💡 Lumen content RC2

.gitignore

@@ -6,7 +6,13 @@ prepare-vms/tags
 prepare-vms/infra
 prepare-vms/www
 
-prepare-tf/tag-*
+prepare-tf/.terraform*
+prepare-tf/terraform.*
+prepare-tf/stage2/*.tf
+prepare-tf/stage2/kubeconfig.*
+prepare-tf/stage2/.terraform*
+prepare-tf/stage2/terraform.*
+prepare-tf/stage2/externalips.*
 
 slides/*.yml.html
 slides/autopilot/state.yaml

compose/frr-route-reflector/conf/zebra.conf

@@ -1,3 +1,2 @@
 hostname frr
-ip nht resolve-via-default
 log stdout

compose/frr-route-reflector/docker-compose.yaml

@@ -2,36 +2,30 @@ version: "3"
 
 services:
   bgpd:
-    image: frrouting/frr:v8.2.2
+    image: ajones17/frr:662
     volumes:
     - ./conf:/etc/frr
     - ./run:/var/run/frr
     network_mode: host
-    cap_add:
-    - NET_ADMIN
-    - SYS_ADMIN
-    entrypoint: /usr/lib/frr/bgpd -f /etc/frr/bgpd.conf --log=stdout --log-level=debug --no_kernel --no_zebra
+    entrypoint: /usr/lib/frr/bgpd -f /etc/frr/bgpd.conf --log=stdout --log-level=debug --no_kernel
     restart: always
 
   zebra:
-    image: frrouting/frr:v8.2.2
+    image: ajones17/frr:662
     volumes:
     - ./conf:/etc/frr
     - ./run:/var/run/frr
     network_mode: host
-    cap_add:
-    - NET_ADMIN
-    - SYS_ADMIN
     entrypoint: /usr/lib/frr/zebra -f /etc/frr/zebra.conf --log=stdout --log-level=debug
     restart: always
 
   vtysh:
-    image: frrouting/frr:v8.2.2
+    image: ajones17/frr:662
     volumes:
     - ./conf:/etc/frr
     - ./run:/var/run/frr
     network_mode: host
-    entrypoint: vtysh
+    entrypoint: vtysh -c "show ip bgp"
 
   chmod:
     image: alpine

dockercoins/Tiltfile

@@ -48,25 +48,20 @@ k8s_yaml('../k8s/dockercoins.yaml')
 # The following line lets Tilt run with the default kubeadm cluster-admin context.
 allow_k8s_contexts('kubernetes-admin@kubernetes')
 
-# Note: the whole section below (to set up ngrok tunnels) is disabled,
-# because ngrok now requires to set up an account to serve HTML
-# content. So we can still use ngrok for e.g. webhooks and "raw" APIs,
-# but not to serve web pages like the Tilt UI.
+# This will run an ngrok tunnel to expose Tilt to the outside world.
+# This is intended to be used when Tilt runs on a remote machine.
+local_resource(name='ngrok:tunnel', serve_cmd='ngrok http 10350')
 
-# # This will run an ngrok tunnel to expose Tilt to the outside world.
-# # This is intended to be used when Tilt runs on a remote machine.
-# local_resource(name='ngrok:tunnel', serve_cmd='ngrok http 10350')
-
-# # This will wait until the ngrok tunnel is up, and show its URL to the user.
-# # We send the output to /dev/tty so that it doesn't get intercepted by
-# # Tilt, and gets displayed to the user's terminal instead.
-# # Note: this assumes that the ngrok instance will be running on port 4040.
-# # If you have other ngrok instances running on the machine, this might not work.
-# local_resource(name='ngrok:showurl', cmd='''
-#   while sleep 1; do
-#     TUNNELS=$(curl -fsSL http://localhost:4040/api/tunnels | jq -r .tunnels[].public_url)
-#     [ "$TUNNELS" ] && break
-#   done
-#   printf "\nYou should be able to connect to the Tilt UI with the following URL(s): %s\n" "$TUNNELS" >/dev/tty
-#   '''
-# )
+# This will wait until the ngrok tunnel is up, and show its URL to the user.
+# We send the output to /dev/tty so that it doesn't get intercepted by
+# Tilt, and gets displayed to the user's terminal instead.
+# Note: this assumes that the ngrok instance will be running on port 4040.
+# If you have other ngrok instances running on the machine, this might not work.
+local_resource(name='ngrok:showurl', cmd='''
+  while sleep 1; do
+    TUNNELS=$(curl -fsSL http://localhost:4040/api/tunnels | jq -r .tunnels[].public_url)
+    [ "$TUNNELS" ] && break
+  done
+  printf "\nYou should be able to connect to the Tilt UI with the following URL(s): %s\n" "$TUNNELS" >/dev/tty
+  '''
+)

