all of the containers.
+When we hit Ctrl-C, Compose tries to gracefully terminate all of the containers.
 
-After ten seconds (or if you press `^C` again) it will forcibly kill
-them.
+After ten seconds (or if we press `^C` again) it will forcibly kill them.
 
 ---
 
@@ -118,13 +147,13 @@ Here is the file used in the demo:
 
 .small[
 ```yaml
-version: "2"
+version: "3"
 
 services:
   www:
     build: www
     ports:
-      - 8000:5000
+      - ${PORT-8000}:5000
     user: nobody
     environment:
       DEBUG: 1
@@ -143,9 +172,9 @@ services:
 
 A Compose file has multiple sections:
 
-* `version` is mandatory. (We should use `"2"` or later; version 1 is deprecated.)
+* `version` is mandatory. (Typically use "3".)
 
-* `services` is mandatory. A service is one or more replicas of the same image running as containers.
+* `services` is mandatory. Each service corresponds to a container.
 
 * `networks` is optional and indicates to which networks containers should be connected.
   <br/>(By default, containers will be connected on a private, per-compose-file network.)
@@ -164,6 +193,8 @@ A Compose file has multiple sections:
 
 * Version 3 added support for deployment options (scaling, rolling updates, etc).
 
+* Typically use `version: "3"`.
+
 The [Docker documentation](https://docs.docker.com/compose/compose-file/)
 has excellent information about the Compose file format if you need to know more about versions.
 
@@ -201,34 +232,45 @@ For the full list, check: https://docs.docker.com/compose/compose-file/
 
 ---
 
-## Compose commands
+## Environment variables
 
-We already saw `docker-compose up`, but another one is `docker-compose build`.
+- We can use environment variables in Compose files
 
-It will execute `docker build` for all containers mentioning a `build` path.
+  (like `$THIS` or `${THAT}`)
 
-It can also be invoked automatically when starting the application:
+- We can provide default values, e.g. `${PORT-8000}`
 
-```bash
-docker-compose up --build
-```
+- Compose will also automatically load the environment file `.env`
 
-Another common option is to start containers in the background:
+  (it should contain `VAR=value`, one per line)
 
-```bash
-docker-compose up -d
-```
+- This is a great way to customize build and run parameters
+
+  (base image versions to use, build and run secrets, port numbers...)
 
 ---
 
-## Check container status
+## Running multiple copies of a stack
 
-It can be tedious to check the status of your containers with `docker ps`,
-especially when running multiple apps at the same time.
+- Copy the stack in two different directories, e.g. `front` and `frontcopy`
 
-Compose makes it easier; with `docker-compose ps` you will see only the status of the
-containers of the current stack:
+- Compose prefixes images and containers with the directory name:
 
+  `front_www`, `front_www_1`, `front_db_1`
+
+  `frontcopy_www`, `frontcopy_www_1`, `frontcopy_db_1`
+
+- Alternatively, use `docker-compose -p frontcopy` 
+
+  (to set the `--project-name` of a stack, which default to the dir name)
+
+- Each copy is isolated from the others (runs on a different network)
+
+---
+
+## Checking stack status
+
+We have `ps`, `docker ps`, and similarly, `docker-compose ps`:
 
 ```bash
 $ docker-compose ps
@@ -238,6 +280,10 @@ trainingwheels_redis_1   /entrypoint.sh red   Up      6379/tcp
 trainingwheels_www_1     python counter.py    Up      0.0.0.0:8000->5000/tcp 
 ```
 
+Shows the status of all the containers of our stack.
+
+Doesn't show the other containers.
+
 ---
 
 ## Cleaning up (1)
@@ -281,47 +327,39 @@ Use `docker-compose down -v` to remove everything including volumes.
 
 ## Special handling of volumes
 
-Compose is smart. If your container uses volumes, when you restart your
-application, Compose will create a new container, but carefully re-use
-the volumes it was using previously.
+- When an image gets updated, Compose automatically creates a new container
 
-This makes it easy to upgrade a stateful service, by pulling its
-new image and just restarting your stack with Compose.
+- The data in the old container is lost...
+
+- ... Except if the container is using a *volume*
+
+- Compose will then re-attach that volume to the new container
+
+  (and data is then retained across database upgrades)
+
+- All good database images use volumes
+
+  (e.g. all official images)
 
 ---
 
-## Compose project name
+class: extra-details
 
-* When you run a Compose command, Compose infers the "project name" of your app.
+## A bit of history and trivia
 
-* By default, the "project name" is the name of the current directory.
+- Compose was initially named "Fig"
 
-* For instance, if you are in `/home/zelda/src/ocarina`, the project name is `ocarina`.
+- Compose is one of the only components of Docker written in Python
 
-* All resources created by Compose are tagged with this project name.
+  (almost everything else is in Go)
 
-* The project name also appears as a prefix of the names of the resources.
+- In 2020, Docker introduced "Compose CLI":
 
-  E.g. in the previous example, service `www` will create a container `ocarina_www_1`.
+  - `docker compose` command to deploy Compose stacks to some clouds
 
-* The project name can be overridden with `docker-compose -p`.
+  - progressively getting feature parity with `docker-compose`
 
----
-
-## Running two copies of the same app
-
-If you want to run two copies of the same app simultaneously, all you have to do is to
-make sure that each copy has a different project name.
-
-You can:
-
-* copy your code in a directory with a different name
-
-* start each copy with `docker-compose -p myprojname up`
-
-Each copy will run in a different network, totally isolated from the other.
-
-This is ideal to debug regressions, do side-by-side comparisons, etc.
+  - also provides numerous improvements (e.g. leverages BuildKit by default)
 
 ???
 
@@ -329,4 +367,4 @@ This is ideal to debug regressions, do side-by-side comparisons, etc.
 :EN:- Connecting services together with a *Compose file*
 
 :FR:- Utiliser Compose pour décrire son environnement
-:FR:- Écrire un *Compose file* pour connecter les services entre eux
+:FR:- Écrire un *Compose file* pour connecter les services entre eux

slides/containers/Container_Network_Model.md

@@ -27,9 +27,9 @@ We will also explain the principle of overlay networks and network plugins.
 
 ## The Container Network Model
 
-The CNM was introduced in Engine 1.9.0 (November 2015).
+Docker has "networks".
 
-The CNM adds the notion of a *network*, and a new top-level command to manipulate and see those networks: `docker network`.
+We can manage them with the `docker network` commands; for instance:
 
 ```bash
 $ docker network ls
@@ -41,59 +41,79 @@ eb0eeab782f4        host                host
 228a4355d548        blog-prod           overlay
 ```
 
----
+New networks can be created (with `docker network create`).
 
-## What's in a network?
-
-* Conceptually, a network is a virtual switch.
-
-* It can be local (to a single Engine) or global (spanning multiple hosts).
-
-* A network has an IP subnet associated to it.
-
-* Docker will allocate IP addresses to the containers connected to a network.
-
-* Containers can be connected to multiple networks.
-
-* Containers can be given per-network names and aliases.
-
-* The names and aliases can be resolved via an embedded DNS server.
+(Note: networks `none` and `host` are special; let's set them aside for now.)
 
 ---
 
-## Network implementation details
+## What's a network?
 
-* A network is managed by a *driver*.
+- Conceptually, a Docker "network" is a virtual switch
 
-* The built-in drivers include:
+  (we can also think about it like a VLAN, or a WiFi SSID, for instance)
 
-  * `bridge` (default)
+- By default, containers are connected to a single network
 
-  * `none`
+  (but they can be connected to zero, or many networks, even dynamically)
 
-  * `host`
+- Each network has its own subnet (IP address range)
 
-  * `macvlan`
+- A network can be local (to a single Docker Engine) or global (span multiple hosts)
 
-* A multi-host driver, *overlay*, is available out of the box (for Swarm clusters).
+- Containers can have *network aliases* providing DNS-based service discovery
 
-* More drivers can be provided by plugins (OVS, VLAN...)
-
-* A network can have a custom IPAM (IP allocator).
+  (and each network has its own "domain", "zone", or "scope")
 
 ---
 
-class: extra-details
+## Service discovery
 
-## Differences with the CNI
+- A container can be given a network alias
 
-* CNI = Container Network Interface
+  (e.g. with `docker run --net some-network --net-alias db ...`)
 
-* CNI is used notably by Kubernetes
+- The containers running in the same network can resolve that network alias
 
-* With CNI, all the nodes and containers are on a single IP network
+  (i.e. if they do a DNS lookup on `db`, it will give the container's address)
 
-* Both CNI and CNM offer the same functionality, but with very different methods
+- We can have a different `db` container in each network
+
+  (this avoids naming conflicts between different stacks)
+
+- When we name a container, it automatically adds the name as a network alias
+
+  (i.e. `docker run --name xyz ...` is like `docker run --net-alias xyz ...`
+
+---
+
+## Network isolation
+
+- Networks are isolated
+
+- By default, containers in network A cannot reach those in network B
+
+- A container connected to both networks A and B can act as a router or proxy
+
+- Published ports are always reachable through the Docker host address
+
+  (`docker run -P ...` makes a container port available to everyone)
+
+---
+
+## How to use networks
+
+- We typically create one network per "stack" or app that we deploy
+
+- More complex apps or stacks might require multiple networks
+
+  (e.g. `frontend`, `backend`, ...)
+
+- Networks allow us to deploy multiple copies of the same stack
+
+  (e.g. `prod`, `dev`, `pr-442`, ....)
+
+- If we use Docker Compose, this is managed automatically for us
 
 ---
 
@@ -121,6 +141,30 @@ class: pic
 
 ---
 
+class: extra-details
+
+## CNM vs CNI
+
+- CNM is the model used by Docker
+
+- Kubernetes uses a different model, architectured around CNI
+
+  (CNI is a kind of API between a container engine and *CNI plugins*)
+
+- Docker model:
+
+  - multiple isolated networks
+  - per-network service discovery
+  - network interconnection requires extra steps
+
+- Kubernetes model:
+
+  - single flat network
+  - per-namespace service discovery
+  - network isolation requires extra steps (Network Policies)
+
+---
+
 ## Creating a network
 
 Let's create a network called `dev`.
@@ -190,8 +234,12 @@ class: extra-details
 
 ## Resolving container addresses
 
-In Docker Engine 1.9, name resolution is implemented with `/etc/hosts`, and
-updating it each time containers are added/removed.
+Since Docker Engine 1.10, name resolution is implemented by a dynamic resolver.
+
+Archeological note: when CNM was intoduced (in Docker Engine 1.9, November 2015)
+name resolution was implemented with `/etc/hosts`, and it was updated each time
+CONTAINERs were added/removed. This could cause interesting race conditions
+since `/etc/hosts` was a bind-mount (and couldn't be updated atomically).
 
 .small[
 ```bash
@@ -208,10 +256,6 @@ ff02::2 ip6-allrouters
 ```
 ]
 
-In Docker Engine 1.10, this has been replaced by a dynamic resolver.
-
-(This avoids race conditions when updating `/etc/hosts`.)
-
 ---
 
 # Service discovery with containers
@@ -265,12 +309,12 @@ Note: we're not using a FQDN or an IP address here; just `redis`.
 
 * That container must be on the same network as the web server.
 
-* It must have the right name (`redis`) so the application can find it.
+* It must have the right network alias (`redis`) so the application can find it.
 
 Start the container:
 
 ```bash
-$ docker run --net dev --name redis -d redis
+$ docker run --net dev --net-alias redis -d redis
 ```
 
 ---
@@ -287,36 +331,19 @@ $ docker run --net dev --name redis -d redis
 
 ## A few words on *scope*
 
-* What if we want to run multiple copies of our application?
+- Container names are unique (there can be only one `--name redis`)
 
-* Since names are unique, there can be only one container named `redis` at a time.
+- Network aliases are not unique
 
-* However, we can specify the network name of our container with `--net-alias`.
+- We can have the same network alias in different networks:
+  ```bash
+  docker run --net dev --net-alias redis ...
+  docker run --net prod --net-alias redis ...
+  ```
 
-* `--net-alias` is scoped per network, and independent from the container name.
+- We can even have multiple containers with the same alias in the same network
 
----
-
-class: extra-details
-
-## Using a network alias instead of a name
-
-Let's remove the `redis` container:
-
-```bash
-$ docker rm -f redis
-```
-
-* `-f`: Force the removal of a running container (uses SIGKILL)
-
-And create one that doesn't block the `redis` name:
-
-```bash
-$ docker run --net dev --net-alias redis -d redis
-```
-
-Check that the app still works (but the counter is back to 1,
-since we wiped out the old Redis container).
+  (in that case, we get multiple DNS entries, aka "DNS round robin")
 
 ---
 
@@ -349,7 +376,9 @@ A container can have multiple network aliases.
 
 Network aliases are *local* to a given network (only exist in this network).
 
-Multiple containers can have the same network alias (even on the same network). In Docker Engine 1.11, resolving a network alias yields the IP addresses of all containers holding this alias.
+Multiple containers can have the same network alias (even on the same network).
+
+Since Docker Engine 1.11, resolving a network alias yields the IP addresses of all containers holding this alias.
 
 ---
 
@@ -502,6 +531,24 @@ b2887adeb5578a01fd9c55c435cad56bbbe802350711d2743691f95743680b09
 
 ---
 
+## Network drivers
+
+* A network is managed by a *driver*.
+
+* The built-in drivers include:
+
+  * `bridge` (default)
+  * `none`
+  * `host`
+  * `macvlan`
+  * `overlay` (for Swarm clusters)
+
+* More drivers can be provided by plugins (OVS, VLAN...)
+
+* A network can have a custom IPAM (IP allocator).
+
+---
+
 ## Overlay networks
 
 * The features we've seen so far only work when all containers are on a single host.
@@ -742,3 +789,15 @@ class: extra-details
 * This may be used to access an internal package repository.
 
   (But try to use a multi-stage build instead, if possible!)
+
+???
+
+:EN:Container networking essentials
+:EN:- The Container Network Model
+:EN:- Container isolation
+:EN:- Service discovery
+
+:FR:Mettre ses conteneurs en réseau
+:FR:- Le "Container Network Model"
+:FR:- Isolation des conteneurs
+:FR:- *Service discovery*

slides/containers/Container_Networking_Basics.md

@@ -15,53 +15,84 @@ At the end of this section, you will be able to:
 
 * Run a network service in a container.
 
-* Manipulate container networking basics.
+* Connect to that network service.
 
 * Find a container's IP address.
 
-We will also explain the different network models used by Docker.
+---
+
+## Running a very simple service
+
+- We need something small, simple, easy to configure
+
+  (or, even better, that doesn't require any configuration at all)
+
+- Let's use the official NGINX image (named `nginx`)
+
+- It runs a static web server listening on port 80
+
+- It serves a default "Welcome to nginx!" page
 
 ---
 
-## A simple, static web server
-
-Run the Docker Hub image `nginx`, which contains a basic web server:
+## Runing an NGINX server
 
 ```bash
 $ docker run -d -P nginx
 66b1ce719198711292c8f34f84a7b68c3876cf9f67015e752b94e189d35a204e
 ```
 
-* Docker will download the image from the Docker Hub.
+- Docker will automatically pull the `nginx` image from the Docker Hub
 
-* `-d` tells Docker to run the image in the background.
+- `-d` / `--detach` tells Docker to run it in the background
 
-* `-P` tells Docker to make this service reachable from other computers.
-  <br/>(`-P` is the short version of `--publish-all`.)
+- `P` / `--publish-all` tells Docker to publish all ports
 
-But, how do we connect to our web server now?
+  (publish = make them reachable from other computers)
+
+- ...OK, how do we connect to our web server now?
 
 ---
 
 ## Finding our web server port
 
-We will use `docker ps`:
+- First, we need to find the *port number* used by Docker
 
-```bash
-$ docker ps
-CONTAINER ID  IMAGE  ...  PORTS                  ...
-e40ffb406c9e  nginx  ...  0.0.0.0:32768->80/tcp  ...
-```
+  (the NGINX container listens on port 80, but this port will be *mapped*)
 
+- We can use `docker ps`:
+  ```bash
+  $ docker ps
+  CONTAINER ID  IMAGE  ...  PORTS                  ...
+  e40ffb406c9e  nginx  ...  0.0.0.0:`12345`->80/tcp  ...
+  ```
 
-* The web server is running on port 80 inside the container.
+- This means:
 
-* This port is mapped to port 32768 on our Docker host.
+  *port 12345 on the Docker host is mapped to port 80 in the container*
 
-We will explain the whys and hows of this port mapping.
+- Now we need to connect to the Docker host!
 
-But first, let's make sure that everything works properly.
+---
 
+## Finding the address of the Docker host
+
+- When running Docker on your Linux workstation:
+
+  *use `localhost`, or any IP address of your machine*
+
+- When running Docker on a remote Linux server:
+
+  *use any IP address of the remote machine*
+
+- When running Docker Desktop on Mac or Windows:
+
+  *use `localhost`*
+
+- In other scenarios (`docker-machine`, local VM...):
+
+  *use the IP address of the Docker VM*
+  
 ---
 
 ## Connecting to our web server (GUI)
@@ -81,7 +112,7 @@ Make sure to use the right port number if it is different
 from the example below:
 
 ```bash
-$ curl localhost:32768
+$ curl localhost:12345
 <!DOCTYPE html>
 <html>
 <head>
@@ -116,17 +147,41 @@ IMAGE               CREATED             CREATED BY
 
 ---
 
-## Why are we mapping ports?
+## Why can't we just connect to port 80?
 
-* We are out of IPv4 addresses.
+- Our Docker host has only one port 80
 
-* Containers cannot have public IPv4 addresses.
+- Therefore, we can only have one container at a time on port 80
 
-* They have private addresses.
+- Therefore, if multiple containers want port 80, only one can get it
 
-* Services have to be exposed port by port.
+- By default, containers *do not* get "their" port number, but a random one
 
-* Ports have to be mapped to avoid conflicts.
+  (not "random" as "crypto random", but as "it depends on various factors")
+
+- We'll see later how to force a port number (including port 80!)
+
+---
+
+class: extra-details
+
+## Using multiple IP addresses
+
+*Hey, my network-fu is strong, and I have questions...*
+
+- Can I publish one container on 127.0.0.2:80, and another on 127.0.0.3:80?
+
+- My machine has multiple (public) IP addresses, let's say A.A.A.A and B.B.B.B.
+  <br/>
+  Can I have one container on A.A.A.A:80 and another on B.B.B.B:80?
+
+- I have a whole IPV4 subnet, can I allocate it to my containers?
+
+- What about IPV6?
+
+You can do all these things when running Docker directly on Linux.
+
+(On other platforms, *generally not*, but there are some exceptions.)
 