k8s/dashboard-insecure.yaml

@@ -9,273 +9,377 @@ metadata:
 spec: {}
 status: {}
 ---
+---
+# Source: kubernetes-dashboard/templates/serviceaccount.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# kubernetes-dashboard-certs
 apiVersion: v1
 kind: Secret
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-certs
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# kubernetes-dashboard-csrf
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-csrf
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# kubernetes-dashboard-key-holder
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-key-holder
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/configmap.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
-data: null
 kind: ConfigMap
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-settings
-  namespace: kubernetes-dashboard
+data:
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: kubernetes-dashboard/templates/clusterrole-metrics.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  annotations: null
+  name: "kubernetes-dashboard-metrics"
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-  name: kubernetes-dashboard-metrics
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 rules:
-- apiGroups:
-  - metrics.k8s.io
-  resources:
-  - pods
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
+  # Allow Metrics Scraper to get metrics from the Metrics server
+  - apiGroups: ["metrics.k8s.io"]
+    resources: ["pods", "nodes"]
+    verbs: ["get", "list", "watch"]
 ---
+# Source: kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations: null
+  name: "kubernetes-dashboard-metrics"
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-  name: kubernetes-dashboard-metrics
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: kubernetes-dashboard-metrics
 subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/role.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 rules:
-- apiGroups:
-  - ""
-  resourceNames:
-  - kubernetes-dashboard-key-holder
-  - kubernetes-dashboard-certs
-  - kubernetes-dashboard-csrf
-  resources:
-  - secrets
-  verbs:
-  - get
-  - update
-  - delete
-- apiGroups:
-  - ""
-  resourceNames:
-  - kubernetes-dashboard-settings
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - update
-- apiGroups:
-  - ""
-  resourceNames:
-  - heapster
-  - dashboard-metrics-scraper
-  resources:
-  - services
-  verbs:
-  - proxy
-- apiGroups:
-  - ""
-  resourceNames:
-  - heapster
-  - 'http:heapster:'
-  - 'https:heapster:'
-  - dashboard-metrics-scraper
-  - http:dashboard-metrics-scraper
-  resources:
-  - services/proxy
-  verbs:
-  - get
+    # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+    verbs: ["get", "update", "delete"]
+    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["kubernetes-dashboard-settings"]
+    verbs: ["get", "update"]
+    # Allow Dashboard to get metrics.
+  - apiGroups: [""]
+    resources: ["services"]
+    resourceNames: ["heapster", "dashboard-metrics-scraper"]
+    verbs: ["proxy"]
+  - apiGroups: [""]
+    resources: ["services/proxy"]
+    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+    verbs: ["get"]
 ---
+# Source: kubernetes-dashboard/templates/rolebinding.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: kubernetes-dashboard
 subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/service.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-    kubernetes.io/cluster-service: "true"
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
-spec:
-  ports:
-  - name: http
-    port: 443
-    targetPort: http
-  selector:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
+  labels:
     app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: kubernetes-dashboard
+    kubernetes.io/cluster-service: "true"
+spec:
   type: NodePort
+  ports:
+  - port: 443
+    targetPort: http
+    name: http
+  selector:
+    app.kubernetes.io/name: kubernetes-dashboard
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/component: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/deployment.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: kubernetes-dashboard
 spec:
   replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: kubernetes-dashboard
-      app.kubernetes.io/instance: kubernetes-dashboard
-      app.kubernetes.io/name: kubernetes-dashboard
   strategy:
     rollingUpdate:
       maxSurge: 0
       maxUnavailable: 1
     type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-dashboard
+      app.kubernetes.io/instance: kubernetes-dashboard
+      app.kubernetes.io/component: kubernetes-dashboard
   template:
     metadata:
-      annotations: null
       labels:
-        app.kubernetes.io/component: kubernetes-dashboard
-        app.kubernetes.io/instance: kubernetes-dashboard
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kubernetes-dashboard
-        app.kubernetes.io/version: 2.7.0
-        helm.sh/chart: kubernetes-dashboard-6.0.0
+        helm.sh/chart: kubernetes-dashboard-5.0.2
+        app.kubernetes.io/instance: kubernetes-dashboard
+        app.kubernetes.io/version: "2.3.1"
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: kubernetes-dashboard
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: kubernetes-dashboard
       containers:
-      - args:
-        - --namespace=kubernetes-dashboard
-        - --sidecar-host=http://127.0.0.1:8000
-        - --enable-skip-login
-        - --enable-insecure-login
-        image: kubernetesui/dashboard:v2.7.0
+      - name: kubernetes-dashboard
+        image: "kubernetesui/dashboard:v2.3.1"
         imagePullPolicy: IfNotPresent
+        args:
+          - --namespace=kubernetes-dashboard
+          - --metrics-provider=none
+          - --enable-skip-login
+          - --enable-insecure-login
+        ports:
+        - name: http
+          containerPort: 9090
+          protocol: TCP
+        volumeMounts:
+        - name: kubernetes-dashboard-certs
+          mountPath: /certs
+          # Create on-disk volume to store exec logs
+        - mountPath: /tmp
+          name: tmp-volume
         livenessProbe:
           httpGet:
+            scheme: HTTP
             path: /
             port: 9090
-            scheme: HTTP
           initialDelaySeconds: 30
           timeoutSeconds: 30
-        name: kubernetes-dashboard
-        ports:
-        - containerPort: 9090
-          name: http
-          protocol: TCP
         resources:
           limits:
             cpu: 2
@@ -288,42 +392,102 @@ spec:
           readOnlyRootFilesystem: true
           runAsGroup: 2001
           runAsUser: 1001
-        volumeMounts:
-        - mountPath: /certs
-          name: kubernetes-dashboard-certs
-        - mountPath: /tmp
-          name: tmp-volume
-      - image: kubernetesui/metrics-scraper:v1.0.8
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /
-            port: 8000
-            scheme: HTTP
-          initialDelaySeconds: 30
-          timeoutSeconds: 30
-        name: dashboard-metrics-scraper
-        ports:
-        - containerPort: 8000
-          protocol: TCP
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          runAsGroup: 2001
-          runAsUser: 1001
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp-volume
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      serviceAccountName: kubernetes-dashboard
       volumes:
       - name: kubernetes-dashboard-certs
         secret:
           secretName: kubernetes-dashboard-certs
-      - emptyDir: {}
-        name: tmp-volume
+      - name: tmp-volume
+        emptyDir: {}
+---
+# Source: kubernetes-dashboard/templates/clusterrole-readonly.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/ingress.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/networkpolicy.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/pdb.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/psp.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