 ---
 
@@ -138,7 +193,7 @@ There is a command to help us:
 
 ```bash
 $ docker port <containerID> 80
-32768
+0.0.0.0:12345
 ```
 
 ---
@@ -172,13 +227,11 @@ There are many ways to integrate containers in your network.
 * Pick a fixed port number in advance, when you generate your configuration.
   <br/>Then start your container by setting the port numbers manually.
 
-* Use a network plugin, connecting your containers with e.g. VLANs, tunnels...
+* Use an orchestrator like Kubernetes or Swarm.
+  <br/>The orchestrator will provide its own networking facilities.
 
-* Enable *Swarm Mode* to deploy across a cluster.
-  <br/>The container will then be reachable through any node of the cluster.
-
-When using Docker through an extra management layer like Mesos or Kubernetes,
-these will usually provide their own mechanism to expose containers.
+Orchestrators typically provide mechanisms to enable direct container-to-container
+communication across hosts, and publishing/load balancing for inbound traffic.
 
 ---
 
@@ -202,16 +255,34 @@ $ docker inspect --format '{{ .NetworkSettings.IPAddress }}' <yourContainerID>
 
 ## Pinging our container
 
-We can test connectivity to the container using the IP address we've
-just discovered. Let's see this now by using the `ping` tool.
+Let's try to ping our container *from another container.*
 
 ```bash
-$ ping <ipAddress>
-64 bytes from <ipAddress>: icmp_req=1 ttl=64 time=0.085 ms
-64 bytes from <ipAddress>: icmp_req=2 ttl=64 time=0.085 ms
-64 bytes from <ipAddress>: icmp_req=3 ttl=64 time=0.085 ms
+docker run alpine ping `<ipaddress>`
+PING 172.17.0.X (172.17.0.X): 56 data bytes
+64 bytes from 172.17.0.X: seq=0 ttl=64 time=0.106 ms
+64 bytes from 172.17.0.X: seq=1 ttl=64 time=0.250 ms
+64 bytes from 172.17.0.X: seq=2 ttl=64 time=0.188 ms
 ```
 
+When running on Linux, we can even ping that IP address directly!
+
+(And connect to a container's ports even if they aren't published.)
+
+---
+
+## How often do we use `-p` and `-P` ?
+
+- When running a stack of containers, we will often use Compose
+
+- Compose will take care of exposing containers
+
+  (through a `ports:` section in the `docker-compose.yml` file)
+
+- It is, however, fairly common to use `docker run -P` for a quick test
+
+- Or `docker run -p ...` when an image doesn't `EXPOSE` a port correctly
+
 ---
 
 ## Section summary
@@ -220,19 +291,11 @@ We've learned how to:
 
 * Expose a network port.
 
-* Manipulate container networking basics.
+* Connect to an application running in a container.
 
 * Find a container's IP address.
 
-In the next chapter, we will see how to connect
-containers together without exposing their ports.
-
 ???
 
-:EN:Connecting containers
-:EN:- Container networking basics
-:EN:- Exposing a container
-
-:FR:Connecter les conteneurs
-:FR:- Description du modèle réseau des conteneurs
-:FR:- Exposer un conteneur
+:EN:- Exposing single containers
+:FR:- Exposer un conteneur isolé

slides/containers/Copying_Files_During_Build.md

@@ -88,18 +88,45 @@ Success!
 
 ## Details
 
-* You can `COPY` whole directories recursively.
+* We can `COPY` whole directories recursively
 
-* Older Dockerfiles also have the `ADD` instruction.
-  <br/>It is similar but can automatically extract archives.
+* It is possible to do e.g. `COPY . .`
+
+  (but it might require some extra precautions to avoid copying too much)
+ 
+* In older Dockerfiles, you might see the `ADD` command; consider it deprecated
+
+  (it is similar to `COPY` but can automatically extract archives)
 
 * If we really wanted to compile C code in a container, we would:
 
-  * Place it in a different directory, with the `WORKDIR` instruction.
+  * place it in a different directory, with the `WORKDIR` instruction
 
-  * Even better, use the `gcc` official image.
+  * even better, use the `gcc` official image
+
+---
+
+class: extra-details
+
+## `.dockerignore`
+
+- We can create a file named `.dockerignore`
+
+  (at the top-level of the build context)
+
+- It can contain file names and globs to ignore
+
+- They won't be sent to the builder
+
+  (and won't end up in the resulting image)
+
+- See the [documentation] for the little details
+
+  (exceptions can be made with `!`, multiple directory levels with `**`...)
+
+[documentation]: https://docs.docker.com/engine/reference/builder/#dockerignore-file
 
 ???
 
-:EN:- The build cache
+:EN:- Leveraging the build cache for faster builds
 :FR:- Tirer parti du cache afin d'optimiser la vitesse de *build*

slides/containers/Dockerfile_Tips.md

@@ -66,9 +66,9 @@ Adding the dependencies as a separate step means that Docker can cache more effi
 
 ```bash
 FROM python
-COPY requirements.txt /tmp/requirements.txt
-RUN pip install -qr /tmp/requirements.txt
 WORKDIR /src
+COPY requirements.txt .
+RUN pip install -qr requirements.txt
 COPY . .
 EXPOSE 5000
 CMD ["python", "app.py"]
@@ -434,5 +434,12 @@ services:
 
 ???
 
+:EN:Optimizing images
 :EN:- Dockerfile tips, tricks, and best practices
-:FR:- Bonnes pratiques pour la construction des images
+:EN:- Reducing build time
+:EN:- Reducing image size
+
+:FR:Optimiser ses images
+:FR:- Bonnes pratiques, trucs et astuces
+:FR:- Réduire le temps de build
+:FR:- Réduire la taille des images

slides/containers/Exercise_Dockerfile_Basic.md

@@ -2,4 +2,99 @@
 
 Let's write Dockerfiles for an existing application!
 
-The code is at: https://github.com/jpetazzo/wordsmith
+1. Check out the code repository
+
+2. Read all the instructions
+
+3. Write Dockerfiles
+
+4. Build and test them individually
+
+<!--
+5. Test them together with the provided Compose file
+-->
+
+---
+
+## Code repository
+
+Clone the repository available at:
+
+https://github.com/jpetazzo/wordsmith
+
+It should look like this:
+```
+├── LICENSE
+├── README
+├── db/
+│   └── words.sql
+├── web/
+│   ├── dispatcher.go
+│   └── static/
+└── words/
+    ├── pom.xml
+    └── src/
+```
+
+---
+
+## Instructions
+
+The repository contains instructions in English and French.
+<br/>
+For now, we only care about the first part (about writing Dockerfiles).
+<br/>
+Place each Dockerfile in its own directory, like this:
+```
+├── LICENSE
+├── README
+├── db/
+│   ├── `Dockerfile`
+│   └── words.sql
+├── web/
+│   ├── `Dockerfile`
+│   ├── dispatcher.go
+│   └── static/
+└── words/
+    ├── `Dockerfile`
+    ├── pom.xml
+    └── src/
+```
+
+---
+
+## Build and test
+
+Build and run each Dockerfile individually.
+
+For `db`, we should be able to see some messages confirming that the data set
+was loaded successfully (some `INSERT` lines in the container output).
+
+For `web` and `words`, we should be able to see some message looking like
+"server started successfully".
+
+That's all we care about for now!
+
+Bonus question: make sure that each container stops correctly when hitting Ctrl-C.
+
+???
+
+## Test with a Compose file
+
+Place the following Compose file at the root of the repository:
+
+
+```yaml
+version: "3"
+services:
+  db:
+    build: db
+  words:
+    build: words
+  web:
+    build: web
+    ports:
+    - 8888:80
+```
+
+Test the whole app by bringin up the stack and connecting to port 8888.

slides/containers/First_Containers.md

@@ -106,7 +106,7 @@ root@04c0bb0a6c07:/# figlet hello
 |_| |_|\___|_|_|\___/ 
 ```
 
-Beautiful! .emoji[😍]
+Beautiful! 😍
 
 ---
 
@@ -118,7 +118,7 @@ Let's check how many packages are installed there.
 
 ```bash
 root@04c0bb0a6c07:/# dpkg -l | wc -l
-190
+97
 ```
 
 * `dpkg -l` lists the packages installed in our container
@@ -175,7 +175,7 @@ Now try to run `figlet`. Does that work?
 
 * We can run *any container* on *any host*.
 
-  (One exception: Windows containers cannot run on Linux machines; at least not yet.)
+  (One exception: Windows containers can only run on Windows hosts; at least for now.)
 
 ---
 

slides/containers/Initial_Images.md

@@ -56,6 +56,8 @@ Each of the following items will correspond to one layer:
 * Our application code and assets
 * Our application configuration
 
+(Note: app config is generally added by orchestration facilities.)
+
 ---
 
 class: pic
@@ -367,6 +369,44 @@ This is similar to what we would do with `pip install`, `npm install`, etc.
 
 ---
 
+class: extra-details
+
+## Multi-arch images
+
+- An image can support multiple architectures
+
+- More precisely, a specific *tag* in a given *repository* can have either:
+
+  - a single *manifest* referencing an image for a single architecture
+
+  - a *manifest list* (or *fat manifest*) referencing multiple images
+
+- In a *manifest list*, each image is identified by a combination of:
+
+  - `os` (linux, windows)
+
+  - `architecture` (amd64, arm, arm64...)
+
+  - optional fields like `variant` (for arm and arm64), `os.version` (for windows)
+
+---
+
+class: extra-details
+
+## Working with multi-arch images
+
+- The Docker Engine will pull "native" images when available
+
+  (images matching its own os/architecture/variant)
+
+- We can ask for a specific image platform with `--platform`
+
+- The Docker Engine can run non-native images thanks to QEMU+binfmt
+
+  (automatically on Docker Desktop; with a bit of setup on Linux)
+
+---
+
 ## Section summary
 
 We've learned how to:

slides/containers/Local_Development_Workflow.md

@@ -154,7 +154,7 @@ Option 2:
 
 Option 3:
 
-* Use a *volume* to mount local files into the container
+* Use a *bind mount* to share local files with the container
 * Make changes locally
 * Changes are reflected in the container
 
@@ -199,7 +199,28 @@ The flag structure is:
 
 * If you don't specify `rw` or `ro`, it will be `rw` by default.
 
-There will be a full chapter about volumes!
+---
+
+class: extra-details
+
+## Hold your horses... and your mounts
+
+- The `-v /path/on/host:/path/in/container` syntax is the "old" syntax
+
+- The modern syntax looks like this:
+
+  `--mount type=bind,source=/path/on/host,target=/path/in/container`
+
+- `--mount` is more explicit, but `-v` is quicker to type
+
+- `--mount` supports all mount types; `-v` doesn't support `tmpfs` mounts
+
+- `--mount` fails if the path on the host doesn't exist; `-v` creates it
+
+With the new syntax, our command becomes:
+```bash
+docker run --mount=type=bind,source=$(pwd),target=/src -dP namer
+```
 
 ---
 
@@ -253,15 +274,43 @@ color: red;
 
 ## Understanding volumes
 
-* Volumes are *not* copying or synchronizing files between the host and the container.
+- Volumes are *not* copying or synchronizing files between the host and the container
 
-* Volumes are *bind mounts*: a kernel mechanism associating one path with another.
+- Changes made in the host are immediately visible in the container (and vice versa)
 
-* Bind mounts are *kind of* similar to symbolic links, but at a very different level.
+- When running on Linux:
 
-* Changes made on the host or on the container will be visible on the other side.
+  - volumes and bind mounts correspond to directories on the host
 
-  (Under the hood, it's the same file anyway.)
+  - if Docker runs in a Linux VM, these directories are in the Linux VM
+
+- When running on Docker Desktop:
+
+  - volumes correspond to directories in a small Linux VM running Docker
+
+  - access to bind mounts is translated to host filesystem access
+    <br/>
+    (a bit like a network filesystem)
+
+---
+
+class: extra-details
+
+## Docker Desktop caveats
+
+- When running Docker natively on Linux, accessing a mount = native I/O
+
+- When running Docker Desktop, accessing a bind mount = file access translation
+
+- That file access translation has relatively good performance *in general*
+
+  (watch out, however, for that big `npm install` working on a bind mount!)
+
+- There are some corner cases when watching files (with mechanisms like inotify)
+
+- Features like "live reload" or programs like `entr` don't always behave properly
+
+  (due to e.g. file attribute caching, and other interesting details!)
 
 ---
 
@@ -397,4 +446,4 @@ We've learned how to:
 :EN:- “Containerize” a development environment
 
 :FR:Développer au jour le jour
-:FR:- « Containeriser » son environnement de développement
+:FR:- « Containeriser » son environnement de développement

slides/containers/Multi_Stage_Builds.md

@@ -298,21 +298,20 @@ virtually "free."
 
 ## Build targets
 
-* We can also tag an intermediary stage with `docker build --target STAGE --tag NAME`
+* We can also tag an intermediary stage with the following command:
+  ```bash
+  docker build --target STAGE --tag NAME
+  ```
 
 * This will create an image (named `NAME`) corresponding to stage `STAGE`
 
 * This can be used to easily access an intermediary stage for inspection
 
-  (Instead of parsing the output of `docker build` to find out the image ID)
+  (instead of parsing the output of `docker build` to find out the image ID)
 
 * This can also be used to describe multiple images from a single Dockerfile
 
-  (Instead of using multiple Dockerfiles, which could go out of sync)
-
-* Sometimes, we want to inspect a specific intermediary build stage.
-
-* Or, we want to describe multiple images using a single Dockerfile.
+  (instead of using multiple Dockerfiles, which could go out of sync)
 
 ???
 

slides/containers/Network_Drivers.md

@@ -1,18 +1,20 @@
 # Container network drivers
 
-The Docker Engine supports many different network drivers.
+The Docker Engine supports different network drivers.
 
 The built-in drivers include:
 
 * `bridge` (default)
 
-* `none`
+* `null` (for the special network called `none`)
 
-* `host`
+* `host` (for the special network called `host`)
 
-* `container`
+* `container` (that one is a bit magic!)
 
-The driver is selected with `docker run --net ...`.
+The network is selected with `docker run --net ...`.
+
+Each network is managed by a driver.
 
 The different drivers are explained with more details on the following slides.
 
@@ -82,3 +84,12 @@ Use cases:
 * Those containers can communicate over their `lo` interface.
   <br/>(i.e. one can bind to 127.0.0.1 and the others can connect to it.)
 
+???
+
+:EN:Advanced container networking
+:EN:- Transparent network access with the "host" driver
+:EN:- Sharing is caring with the "container" driver
+
+:FR:Paramétrage réseau avancé
+:FR:- Accès transparent au réseau avec le mode "host"
+:FR:- Partage de la pile réseau avece le mode "container"

slides/highfive.html

@@ -0,0 +1,98 @@
+<?xml version="1.0"?>
+<html>
+  <head>
+    <style>
+      td { 
+        background: #ccc; 
+        padding: 1em;
+      }
+</style>
+  </head>
+  <body>
+    <table>
+      <tr>
+        <td>Lundi 10 mai 2021</td>
+        <td>
+          <a href="1.yml.html">Docker Intensif</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mardi 11 mai 2021</td>
+        <td>
+          <a href="1.yml.html">Docker Intensif</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mercredi 12 mai 2021</td>
+        <td>
+          <a href="1.yml.html">Docker Intensif</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Lundi 17 mai 2021</td>
+        <td>
+          <a href="2.yml.html">Fondamentaux Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mardi 18 mai 2021</td>
+        <td>
+          <a href="2.yml.html">Fondamentaux Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mercredi 19 mai 2021</td>
+        <td>
+          <a href="2.yml.html">Fondamentaux Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Jeudi 20 mai 2021</td>
+        <td>
+          <a href="2.yml.html">Fondamentaux Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Lundi 24 mai 2021</td>
+        <td>
+          <a href="3.yml.html">Packaging d'applications et CI/CD pour Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mardi 25 mai 2021</td>
+        <td>
+          <a href="3.yml.html">Packaging d'applications et CI/CD pour Kubernetes</a>
+        </td>
+      </tr>
+        <td>Mercredi 26 mai 2021</td>
+        <td>
+          <a href="4.yml.html">Kubernetes Avancé</a>
+        </td>
+      </tr>
+      </tr>
+        <td>Jeudi 27 mai 2021</td>
+        <td>
+          <a href="4.yml.html">Kubernetes Avancé</a>
+        </td>
+      </tr>
+      </tr>
+        <td>Vendredi 28 mai 2021</td>
+        <td>
+          <a href="4.yml.html">Kubernetes Avancé</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Lundi 31 mai 2021</td>
+        <td>
+          <a href="5.yml.html">Opérer Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mardi 1er juin 2021</td>
+        <td>
+          <a href="5.yml.html">Opérer Kubernetes</a>
+        </td>
+      </tr>
+    </table>
+  </body>
+</html>