k8s/dashboard-recommended.yaml

@@ -9,272 +9,376 @@ metadata:
 spec: {}
 status: {}
 ---
+---
+# Source: kubernetes-dashboard/templates/serviceaccount.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# kubernetes-dashboard-certs
 apiVersion: v1
 kind: Secret
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-certs
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# kubernetes-dashboard-csrf
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-csrf
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# kubernetes-dashboard-key-holder
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-key-holder
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/configmap.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
-data: null
 kind: ConfigMap
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-settings
-  namespace: kubernetes-dashboard
+data:
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: kubernetes-dashboard/templates/clusterrole-metrics.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  annotations: null
+  name: "kubernetes-dashboard-metrics"
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-  name: kubernetes-dashboard-metrics
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 rules:
-- apiGroups:
-  - metrics.k8s.io
-  resources:
-  - pods
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
+  # Allow Metrics Scraper to get metrics from the Metrics server
+  - apiGroups: ["metrics.k8s.io"]
+    resources: ["pods", "nodes"]
+    verbs: ["get", "list", "watch"]
 ---
+# Source: kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations: null
+  name: "kubernetes-dashboard-metrics"
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-  name: kubernetes-dashboard-metrics
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: kubernetes-dashboard-metrics
 subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/role.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 rules:
-- apiGroups:
-  - ""
-  resourceNames:
-  - kubernetes-dashboard-key-holder
-  - kubernetes-dashboard-certs
-  - kubernetes-dashboard-csrf
-  resources:
-  - secrets
-  verbs:
-  - get
-  - update
-  - delete
-- apiGroups:
-  - ""
-  resourceNames:
-  - kubernetes-dashboard-settings
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - update
-- apiGroups:
-  - ""
-  resourceNames:
-  - heapster
-  - dashboard-metrics-scraper
-  resources:
-  - services
-  verbs:
-  - proxy
-- apiGroups:
-  - ""
-  resourceNames:
-  - heapster
-  - 'http:heapster:'
-  - 'https:heapster:'
-  - dashboard-metrics-scraper
-  - http:dashboard-metrics-scraper
-  resources:
-  - services/proxy
-  verbs:
-  - get
+    # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+    verbs: ["get", "update", "delete"]
+    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["kubernetes-dashboard-settings"]
+    verbs: ["get", "update"]
+    # Allow Dashboard to get metrics.
+  - apiGroups: [""]
+    resources: ["services"]
+    resourceNames: ["heapster", "dashboard-metrics-scraper"]
+    verbs: ["proxy"]
+  - apiGroups: [""]
+    resources: ["services/proxy"]
+    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+    verbs: ["get"]
 ---
+# Source: kubernetes-dashboard/templates/rolebinding.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: kubernetes-dashboard
 subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/service.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-    kubernetes.io/cluster-service: "true"
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
-spec:
-  ports:
-  - name: https
-    port: 443
-    targetPort: https
-  selector:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
+  labels:
     app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: kubernetes-dashboard
+    kubernetes.io/cluster-service: "true"
+spec:
   type: ClusterIP
+  ports:
+  - port: 443
+    targetPort: https
+    name: https
+  selector:
+    app.kubernetes.io/name: kubernetes-dashboard
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/component: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/deployment.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: kubernetes-dashboard
 spec:
   replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: kubernetes-dashboard
-      app.kubernetes.io/instance: kubernetes-dashboard
-      app.kubernetes.io/name: kubernetes-dashboard
   strategy:
     rollingUpdate:
       maxSurge: 0
       maxUnavailable: 1
     type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-dashboard
+      app.kubernetes.io/instance: kubernetes-dashboard
+      app.kubernetes.io/component: kubernetes-dashboard
   template:
     metadata:
-      annotations: null
       labels:
-        app.kubernetes.io/component: kubernetes-dashboard
-        app.kubernetes.io/instance: kubernetes-dashboard
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kubernetes-dashboard
-        app.kubernetes.io/version: 2.7.0
-        helm.sh/chart: kubernetes-dashboard-6.0.0
+        helm.sh/chart: kubernetes-dashboard-5.0.2
+        app.kubernetes.io/instance: kubernetes-dashboard
+        app.kubernetes.io/version: "2.3.1"
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: kubernetes-dashboard
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: kubernetes-dashboard
       containers:
-      - args:
-        - --namespace=kubernetes-dashboard
-        - --auto-generate-certificates
-        - --sidecar-host=http://127.0.0.1:8000
-        image: kubernetesui/dashboard:v2.7.0
+      - name: kubernetes-dashboard
+        image: "kubernetesui/dashboard:v2.3.1"
         imagePullPolicy: IfNotPresent
+        args:
+          - --namespace=kubernetes-dashboard
+          - --auto-generate-certificates
+          - --metrics-provider=none
+        ports:
+        - name: https
+          containerPort: 8443
+          protocol: TCP
+        volumeMounts:
+        - name: kubernetes-dashboard-certs
+          mountPath: /certs
+          # Create on-disk volume to store exec logs
+        - mountPath: /tmp
+          name: tmp-volume
         livenessProbe:
           httpGet:
+            scheme: HTTPS
             path: /
             port: 8443
-            scheme: HTTPS
           initialDelaySeconds: 30
           timeoutSeconds: 30
-        name: kubernetes-dashboard
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
         resources:
           limits:
             cpu: 2
@@ -287,39 +391,99 @@ spec:
           readOnlyRootFilesystem: true
           runAsGroup: 2001
           runAsUser: 1001
-        volumeMounts:
-        - mountPath: /certs
-          name: kubernetes-dashboard-certs
-        - mountPath: /tmp
-          name: tmp-volume
-      - image: kubernetesui/metrics-scraper:v1.0.8
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /
-            port: 8000
-            scheme: HTTP
-          initialDelaySeconds: 30
-          timeoutSeconds: 30
-        name: dashboard-metrics-scraper
-        ports:
-        - containerPort: 8000
-          protocol: TCP
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          runAsGroup: 2001
-          runAsUser: 1001
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp-volume
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      serviceAccountName: kubernetes-dashboard
       volumes:
       - name: kubernetes-dashboard-certs
         secret:
           secretName: kubernetes-dashboard-certs
-      - emptyDir: {}
-        name: tmp-volume
+      - name: tmp-volume
+        emptyDir: {}
+---
+# Source: kubernetes-dashboard/templates/clusterrole-readonly.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/ingress.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/networkpolicy.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/pdb.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/psp.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

k8s/dashboard-with-token.yaml

@@ -9,272 +9,376 @@ metadata:
 spec: {}
 status: {}
 ---
+---
+# Source: kubernetes-dashboard/templates/serviceaccount.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# kubernetes-dashboard-certs
 apiVersion: v1
 kind: Secret
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-certs
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# kubernetes-dashboard-csrf
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-csrf
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/secret.yaml
+# kubernetes-dashboard-key-holder
 apiVersion: v1
 kind: Secret
 metadata:
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-key-holder
-  namespace: kubernetes-dashboard
 type: Opaque
 ---
+# Source: kubernetes-dashboard/templates/configmap.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
-data: null
 kind: ConfigMap
 metadata:
-  annotations: null
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
   name: kubernetes-dashboard-settings
-  namespace: kubernetes-dashboard
+data:
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: kubernetes-dashboard/templates/clusterrole-metrics.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  annotations: null
+  name: "kubernetes-dashboard-metrics"
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-  name: kubernetes-dashboard-metrics
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 rules:
-- apiGroups:
-  - metrics.k8s.io
-  resources:
-  - pods
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
+  # Allow Metrics Scraper to get metrics from the Metrics server
+  - apiGroups: ["metrics.k8s.io"]
+    resources: ["pods", "nodes"]
+    verbs: ["get", "list", "watch"]
 ---
+# Source: kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  annotations: null
+  name: "kubernetes-dashboard-metrics"
   labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-  name: kubernetes-dashboard-metrics
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: kubernetes-dashboard-metrics
 subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/role.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 rules:
-- apiGroups:
-  - ""
-  resourceNames:
-  - kubernetes-dashboard-key-holder
-  - kubernetes-dashboard-certs
-  - kubernetes-dashboard-csrf
-  resources:
-  - secrets
-  verbs:
-  - get
-  - update
-  - delete
-- apiGroups:
-  - ""
-  resourceNames:
-  - kubernetes-dashboard-settings
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - update
-- apiGroups:
-  - ""
-  resourceNames:
-  - heapster
-  - dashboard-metrics-scraper
-  resources:
-  - services
-  verbs:
-  - proxy
-- apiGroups:
-  - ""
-  resourceNames:
-  - heapster
-  - 'http:heapster:'
-  - 'https:heapster:'
-  - dashboard-metrics-scraper
-  - http:dashboard-metrics-scraper
-  resources:
-  - services/proxy
-  verbs:
-  - get
+    # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+    verbs: ["get", "update", "delete"]
+    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["kubernetes-dashboard-settings"]
+    verbs: ["get", "update"]
+    # Allow Dashboard to get metrics.
+  - apiGroups: [""]
+    resources: ["services"]
+    resourceNames: ["heapster", "dashboard-metrics-scraper"]
+    verbs: ["proxy"]
+  - apiGroups: [""]
+    resources: ["services/proxy"]
+    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+    verbs: ["get"]
 ---
+# Source: kubernetes-dashboard/templates/rolebinding.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: kubernetes-dashboard
 subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/service.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: Service
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
-    kubernetes.io/cluster-service: "true"
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
-spec:
-  ports:
-  - name: https
-    port: 443
-    targetPort: https
-  selector:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
+  labels:
     app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: kubernetes-dashboard
+    kubernetes.io/cluster-service: "true"
+spec:
   type: NodePort
+  ports:
+  - port: 443
+    targetPort: https
+    name: https
+  selector:
+    app.kubernetes.io/name: kubernetes-dashboard
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/component: kubernetes-dashboard
 ---
+# Source: kubernetes-dashboard/templates/deployment.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/component: kubernetes-dashboard
-    app.kubernetes.io/instance: kubernetes-dashboard
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kubernetes-dashboard
-    app.kubernetes.io/version: 2.7.0
-    helm.sh/chart: kubernetes-dashboard-6.0.0
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  labels:
+    app.kubernetes.io/name: kubernetes-dashboard
+    helm.sh/chart: kubernetes-dashboard-5.0.2
+    app.kubernetes.io/instance: kubernetes-dashboard
+    app.kubernetes.io/version: "2.3.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: kubernetes-dashboard
 spec:
   replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: kubernetes-dashboard
-      app.kubernetes.io/instance: kubernetes-dashboard
-      app.kubernetes.io/name: kubernetes-dashboard
   strategy:
     rollingUpdate:
       maxSurge: 0
       maxUnavailable: 1
     type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-dashboard
+      app.kubernetes.io/instance: kubernetes-dashboard
+      app.kubernetes.io/component: kubernetes-dashboard
   template:
     metadata:
-      annotations: null
       labels:
-        app.kubernetes.io/component: kubernetes-dashboard
-        app.kubernetes.io/instance: kubernetes-dashboard
-        app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kubernetes-dashboard
-        app.kubernetes.io/version: 2.7.0
-        helm.sh/chart: kubernetes-dashboard-6.0.0
+        helm.sh/chart: kubernetes-dashboard-5.0.2
+        app.kubernetes.io/instance: kubernetes-dashboard
+        app.kubernetes.io/version: "2.3.1"
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: kubernetes-dashboard
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: kubernetes-dashboard
       containers:
-      - args:
-        - --namespace=kubernetes-dashboard
-        - --auto-generate-certificates
-        - --sidecar-host=http://127.0.0.1:8000
-        image: kubernetesui/dashboard:v2.7.0
+      - name: kubernetes-dashboard
+        image: "kubernetesui/dashboard:v2.3.1"
         imagePullPolicy: IfNotPresent
+        args:
+          - --namespace=kubernetes-dashboard
+          - --auto-generate-certificates
+          - --metrics-provider=none
+        ports:
+        - name: https
+          containerPort: 8443
+          protocol: TCP
+        volumeMounts:
+        - name: kubernetes-dashboard-certs
+          mountPath: /certs
+          # Create on-disk volume to store exec logs
+        - mountPath: /tmp
+          name: tmp-volume
         livenessProbe:
           httpGet:
+            scheme: HTTPS
             path: /
             port: 8443
-            scheme: HTTPS
           initialDelaySeconds: 30
           timeoutSeconds: 30
-        name: kubernetes-dashboard
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
         resources:
           limits:
             cpu: 2
@@ -287,42 +391,102 @@ spec:
           readOnlyRootFilesystem: true
           runAsGroup: 2001
           runAsUser: 1001
-        volumeMounts:
-        - mountPath: /certs
-          name: kubernetes-dashboard-certs
-        - mountPath: /tmp
-          name: tmp-volume
-      - image: kubernetesui/metrics-scraper:v1.0.8
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /
-            port: 8000
-            scheme: HTTP
-          initialDelaySeconds: 30
-          timeoutSeconds: 30
-        name: dashboard-metrics-scraper
-        ports:
-        - containerPort: 8000
-          protocol: TCP
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          runAsGroup: 2001
-          runAsUser: 1001
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp-volume
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-      serviceAccountName: kubernetes-dashboard
       volumes:
       - name: kubernetes-dashboard-certs
         secret:
           secretName: kubernetes-dashboard-certs
-      - emptyDir: {}
-        name: tmp-volume
+      - name: tmp-volume
+        emptyDir: {}
+---
+# Source: kubernetes-dashboard/templates/clusterrole-readonly.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/ingress.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/networkpolicy.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/pdb.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Source: kubernetes-dashboard/templates/psp.yaml
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -344,12 +508,3 @@ metadata:
   creationTimestamp: null
   name: cluster-admin
   namespace: kubernetes-dashboard
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
-  name: cluster-admin-token
-  namespace: kubernetes-dashboard
-  annotations:
-    kubernetes.io/service-account.name: cluster-admin

k8s/kyverno-ingress-domain-name-2b.yaml

@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: ingress-domain-name
-spec:
-  rules:
-  - name: create-ingress
-    match:
-      resources: 
-        kinds:
-        - Service
-    preconditions:
-      - key: http
-        operator: In
-        value: "{{request.object.spec.ports[*].name}}"
-    generate: 
-      kind: Ingress
-      name: "{{request.object.metadata.name}}"
-      namespace: "{{request.object.metadata.namespace}}"
-      data:
-        spec:
-          rules:
-          - host: "{{request.object.metadata.name}}.{{request.object.metadata.namespace}}.A.B.C.D.nip.io"
-            http:
-              paths:
-              - backend:
-                  service:
-                    name: "{{request.object.metadata.name}}"
-                    port:
-                      name: http
-                path: /
-                pathType: Prefix