slides/images/control-planes/single-node-dev.svg

@@ -0,0 +1,914 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:osb="http://www.openswatchbook.org/uri/2009/osb"
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="1600"
+   height="900"
+   viewBox="0 0 1600 900"
+   version="1.1"
+   id="svg696"
+   sodipodi:docname="single-node-dev.svg"
+   inkscape:version="1.0.2 (e86c870879, 2021-01-15)"
+   enable-background="new">
+  <metadata
+     id="metadata700">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title>how-does-k8s-work</dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <sodipodi:namedview
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1"
+     objecttolerance="10"
+     gridtolerance="10"
+     guidetolerance="10"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:window-width="1920"
+     inkscape:window-height="1080"
+     id="namedview698"
+     showgrid="false"
+     inkscape:zoom="0.64"
+     inkscape:cx="133.80574"
+     inkscape:cy="440.39529"
+     inkscape:window-x="0"
+     inkscape:window-y="1080"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="how-does-k8s-work"
+     units="px"
+     inkscape:snap-object-midpoints="true"
+     inkscape:document-rotation="0" />
+  <title
+     id="title304">how-does-k8s-work</title>
+  <style
+     type="text/css"
+     id="style5"><![CDATA[
+    @font-face {
+        font-family: "Droid Serif";
+        src: url(https://fonts.gstatic.com/s/droidserif/v9/tDbI2oqRg1oM3QBjjcaDkOr9rAU.woff2) format("woff2");
+    }
+  ]]></style>
+  <defs
+     id="defs483">
+    <marker
+       inkscape:stockid="TriangleOutS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker4502"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path4500"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(0.2)" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleInS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker4492"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path4490"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(-0.2)" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker3758"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleOutS">
+      <path
+         transform="scale(0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path3756" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker3586"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleInS">
+      <path
+         transform="scale(-0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path3584" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker2794"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleOutS">
+      <path
+         transform="scale(0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path2792" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker2634"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleInS">
+      <path
+         transform="scale(-0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path2632" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker2202"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleOutS">
+      <path
+         transform="scale(0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path2200" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker2054"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleInS">
+      <path
+         transform="scale(-0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path2052" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker2781"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleOutS">
+      <path
+         transform="scale(0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path2779" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker2657"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleInS">
+      <path
+         transform="scale(-0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path2655" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleOutS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker2327"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path2325"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(0.2)" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleInS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker2181"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path2179"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(-0.2)" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleOutS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker2026"
+       style="overflow:visible"
+       inkscape:isstock="true"
+       inkscape:collect="always">
+      <path
+         id="path2024"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(0.2)" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleInS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker1880"
+       style="overflow:visible"
+       inkscape:isstock="true"
+       inkscape:collect="always">
+      <path
+         id="path1878"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(-0.2)" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleOutS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker1725"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path1723"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(0.2)" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleInS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker1613"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path1611"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(-0.2)" />
+    </marker>
+    <linearGradient
+       id="linearGradient15544"
+       osb:paint="solid">
+      <stop
+         style="stop-color:#f7fe9a;stop-opacity:1;"
+         offset="0"
+         id="stop15542" />
+    </linearGradient>
+    <marker
+       inkscape:stockid="TriangleOutS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker15078"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path15076"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(0.2)" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleInS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker14924"
+       style="overflow:visible"
+       inkscape:isstock="true">
+      <path
+         id="path14922"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(-0.2)" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker6635"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleOutS">
+      <path
+         transform="scale(0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path6633" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker6541"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleInS">
+      <path
+         transform="scale(-0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path6539" />
+    </marker>
+    <marker
+       inkscape:stockid="TriangleInS"
+       orient="auto"
+       refY="0.0"
+       refX="0.0"
+       id="marker6297"
+       style="overflow:visible"
+       inkscape:isstock="true"
+       inkscape:collect="always">
+      <path
+         id="path6295"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         transform="scale(-0.2)" />
+    </marker>
+    <marker
+       inkscape:isstock="true"
+       style="overflow:visible"
+       id="marker4353"
+       refX="0.0"
+       refY="0.0"
+       orient="auto"
+       inkscape:stockid="TriangleInS"
+       inkscape:collect="always">
+      <path
+         transform="scale(-0.2)"
+         style="fill-rule:evenodd;stroke:#cccccc;stroke-width:1pt;stroke-opacity:1;fill:#cccccc;fill-opacity:1"
+         d="M 5.77,0.0 L -2.88,5.0 L -2.88,-5.0 L 5.77,0.0 z "
+         id="path4351" />
+    </marker>
+    <filter
+       x="-0.039000001"
+       y="-0.096999995"
+       width="1.077"
+       height="1.181"
+       filterUnits="objectBoundingBox"
+       id="filter-1">
+      <feOffset
+         dx="0"
+         dy="2"
+         in="SourceAlpha"
+         result="shadowOffsetOuter1"
+         id="feOffset308" />
+      <feGaussianBlur
+         stdDeviation="2"
+         in="shadowOffsetOuter1"
+         result="shadowBlurOuter1"
+         id="feGaussianBlur310" />
+      <feColorMatrix
+         values="0 0 0 0 0   0 0 0 0 0   0 0 0 0 0  0 0 0 0.5 0"
+         type="matrix"
+         in="shadowBlurOuter1"
+         result="shadowMatrixOuter1"
+         id="feColorMatrix312" />
+      <feMerge
+         id="feMerge318">
+        <feMergeNode
+           in="shadowMatrixOuter1"
+           id="feMergeNode314" />
+        <feMergeNode
+           in="SourceGraphic"
+           id="feMergeNode316" />
+      </feMerge>
+    </filter>
+    <filter
+       x="-0.039000001"
+       y="-0.096999995"
+       width="1.077"
+       height="1.181"
+       filterUnits="objectBoundingBox"
+       id="filter-1-3">
+      <feOffset
+         dx="0"
+         dy="2"
+         in="SourceAlpha"
+         result="shadowOffsetOuter1"
+         id="feOffset308-6" />
+      <feGaussianBlur
+         stdDeviation="2"
+         in="shadowOffsetOuter1"
+         result="shadowBlurOuter1"
+         id="feGaussianBlur310-7" />
+      <feColorMatrix
+         values="0 0 0 0 0   0 0 0 0 0   0 0 0 0 0  0 0 0 0.5 0"
+         type="matrix"
+         in="shadowBlurOuter1"
+         result="shadowMatrixOuter1"
+         id="feColorMatrix312-5" />
+      <feMerge
+         id="feMerge318-3">
+        <feMergeNode
+           in="shadowMatrixOuter1"
+           id="feMergeNode314-5" />
+        <feMergeNode
+           in="SourceGraphic"
+           id="feMergeNode316-6" />
+      </feMerge>
+    </filter>
+    <filter
+       inkscape:collect="always"
+       style="color-interpolation-filters:sRGB"
+       id="filter1101"
+       x="-0.023413722"
+       width="1.0468274"
+       y="-0.023627247"
+       height="1.0472545">
+      <feGaussianBlur
+         inkscape:collect="always"
+         stdDeviation="6.3996521"
+         id="feGaussianBlur1103" />
+    </filter>
+  </defs>
+  <g
+     id="how-does-k8s-work"
+     style="display:inline;fill:none;fill-rule:evenodd;stroke:none;stroke-width:1"
+     transform="translate(240,90)">
+    <path
+       inkscape:connector-curvature="0"
+       id="path3461"
+       d="m 550.17888,-14.918735 c -5.79916,0.29836 -11.4811,1.76683 -16.7125,4.31926 L 305.41221,100.68854 c -11.95688,5.8319 -20.64156,16.86146 -23.59583,29.96674 l -56.2625,249.981 c -2.62478,11.6363 -0.48906,23.8532 5.92083,33.869 0.7693,1.2119 1.59668,2.3849 2.47917,3.515 l 157.85,200.44354 c 8.27676,10.5066 20.82591,16.6243 34.09583,16.6217 l 253.13751,-0.06 c 13.26496,0.01 25.81322,-6.0964 34.09583,-16.5919 L 870.92472,417.96068 c 8.28119,-10.5119 11.38389,-24.2726 8.42917,-37.384 l -56.35,-249.98098 c -2.95427,-13.10528 -11.63895,-24.13483 -23.59583,-29.96674 L 571.32472,-10.599475 c -6.58031,-3.21076 -13.85136,-4.69595 -21.14584,-4.31926 z"
+       style="display:inline;opacity:1;mix-blend-mode:overlay;vector-effect:none;fill:#4285f4;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:2.78722;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;filter:url(#filter1101)"
+       transform="matrix(1.1552713,0,0,1.1552713,-85.780113,43.857391)"
+       inkscape:label="control plane" />
+    <text
+       id="text3581"
+       y="763.69812"
+       x="502.07855"
+       style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:32.6588px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none;filter:url(#filter-1)"
+       xml:space="preserve"
+       transform="matrix(1.4029438,0,0,1.4029438,-157.63347,-1100.6682)"
+       inkscape:label="control plane label"><tspan
+         y="763.69812"
+         x="502.07855"
+         id="tspan3579"
+         sodipodi:role="line">SINGLE-NODE CLUSTER (FOR DEVELOPMENT)</tspan></text>
+    <g
+       id="apiserver"
+       transform="translate(-160.72924,-102.29405)">
+      <rect
+         transform="matrix(0.83465672,0,0,0.83465672,99.00177,261.15864)"
+         ry="5.617908"
+         y="135.0636"
+         x="427.27243"
+         height="125.52966"
+         width="231.99153"
+         id="rect3668"
+         style="display:inline;vector-effect:none;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:2.78697;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;filter:url(#filter-1)"
+         inkscape:label="API server" />
+      <text
+         id="text4504"
+         y="438.31876"
+         x="552.05261"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.834657"
+         xml:space="preserve"><tspan
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+           y="438.31876"
+           x="552.05261"
+           id="tspan4502"
+           sodipodi:role="line">API server</tspan></text>
+    </g>
+    <g
+       id="controller-manager"
+       transform="translate(-200,22)">
+      <rect
+         transform="matrix(0.83465672,0,0,0.83465672,205.00177,315.15864)"
+         style="display:inline;vector-effect:none;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:2.78697;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;filter:url(#filter-1)"
+         id="rect4506"
+         width="231.99153"
+         height="125.52966"
+         x="426.37198"
+         y="298.2099"
+         ry="5.617908"
+         inkscape:label="controller manager" />
+      <text
+         xml:space="preserve"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.834657"
+         x="656.36871"
+         y="606.2431"
+         id="text4510"><tspan
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+           sodipodi:role="line"
+           id="tspan4508"
+           x="656.36871"
+           y="606.2431">controller</tspan><tspan
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+           id="tspan4524"
+           sodipodi:role="line"
+           x="656.36871"
+           y="647.06647">manager</tspan></text>
+    </g>
+    <g
+       id="scheduler"
+       transform="translate(-100,-118)">
+      <rect
+         transform="matrix(0.83465672,0,0,0.83465672,-4.99823,167.15864)"
+         ry="5.617908"
+         y="475.73566"
+         x="427.94846"
+         height="125.52966"
+         width="231.99153"
+         id="rect4512"
+         style="display:inline;vector-effect:none;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:2.78697;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;filter:url(#filter-1)"
+         inkscape:label="scheduler" />
+      <text
+         id="text4516"
+         y="628.66296"
+         x="447.62476"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.834657"
+         xml:space="preserve"><tspan
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+           y="628.66296"
+           x="447.62476"
+           id="tspan4514"
+           sodipodi:role="line">scheduler</tspan></text>
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.834657"
+       x="560.76428"
+       y="764.29028"
+       id="text1649"><tspan
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+         sodipodi:role="line"
+         id="tspan1647"
+         x="560.76428"
+         y="764.29028">VM or container</tspan></text>
+    <text
+       id="text3666"
+       y="281.34979"
+       x="-192.40442"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:71.7295px;line-height:1.25;font-family:'Noto Color Emoji';-inkscape-font-specification:'Noto Color Emoji, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;display:inline;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1.79323"
+       xml:space="preserve"
+       inkscape:label="emojis"><tspan
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:71.7295px;font-family:'Noto Color Emoji';-inkscape-font-specification:'Noto Color Emoji, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;writing-mode:lr-tb;text-anchor:start;stroke-width:1.79323"
+         y="281.34979"
+         x="-192.40442"
+         id="tspan3664"
+         sodipodi:role="line">👩🏼‍💻👨🏾‍💻🤖</tspan></text>
+    <rect
+       transform="matrix(0.74849003,0,0,0.42877044,-44.82304,220.38115)"
+       y="149.33455"
+       x="-217.52838"
+       height="357.51495"
+       width="435.94931"
+       id="rect3662"
+       style="display:inline;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2.78697;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;filter:url(#filter-1-3)"
+       inkscape:label="terminal" />
+    <text
+       inkscape:label="commands"
+       id="text3656"
+       y="331.70175"
+       x="-189.80005"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:35.8105px;line-height:1.25;font-family:Consolas;-inkscape-font-specification:'Consolas, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;display:inline;fill:#e6e6e6;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.895262"
+       xml:space="preserve"><tspan
+         style="stroke-width:0.895262"
+         y="331.70175"
+         x="-189.80005"
+         sodipodi:role="line"
+         id="tspan1145">$ kubectl ...</tspan></text>
+    <text
+       inkscape:label="thumbsup"
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:71.7295px;line-height:1.25;font-family:'Noto Color Emoji';-inkscape-font-specification:'Noto Color Emoji, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;display:inline;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1.79323"
+       x="207.5956"
+       y="359.34979"
+       id="text5150"><tspan
+         sodipodi:role="line"
+         id="tspan5148"
+         x="207.5956"
+         y="359.34979"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:71.7295px;font-family:'Noto Color Emoji';-inkscape-font-specification:'Noto Color Emoji, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;writing-mode:lr-tb;text-anchor:start;stroke-width:1.79323" /></text>
+    <path
+       inkscape:label="arrow kubectl"
+       sodipodi:nodetypes="cc"
+       inkscape:connector-curvature="0"
+       id="path1135"
+       d="m 198.47677,432.58136 237.89885,-0.39724"
+       style="display:none;vector-effect:none;fill:#cccccc;fill-opacity:1;stroke:#cccccc;stroke-width:20;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker-start:url(#marker1613);marker-end:url(#marker1725);paint-order:normal" />
+    <path
+       inkscape:label="arrow scheduler"
+       style="display:inline;fill:#cccccc;stroke:#cccccc;stroke-width:20;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker4353);paint-order:normal"
+       d="m 414.32586,398.25642 -3.32843,50.64656"
+       id="path4349"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cc" />
+    <path
+       inkscape:label="arrow controller manager"
+       sodipodi:nodetypes="cc"
+       inkscape:connector-curvature="0"
+       id="path6293"
+       d="m 469.44118,396.89114 20.93237,189.75864"
+       style="display:inline;fill:#cccccc;stroke:#cccccc;stroke-width:20;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker6297);paint-order:normal" />
+    <path
+       inkscape:label="node top"
+       style="vector-effect:none;fill:#cccccc;fill-opacity:1;stroke:#cccccc;stroke-width:20;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker-end:url(#marker4502);paint-order:normal"
+       d="M 117.18356,331.36155 274.9691,326.32941"
+       id="path4488"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cc" />
+    <g
+       id="etcd"
+       transform="translate(1.971505,-80.740088)">
+      <rect
+         transform="matrix(0.83465672,0,0,0.83465672,99.00177,181.15864)"
+         style="display:inline;opacity:1;vector-effect:none;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2.78697;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;filter:url(#filter-1)"
+         id="rect4518"
+         width="231.99153"
+         height="125.52966"
+         x="427.27246"
+         y="-4.9364014"
+         ry="5.617908"
+         inkscape:label="etcd" />
+      <text
+         xml:space="preserve"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.834657"
+         x="552.46265"
+         y="161.46683"
+         id="text4522"
+         transform="translate(0,80)"><tspan
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+           sodipodi:role="line"
+           id="tspan4520"
+           x="552.46265"
+           y="161.46683">etcd</tspan></text>
+      <g
+         id="g3228"
+         inkscape:label="storage"
+         style="display:inline"
+         transform="matrix(0.24039167,0,0,0.24784672,397.27503,204.48707)">
+        <ellipse
+           cx="374.0946"
+           cy="234.48322"
+           rx="92.65731"
+           ry="25.358843"
+           style="display:inline;opacity:1;fill:#ffffff;fill-opacity:1;stroke:#000000;stroke-width:5;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:normal"
+           id="ellipse9871" />
+        <path
+           sodipodi:nodetypes="cccc"
+           inkscape:connector-curvature="0"
+           id="rect9873"
+           d="M 281.43729,235.006 V -24.92734 H 466.75191 V 235.006"
+           style="display:inline;opacity:1;fill:#ffffff;fill-opacity:1;stroke:#000000;stroke-width:5;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:normal" />
+        <ellipse
+           ry="25.358843"
+           rx="92.65731"
+           cy="-24.750473"
+           cx="374.0946"
+           id="path9869"
+           style="display:inline;opacity:1;fill:#ffffff;fill-opacity:1;stroke:#000000;stroke-width:5;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:normal" />
+      </g>
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:40px;line-height:1.25;font-family:'Noto Color Emoji';-inkscape-font-specification:'Noto Color Emoji, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none"
+       x="-314.87122"
+       y="76.790283"
+       id="text5696"><tspan
+         sodipodi:role="line"
+         id="tspan5694"
+         x="-314.87122"
+         y="76.790283" /></text>
+    <g
+       id="g6027"
+       transform="translate(173.26362,-123.65545)"
+       inkscape:label="kubelet">
+      <rect
+         transform="matrix(0.83465672,0,0,0.83465672,99.00177,261.15864)"
+         ry="5.617908"
+         y="135.0636"
+         x="427.27243"
+         height="125.52966"
+         width="231.99153"
+         id="rect6021"
+         style="display:inline;vector-effect:none;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:2.78697;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;filter:url(#filter-1)"
+         inkscape:label="rect" />
+      <text
+         id="text6025"
+         y="438.31876"
+         x="552.05261"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.834657"
+         xml:space="preserve"><tspan
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+           y="438.31876"
+           x="552.05261"
+           id="tspan6023"
+           sodipodi:role="line">kubelet</tspan></text>
+    </g>
+    <g
+       id="g6159"
+       inkscape:label="pod"
+       style="display:inline"
+       transform="translate(-465.32975,388.44365)">
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1177.078,188.949 38.7689,-11.2425 38.7688,11.2425 -38.7688,11.24254 z"
+         id="path6139" />
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1177.078,193.25418 v 41.2523 l 36.1218,20.00898 0.1788,-50.46488 z"
+         id="path6141" />
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1254.6157,193.25418 v 41.2523 l -36.1217,20.00898 -0.1788,-50.46488 z"
+         id="path6143" />
+      <text
+         xml:space="preserve"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:22.0298px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.550744"
+         x="1195.4893"
+         y="274.76129"
+         id="text6147"><tspan
+           sodipodi:role="line"
+           id="tspan6145"
+           x="1195.4893"
+           y="274.76129"
+           style="stroke-width:0.550744">pod</tspan></text>
+    </g>
+    <g
+       id="g7100"
+       inkscape:label="container engine"
+       transform="translate(780.76442,-206.55137)">
+      <g
+         id="g7089"
+         transform="translate(-657.05924,68.771622)">
+        <rect
+           transform="matrix(0.83465672,0,0,0.83465672,205.00177,315.15864)"
+           style="display:inline;vector-effect:none;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:2.78697;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;filter:url(#filter-1)"
+           id="rect7081"
+           width="231.99153"
+           height="125.52966"
+           x="426.37198"
+           y="298.2099"
+           ry="5.617908"
+           inkscape:label="controller manager" />
+        <text
+           xml:space="preserve"
+           style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;display:inline;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.834657"
+           x="656.36871"
+           y="606.2431"
+           id="text7087"><tspan
+             style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+             id="tspan7085"
+             sodipodi:role="line"
+             x="656.36871"
+             y="606.2431">container</tspan><tspan
+             style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:32.6587px;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.834657"
+             sodipodi:role="line"
+             x="656.36871"
+             y="647.06647"
+             id="tspan7093">engine</tspan></text>
+      </g>
+    </g>
+    <path
+       sodipodi:nodetypes="cc"
+       inkscape:connector-curvature="0"
+       id="path2048"
+       d="m 718.47061,417.59763 2.84701,-46.58932"
+       style="display:inline;fill:#cccccc;fill-rule:evenodd;stroke:#cccccc;stroke-width:20;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker2054);marker-end:url(#marker2202);paint-order:normal"
+       inkscape:label="node top left" />
+    <path
+       inkscape:label="arrow etcd"
+       style="display:inline;fill:#cccccc;stroke:#cccccc;stroke-width:20;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker6635);paint-order:normal"
+       d="m 465.71622,277.64 30.73977,-64.3282"
+       id="path6537"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cc" />
+    <path
+       inkscape:label="node top"
+       style="display:inline;vector-effect:none;fill:#cccccc;fill-opacity:1;stroke:#cccccc;stroke-width:20;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:3;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker-start:url(#marker1880);marker-end:url(#marker2026);paint-order:normal"
+       d="m 505.55141,327.11713 103.53017,-3.03009"
+       id="path8569"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cc" />
+    <g
+       id="g7154"
+       inkscape:label="pod"
+       style="display:inline"
+       transform="translate(-578.21351,370.84416)">
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1177.078,188.949 38.7689,-11.2425 38.7688,11.2425 -38.7688,11.24254 z"
+         id="path7144" />
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1177.078,193.25418 v 41.2523 l 36.1218,20.00898 0.1788,-50.46488 z"
+         id="path7146" />
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1254.6157,193.25418 v 41.2523 l -36.1217,20.00898 -0.1788,-50.46488 z"
+         id="path7148" />
+      <text
+         xml:space="preserve"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:22.0298px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.550744"
+         x="1195.4893"
+         y="274.76129"
+         id="text7152"><tspan
+           sodipodi:role="line"
+           id="tspan7150"
+           x="1195.4893"
+           y="274.76129"
+           style="stroke-width:0.550744">pod</tspan></text>
+    </g>
+    <g
+       id="g7166"
+       inkscape:label="pod"
+       style="display:inline"
+       transform="translate(-606.70424,238.95491)">
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1177.078,188.949 38.7689,-11.2425 38.7688,11.2425 -38.7688,11.24254 z"
+         id="path7156" />
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1177.078,193.25418 v 41.2523 l 36.1218,20.00898 0.1788,-50.46488 z"
+         id="path7158" />
+      <path
+         inkscape:export-ydpi="376.57999"
+         inkscape:export-xdpi="376.57999"
+         style="fill:#eeeeee;fill-rule:evenodd;stroke:#000000;stroke-width:2.74114;stroke-linecap:square;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         inkscape:connector-curvature="0"
+         d="m 1254.6157,193.25418 v 41.2523 l -36.1217,20.00898 -0.1788,-50.46488 z"
+         id="path7160" />
+      <text
+         xml:space="preserve"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:22.0298px;line-height:1.25;font-family:'Droid Serif';-inkscape-font-specification:'Droid Serif, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.550744"
+         x="1195.4893"
+         y="274.76129"
+         id="text7164"><tspan
+           sodipodi:role="line"
+           id="tspan7162"
+           x="1195.4893"
+           y="274.76129"
+           style="stroke-width:0.550744">pod</tspan></text>
+    </g>
+  </g>
+</svg>