k8s/kyverno-ingress-domain-name-2c.yaml

@@ -1,34 +0,0 @@
-# Note: this policy uses the operator "AnyIn", which was introduced in Kyverno 1.6.
-# (This policy won't work with Kyverno 1.5!)
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: ingress-domain-name
-spec:
-  rules:
-  - name: create-ingress
-    match:
-      resources: 
-        kinds:
-        - Service
-    preconditions:
-      - key: "{{request.object.spec.ports[*].port}}"
-        operator: AnyIn
-        value: [ 80 ]
-    generate: 
-      kind: Ingress
-      name: "{{request.object.metadata.name}}"
-      namespace: "{{request.object.metadata.namespace}}"
-      data:
-        spec:
-          rules:
-          - host: "{{request.object.metadata.name}}.{{request.object.metadata.namespace}}.A.B.C.D.nip.io"
-            http:
-              paths:
-              - backend:
-                  service:
-                    name: "{{request.object.metadata.name}}"
-                    port:
-                      name: http
-                path: /
-                pathType: Prefix

k8s/kyverno-pod-color-2.yaml

@@ -15,10 +15,10 @@ spec:
     - key: "{{ request.operation }}"
       operator: Equals
       value: UPDATE
-    - key: "{{ request.oldObject.metadata.labels.color || '' }}"
+    - key: "{{ request.oldObject.metadata.labels.color }}"
       operator: NotEquals
       value: ""
-    - key: "{{ request.object.metadata.labels.color || '' }}"
+    - key: "{{ request.object.metadata.labels.color }}"
       operator: NotEquals
       value: ""
     validate:

k8s/kyverno-pod-color-3.yaml

@@ -15,10 +15,10 @@ spec:
     - key: "{{ request.operation }}"
       operator: Equals
       value: UPDATE
-    - key: "{{ request.oldObject.metadata.labels.color || '' }}"
+    - key: "{{ request.oldObject.metadata.labels.color }}"
       operator: NotEquals
       value: ""
-    - key: "{{ request.object.metadata.labels.color || '' }}"
+    - key: "{{ request.object.metadata.labels.color }}"
       operator: Equals
       value: ""
     validate:

k8s/pizza-1.yaml

@@ -1,14 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: pizzas.container.training
-spec:
-  group: container.training
-  version: v1alpha1
-  scope: Namespaced
-  names:
-    plural: pizzas
-    singular: pizza
-    kind: Pizza
-    shortNames:
-    - piz

k8s/pizza-2.yaml

@@ -1,20 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: pizzas.container.training
-spec:
-  group: container.training
-  scope: Namespaced
-  names:
-    plural: pizzas
-    singular: pizza
-    kind: Pizza
-    shortNames:
-    - piz
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-    schema:
-      openAPIV3Schema:
-        type: object

k8s/pizza-3.yaml

@@ -1,32 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: pizzas.container.training
-spec:
-  group: container.training
-  scope: Namespaced
-  names:
-    plural: pizzas
-    singular: pizza
-    kind: Pizza
-    shortNames:
-    - piz
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-    schema:
-      openAPIV3Schema:
-        type: object
-        required: [ spec ]
-        properties:
-          spec:
-            type: object
-            required: [ sauce, toppings ]
-            properties:
-              sauce:
-                type: string
-              toppings:
-                type: array
-                items:
-                  type: string

k8s/pizza-4.yaml

@@ -1,39 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: pizzas.container.training
-spec:
-  group: container.training
-  scope: Namespaced
-  names:
-    plural: pizzas
-    singular: pizza
-    kind: Pizza
-    shortNames:
-    - piz
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-    schema:
-      openAPIV3Schema:
-        type: object
-        required: [ spec ]
-        properties:
-          spec:
-            type: object
-            required: [ sauce, toppings ]
-            properties:
-              sauce:
-                type: string
-              toppings:
-                type: array
-                items:
-                  type: string
-    additionalPrinterColumns:
-    - jsonPath: .spec.sauce
-      name: Sauce
-      type: string
-    - jsonPath: .spec.toppings
-      name: Toppings
-      type: string

k8s/pizza-5.yaml

@@ -1,40 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: pizzas.container.training
-spec:
-  group: container.training
-  scope: Namespaced
-  names:
-    plural: pizzas
-    singular: pizza
-    kind: Pizza
-    shortNames:
-    - piz
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-    schema:
-      openAPIV3Schema:
-        type: object
-        required: [ spec ]
-        properties:
-          spec:
-            type: object
-            required: [ sauce, toppings ]
-            properties:
-              sauce:
-                type: string
-                enum: [ red, white ]
-              toppings:
-                type: array
-                items:
-                  type: string
-    additionalPrinterColumns:
-    - jsonPath: .spec.sauce
-      name: Sauce
-      type: string
-    - jsonPath: .spec.toppings
-      name: Toppings
-      type: string

k8s/pizzas.yaml

@@ -1,45 +0,0 @@
----
-apiVersion: container.training/v1alpha1
-kind: Pizza
-metadata:
-  name: margherita
-spec:
-  sauce: red
-  toppings:
-    - mozarella
-    - basil
----
-apiVersion: container.training/v1alpha1
-kind: Pizza
-metadata:
-  name: quatrostagioni
-spec:
-  sauce: red
-  toppings:
-    - artichoke
-    - basil
-    - mushrooms
-    - prosciutto
----
-apiVersion: container.training/v1alpha1
-kind: Pizza
-metadata:
-  name: mehl31
-spec:
-  sauce: white
-  toppings:
-    - goatcheese
-    - pear
-    - walnuts
-    - mozzarella
-    - rosemary
-    - honey
----
-apiVersion: container.training/v1alpha1
-kind: Pizza
-metadata:
-  name: brownie
-spec:
-  sauce: chocolate
-  toppings:
-    - nuts

k8s/update-dashboard-yaml.sh

@@ -5,34 +5,25 @@ banner() {
   echo "#"
 }
 
-create_namespace() {
+namespace() {
   # 'helm template --namespace ... --create-namespace'
   # doesn't create the namespace, so we need to create it.
-  # https://github.com/helm/helm/issues/9813
   echo ---
   kubectl create namespace kubernetes-dashboard \
           -o yaml --dry-run=client
   echo ---
 }
 