slides/intro-fullday.yml

@@ -20,6 +20,7 @@ content:
 - containers/intro.md
 - shared/about-slides.md
 - shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md

slides/intro-selfpaced.yml

@@ -20,6 +20,7 @@ content:
 - containers/intro.md
 - shared/about-slides.md
 #- shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md

slides/intro-twodays.yml

@@ -20,6 +20,7 @@ content:
 - containers/intro.md
 - shared/about-slides.md
 - shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md

slides/k8s/access-eks-cluster.md

@@ -0,0 +1,104 @@
+## Accessing our EKS cluster
+
+- We also have a shared EKS cluster
+
+- With individual IAM users
+
+- Let's connect to this cluster!
+
+---
+
+## What we need
+
+- `kubectl` (obviously!)
+
+- `aws` CLI (recent-ish version)
+
+  (or `aws` CLI + `aws-iam-authenticator` plugin)
+
+- AWS API access key and secret access key
+
+- AWS region
+
+- EKS cluster name
+
+---
+
+## Setting up AWS credentials
+
+- There are many ways to do this
+
+- We're going to use environment variables
+
+- You're welcome to use whatever you like (e.g. AWS profiles)
+
+.exercise[
+
+- Set the AWS region, API access key, and secret key:
+  ```bash
+  export AWS_DEFAULT_REGION=`us-east-2`
+  export AWS_ACCESS_KEY_ID=`AKI...`
+  export AWS_SECRET_ACCESS_KEY=`xyz123...`
+  ```
+
+- Check that the AWS API recognizes us:
+  ```bash
+  aws sts get-caller-identity
+  ```
+
+]
+
+---
+
+## Updating our kubeconfig file
+
+- Now we can use the AWS CLI to:
+
+  - obtain the Kubernetes API address
+
+  - register it in our kubeconfig file
+
+.exercise[
+
+- Update our kubeconfig file:
+  ```bash
+  aws eks update-kubeconfig --name `fancy-clustername-1234`
+  ```
+
+- Run some harmless command:
+  ```bash
+  kubectl version
+  ```
+
+]
+
+---
+
+## Our resources
+
+- We have the following permissions:
+
+  - `view` in the `default` namespace
+
+  - `edit` in the `container-training` namespace
+
+  - `admin` in our personal namespace
+
+- Our personal namespace is our IAM user name
+
+  (but with dots replaced with dashes)
+
+- For instance, user `ada.lovelace` has namespace `ada-lovelace`
+
+---
+
+## Deploying things
+
+- Let's deploy DockerCoins in our personal namespace!
+
+- Expose the Web UI with a `LoadBalancer` service
+
+???
+
+:EN:- Working with an EKS cluster
+:FR:- Travailler avec un cluster EKS

slides/k8s/accessinternal.md

@@ -134,3 +134,17 @@ installed and set up `kubectl` to communicate with your cluster.
 
 :EN:- Securely accessing internal services
 :FR:- Accès sécurisé aux services internes
+
+:T: Accessing internal services from our local machine
+
+:Q: What's the advantage of "kubectl port-forward" compared to a NodePort?
+:A: It can forward arbitrary protocols
+:A: It doesn't require Kubernetes API credentials
+:A: It offers deterministic load balancing (instead of random)
+:A: ✔️It doesn't expose the service to the public
+
+:Q: What's the security concept behind "kubectl port-forward"?
+:A: ✔️We authenticate with the Kubernetes API, and it forwards connections on our behalf
+:A: It detects our source IP address, and only allows connections coming from it
+:A: It uses end-to-end mTLS (mutual TLS) to authenticate our connections
+:A: There is no security (as long as it's running, anyone can connect from anywhere)

slides/k8s/authn-authz.md

@@ -733,17 +733,19 @@ class: extra-details
 
 ## Figuring out who can do what
 
-- For auditing purposes, sometimes we want to know who can perform an action
+- For auditing purposes, sometimes we want to know who can perform which actions
 
-- There are a few tools to help us with that
+- There are a few tools to help us with that, available as `kubectl` plugins:
 
-  - [kubectl-who-can](https://github.com/aquasecurity/kubectl-who-can) by Aqua Security
+  - `kubectl who-can` / [kubectl-who-can](https://github.com/aquasecurity/kubectl-who-can) by Aqua Security
 
-  - [Review Access (aka Rakkess)](https://github.com/corneliusweig/rakkess)
+  - `kubectl access-matrix` / [Rakkess (Review Access)](https://github.com/corneliusweig/rakkess) by Cornelius Weig
 
-- Both are available as standalone programs, or as plugins for `kubectl`
+  - `kubectl rbac-lookup` / [RBAC Lookup](https://github.com/FairwindsOps/rbac-lookup) by FairwindsOps
 
-  (`kubectl` plugins can be installed and managed with `krew`)
+- `kubectl` plugins can be installed and managed with `krew`
+
+- They can also be installed and executed as standalone programs
 
 ???
 

slides/k8s/authoring-yaml.md

@@ -1,6 +1,6 @@
 # Authoring YAML
 
-- There are various ways to generate YAML with Kubernetes, e.g.:
+- We have already generated YAML implicitly, with e.g.:
 
   - `kubectl run`
 
@@ -32,26 +32,63 @@
 
 ---
 
-## We don't have to start from scratch
+## Various ways to write YAML
 
-- Create a resource (e.g. Deployment)
+- Completely from scratch with our favorite editor
 
-- Dump its YAML with `kubectl get -o yaml ...`
+  (yeah, right)
 
-- Edit the YAML
+- Dump an existing resource with `kubectl get -o yaml ...`
 
-- Use `kubectl apply -f ...` with the YAML file to:
+  (it is recommended to clean up the result)
 
-  - update the resource (if it's the same kind)
+- Ask `kubectl` to generate the YAML
 
-  - create a new resource (if it's a different kind)
+  (with a `kubectl create --dry-run -o yaml`)
 
-- Or: Use The Docs, Luke
+- Use The Docs, Luke
 
   (the documentation almost always has YAML examples)
 
 ---
 
+## Generating YAML from scratch
+
+- Start with a namespace:
+  ```yaml
+    kind: Namespace
+    apiVersion: v1
+    metadata:
+      name: hello
+  ```
+
+- We can use `kubectl explain` to see resource definitions:
+  ```bash
+  kubectl explain -r pod.spec
+  ```
+
+- Not the easiest option!
+
+---
+
+## Dump the YAML for an existing resource
+
+- `kubectl get -o yaml` works!
+
+- A lot of fields in `metadata` are not necessary
+
+  (`managedFields`, `resourceVersion`, `uid`, `creationTimestamp` ...)
+
+- Most objects will have a `status` field that is not necessary
+
+- Default or empty values can also be removed for clarity
+
+- This can be done manually or with the `kubectl-neat` plugin
+
+  `kubectl get -o yaml ... | kubectl neat`
+
+---
+
 ## Generating YAML without creating resources
 