-add_namespace() {
-  # 'helm template --namespace ...' doesn't add namespace information,
-  # so we do it with this convenient filter instead.
-  # https://github.com/helm/helm/issues/10737
-  kubectl create -f- -o yaml --dry-run=client --namespace kubernetes-dashboard
-}
-
 (
   banner
-  create_namespace
+  namespace
   helm template kubernetes-dashboard kubernetes-dashboard \
        --repo https://kubernetes.github.io/dashboard/ \
        --create-namespace --namespace kubernetes-dashboard \
        --set "extraArgs={--enable-skip-login,--enable-insecure-login}" \
-       --set metricsScraper.enabled=true \
        --set protocolHttp=true \
        --set service.type=NodePort \
-       | add_namespace
+       #
   echo ---
   kubectl create clusterrolebinding kubernetes-dashboard:insecure \
           --clusterrole=cluster-admin \
@@ -43,23 +34,21 @@ add_namespace() {
 
 (
   banner
-  create_namespace
+  namespace
   helm template kubernetes-dashboard kubernetes-dashboard \
        --repo https://kubernetes.github.io/dashboard/ \
        --create-namespace --namespace kubernetes-dashboard \
-       --set metricsScraper.enabled=true \
-       | add_namespace
+       #
 ) > dashboard-recommended.yaml
 
 (
   banner
-  create_namespace
+  namespace
   helm template kubernetes-dashboard kubernetes-dashboard \
        --repo https://kubernetes.github.io/dashboard/ \
        --create-namespace --namespace kubernetes-dashboard \
-       --set metricsScraper.enabled=true \
        --set service.type=NodePort \
-       | add_namespace
+       #
   echo ---
   kubectl create clusterrolebinding kubernetes-dashboard:cluster-admin \
           --clusterrole=cluster-admin \
@@ -70,15 +59,4 @@ add_namespace() {
   kubectl create serviceaccount -n kubernetes-dashboard cluster-admin \
           -o yaml --dry-run=client \
           # 
-  echo ---
-  cat <<EOF
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
-  name: cluster-admin-token
-  namespace: kubernetes-dashboard
-  annotations:
-    kubernetes.io/service-account.name: cluster-admin
-EOF
 ) > dashboard-with-token.yaml

k8s/ytt/1-variables/app.yaml

@@ -1,164 +0,0 @@
-#! Define and use variables.
----
-#@ repository = "dockercoins"
-#@ tag = "v0.1"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: hasher
-  name: hasher
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: hasher
-  template:
-    metadata:
-      labels:
-        app: hasher
-    spec:
-      containers:
-      - image: #@ "{}/hasher:{}".format(repository, tag)
-        name: hasher
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: hasher
-  name: hasher
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: hasher
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: redis
-  name: redis
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: redis
-  template:
-    metadata:
-      labels:
-        app: redis
-    spec:
-      containers:
-      - image: redis
-        name: redis
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: redis
-  name: redis
-spec:
-  ports:
-  - port: 6379
-    protocol: TCP
-    targetPort: 6379
-  selector:
-    app: redis
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: rng
-  name: rng
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: rng
-  template:
-    metadata:
-      labels:
-        app: rng
-    spec:
-      containers:
-      - image: #@ "{}/rng:{}".format(repository, tag)
-        name: rng
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: rng
-  name: rng
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: rng
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: webui
-  name: webui
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: webui
-  template:
-    metadata:
-      labels:
-        app: webui
-    spec:
-      containers:
-      - image: #@ "{}/webui:{}".format(repository, tag)
-        name: webui
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: webui
-  name: webui
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: webui
-  type: NodePort
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: worker
-  name: worker
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: worker
-  template:
-    metadata:
-      labels:
-        app: worker
-    spec:
-      containers:
-      - image: #@ "{}/worker:{}".format(repository, tag)
-        name: worker

k8s/ytt/2-functions/app.yaml

@@ -1,167 +0,0 @@
-#! Define and use a function to set the deployment image.
----
-#@ repository = "dockercoins"
-#@ tag = "v0.1"
-#@ def image(component):
-#@   return "{}/{}:{}".format(repository, component, tag)
-#@ end
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: hasher
-  name: hasher
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: hasher
-  template:
-    metadata:
-      labels:
-        app: hasher
-    spec:
-      containers:
-      - image: #@ image("hasher")
-        name: hasher
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: hasher
-  name: hasher
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: hasher
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: redis
-  name: redis
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: redis
-  template:
-    metadata:
-      labels:
-        app: redis
-    spec:
-      containers:
-      - image: redis
-        name: redis
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: redis
-  name: redis
-spec:
-  ports:
-  - port: 6379
-    protocol: TCP
-    targetPort: 6379
-  selector:
-    app: redis
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: rng
-  name: rng
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: rng
-  template:
-    metadata:
-      labels:
-        app: rng
-    spec:
-      containers:
-      - image: #@ image("rng")
-        name: rng
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: rng
-  name: rng
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: rng
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: webui
-  name: webui
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: webui
-  template:
-    metadata:
-      labels:
-        app: webui
-    spec:
-      containers:
-      - image: #@ image("webui")
-        name: webui
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: webui
-  name: webui
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: webui
-  type: NodePort
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: worker
-  name: worker
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: worker
-  template:
-    metadata:
-      labels:
-        app: worker
-    spec:
-      containers:
-      - image: #@ image("worker")
-        name: worker

k8s/ytt/3-labels/app.yaml

@@ -1,164 +0,0 @@
-#! Define and use functions, demonstrating how to generate labels.
----
-#@ repository = "dockercoins"
-#@ tag = "v0.1"
-#@ def image(component):
-#@   return "{}/{}:{}".format(repository, component, tag)
-#@ end
-#@ def labels(component):
-#@   return {
-#@     "app": component,
-#@     "container.training/generated-by": "ytt",
-#@   }
-#@ end
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("hasher")
-  name: hasher
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: hasher
-  template:
-    metadata:
-      labels:
-        app: hasher
-    spec:
-      containers:
-      - image: #@ image("hasher")
-        name: hasher
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels: #@ labels("hasher")
-  name: hasher
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: hasher
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("redis")
-  name: redis
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: redis
-  template:
-    metadata:
-      labels:
-        app: redis
-    spec:
-      containers:
-      - image: redis
-        name: redis
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels: #@ labels("redis")
-  name: redis
-spec:
-  ports:
-  - port: 6379
-    protocol: TCP
-    targetPort: 6379
-  selector:
-    app: redis
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("rng")
-  name: rng
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: rng
-  template:
-    metadata:
-      labels:
-        app: rng
-    spec:
-      containers:
-      - image: #@ image("rng")
-        name: rng
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels: #@ labels("rng")
-  name: rng
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: rng
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("webui")
-  name: webui
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: webui
-  template:
-    metadata:
-      labels:
-        app: webui
-    spec:
-      containers:
-      - image: #@ image("webui")
-        name: webui
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels: #@ labels("webui")
-  name: webui
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: webui
-  type: NodePort
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("worker")
-  name: worker
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: worker
-  template:
-    metadata:
-      labels:
-        app: worker
-    spec:
-      containers:
-      - image: #@ image("worker")
-        name: worker

k8s/ytt/4-data/app.yaml

@@ -1,162 +0,0 @@
----
-#@ load("@ytt:data", "data")
-#@ def image(component):
-#@   return "{}/{}:{}".format(data.values.repository, component, data.values.tag)
-#@ end
-#@ def labels(component):
-#@   return {
-#@     "app": component,
-#@     "container.training/generated-by": "ytt",
-#@   }
-#@ end
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("hasher")
-  name: hasher
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: hasher
-  template:
-    metadata:
-      labels:
-        app: hasher
-    spec:
-      containers:
-      - image: #@ image("hasher")
-        name: hasher
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels: #@ labels("hasher")
-  name: hasher
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: hasher
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("redis")
-  name: redis
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: redis
-  template:
-    metadata:
-      labels:
-        app: redis
-    spec:
-      containers:
-      - image: redis
-        name: redis
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels: #@ labels("redis")
-  name: redis
-spec:
-  ports:
-  - port: 6379
-    protocol: TCP
-    targetPort: 6379
-  selector:
-    app: redis
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("rng")
-  name: rng
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: rng
-  template:
-    metadata:
-      labels:
-        app: rng
-    spec:
-      containers:
-      - image: #@ image("rng")
-        name: rng
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels: #@ labels("rng")
-  name: rng
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: rng
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("webui")
-  name: webui
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: webui
-  template:
-    metadata:
-      labels:
-        app: webui
-    spec:
-      containers:
-      - image: #@ image("webui")
-        name: webui
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels: #@ labels("webui")
-  name: webui
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: webui
-  type: NodePort
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: #@ labels("worker")
-  name: worker
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: worker
-  template:
-    metadata:
-      labels:
-        app: worker
-    spec:
-      containers:
-      - image: #@ image("worker")
-        name: worker

k8s/ytt/4-data/schema.yaml

@@ -1,4 +0,0 @@
-#@data/values-schema
----
-repository: dockercoins
-tag: v0.1

k8s/ytt/5-factor/app.yaml

@@ -1,54 +0,0 @@
----
-#@ load("@ytt:data", "data")
----
-#@ def Deployment(component, repository=data.values.repository, tag=data.values.tag):
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: #@ component
-    container.training/generated-by: ytt
-  name: #@ component
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: #@ component
-  template:
-    metadata:
-      labels:
-        app: #@ component
-    spec:
-      containers:
-      - image: #@ repository + "/" + component + ":" + tag
-        name: #@ component
-#@ end
----
-#@ def Service(component, port=80, type="ClusterIP"):
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: #@ component
-    container.training/generated-by: ytt
-  name: #@ component
-spec:
-  ports:
-  - port: #@ port
-    protocol: TCP
-    targetPort: #@ port
-  selector:
-    app: #@ component
-  type: #@ type
-#@ end
----
---- #@ Deployment("hasher")
---- #@ Service("hasher")
---- #@ Deployment("redis", repository="library", tag="latest")
---- #@ Service("redis", port=6379)
---- #@ Deployment("rng")
---- #@ Service("rng")
---- #@ Deployment("webui")
---- #@ Service("webui", type="NodePort")
---- #@ Deployment("worker")
----

k8s/ytt/5-factor/schema.yaml

@@ -1,4 +0,0 @@
-#@data/values-schema
----
-repository: dockercoins
-tag: v0.1

k8s/ytt/6-template/app.yaml

@@ -1,56 +0,0 @@
----
-#@ load("@ytt:data", "data")
-#@ load("@ytt:template", "template")
----
-#@ def component(name, repository=data.values.repository, tag=data.values.tag, port=None, type="ClusterIP"):
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: #@ name
-    container.training/generated-by: ytt
-  name: #@ name
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: #@ name
-  template:
-    metadata:
-      labels:
-        app: #@ name
-    spec:
-      containers:
-      - image: #@ repository + "/" + name + ":" + tag
-        name: #@ name
-        #@ if/end port==80:
-        readinessProbe:
-          httpGet:
-            port: #@ port
-#@ if port != None:
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: #@ name
-    container.training/generated-by: ytt
-  name: #@ name
-spec:
-  ports:
-  - port: #@ port
-    protocol: TCP
-    targetPort: #@ port
-  selector:
-    app: #@ name
-  type: #@ type
-#@ end
-#@ end
----
---- #@ template.replace(component("hasher", port=80))
---- #@ template.replace(component("redis", repository="library", tag="latest", port=6379))
---- #@ template.replace(component("rng", port=80))
---- #@ template.replace(component("webui", port=80, type="NodePort"))
---- #@ template.replace(component("worker"))
----

k8s/ytt/6-template/schema.yaml

@@ -1,4 +0,0 @@
-#@data/values-schema
----
-repository: dockercoins
-tag: v0.1

k8s/ytt/7-morevalues/app.yaml

@@ -1,65 +0,0 @@
----
-#@ load("@ytt:data", "data")
-#@ load("@ytt:template", "template")
----
-#@ def component(name, repository, tag, port=None, type="ClusterIP"):
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: #@ name
-    container.training/generated-by: ytt
-  name: #@ name
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: #@ name
-  template:
-    metadata:
-      labels:
-        app: #@ name
-    spec:
-      containers:
-      - image: #@ repository + "/" + name + ":" + tag
-        name: #@ name
-        #@ if/end port==80:
-        readinessProbe:
-          httpGet:
-            port: #@ port
-#@ if port != None:
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: #@ name
-    container.training/generated-by: ytt
-  name: #@ name
-spec:
-  ports:
-  - port: #@ port
-    protocol: TCP
-    targetPort: #@ port
-  selector:
-    app: #@ name
-  type: #@ type
-#@ end
-#@ end
----
-#@ defaults = {}
-#@ for name in data.values:
-#@   if name.startswith("_"):
-#@     defaults.update(data.values[name])
-#@   end
-#@ end
----
-#@ for name in data.values:
-#@   if not name.startswith("_"):
-#@     values = dict(name=name)
-#@     values.update(defaults)
-#@     values.update(data.values[name])
---- #@ template.replace(component(**values))
-#@   end
-#@ end

k8s/ytt/7-morevalues/schema.yaml

@@ -1,19 +0,0 @@
-#@data/values-schema
-#! Entries starting with an underscore will hold default values.
-#! Entires NOT starting with an underscore will generate a Deployment
-#! (and a Service if a port number is set).
----
-_default_:
-  repository: dockercoins
-  tag: v0.1
-hasher:
-  port: 80
-redis:
-  repository: library
-  tag: latest
-rng:
-  port: 80
-webui:
-  port: 80
-  type: NodePort
-worker: {}