 - We can use the `--dry-run` option
@@ -63,14 +100,18 @@
   kubectl create deployment web --image nginx --dry-run
   ```
 
+- Optionally clean it up with `kubectl neat`, too
+
 ]
 
-- We can clean up that YAML even more if we want
+Note: in recent versions of Kubernetes, we should use `--dry-run=client`
 
-  (for instance, we can remove the `creationTimestamp` and empty dicts)
+(Or `--dry-run=server`; more on that later!)
 
 ---
 
+class: extra-details
+
 ## Using `--dry-run` with `kubectl apply`
 
 - The `--dry-run` option can also be used with `kubectl apply`
@@ -87,6 +128,8 @@
 
 ---
 
+class: extra-details
+
 ## The limits of `kubectl apply --dry-run`
 
 .exercise[
@@ -112,6 +155,8 @@ The resulting YAML doesn't represent a valid DaemonSet.
 
 ---
 
+class: extra-details
+
 ## Server-side dry run
 
 - Since Kubernetes 1.13, we can use [server-side dry run and diffs](https://kubernetes.io/blog/2019/01/14/apiserver-dry-run-and-kubectl-diff/)
@@ -135,6 +180,8 @@ Instead, it has the fields expected in a DaemonSet.
 
 ---
 
+class: extra-details
+
 ## Advantages of server-side dry run
 
 - The YAML is verified much more extensively
@@ -149,6 +196,8 @@ Instead, it has the fields expected in a DaemonSet.
 
 ---
 
+class: extra-details
+
 ## `kubectl diff`
 
 - Kubernetes 1.13 also introduced `kubectl diff`
@@ -209,3 +258,8 @@ Note: we don't need to specify `--validate=false` here.
   - check that it still works!
 
 - That YAML will be useful later when using e.g. Kustomize or Helm
+
+???
+
+:EN:- Techniques to write YAML manifests
+:FR:- Comment écrire des *manifests* YAML

slides/k8s/cert-manager.md

@@ -58,25 +58,20 @@
 
 .exercise[
 
-- Create the namespace for cert-manager:
+- Let's install the cert-manager Helm chart with this one-liner:
   ```bash
-  kubectl create ns cert-manager
-  ```
-
-- Add the Jetstack repository:
-  ```bash
-  helm repo add jetstack https://charts.jetstack.io
-  ```
-
-- Install cert-manager:
-  ```bash
-    helm install cert-manager jetstack/cert-manager \
-         --namespace cert-manager \
-         --set installCRDs=true
+    helm install cert-manager cert-manager \
+        --repo https://charts.jetstack.io \
+        --create-namespace --namespace cert-manager \
+        --set installCRDs=true
   ```
 
 ]
 
+- If you prefer to install with a single YAML file, that's fine too!
+
+  (see [the documentation](https://cert-manager.io/docs/installation/kubernetes/#installing-with-regular-manifests) for instructions)
+
 ---
 
 ## ClusterIssuer manifest
@@ -223,6 +218,24 @@ spec:
 
 class: extra-details
 
+## Automatic TLS Ingress with annotations
+
+- It is also possible to annotate Ingress resources for cert-manager
+
+- If we annotate an Ingress resource with `cert-manager.io/cluster-issuer=xxx`:
+
+  - cert-manager will detect that annotation
+
+  - it will obtain a certificate using the specified ClusterIssuer (`xxx`)
+
+  - it will store the key and certificate in the specified Secret
+
+- Note: the Ingress still needs the `tls` section with `secretName` and `hosts`
+
+---
+
+class: extra-details
+
 ## Let's Encrypt and nip.io
 
 - Let's Encrypt has [rate limits](https://letsencrypt.org/docs/rate-limits/) per domain
@@ -242,3 +255,5 @@ class: extra-details
 
 :EN:- Obtaining certificates with cert-manager
 :FR:- Obtenir des certificats avec cert-manager
+
+:T: Obtaining TLS certificates with cert-manager

slides/k8s/concepts-k8s.md

@@ -220,6 +220,41 @@ class: extra-details
 
 ---
 
+class: pic
+![](images/control-planes/single-node-dev.svg)
+
+---
+
+class: pic
+![](images/control-planes/managed-kubernetes.svg)
+
+---
+
+class: pic
+![](images/control-planes/single-control-and-workers.svg)
+
+---
+
+class: pic
+![](images/control-planes/stacked-control-plane.svg)
+
+---
+
+class: pic
+![](images/control-planes/non-dedicated-stacked-nodes.svg)
+
+---
+
+class: pic
+![](images/control-planes/advanced-control-plane.svg)
+
+---
+
+class: pic
+![](images/control-planes/advanced-control-plane-split-events.svg)
+
+---
+
 class: extra-details
 
 ## How many nodes should a cluster have?

slides/k8s/exercise-sealed-secrets.md

@@ -0,0 +1,99 @@
+# Exercise — sealed secrets
+
+This is a "combo exercise" to practice the following concepts:
+
+- Secrets (mounting them in containers)
+
+- RBAC (granting specific permissions to specific users)
+
+- Operators (specifically, sealed secrets)
+
+- Migrations (copying/transferring resources from a cluster to another)
+
+For this exercise, you will need two clusters.
+
+(It can be two local clusters.)
+
+We will call them "source cluster" and "target cluster".
+
+---
+
+## Step 1 (easy)
+
+- Install the sealed secrets operator on both clusters
+
+- On source cluster, create a Namespace called `dev`
+
+- Create two sealed secrets, `verysecure` and `veryverysecure`
+
+  (the content doesn't matter; put a random string of your choice)
+
+- Create a Deployment called `app` using both secrets
+
+  (use a mount or environment variables; whatever you prefer!)
+
+- Verify that the secrets are available to the Deployment
+
+---
+
+## Step 2 (medium)
+
+- Create another Namespace called `prod`
+
+  (on the source cluster)
+
+- Create the same Deployment `app` using both secrets
+
+- Verify that the secrets are available to the Deployment
+
+---
+
+## Step 3 (hard)
+
+- On the target cluster, create a Namespace called `prod`
+
+- Create the `app` Deployment and both sealed secrets
+
+  (do not copy the Secrets; only the sealed secrets)
+
+- Check the next slide if you need a hint!
+
+--
+
+- You will have to copy the Sealed Secret private key
+
+---
+
+## Step 4 (medium)
+
+On the target cluster, create the Namespace `dev`.
+
+Let's say that user `alice` has access to the target cluster.
+
+(You can use `kubectl --as=alice` to impersonate her.)
+
+We want Alice to be able to:
+
+- deploy the whole application
+
+- access the `verysecure` secret
+
+- but *not* the `veryverysecure` secret
+
+---
+
+## Step 5 (hard)
+
+- Make sure that Alice can view the logs of the Deployment
+
+- Can you think of a way for Alice to access the `veryverysecure` Secret?
+
+  (check next slide for a hint)
+
+--
+
+- `kubectl exec`, maybe?
+
+--
+
+- Can you think of a way to prevent that?

slides/k8s/helm-chart-format.md

@@ -40,7 +40,22 @@
 
   - a `Chart.yaml` file, containing metadata (name, version, description ...)
 
-- Let's look at a simple chart, `stable/tomcat`
+- Let's look at a simple chart for a basic demo app
+
+---
+
+## Adding the repo
+
+- If you haven't done it before, you need to add the repo for that chart
+
+.exercise[
+
+- Add the repo that holds the chart for the OWASP Juice Shop:
+  ```bash
+  helm repo add juice https://charts.securecodebox.io
+  ```
+
+]
 
 ---
 
@@ -50,17 +65,17 @@
 
 .exercise[
 
-- Download the tarball for `stable/tomcat`:
+- Download the tarball for `juice/juice-shop`:
   ```bash
-  helm pull stable/tomcat
+  helm pull juice/juice-shop
   ```
-  (This will create a file named `tomcat-X.Y.Z.tgz`.)
+  (This will create a file named `juice-shop-X.Y.Z.tgz`.)
 
-- Or, download + untar `stable/tomcat`:
+- Or, download + untar `juice/juice-shop`:
   ```bash
-  helm pull stable/tomcat --untar
+  helm pull juice/juice-shop --untar
   ```
-  (This will create a directory named `tomcat`.)
+  (This will create a directory named `juice-shop`.)
 
 ]
 
@@ -68,13 +83,13 @@
 
 ## Looking at the chart's content
 
-- Let's look at the files and directories in the `tomcat` chart
+- Let's look at the files and directories in the `juice-shop` chart
 
 .exercise[
 
 - Display the tree structure of the chart we just downloaded:
   ```bash
-  tree tomcat
+  tree juice-shop
   ```
 
 ]
@@ -93,12 +108,11 @@ We see the components mentioned above: `Chart.yaml`, `templates/`, `values.yaml`
 
   (using the standard Go template library)
 
-
 .exercise[
 
-- Look at the template file for the tomcat Service resource:
+- Look at the template file for the Service resource:
   ```bash
-  cat tomcat/templates/appsrv-svc.yaml
+  cat juice-shop/templates/service.yaml
   ```
 
 ]
@@ -190,7 +204,7 @@ We see the components mentioned above: `Chart.yaml`, `templates/`, `values.yaml`
 
 - At the top-level of the chart, it's a good idea to have a README
 
-- It will be viewable with e.g. `helm show readme stable/tomcat`
+- It will be viewable with e.g. `helm show readme juice/juice-shop`
 
 - In the `templates/` directory, we can also have a `NOTES.txt` file
 

slides/k8s/helm-dependencies.md

@@ -0,0 +1,338 @@
+# Charts using other charts
+
+- Helm charts can have *dependencies* on other charts
+
+- These dependencies will help us to share or reuse components
+
+  (so that we write and maintain less manifests, less templates, less code!)
+
+- As an example, we will use a community chart for Redis
+
+- This will help people who write charts, and people who use them
+
+- ... And potentially remove a lot of code! ✌️
+
+---
+
+## Redis in DockerCoins
+
+- In the DockerCoins demo app, we have 5 components:
+
+  - 2 internal webservices
+  - 1 worker
+  - 1 public web UI
+  - 1 Redis data store
+
+- Every component is running some custom code, except Redis
+
+- Every component is using a custom image, except Redis
+
+  (which is using the official `redis` image)
+
+- Could we use a standard chart for Redis?
+
+- Yes! Dependencies to the rescue!
+
+---
+
+## Adding our dependency
+
+- First, we will add the dependency to the `Chart.yaml` file
+
+- Then, we will ask Helm to download that dependency
+
+- We will also *lock* the dependency
+
+  (lock it to a specific version, to ensure reproducibility)
+
+---
+
+## Declaring the dependency
+
+- First, let's edit `Chart.yaml`
+
+.exercise[
+
+- In `Chart.yaml`, fill the `dependencies` section:
+  ```yaml
+    dependencies:
+      - name: redis
+        version: 11.0.5
+        repository: https://charts.bitnami.com/bitnami
+        condition: redis.enabled
+  ```
+
+]
+
+Where do that `repository` and `version` come from?
+
+We're assuming here that we did our reserach,
+or that our resident Helm expert advised us to
+use Bitnami's Redis chart.
+
+---
+
+## Conditions
+
+- The `condition` field gives us a way to enable/disable the dependency:
+  ```yaml
+  conditions: redis.enabled
+  ```
+
+- Here, we can disable Redis with the Helm flag `--set redis.enabled=false`
+
+  (or set that value in a `values.yaml` file)
+
+- Of course, this is mostly useful for *optional* dependencies
+
+  (otherwise, the app ends up being broken since it'll miss a component)
+
+---
+
+## Lock & Load!
+
+- After adding the dependency, we ask Helm to pin an download it
+
+.exercise[
+
+- Ask Helm:
+  ```bash
+  helm dependency update
+  ```
+
+  (Or `helm dep up`)
+
+]
+
+- This wil create `Chart.lock` and fetch the dependency
+
+---
+
+## What's `Chart.lock`?
+
+- This is a common pattern with dependencies
+
+  (see also: `Gemfile.lock`, `package.json.lock`, and many others)
+
+- This lets us define loose dependencies in `Chart.yaml`
+
+  (e.g. "version 11.whatever, but below 12")
+
+- But have the exact version used in `Chart.lock`
+
+- This ensures reproducible deployments
+
+- `Chart.lock` can (should!) be added to our source tree
+
+- `Chart.lock` can (should!) regularly be updated
+
+---
+
+## Loose dependencies
+
+- Here is an example of loose version requirement:
+  ```yaml
+    dependencies:
+      - name: redis
+        version: ">=11, <12"
+        repository: https://charts.bitnami.com/bitnami
+  ```
+
+- This makes sure that we have the most recent version in the 11.x train
+
+- ... But without upgrading to version 12.x
+
+  (because it might be incompatible)
+
+---
+
+## `build` vs `update`
+
+- Helm actually offers two commands to manage dependencies:
+
+  `helm dependency build` = fetch dependencies listed in `Chart.lock`
+
+  `helm dependency update` = update `Chart.lock` (and run `build`)
+
+- When the dependency gets updated, we can/should:
+
+  - `helm dep up` (update `Chart.lock` and fetch new chart)
+
+  - test!
+
+  - if everything is fine, `git add Chart.lock` and commit
+
+---
+
+## Where are my dependencies?
+
+- Dependencies are downloaded to the `charts/` subdirectory
+
+- When they're downloaded, they stay in compressed format (`.tgz`)
+
+- Should we commit them to our code repository?
+
+- Pros:
+
+  - more resilient to internet/mirror failures/decomissioning
+
+- Cons:
+
+  - can add a lot of weight to the repo if charts are big or change often
+
+  - this can be solved by extra tools like git-lfs
+
+---
+
+## Dependency tuning
+
+- DockerCoins expects the `redis` Service to be named `redis`
+
+- Our Redis chart uses a different Service name by default
+
+- Service name is `{{ template "redis.fullname" . }}-master`
+
+- `redis.fullname` looks like this:
+  ```
+    {{- define "redis.fullname" -}}
+    {{- if .Values.fullnameOverride -}}
+    {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+    {{- else -}}
+    [...]
+    {{- end }}
+    {{- end }}
+  ```
+
+- How do we fix this?
+
+---
+
+## Setting dependency variables
+
+- If we set `fullnameOverride` to `redis`:
+
+  - the `{{ template ... }}` block will output `redis`
+
+  - the Service name will be `redis-master`
+
+- A parent chart can set values for its dependencies
+
+- For example, in the parent's `values.yaml`:
+
+  ```yaml
+    redis:                    # Name of the dependency
+      fullnameOverride: redis # Value passed to redis
+      cluster:                # Other values passed to redis
+        enabled: false
+  ```
+
+- User can also set variables with `--set=` or with `--values=`
+
+---
+
+class: extra-details
+
+## Passing templates
+
+- We can even pass template `{{ include "template.name" }}`, but warning:
+
+   - need to be evaluated with the `tpl` function, on the child side
+
+   - evaluated in the context of the child, with no access to parent variables
+
+<!-- FIXME this probably deserves an example, but I can't imagine one right now 😅 -->
+
+---
+
+## Getting rid of the `-master`
+
+- Even if we set that `fullnameOverride`, the Service name will be `redis-master`
+
+- To remove the `-master` suffix, we need to edit the chart itself
+
+- To edit the Redis chart, we need to *embed* it in our own chart
+
+- We need to:
+
+  - decompress the chart
+
+  - adjust `Chart.yaml` accordingly
+
+---
+
+## Embedding a dependency
+
+.exercise[
+
+- Decompress the chart:
+  ```yaml
+  cd charts
+  tar zxf redis-*.tgz
+  cd ..
+  ```
+
+- Edit `Chart.yaml` and update the `dependencies` section:
+  ```yaml
+    dependencies:
+      - name: redis
+        version: '*' # No need to constraint version, from local files
+  ```
+
+- Run `helm dep update`
+
+]
+
+---
+
+## Updating the dependency
+
+- Now we can edit the Service name
+
+  (it should be in `charts/redis/templates/redis-master-svc.yaml`)
+
+- Then try to deploy the whole chart!
+
+---
+
+## Embedding a dependency multiple times
+
+- What if we need multiple copies of the same subchart?
+
+  (for instance, if we need two completely different Redis servers)
+
+- We can declare a dependency multiple times, and specify an `alias`:
+  ```yaml
+  dependencies:
+    - name: redis
+      version: '*'
+      alias: querycache
+    - name: redis
+      version: '*'
+      alias: celeryqueue
+  ```
+
+- `.Chart.Name` will be set to the `alias`
+
+---
+
+class: extra-details
+
+## Compatibility with Helm 2
+
+- Chart `apiVersion: v1` is the only version supported by Helm 2
+
+- Chart v1 is also supported by Helm 3
+
+- Use v1 if you want to be compatible with Helm 2
+
+- Instead of `Chart.yaml`, dependencies are defined in `requirements.yaml`
+
+  (and we should commit `requirements.lock` instead of `Chart.lock`)
+
+???
+
+:EN:- Depending on other charts
+:EN:- Charts within charts
+
+:FR:- Dépendances entre charts
+:FR:- Un chart peut en cacher un autre

slides/k8s/helm-intro.md

@@ -1,20 +1,84 @@
 # Managing stacks with Helm
 
-- We created our first resources with `kubectl run`, `kubectl expose` ...
+- Helm is a (kind of!) package manager for Kubernetes
 
-- We have also created resources by loading YAML files with `kubectl apply -f`
+- We can use it to:
 
-- For larger stacks, managing thousands of lines of YAML is unreasonable
+  - find existing packages (called "charts") created by other folks
 
-- These YAML bundles need to be customized with variable parameters
+  - install these packages, configuring them for our particular setup
 
-  (E.g.: number of replicas, image version to use ...)
+  - package our own things (for distribution or for internal use)
 
-- It would be nice to have an organized, versioned collection of bundles
+  - manage the lifecycle of these installs (rollback to previous version etc.)
 
-- It would be nice to be able to upgrade/rollback these bundles carefully
+- It's a "CNCF graduate project", indicating a certain level of maturity
 
-- [Helm](https://helm.sh/) is an open source project offering all these things!
+  (more on that later)
+
+---
+
+## From `kubectl run` to YAML
+
+- We can create resources with one-line commands
+
+  (`kubectl run`, `kubectl createa deployment`, `kubectl expose`...)
+
+- We can also create resources by loading YAML files
+
+  (with `kubectl apply -f`, `kubectl create -f`...)
+
+- There can be multiple resources in a single YAML files
+
+  (making them convenient to deploy entire stacks)
+
+- However, these YAML bundles often need to be customized
+
+  (e.g.: number of replicas, image version to use, features to enable...)
+
+---
+
+## Beyond YAML
+
+- Very often, after putting together our first `app.yaml`, we end up with:
+
+  - `app-prod.yaml`
+
+  - `app-staging.yaml`
+
+  - `app-dev.yaml`
+
+  - instructions indicating to users "please tweak this and that in the YAML"
+
+- That's where using something like
+  [CUE](https://github.com/cuelang/cue/blob/v0.3.2/doc/tutorial/kubernetes/README.md),
+  [Kustomize](https://kustomize.io/),
+  or [Helm](https://helm.sh/) can help!
+
+- Now we can do something like this:
+  ```bash
+  helm install app ... --set this.parameter=that.value
+  ```
+
+---
+
+## Other features of Helm
+
+- With Helm, we create "charts"
+
+- These charts can be used internally or distributed publicly
+
+- Public charts can be indexed through the [Artifact Hub](https://artifacthub.io/)
+
+- This gives us a way to find and install other folks' charts
+
+- Helm also gives us ways to manage the lifecycle of what we install:
+
+  - keep track of what we have installed
+
+  - upgrade versions, change parameters, roll back, uninstall
+
+- Furthermore, even if it's not "the" standard, it's definitely "a" standard!
 
 ---
 
@@ -22,7 +86,7 @@
 
 - On April 30th 2020, Helm was the 10th project to *graduate* within the CNCF
 
-  .emoji[🎉]
+  🎉
 
   (alongside Containerd, Prometheus, and Kubernetes itself)
 
@@ -229,71 +293,95 @@ fine for personal and development clusters.)
 
 ---
 
-## Managing repositories
-
-- Let's check what repositories we have, and add the `stable` repo
-
-  (the `stable` repo contains a set of official-ish charts)
-
-.exercise[
-
-- List our repos:
-  ```bash
-  helm repo list
-  ```
-
-- Add the `stable` repo:
-  ```bash
-  helm repo add stable https://charts.helm.sh/stable
-  ```
-
-]
-
-Adding a repo can take a few seconds (it downloads the list of charts from the repo).
-
-It's OK to add a repo that already exists (it will merely update it).
-
----
-
 class: extra-details
 
-## Deprecation warning
+## How to find charts, the old way
 
-- That "stable" is being deprecated, in favor of a more decentralized approach
+- Helm 2 came with one pre-configured repo, the "stable" repo
 
-  (each community / company / group / project hosting their own repository)
+  (located at https://charts.helm.sh/stable)
 
-- We're going to use it here for educational purposes
+- Helm 3 doesn't have any pre-configured repo
 
-- But if you're looking for production-grade charts, look elsewhere!
+- The "stable" repo mentioned above is now being deprecated
 
-  (namely, on the Helm Hub)
+- The new approach is to have fully decentralized repos
+
+- Repos can be indexed in the Artifact Hub
+
+  (which supersedes the Helm Hub)
 
 ---
 
-## Search available charts
+## How to find charts, the new way
 
-- We can search available charts with `helm search`
+- Go to the [Artifact Hub](https://artifacthub.io/packages/search?kind=0) (https://artifacthub.io)
 
-- We need to specify where to search (only our repos, or Helm Hub)
+- Or use `helm search hub ...` from the CLI
 
-- Let's search for all charts mentioning tomcat!
+- Let's try to find a Helm chart for something called "OWASP Juice Shop"!
+
+  (it is a famous demo app used in security challenges)
+
+---
+
+## Finding charts from the CLI
+
+- We can use `helm search hub <keyword>`
 
 .exercise[
 
-- Search for tomcat in the repo that we added earlier:
+- Look for the OWASP Juice Shop app:
   ```bash
-  helm search repo tomcat
+  helm search hub owasp juice
   ```
 
-- Search for tomcat on the Helm Hub:
+- Since the URLs are truncated, try with the YAML output:
   ```bash
-  helm search hub tomcat
+  helm search hub owasp juice -o yaml
   ```
 
 ]
 
-[Helm Hub](https://hub.helm.sh/) indexes many repos, using the [Monocular](https://github.com/helm/monocular) server.
+Then go to → https://artifacthub.io/packages/helm/seccurecodebox/juice-shop
+
+---
+
+## Finding charts on the web
+
+- We can also use the Artifact Hub search feature
+
+.exercise[
+
+- Go to https://artifacthub.io/
+
+- In the search box on top, enter "owasp juice"
+
+- Click on the "juice-shop" result (not "multi-juicer" or "juicy-ctf")
+
+]
+
+---
+
+## Installing the chart
+
+- Click on the "Install" button, it will show instructions
+
+.exercise[
+
+- First, add the repository for that chart:
+  ```bash
+  helm repo add juice https://charts.securecodebox.io
+  ```
+
+- Then, install the chart:
+  ```bash
+  helm install my-juice-shop juice/juice-shop
+  ```
+
+]
+
+Note: it is also possible to install directly a chart, with `--repo https://...`
 
 ---
 
@@ -301,22 +389,22 @@ class: extra-details
 
 - "Installing a chart" means creating a *release*
 
-- We need to name that release
+- In the previous exemple, the release was named "my-juice-shop"
 
-  (or use the `--generate-name` to get Helm to generate one for us)
+- We can also use `--generate-name` to ask Helm to generate a name for us
 
 .exercise[
 
-- Install the tomcat chart that we found earlier:
-  ```bash
-  helm install java4ever stable/tomcat
-  ```
-
 - List the releases:
   ```bash
   helm list
   ```
 
+- Check that we have a `my-juice-shop-...` Pod up and running:
+  ```bash
+  kubectl get pods
+  ```
+
 ]
 
 ---
@@ -329,13 +417,13 @@ class: extra-details
 
 - The `helm search` command only takes a search string argument
 
-  (e.g. `helm search tomcat`)
+  (e.g. `helm search juice-shop`)
 
 - With Helm 2, the name is optional:
 
-  `helm install stable/tomcat` will automatically generate a name
+  `helm install juice/juice-shop` will automatically generate a name
 
-  `helm install --name java4ever stable/tomcat` will specify a name
+  `helm install --name my-juice-shop juice/juice-shop` will specify a name
 
 ---
 
@@ -349,12 +437,12 @@ class: extra-details
 
 - List all the resources created by this release:
   ```bash
-  kubectl get all --selector=release=java4ever
+  kubectl get all --selector=app.kubernetes.io/instance=my-juice-shop
   ```
 
 ]
 
-Note: this `release` label wasn't added automatically by Helm.
+Note: this label wasn't added automatically by Helm.
 <br/>
 It is defined in that chart. In other words, not all charts will provide this label.
 
@@ -362,11 +450,11 @@ It is defined in that chart. In other words, not all charts will provide this la
 
 ## Configuring a release
 
-- By default, `stable/tomcat` creates a service of type `LoadBalancer`
+- By default, `juice/juice-shop` creates a service of type `ClusterIP`
 
 - We would like to change that to a `NodePort`
 
-- We could use `kubectl edit service java4ever-tomcat`, but ...
+- We could use `kubectl edit service my-juice-shop`, but ...
 
   ... our changes would get overwritten next time we update that chart!
 
@@ -386,14 +474,14 @@ It is defined in that chart. In other words, not all charts will provide this la
 
 .exercise[
 
-- Look at the README for tomcat:
+- Look at the README for the app:
   ```bash
-  helm show readme stable/tomcat
+  helm show readme juice/juice-shop
   ```
 
 - Look at the values and their defaults:
   ```bash
-  helm show values stable/tomcat
+  helm show values juice/juice-shop
   ```
 
 ]
@@ -410,18 +498,19 @@ The `readme` may or may not have (accurate) explanations for the values.
 
 - Values can be set when installing a chart, or when upgrading it
 
-- We are going to update `java4ever` to change the type of the service
+- We are going to update `my-juice-shop` to change the type of the service
 
 .exercise[
 
-- Update `java4ever`:
+- Update `my-juice-shop`:
   ```bash
-  helm upgrade java4ever stable/tomcat --set service.type=NodePort
+  helm upgrade my-juice-shop juice/my-juice-shop \
+       --set service.type=NodePort
   ```
 
 ]
 
-Note that we have to specify the chart that we use (`stable/tomcat`),
+Note that we have to specify the chart that we use (`juice/my-juice-shop`),
 even if we just want to update some values.
 
 We can set multiple values. If we want to set many values, we can use `-f`/`--values` and pass a YAML file with all the values.
@@ -430,25 +519,21 @@ All unspecified values will take the default values defined in the chart.
 
 ---
 
-## Connecting to tomcat
+## Connecting to the Juice Shop
 
-- Let's check the tomcat server that we just installed
-
-- Note: its readiness probe has a 60s delay
-
-  (so it will take 60s after the initial deployment before the service works)
+- Let's check the app that we just installed
 
 .exercise[
 
 - Check the node port allocated to the service:
   ```bash
-  kubectl get service java4ever-tomcat
-  PORT=$(kubectl get service java4ever-tomcat -o jsonpath={..nodePort})
+  kubectl get service my-juice-shop
+  PORT=$(kubectl get service my-juice-shop -o jsonpath={..nodePort})
   ```
 
-- Connect to it, checking the demo app on `/sample/`:
+- Connect to it:
   ```bash
-  curl localhost:$PORT/sample/
+  curl localhost:$PORT/
   ```
 
 ]
@@ -462,3 +547,17 @@ All unspecified values will take the default values defined in the chart.
 :FR:- Fonctionnement général de Helm
 :FR:- Installer des composants via Helm
 :FR:- Helm 2, Helm 3, et le *Helm Hub*
+
+:T: Getting started with Helm and its concepts
+
+:Q: Which comparison is the most adequate?
+:A: Helm is a firewall, charts are access lists
+:A: ✔️Helm is a package manager, charts are packages
+:A: Helm is an artefact repository, charts are artefacts
+:A: Helm is a CI/CD platform, charts are CI/CD pipelines
+
+:Q: What's required to distribute a Helm chart?
+:A: A Helm commercial license
+:A: A Docker registry
+:A: An account on the Helm Hub
+:A: ✔️An HTTP server

slides/k8s/helm-secrets.md

@@ -12,22 +12,37 @@
 
 ---
 
+## Adding the repo
+
+- If you haven't done it before, you need to add the repo for that chart
+
+.exercise[
+
+- Add the repo that holds the chart for the OWASP Juice Shop:
+  ```bash
+  helm repo add juice https://charts.securecodebox.io
+  ```
+
+]
+
+---
+
 ## We need a release
 
 - We need to install something with Helm
 
-- Let's use the `stable/tomcat` chart as an example
+- Let's use the `juice/juice-shop` chart as an example
 
 .exercise[
 
-- Install a release called `tomcat` with the chart `stable/tomcat`:
+- Install a release called `orange` with the chart `juice/juice-shop`:
   ```bash
-  helm upgrade tomcat stable/tomcat --install
+  helm upgrade orange juice/juice-shop --install
   ```
 
 - Let's upgrade that release, and change a value:
   ```bash
-  helm upgrade tomcat stable/tomcat --set ingress.enabled=true
+  helm upgrade orange juice/juice-shop --set ingress.enabled=true
   ```
 
 ]
@@ -42,7 +57,7 @@
 
 - View the history for that release:
   ```bash
-  helm history tomcat
+  helm history orange
   ```
 
 ]
@@ -82,11 +97,11 @@ We should see a number of secrets with TYPE `helm.sh/release.v1`.
 
 .exercise[
 
-- Examine the secret corresponding to the second release of `tomcat`:
+- Examine the secret corresponding to the second release of `orange`:
   ```bash
-  kubectl describe secret sh.helm.release.v1.tomcat.v2
+  kubectl describe secret sh.helm.release.v1.orange.v2
   ```
-  (`v1` is the secret format; `v2` means revision 2 of the `tomcat` release)
+  (`v1` is the secret format; `v2` means revision 2 of the `orange` release)
 
 ]
 
@@ -102,7 +117,7 @@ There is a key named `release`.
 
 - Dump the secret:
   ```bash
-  kubectl get secret sh.helm.release.v1.tomcat.v2 \
+  kubectl get secret sh.helm.release.v1.orange.v2 \
       -o go-template='{{ .data.release }}'
   ```
 
@@ -120,7 +135,7 @@ Secrets are encoded in base64. We need to decode that!
 
 - Decode the secret:
   ```bash
-  kubectl get secret sh.helm.release.v1.tomcat.v2 \
+  kubectl get secret sh.helm.release.v1.orange.v2 \
       -o go-template='{{ .data.release | base64decode }}'
   ```
 
@@ -144,7 +159,7 @@ Let's try one more round of decoding!
 
 - Decode it twice:
   ```bash
-  kubectl get secret sh.helm.release.v1.tomcat.v2 \
+  kubectl get secret sh.helm.release.v1.orange.v2 \
       -o go-template='{{ .data.release | base64decode | base64decode }}'
   ```
 
@@ -164,7 +179,7 @@ Let's try one more round of decoding!
 
 - Pipe the decoded release through `file -`:
   ```bash
-  kubectl get secret sh.helm.release.v1.tomcat.v2 \
+  kubectl get secret sh.helm.release.v1.orange.v2 \
       -o go-template='{{ .data.release | base64decode | base64decode }}' \
       | file -
   ```
@@ -185,7 +200,7 @@ Gzipped data! It can be decoded with `gunzip -c`.
 
 - Rerun the previous command, but with `| gunzip -c > release-info` :
   ```bash
-  kubectl get secret sh.helm.release.v1.tomcat.v2 \
+  kubectl get secret sh.helm.release.v1.orange.v2 \
       -o go-template='{{ .data.release | base64decode | base64decode }}' \
       | gunzip -c > release-info
   ```
@@ -211,7 +226,7 @@ If we inspect that JSON (e.g. with `jq keys release-info`), we see:
 - `config` (contains the values that we've set)
 - `info` (date of deployment, status messages)
 - `manifest` (YAML generated from the templates)
-- `name` (name of the release, so `tomcat`)
+- `name` (name of the release, so `orange`)
 - `namespace` (namespace where we deployed the release)
 - `version` (revision number within that release; starts at 1)
 

slides/k8s/helm-values-schema-validation.md

@@ -0,0 +1,191 @@
+# Helm and invalid values
+
+- A lot of Helm charts let us specify an image tag like this:
+  ```bash
+  helm install ... --set image.tag=v1.0
+  ```
+
+- What happens if we make a small mistake, like this:
+  ```bash
+  helm install ... --set imagetag=v1.0
+  ```
+
+- Or even, like this:
+  ```bash
+  helm install ... --set image=v1.0
+  ```
+
+🤔
+
+---
+
+## Making mistakes
+
+- In the first case:
+
+  - we set `imagetag=v1.0` instead of `image.tag=v1.0`
+
+  - Helm will ignore that value (if it's not used anywhere in templates)
+
+  - the chart is deployed with the default value instead
+
+- In the second case:
+
+  - we set `image=v1.0` instead of `image.tag=v1.0`
+
+  - `image` will be a string instead of an object
+
+  - Helm will *probably* fail when trying to evaluate `image.tag`
+
+---
+
+## Preventing mistakes
+
+- To prevent the first mistake, we need to tell Helm:
+
+  *"let me know if any additional (unknonw) value was set!"*
+
+- To prevent the second mistake, we need to tell Helm:
+
+  *"`image` should be an object, and `image.tag` should be a string!"*
+
+- We can do this with *values schema validation*
+
+---
+
+## Helm values schema validation
+
+- We can write a spec representing the possible values accepted by the chart
+
+- Helm will check the validity of the values before trying to install/upgrade
+
+- If it finds problems, it will stop immediately
+
+- The spec uses [JSON Schema](https://json-schema.org/):
+
+  *JSON Schema is a vocabulary that allows you to annotate and validate JSON documents.*
+
+- JSON Schema is designed for JSON, but can easily work with YAML too
+
+  (or any language with `map|dict|associativearray` and `list|array|sequence|tuple`)
+
+---
+
+## In practice
+
+- We need to put the JSON Schema spec in a file called `values.schema.json`
+
+  (at the root of our chart; right next to `values.yaml` etc.)
+
+- The file is optional
+
+- We don't need to register or declare it in `Chart.yaml` or anywhere
+
+- Let's write a schema that will verify that ...
+
+  - `image.repository` is an official image (string without slashes or dots)
+
+  - `image.pullPolicy` can only be `Always`, `Never`, `IfNotPresent`
+
+---
+
+## `values.schema.json`
+
+```json
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "image": {
+      "type": "object",
+      "properties": {
+        "repository": {
+          "type": "string",
+          "pattern": "^[a-z0-9-_]+$"
+        },
+        "pullPolicy": {
+          "type": "string",
+          "pattern": "^(Always|Never|IfNotPresent)$"
+        }
+      } 
+    } 
+  } 
+}
+```
+
+---
+
+## Testing our schema
+
+- Let's try to install a couple releases with that schema!
+
+.exercise[
+
+- Try an invalid `pullPolicy`:
+  ```bash
+  helm install broken --set image.pullPolicy=ShallNotPass
+  ```
+
+- Try an invalid value:
+  ```bash
+  helm install should-break --set ImAgeTAg=toto
+  ```
+
+]
+
+- The first one fails, but the second one still passes ...
+
+- Why?
+
+---
+
+## Bailing out on unkown properties
+
+- We told Helm what properties (values) were valid
+
+- We didn't say what to do about additional (unknown) properties!
+
+- We can fix that with `"additionalProperties": false`
+
+.exercise[
+
+- Edit `values.schema.json` to add `"additionalProperties": false`
+  ```json
+    {
+      "$schema": "http://json-schema.org/schema#",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+      ...
+  ```
+
+]
+
+---
+
+## Testing with unknown properties
+
+.exercise[
+
+- Try to pass an extra property:
+  ```bash
+  helm install should-break --set ImAgeTAg=toto
+  ```
+
+- Try to pass an extra nested property:
+  ```bash
+  helm install does-it-work --set image.hello=world
+  ```
+
+]
+
+The first command should break.
+
+The second will not.
+
+`"additionalProperties": false` needs to be specified at each level.
+
+???
+
+:EN:- Helm schema validation
+:FR:- Validation de schema Helm

slides/k8s/kubectl-logs.md

@@ -160,3 +160,8 @@ class: extra-details
 - The problem was fixed in Kubernetes 1.13
 
 *See [#70554](https://github.com/kubernetes/kubernetes/issues/70554) for details.*
+
+???
+
+:EN:- Viewing logs with "kubectl logs"
+:FR:- Consulter les logs avec "kubectl logs"

slides/k8s/kubenet.md

@@ -52,7 +52,7 @@
 
 - There are literally dozens of implementations out there
 
-  (15 are listed in the Kubernetes documentation)
+  (https://github.com/containernetworking/cni/ lists more than 25 plugins)
 
 - Pods have level 3 (IP) connectivity, but *services* are level 4 (TCP or UDP)
 

slides/k8s/kubercoins.md

@@ -69,7 +69,7 @@ Without further ado, let's start this application!
 
 --
 
-- It is a DockerCoin miner! .emoji[💰🐳📦🚢]
+- It is a DockerCoin miner! 💰🐳📦🚢
 
 --
 

slides/k8s/kustomize.md

@@ -1,38 +1,60 @@
 # Kustomize
 
-- Kustomize lets us transform YAML files representing Kubernetes resources
+- Kustomize lets us transform Kubernetes resources:
 
-- The original YAML files are valid resource files
+  *YAML + kustomize → new YAML*
 
-  (e.g. they can be loaded with `kubectl apply -f`)
+- Starting point = valid resource files
 
-- They are left untouched by Kustomize
+  (i.e. something that we could load with `kubectl apply -f`)
 
-- Kustomize lets us define *kustomizations*
+- Recipe = a *kustomization* file
 
-- A *kustomization* is conceptually similar to a *layer*
+  (describing how to transform the resources)
 
-- Technically, a *kustomization* is a file named `kustomization.yaml`
+- Result = new resource files
 
-  (or a directory containing that files + additional files)
+  (that we can load with `kubectl apply -f`)
 
 ---
 
-## What's in a kustomization
+## Pros and cons
 
-- A kustomization can do any combination of the following:
+- Relatively easy to get started
 
-  - include other kustomizations
+  (just get some existing YAML files)
 
-  - include Kubernetes resources defined in YAML files
+- Easy to leverage existing "upstream" YAML files
 
-  - patch Kubernetes resources (change values)
+  (or other *kustomizations*)
 
-  - add labels or annotations to all resources
+- Somewhat integrated with `kubectl`
 
-  - specify ConfigMaps and Secrets from literal values or local files
+  (but only "somewhat" because of version discrepancies)
 
-(... And a few more advanced features that we won't cover today!)
+- Less complex than e.g. Helm, but also less powerful
+
+- No central index like the Artifact Hub (but is there a need for it?)
+
+---
+
+## Kustomize in a nutshell
+
+- Get some valid YAML (our "resources")
+
+- Write a *kustomization* (technically, a file named `kustomization.yaml`)
+
+  - reference our resources
+
+  - reference other kustomizations
+
+  - add some *patches*
+
+  - ...
+
+- Use that kustomization either with `kustomize build` or `kubectl apply -k`
+
+- Write new kustomizations referencing the first one to handle minor differences
 
 ---
 
@@ -58,11 +80,17 @@ On the next slide, let's see a more complex example ...
 
 ---
 
+## A more complex Kustomization
+
+.small[
 ```yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+commonAnnotations:
+  mood: 😎
 commonLabels:
   add-this-to-all-my-resources: please
+namePrefix: prod-
 patchesStrategicMerge:
 - prod-scaling.yaml
 - prod-healthchecks.yaml
@@ -80,6 +108,7 @@ configMapGenerator:
   - global.conf
   - local.conf=prod.conf
 ```
+]
 
 ---
 
@@ -139,7 +168,7 @@ configMapGenerator:
 
 ## Remote bases
 
-- Kustomize can fetch remote bases using Hashicorp go-getter library
+- Kustomize can also use bases that are remote git repositories
 
 - Examples:
 
@@ -147,11 +176,31 @@ configMapGenerator:
 
   github.com/jpetazzo/kubercoins?ref=kustomize (specific tag or branch)
 
+- Note that this only works for kustomizations, not individual resources
+
+  (the specified repository or directory must contain a `kustomization.yaml` file)
+
+---
+
+class: extra-details
+
+## Hashicorp go-getter
+
+- Some versions of Kustomize support additional forms for remote resources
+
+- Examples:
+
   https://releases.hello.io/k/1.0.zip (remote archive)
 
   https://releases.hello.io/k/1.0.zip//some-subdir (subdirectory in archive)
 
-- See [hashicorp/go-getter URL format docs](https://github.com/hashicorp/go-getter#url-format) for more examples
+- This relies on [hashicorp/go-getter](https://github.com/hashicorp/go-getter#url-format)
+
+- ... But it prevents Kustomize inclusion in `kubectl`
+
+- Avoid them!
+
+- See [kustomize#3578](https://github.com/kubernetes-sigs/kustomize/issues/3578) for details
 
 ---
 
@@ -283,7 +332,7 @@ configMapGenerator:
   kubectl apply -f rendered.yaml --namespace=kustomcoins
   ```
 
-- Or, with Kubernetes 1.14, you can also do this:
+- Or, with Kubernetes 1.14, we can also do this:
   ```bash
   kubectl apply -k overlays/ship --namespace=kustomcoins
   ```
@@ -337,39 +386,163 @@ Note: it might take a minute or two for the worker to start.
 
 ---
 
-## `kubectl apply -k`
+## `kubectl` integration
 
-- Kustomize has been integrated in `kubectl`
+- Kustomize has been integrated in `kubectl` (since Kubernetes 1.14)
+
+  - `kubectl kustomize` can apply a kustomization
+
+  - commands that use `-f` can also use `-k` (`kubectl apply`/`delete`/...)
 
 - The `kustomize` tool is still needed if we want to use `create`, `edit`, ...
 
-- Also, warning: `kubectl apply -k` is a slightly older version than `kustomize`!
+- Kubernetes 1.14 to 1.20 uses Kustomize 2.0.3
 
-- In recent versions of `kustomize`, bases can be listed in `resources`
+- Kubernetes 1.21 jumps to Kustomize 4.1.2
 
-  (and `kustomize edit add base` will add its arguments to `resources`)
+- Future versions should track Kustomize updates more closely
 
-- `kubectl apply -k` requires bases to be listed in `bases`
+---
 
-  (so after using `kustomize edit add base`, we need to fix `kustomization.yaml`)
+class: extra-details
+
+## Differences between 2.0.3 and later
+
+- Kustomize 2.1 / 3.0 deprecates `bases` (they should be listed in `resources`)
+
+  (this means that "modern" `kustomize edit add resource` won't work with "old" `kubectl apply -k`)
+
+- Kustomize 2.1 introduces `replicas` and `envs`
+
+- Kustomize 3.1 introduces multipatches
+
+- Kustomize 3.2 introduce inline patches in `kustomization.yaml`
+
+- Kustomize 3.3 to 3.10 is mostly internal refactoring
+
+- Kustomize 4.0 drops go-getter again
+
+- Kustomize 4.1 allows patching kind and name
+
+---
+
+## Scaling
+
+Instead of using a patch, scaling can be done like this:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+...
+replicas:
+- name: worker
+  count: 5
+```
+
+It will automatically work with Deployments, ReplicaSets, StatefulSets.
+
+(For other resource types, fall back to a patch.)
+
+---
+
+## Updating images
+
+Instead of using patches, images can be changed like this:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+...
+images:
+- name: postgres
+  newName: harbor.enix.io/my-postgres
+- name: dockercoins/worker
+  newTag: v0.2
+- name: dockercoins/hasher
+  newName: registry.dockercoins.io/hasher
+  newTag: v0.2
+- name: alpine
+  digest: sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
+```
+
+---
+
+## Updating images, pros and cons
+
+- Very convenient when the same image appears multiple times
+
+- Very convenient to define tags (or pin to hashes) outside of the main YAML
+
+- Doesn't support wildcard or generic substitutions:
+
+  - cannot "replace `dockercoins/*` with `ghcr.io/dockercoins/*`"
+
+  - cannot "tag all `dockercoins/*` with `v0.2`"
+
+- Only patches "well-known" image fields (won't work with CRDs referencing images)
+
+- Helm can deal with these scenarios, for instance:
+  ```yaml
+  image: {{ .Values.registry }}/worker:{{ .Values.version }}
+  ```
+
+---
+
+## Advanced resource patching
+
+The example below shows how to:
+
+- patch multiple resources with a selector (new in Kustomize 3.1)
+- use an inline patch instead of a separate patch file (new in Kustomize 3.2)
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+...
+patches:
+- patch: |-
+    - op: replace
+      path: /spec/template/spec/containers/0/image
+      value: alpine
+  target:
+    kind: Deployment
+    labelSelector: "app"
+```
+
+(This replaces all images of Deployments matching the `app` selector with `alpine`.)
+
+---
+
+## Advanced resource patching, pros and cons
+
+- Very convenient to patch an arbitrary number of resources
+
+- Very convenient to patch any kind of resource, including CRDs
+
+- Doesn't support "fine-grained" patching (e.g. image registry or tag)
+
+- Once again, Helm can do it:
+  ```yaml
+  image: {{ .Values.registry }}/worker:{{ .Values.version }}
+  ```
 
 ---
 
 ## Differences with Helm
 
-- Helm charts use placeholders `{{ like.this }}`
+- Helm charts generally require more upfront work
 
-- Kustomize "bases" are standard Kubernetes YAML
+  (while kustomize "bases" are standard Kubernetes YAML)
 
-- It is possible to use an existing set of YAML as a Kustomize base
+- ... But Helm charts are also more powerful; their templating language can:
 
-- As a result, writing a Helm chart is more work ...
+  - conditionally include/exclude resources or blocks within resources
 
-- ... But Helm charts are also more powerful; e.g. they can:
+  - generate values by concatenating, hashing, transforming parameters
 
-  - use flags to conditionally include resources or blocks
+  - generate values or resources by iteration (`{{ range ... }}`)
 
-  - check if a given Kubernetes API group is supported
+  - access the Kubernetes API during template evaluation
 
   - [and much more](https://helm.sh/docs/chart_template_guide/)
 
@@ -377,4 +550,3 @@ Note: it might take a minute or two for the worker to start.
 
 :EN:- Packaging and running apps with Kustomize
 :FR:- *Packaging* d'applications avec Kustomize
-

slides/k8s/metrics-server.md

@@ -1,69 +1,182 @@
-# Checking pod and node resource usage
+# Checking Node and Pod resource usage
 
-- Since Kubernetes 1.8, metrics are collected by the [resource metrics pipeline](https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/)
+- We've installed a few things on our cluster so far
 
-- The resource metrics pipeline is:
+- How much resources (CPU, RAM) are we using?
 
-  - optional (Kubernetes can function without it)
-
-  - necessary for some features (like the Horizontal Pod Autoscaler)
-
-  - exposed through the Kubernetes API using the [aggregation layer](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
-
-  - usually implemented by the "metrics server"
-
----
-
-## How to know if the metrics server is running?
-
-- The easiest way to know is to run `kubectl top`
+- We need metrics!
 
 .exercise[
 
-- Check if the core metrics pipeline is available:
+- Let's try the following command:
+  ```bash
+  kubectl top nodes
+  ```
+]
+
+---
+
+## Is metrics-server installed?
+
+- If we see a list of nodes, with CPU and RAM usage:
+
+  *great, metrics-server is installed!*
+
+- If we see `error: Metrics API not available`:
+
+  *metrics-server isn't installed, so we'll install it!*
+
+---
+
+## The resource metrics pipeline
+
+- The `kubectl top` command relies on the Metrics API
+
+- The Metrics API is part of the "[resource metrics pipeline]"
+
+- The Metrics API isn't served (built into) the Kubernetes API server
+
+- It is made available through the [aggregation layer]
+
+- It is usually served by a component called metrics-server
+
+- It is optional (Kubernetes can function without it)
+
+- It is necessary for some features (like the Horizontal Pod Autoscaler)
+
+[resource metrics pipeline]: https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/
+[aggregation layer]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/
+
+---
+
+## Other ways to get metrics
+
+- We could use a SAAS like Datadog, New Relic...
+
+- We could use a self-hosted solution like Prometheus
+
+- Or we could use metrics-server
+
+- What's special about metrics-server?
+
+---
+
+## Pros/cons
+
+Cons:
+
+- no data retention (no history data, just instant numbers)
+
+- only CPU and RAM of nodes and pods (no disk or network usage or I/O...)
+
+Pros:
+
+- very lightweight
+
+- doesn't require storage
+
+- used by Kubernetes autoscaling
+
+---
+
+## Why metrics-server
+
+- We may install something fancier later
+
+  (think: Prometheus with Grafana)
+
+- But metrics-server will work in *minutes*
+
+- It will barely use resources on our cluster
+
+- It's required for autoscaling anyway
+
+---
+
+## How metric-server works
+
+- It runs a single Pod
+
+- That Pod will fetch metrics from all our Nodes
+
+- It will expose them through the Kubernetes API agregation layer
+
+  (we won't say much more about that agregation layer; that's fairly advanced stuff!)
+
+---
+
+## Installing metrics-server
+
+- In a lot of places, this is done with a little bit of custom YAML
+
+  (derived from the [official installation instructions](https://github.com/kubernetes-sigs/metrics-server#installation))
+
+- We're going to use Helm one more time:
+  ```bash
+    helm upgrade --install metrics-server bitnami/metrics-server \
+      --create-namespace --namespace metrics-server \
+      --set apiService.create=true \
+      --set extraArgs.kubelet-insecure-tls=true \
+      --set extraArgs.kubelet-preferred-address-types=InternalIP
+  ```
+
+- What are these options for?
+
+---
+
+## Installation options
+
+- `apiService.create=true`
+
+  register `metrics-server` with the Kubernetes agregation layer
+
+  (create an entry that will show up in `kubectl get apiservices`)
+
+- `extraArgs.kubelet-insecure-tls=true`
+
+  when connecting to nodes to collect their metrics, don't check kubelet TLS certs
+
+  (because most kubelet certs include the node name, but not its IP address)
+
+- `extraArgs.kubelet-preferred-address-types=InternalIP`
+
+  when connecting to nodes, use their internal IP address instead of node name
+
+  (because the latter requires an internal DNS, which is rarely configured)
+
+---
+
+## Testing metrics-server
+
+- After a minute or two, metrics-server should be up
+
+- We should now be able to check Nodes resource usage:
   ```bash
   kubectl top nodes
   ```
 
-]
-
-If it shows our nodes and their CPU and memory load, we're good!
-
----
-
-## Installing metrics server
-
-- The metrics server doesn't have any particular requirements
-
-  (it doesn't need persistence, as it doesn't *store* metrics)
-
-- It has its own repository, [kubernetes-incubator/metrics-server](https://github.com/kubernetes-incubator/metrics-server)
-
-- The repository comes with [YAML files for deployment](https://github.com/kubernetes-incubator/metrics-server/tree/master/deploy/1.8%2B)
-
-- These files may not work on some clusters
-
-  (e.g. if your node names are not in DNS)
-
-- The container.training repository has a [metrics-server.yaml](https://github.com/jpetazzo/container.training/blob/master/k8s/metrics-server.yaml#L90) file to help with that
-
-  (we can `kubectl apply -f` that file if needed)
-
----
-
-## Showing container resource usage
-
-- Once the metrics server is running, we can check container resource usage
-
-.exercise[
-
-- Show resource usage across all containers:
+- And Pods resource usage, too:
   ```bash
-  kubectl top pods --containers --all-namespaces
+  kubectl top pods --all-namespaces
   ```
-]
 
-- We can also use selectors (`-l app=...`)
+---
+
+## Keep some padding
+
+- The RAM usage that we see should correspond more or less to the Resident Set Size
+
+- Our pods also need some extra space for buffers, caches...
+
+- Do not aim for 100% memory usage!
+
+- Some more realistic targets:
+
+  50% (for workloads with disk I/O and leveraging caching)
+
+  90% (on very big nodes with mostly CPU-bound workloads)
+
+  75% (anywhere in between!)
 
 ---
 
@@ -83,5 +196,8 @@ If it shows our nodes and their CPU and memory load, we're good!
 
 ???
 
-:EN:- The *core metrics pipeline*
-:FR:- Le *core metrics pipeline*
+:EN:- The resource metrics pipeline
+:EN:- Installing metrics-server
+
+:EN:- Le *resource metrics pipeline*
+:FR:- Installtion de metrics-server

slides/k8s/openebs.md

@@ -0,0 +1,529 @@
+# OpenEBS 
+
+ - [OpenEBS] is a popular open-source storage solution for Kubernetes
+
+ - Uses the concept of "Container Attached Storage"
+
+   (1 volume = 1 dedicated controller pod + a set of replica pods)
+
+ - Supports a wide range of storage engines:
+
+   - LocalPV: local volumes (hostpath or device), no replication
+
+   - Jiva: for lighter workloads with basic cloning/snapshotting
+
+   - cStor: more powerful engine that also supports resizing, RAID, disk pools ...
+
+   - [Mayastor]: newer, even more powerful engine with NVMe and vhost-user support
+
+[OpenEBS]: https://openebs.io/
+
+[Mayastor]: https://github.com/openebs/MayaStor#mayastor
+
+---
+
+class: extra-details
+
+## What are all these storage engines?
+
+- LocalPV is great if we want good performance, no replication, easy setup
+
+  (it is similar to the Rancher local path provisioner)
+
+- Jiva is great if we want replication and easy setup
+
+  (data is stored in containers' filesystems)
+
+- cStor is more powerful and flexible, but requires more extensive setup
+
+- Mayastor is designed to achieve extreme performance levels
+
+  (with the right hardware and disks)
+
+- The OpenEBS documentation has a [good comparison of engines] to help us pick
+
+[good comparison of engines]: https://docs.openebs.io/docs/next/casengines.html#cstor-vs-jiva-vs-localpv-features-comparison
+
+---
+
+## Installing OpenEBS with Helm
+
+- The OpenEBS control plane can be installed with Helm
+
+- It will run as a set of containers on Kubernetes worker nodes
+
+.exercise[
+
+  - Install OpenEBS:
+  ```bash  
+    helm upgrade --install openebs openebs \
+         --repo https://openebs.github.io/charts \
+         --namespace openebs --create-namespace
+  ```
+]
+
+---
+
+## Checking what was installed
+
+- Wait a little bit ...
+
+.exercise[
+
+- Look at the pods in the `openebs` namespace:
+  ```bash  
+      kubectl get pods --namespace openebs
+  ```
+
+- And the StorageClasses that were created:
+  ```bash  
+      kubectl get sc
+  ```
+
+]
+
+---
+
+## The default StorageClasses
+
+- OpenEBS typically creates three default StorageClasses
+
+- `openebs-jiva-default` provisions 3 replicated Jiva pods per volume
+
+  - data is stored in `/openebs` in the replica pods
+  - `/openebs` is a localpath volume mapped to `/var/openebs/pvc-...` on the node
+
+- `openebs-hostpath` uses LocalPV with local directories
+
+  - volumes are hostpath volumes created in `/var/openebs/local` on each node
+
+- `openebs-device` uses LocalPV with local block devices
+
+  - requires available disks and/or a bit of extra configuration
+  - the default configuration filters out loop, LVM, MD devices
+
+---
+
+## When do we need custom StorageClasses?
+
+- To store LocalPV hostpath volumes on a different path on the host
+
+- To change the number of replicated Jiva pods
+
+- To use a different Jiva pool
+
+  (i.e. a different path on the host to store the Jiva volumes)
+
+- To create a cStor pool
+
+- ...
+
+---
+
+class: extra-details
+
+## Defining a custom StorageClass
+
+Example for a LocalPV hostpath class using an extra mount on `/mnt/vol001`:
+
+```yaml
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: localpv-hostpath-mntvol001
+  annotations:
+    openebs.io/cas-type: local
+    cas.openebs.io/config: |
+      - name: BasePath
+        value: "/mnt/vol001"
+      - name: StorageType
+        value: "hostpath"
+provisioner: openebs.io/local
+```
+
+- `provisioner` needs to be set accordingly
+- Storage engine is chosen by specifying the annotation `openebs.io/cas-type`
+- Storage engine configuration is set with the annotation `cas.openebs.io/config` 
+
+---
+
+## Checking the default hostpath StorageClass
+
+- Let's inspect the StorageClass that OpenEBS created for us
+
+.exercise[
+
+- Let's look at the OpenEBS LocalPV hostpath StorageClass:
+  ```bash
+  kubectl get storageclass openebs-hostpath -o yaml
+  ``` 
+]
+
+---
+
+## Create a host path PVC
+
+- Let's create a Persistent Volume Claim using an explicit StorageClass
+
+.exercise[
+
+```bash
+kubectl apply -f - <<EOF
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: local-hostpath-pvc
+spec:
+  storageClassName: openebs-hostpath
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1G
+EOF
+```
+
+]
+
+---
+
+## Making sure that a PV was created for our PVC
+
+- Normally, the `openebs-hostpath` StorageClass created a PV for our PVC
+
+.exercise[
+
+- Look at the PV and PVC:
+  ```bash
+  kubectl get pv,pvc
+  ```
+
+]
+
+---
+
+## Create a Pod to consume the PV
+
+.exercise[
+
+- Create a Pod using that PVC:
+  ```bash
+  kubectl apply -f ~/container.training/k8s/openebs-pod.yaml
+  ```
+
+- Here are the sections that declare and use the volume:
+  ```yaml
+    volumes:
+    - name: my-storage
+      persistentVolumeClaim:
+        claimName: local-hostpath-pvc
+    containers:
+    ...  
+      volumeMounts:
+      - mountPath: /mnt/storage
+        name: my-storage
+  ```
+
+]
+
+---
+
+## Verify that data is written on the node
+
+- Let's find the file written by the Pod on the node where the Pod is running
+
+.exercise[
+
+- Get the worker node where the pod is located
+  ```bash
+  kubectl get pod openebs-local-hostpath-pod -ojsonpath={.spec.nodeName}
+  ```
+
+- SSH into the node
+
+- Check the volume content
+  ```bash
+  sudo tail /var/openebs/local/pvc-*/greet.txt
+  ```
+
+]
+
+---
+
+## Heads up!
+
+- The following labs and exercises will use the Jiva storage class
+
+- This storage class creates 3 replicas by default
+
+- It uses *anti-affinity* placement constraits to put these replicas on different nodes
+
+- **This requires a cluster with multiple nodes!**
+
+- It also requires the iSCSI client (aka *initiator*) to be installed on the nodes
+
+- On many platforms, the iSCSI client is preinstalled and will start automatically
+
+- If it doesn't, you might want to check [this documentation page] for details
+
+[this documentation page]: https://docs.openebs.io/docs/next/prerequisites.html
+
+---
+
+## The default StorageClass
+
+- The PVC that we defined earlier specified an explicit StorageClass
+
+- We can also set a default StorageClass
+
+- It will then be used for all PVC that *don't* specify and explicit StorageClass
+
+- This is done with the annotation `storageclass.kubernetes.io/is-default-class`
+
+.exercise[
+
+- Check if we have a default StorageClass:
+  ```bash
+  kubectl get storageclasses
+  ```
+]
+
+- The default StorageClass (if there is one) is shown with `(default)`
+
+---
+
+## Setting a default StorageClass
+
+- Let's set the default StorageClass to use `openebs-jiva-default`
+
+.exercise[
+
+- Remove the annotation (just in case we already have a default class):
+  ```bash
+  kubectl annotate storageclass storageclass.kubernetes.io/is-default-class- --all
+  ```
+
+- Annotate the Jiva StorageClass:
+  ```bash
+  kubectl annotate storageclasses \
+      openebs-jiva-default storageclass.kubernetes.io/is-default-class=true
+  ```
+
+- Check the result:
+  ```bash
+  kuectl get storageclasses
+  ```
+
+]
+
+---
+
+## Creating a Pod using the Jiva class
+
+- We will create a Pod running PostgreSQL, using the default class
+
+.exercise[
+
+- Create the Pod:
+  ```bash
+  kubectl apply -f ~/container.training/k8s/postgres.yaml
+  ```
+
+- Wait for the PV, PVC, and Pod to be up:
+  ```bash
+  watch kubectl get pv,pvc,pod
+  ```
+
+- We can also check what's going on in the `openebs` namespace:
+  ```bash
+  watch kubectl get pods --namespace openebs
+  ```
+
+]
+
+---
+
+## Node failover
+
+⚠️ This will partially break your cluster!
+
+- We are going to disconnect the node running PostgreSQL from the cluster
+
+- We will see what happens, and how to recover
+
+- We will not reconnect the node to the cluster
+
+- This whole lab will take at least 10-15 minutes (due to various timeouts)
+
+⚠️ Only do this lab at the very end, when you don't want to run anything else after!
+
+---
+
+## Disconnecting the node from the cluster
+
+.exercise[
+
+- Find out where the Pod is running, and SSH into that node:
+  ```bash
+  kubectl get pod postgres-0 -o jsonpath={.spec.nodeName}
+  ssh nodeX
+  ```
+
+- Check the name of the network interface:
+  ```bash
+  sudo ip route ls default
+  ```
+
+- The output should look like this:
+  ```
+  default via 10.10.0.1 `dev ensX` proto dhcp src 10.10.0.13 metric 100 
+  ```
+
+- Shutdown the network interface:
+  ```bash
+  sudo ip link set ensX down
+  ```
+
+]
+
+---
+
+## Watch what's going on
+
+- Let's look at the status of Nodes, Pods, and Events
+
+.exercise[
+
+- In a first pane/tab/window, check Nodes and Pods:
+  ```bash
+  watch kubectl get nodes,pods -o wide
+  ```
+
+- In another pane/tab/window, check Events:
+  ```bash
+  kubectl get events --watch
+  ```
+
+]
+
+---
+
+## Node Ready → NotReady
+
+- After \~30 seconds, the control plane stops receiving heartbeats from the Node
+
+- The Node is marked NotReady
+
+- It is not *schedulable* anymore
+
+  (the scheduler won't place new pods there, except some special cases)
+
+- All Pods on that Node are also *not ready*
+
+  (they get removed from service Endpoints)
+
+- ... But nothing else happens for now
+
+  (the control plane is waiting: maybe the Node will come back shortly?)
+
+---
+
+## Pod eviction
+
+- After \~5 minutes, the control plane will evict most Pods from the Node
+
+- These Pods are now `Terminating`
+
+- The Pods controlled by e.g. ReplicaSets are automatically moved
+
+  (or rather: new Pods are created to replace them)
+
+- But nothing happens to the Pods controlled by StatefulSets at this point
+
+  (they remain `Terminating` forever)
+
+- Why? 🤔
+
+--
+
+- This is to avoid *split brain scenarios*
+
+---
+
+class: extra-details
+
+## Split brain 🧠⚡️🧠
+
+- Imagine that we create a replacement pod `postgres-0` on another Node
+
+- And 15 minutes later, the Node is reconnected and the original `postgres-0` comes back
+
+- Which one is the "right" one?
+
+- What if they have conflicting data?
+
+😱
+
+- We *cannot* let that happen!
+
+- Kubernetes won't do it
+
+- ... Unless we tell it to
+
+---
+
+## The Node is gone
+
+- One thing we can do, is tell Kubernetes "the Node won't come back"
+
+  (there are other methods; but this one is the simplest one here)
+
+- This is done with a simple `kubectl delete node`
+
+.exercise[
+
+- `kubectl delete` the Node that we disconnected
+
+]
+
+---
+
+## Pod rescheduling
+
+- Kubernetes removes the Node
+
+- After a brief period of time (\~1 minute) the "Terminating" Pods are removed
+
+- A replacement Pod is created on another Node
+
+- ... But it doens't start yet!
+
+- Why? 🤔
+
+---
+
+## Multiple attachment
+
+- By default, a disk can only be attached to one Node at a time
+
+  (sometimes it's a hardware or API limitation; sometimes enforced in software)
+
+- In our Events, we should see `FailedAttachVolume` and `FailedMount` messages
+
+- After \~5 more minutes, the disk will be force-detached from the old Node
+
+- ... Which will allow attaching it to the new Node!
+
+🎉
+
+- The Pod will then be able to start
+
+- Failover is complete!
+
+???
+
+:EN:- Understanding Container Attached Storage (CAS)
+:EN:- Deploying stateful apps with OpenEBS
+
+:FR:- Comprendre le "Container Attached Storage" (CAS)
+:FR:- Déployer une application "stateful" avec OpenEBS

slides/k8s/prometheus-stack.md

@@ -0,0 +1,123 @@
+# Prometheus and Grafana
+
+- What if we want metrics retention, view graphs, trends?
+
+- A very popular combo is Prometheus+Grafana:
+
+  - Prometheus as the "metrics engine"
+
+  - Grafana to display comprehensive dashboards
+
+- Prometheus also has an alert-manager component to trigger alerts
+
+  (we won't talk about that one)
+
+---
+
+## Installing Prometheus and Grafana
+
+- A complete metrics stack needs at least:
+
+  - the Prometheus server (collects metrics and stores them efficiently)
+
+  - a collection of *exporters* (exposing metrics to Prometheus)
+
+  - Grafana
+
+  - a collection of Grafana dashboards (building them from scratch is tedious)
+
+- The Helm chart `kube-prometheus-stack` combines all these elements
+
+- ... So we're going to use it to deploy our metrics stack!
+
+---
+
+## Installing `kube-prometheus-stack`
+
+- Let's install that stack *directly* from its repo
+
+  (without doing `helm repo add` first)
+
+- Otherwise, keep the same naming strategy:
+  ```bash
+    helm upgrade --install kube-prometheus-stack kube-prometheus-stack \
+      --namespace kube-prometheus-stack --create-namespace \
+      --repo https://prometheus-community.github.io/helm-charts 
+  ```
+
+- This will take a minute...
+
+- Then check what was installed:
+  ```bash
+  kubectl get all --namespace kube-prometheus-stack
+  ```
+
+---
+
+## Exposing Grafana
+
+- Let's create an Ingress for Grafana
+  ```bash
+    kubectl create ingress --namespace kube-prometheus-stack grafana \
+      --rule=grafana.`cloudnative.party`/*=kube-prometheus-stack-grafana:80
+  ```
+
+  (as usual, make sure to use *your* domain name above)
+
+- Connect to Grafana
+
+  (remember that the DNS record might take a few minutes to come up)
+
+---
+
+## Grafana credentials
+
+- What could the login and password be?
+
+- Let's look at the Secrets available in the namespace:
+  ```bash
+  kubectl get secrets --namespace kube-prometheus-stack
+  ```
+
+- There is a `kube-prometheus-stack-grafana` that looks promising!
+
+- Decode the Secret:
+  ```bash
+    kubectl get secret --namespace kube-prometheus-stack \
+      kube-prometheus-stack-grafana -o json | jq '.data | map_values(@base64d)'
+  ```
+
+- If you don't have the `jq` tool mentioned above, don't worry...
+
+--
+
+- The login/password is hardcoded to `admin`/`prom-operator` 😬
+
+---
+
+## Grafana dashboards
+
+- Once logged in, click on the "Dashboards" icon on the left
+
+  (it's the one that looks like four squares)
+
+- Then click on the "Manage" entry
+
+- Then click on "Kubernetes / Compute Resources / Cluster"
+
+- This gives us a breakdown of resource usage by Namespace
+
+- Feel free to explore the other dashboards!
+
+???
+
+:EN:- Installing Prometheus and Grafana
+:FR:- Installer Prometheus et Grafana
+
+:T: Observing our cluster with Prometheus and Grafana
+
+:Q: What's the relationship between Prometheus and Grafana?
+:A: Prometheus collects and graphs metrics; Grafana sends alerts
+:A: ✔️Prometheus collects metrics; Grafana displays them on dashboards
+:A: Prometheus collects and graphs metrics; Grafana is its configuration interface
+:A: Grafana collects and graphs metrics; Prometheus sends alerts

slides/k8s/statefulsets.md

@@ -331,11 +331,8 @@ consul agent -data-dir=/consul/data -client=0.0.0.0 -server -ui \
       podAntiAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
           - labelSelector:
-              matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                    - consul
+              matchLabels:
+                app: consul
             topologyKey: kubernetes.io/hostname
   ```
 
@@ -353,10 +350,7 @@ consul agent -data-dir=/consul/data -client=0.0.0.0 -server -ui \
     lifecycle:
       preStop:
         exec:
-          command:
-          - /bin/sh
-          - -c
-          - consul leave
+          command: [ "sh", "-c", "consul leave" ]
   ```
 
 ---

slides/kadm-fullday.yml

@@ -22,6 +22,7 @@ content:
 - k8s/intro.md
 - shared/about-slides.md
 - shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md

slides/kadm-twodays.yml

@@ -22,6 +22,7 @@ content:
 - k8s/intro.md
 - shared/about-slides.md
 - shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md
@@ -63,6 +64,7 @@ content:
   - k8s/cluster-sizing.md
   - k8s/horizontal-pod-autoscaler.md
 - - k8s/prometheus.md
+  #- k8s/prometheus-stack.md
   - k8s/extending-api.md
   - k8s/crd.md
   - k8s/operators.md

slides/kube-adv.yml

@@ -20,6 +20,7 @@ content:
 - k8s/intro.md
 - shared/about-slides.md
 #- shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md
@@ -49,12 +50,15 @@ content:
   - |
     # (Extra content)
   - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
   - k8s/helm-secrets.md
 - #5
   - k8s/extending-api.md
   - k8s/operators.md
   - k8s/sealed-secrets.md
   - k8s/crd.md
+  #- k8s/exercise-sealed-secrets.md
 - #6
   - k8s/ingress-tls.md
   - k8s/cert-manager.md
@@ -66,6 +70,7 @@ content:
   - k8s/aggregation-layer.md
   - k8s/metrics-server.md
   - k8s/prometheus.md
+  - k8s/prometheus-stack.md
   - k8s/hpa-v2.md
 - #9
   - k8s/operators-design.md

slides/kube-fullday.yml

@@ -21,6 +21,7 @@ content:
 - k8s/intro.md
 - shared/about-slides.md
 - shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md
@@ -37,10 +38,7 @@ content:
   - k8s/kubectlget.md
 -
   - k8s/kubectl-run.md
-  - k8s/batch-jobs.md
-  - k8s/labels-annotations.md
-  - k8s/kubectl-logs.md
-  - k8s/logs-cli.md
+  #- k8s/batch-jobs.md
   - shared/declarative.md
   - k8s/declarative.md
   - k8s/deploymentslideshow.md
@@ -52,36 +50,46 @@ content:
   - k8s/ourapponkube.md
   #- k8s/exercise-wordsmith.md
 -
+  - k8s/labels-annotations.md
+  - k8s/kubectl-logs.md
+  - k8s/logs-cli.md
+  - k8s/namespaces.md
   - k8s/yamldeploy.md
   - k8s/setup-overview.md
-  #- k8s/setup-devel.md
+  - k8s/setup-devel.md
   #- k8s/setup-managed.md
   #- k8s/setup-selfhosted.md
-  #- k8s/dashboard.md
+-
+  - k8s/dashboard.md
+  - k8s/rollout.md
+  - k8s/healthchecks.md
+  - k8s/ingress.md
+  #- k8s/volumes.md
+  - k8s/configuration.md
+  - k8s/secrets.md
+  - k8s/openebs.md
   #- k8s/k9s.md
   #- k8s/tilt.md
   #- k8s/kubectlscale.md
-  - k8s/scalingdockercoins.md
-  - shared/hastyconclusions.md
-  - k8s/daemonset.md
-  #- k8s/dryrun.md
+  #- k8s/scalingdockercoins.md
+  #- shared/hastyconclusions.md
+  #- k8s/daemonset.md
+  #- k8s/authoring-yaml.md
   #- k8s/exercise-yaml.md
   #- k8s/localkubeconfig.md
+  #- k8s/access-eks-cluster.md
   #- k8s/accessinternal.md
   #- k8s/kubectlproxy.md
-  - k8s/rollout.md
-  #- k8s/healthchecks.md
   #- k8s/healthchecks-more.md
   #- k8s/record.md
--
-  - k8s/namespaces.md
-  - k8s/ingress.md
   #- k8s/ingress-tls.md
   #- k8s/kustomize.md
   #- k8s/helm-intro.md
   #- k8s/helm-chart-format.md
   #- k8s/helm-create-basic-chart.md
   #- k8s/helm-create-better-chart.md
+  #- k8s/helm-dependencies.md
+  #- k8s/helm-values-schema-validation.md
   #- k8s/helm-secrets.md
   #- k8s/exercise-helm.md
   #- k8s/gitlab.md
@@ -93,14 +101,12 @@ content:
   #- k8s/csr-api.md
   #- k8s/openid-connect.md
   #- k8s/podsecuritypolicy.md
-  - k8s/volumes.md
   #- k8s/exercise-configmap.md
   #- k8s/build-with-docker.md
   #- k8s/build-with-kaniko.md
-  - k8s/configuration.md
-  - k8s/secrets.md
   #- k8s/logs-centralized.md
   #- k8s/prometheus.md
+  #- k8s/prometheus-stack.md
   #- k8s/statefulsets.md
   #- k8s/local-persistent-volumes.md
   #- k8s/portworx.md
@@ -114,7 +120,7 @@ content:
   #- k8s/owners-and-dependents.md
   #- k8s/gitworkflows.md
 -
-  - k8s/whatsnext.md
+  #- k8s/whatsnext.md
   - k8s/lastwords.md
-  - k8s/links.md
+  #- k8s/links.md
   - shared/thankyou.md

slides/kube-halfday.yml

@@ -23,6 +23,7 @@ content:
 - k8s/intro.md
 - shared/about-slides.md
 - shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md
@@ -55,6 +56,7 @@ content:
   - k8s/buildshiprun-dockerhub.md
   - k8s/ourapponkube.md
   #- k8s/localkubeconfig.md
+  #- k8s/access-eks-cluster.md
   #- k8s/accessinternal.md
   #- k8s/kubectlproxy.md
 - - k8s/dashboard.md
@@ -74,6 +76,8 @@ content:
   #- k8s/helm-chart-format.md
   - k8s/helm-create-basic-chart.md
   #- k8s/helm-create-better-chart.md
+  #- k8s/helm-dependencies.md
+  #- k8s/helm-values-schema-validation.md
   #- k8s/helm-secrets.md
   #- k8s/kustomize.md
   #- k8s/netpol.md

slides/kube-selfpaced.yml

@@ -21,6 +21,7 @@ content:
 - k8s/intro.md
 - shared/about-slides.md
 #- shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md
@@ -65,7 +66,7 @@ content:
   - k8s/scalingdockercoins.md
   - shared/hastyconclusions.md
   - k8s/daemonset.md
-  - k8s/dryrun.md
+  - k8s/authoring-yaml.md
   #- k8s/exercise-yaml.md
 -
   - k8s/rollout.md
@@ -75,6 +76,7 @@ content:
 -
   - k8s/namespaces.md
   - k8s/localkubeconfig.md
+  #- k8s/access-eks-cluster.md
   - k8s/accessinternal.md
   - k8s/kubectlproxy.md
 -
@@ -86,6 +88,8 @@ content:
   - k8s/helm-chart-format.md
   - k8s/helm-create-basic-chart.md
   - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
   - k8s/helm-secrets.md
   #- k8s/exercise-helm.md
   - k8s/gitlab.md
@@ -108,9 +112,11 @@ content:
   - k8s/statefulsets.md
   - k8s/local-persistent-volumes.md
   - k8s/portworx.md
+  - k8s/openebs.md
 -
   - k8s/logs-centralized.md
   - k8s/prometheus.md
+  - k8s/prometheus-stack.md
   - k8s/resource-limits.md
   - k8s/metrics-server.md
   - k8s/cluster-sizing.md
@@ -126,6 +132,7 @@ content:
   - k8s/operators-design.md
   - k8s/kubebuilder.md
   - k8s/sealed-secrets.md
+  #- k8s/exercise-sealed-secrets.md
   - k8s/kyverno.md
   - k8s/eck.md
   - k8s/finalizers.md

slides/kube-twodays.yml

@@ -21,6 +21,7 @@ content:
 - k8s/intro.md
 - shared/about-slides.md
 - shared/chat-room-im.md
+#- shared/chat-room-slack.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
 - shared/toc.md
@@ -64,10 +65,11 @@ content:
   - k8s/scalingdockercoins.md
   - shared/hastyconclusions.md
   - k8s/daemonset.md
-  - k8s/dryrun.md
+  - k8s/authoring-yaml.md
   #- k8s/exercise-yaml.md
 -
   - k8s/localkubeconfig.md
+  #- k8s/access-eks-cluster.md
   - k8s/accessinternal.md
   #- k8s/kubectlproxy.md
   - k8s/rollout.md
@@ -83,6 +85,8 @@ content:
   - k8s/helm-chart-format.md
   - k8s/helm-create-basic-chart.md
   - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
   - k8s/helm-secrets.md
   #- k8s/exercise-helm.md
   - k8s/gitlab.md
@@ -100,11 +104,13 @@ content:
   - k8s/configuration.md
   - k8s/secrets.md
   - k8s/logs-centralized.md
-  - k8s/prometheus.md
+  #- k8s/prometheus.md
+  #- k8s/prometheus-stack.md
 -
   - k8s/statefulsets.md
   - k8s/local-persistent-volumes.md
   - k8s/portworx.md
+  #- k8s/openebs.md
   #- k8s/extending-api.md
   #- k8s/admission.md
   #- k8s/operators.md

slides/logistics-bridget.md

@@ -2,9 +2,9 @@
 
  - Hello! We are:
 
-   - .emoji[✨] Bridget ([@bridgetkromhout](https://twitter.com/bridgetkromhout))
+   - ✨ Bridget ([@bridgetkromhout](https://twitter.com/bridgetkromhout))
 
-   - .emoji[🌟] Joe ([@joelaha](https://twitter.com/joelaha))
+   - 🌟 Joe ([@joelaha](https://twitter.com/joelaha))
 
 - The workshop will run from 13:30-16:45
 

slides/logistics-online.md

@@ -2,9 +2,9 @@
 
 - Hello! We are:
 
-   - .emoji[👷🏻‍♀️] AJ ([@s0ulshake], [EphemeraSearch])
+   - 👷🏻‍♀️ AJ ([@s0ulshake], [EphemeraSearch])
 
-   - .emoji[🐳] Jérôme ([@jpetazzo], Enix SAS)
+   - 🐳 Jérôme ([@jpetazzo], Enix SAS)
 
 - The training will run for 4 hours, with a 10 minutes break every hour