k8s/ytt/8-library/_ytt_lib/component/deployment.yaml

@@ -1,26 +0,0 @@
-#@ load("@ytt:data", "data")
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: #@ data.values.name
-    container.training/generated-by: ytt
-  name: #@ data.values.name
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: #@ data.values.name
-  template:
-    metadata:
-      labels:
-        app: #@ data.values.name
-    spec:
-      containers:
-      - image: #@ data.values.repository + "/" + data.values.name + ":" + data.values.tag
-        name: #@ data.values.name
-        #@ if/end data.values.port==80:
-        readinessProbe:
-          httpGet:
-            port: #@ data.values.port

k8s/ytt/8-library/_ytt_lib/component/schema.yaml

@@ -1,7 +0,0 @@
-#@data/values-schema
----
-name: component
-repository: dockercoins
-tag: v0.1
-port: 0
-type: ClusterIP

k8s/ytt/8-library/_ytt_lib/component/service.yaml

@@ -1,19 +0,0 @@
-#@ load("@ytt:data", "data")
-#@ if data.values.port > 0:
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: #@ data.values.name
-    container.training/generated-by: ytt
-  name: #@ data.values.name
-spec:
-  ports:
-  - port: #@ data.values.port
-    protocol: TCP
-    targetPort: #@ data.values.port
-  selector:
-    app: #@ data.values.name
-  type: #@ data.values.type
-#@ end

k8s/ytt/8-library/app.yaml

@@ -1,20 +0,0 @@
-#@ load("@ytt:data", "data")
-#@ load("@ytt:library", "library")
-#@ load("@ytt:template", "template")
-#@ 
-#@ component = library.get("component")
-#@ 
-#@ defaults = {}
-#@ for name in data.values:
-#@   if name.startswith("_"):
-#@     defaults.update(data.values[name])
-#@   end
-#@ end
-#@ for name in data.values:
-#@   if not name.startswith("_"):
-#@     values = dict(name=name)
-#@     values.update(defaults)
-#@     values.update(data.values[name])
---- #@ template.replace(component.with_data_values(values).eval())
-#@   end
-#@ end

k8s/ytt/8-library/schema.yaml

@@ -1,19 +0,0 @@
-#@data/values-schema
-#! Entries starting with an underscore will hold default values.
-#! Entires NOT starting with an underscore will generate a Deployment
-#! (and a Service if a port number is set).
----
-_default_:
-  repository: dockercoins
-  tag: v0.1
-hasher:
-  port: 80
-redis:
-  repository: library
-  tag: latest
-rng:
-  port: 80
-webui:
-  port: 80
-  type: NodePort
-worker: {}

k8s/ytt/9-overlay/_ytt_lib/component/deployment.yaml

@@ -1,26 +0,0 @@
-#@ load("@ytt:data", "data")
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: #@ data.values.name
-    container.training/generated-by: ytt
-  name: #@ data.values.name
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: #@ data.values.name
-  template:
-    metadata:
-      labels:
-        app: #@ data.values.name
-    spec:
-      containers:
-      - image: #@ data.values.repository + "/" + data.values.name + ":" + data.values.tag
-        name: #@ data.values.name
-        #@ if/end data.values.port==80:
-        readinessProbe:
-          httpGet:
-            port: #@ data.values.port

k8s/ytt/9-overlay/_ytt_lib/component/schema.yaml

@@ -1,7 +0,0 @@
-#@data/values-schema
----
-name: component
-repository: dockercoins
-tag: v0.1
-port: 0
-type: ClusterIP

k8s/ytt/9-overlay/_ytt_lib/component/service.yaml

@@ -1,19 +0,0 @@
-#@ load("@ytt:data", "data")
-#@ if data.values.port > 0:
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: #@ data.values.name
-    container.training/generated-by: ytt
-  name: #@ data.values.name
-spec:
-  ports:
-  - port: #@ data.values.port
-    protocol: TCP
-    targetPort: #@ data.values.port
-  selector:
-    app: #@ data.values.name
-  type: #@ data.values.type
-#@ end

k8s/ytt/9-overlay/app.yaml

@@ -1,20 +0,0 @@
-#@ load("@ytt:data", "data")
-#@ load("@ytt:library", "library")
-#@ load("@ytt:template", "template")
-#@ 
-#@ component = library.get("component")
-#@ 
-#@ defaults = {}
-#@ for name in data.values:
-#@   if name.startswith("_"):
-#@     defaults.update(data.values[name])
-#@   end
-#@ end
-#@ for name in data.values:
-#@   if not name.startswith("_"):
-#@     values = dict(name=name)
-#@     values.update(defaults)
-#@     values.update(data.values[name])
---- #@ template.replace(component.with_data_values(values).eval())
-#@   end
-#@ end

k8s/ytt/9-overlay/rng-healthcheck.yaml

@@ -1,20 +0,0 @@
-#@ load("@ytt:overlay", "overlay")
-
-#@ def match():
-kind: Deployment
-metadata:
-  name: rng
-#@ end
-
-#@overlay/match by=overlay.subset(match())
----
-spec:
-  template:
-    spec:
-      containers:
-      #@overlay/match by="name"
-      - name: rng
-        readinessProbe:
-          httpGet:
-            #@overlay/match missing_ok=True
-            path: /1

k8s/ytt/9-overlay/schema.yaml

@@ -1,19 +0,0 @@
-#@data/values-schema
-#! Entries starting with an underscore will hold default values.
-#! Entires NOT starting with an underscore will generate a Deployment
-#! (and a Service if a port number is set).
----
-_default_:
-  repository: dockercoins
-  tag: v0.1
-hasher:
-  port: 80
-redis:
-  repository: library
-  tag: latest
-rng:
-  port: 80
-webui:
-  port: 80
-  type: NodePort
-worker: {}

k8s/ytt/9-overlay/worker-scaling.yaml

@@ -1,25 +0,0 @@
-#@ load("@ytt:overlay", "overlay")
-
-#@ def match():
-kind: Deployment
-metadata:
-  name: worker
-#@ end
-
-#! This removes the number of replicas:
-#@overlay/match by=overlay.subset(match())
----
-spec:
-  #@overlay/remove
-  replicas:
-
-#! This overrides it:
-#@overlay/match by=overlay.subset(match())
----
-spec:
-  #@overlay/match missing_ok=True
-  replicas: 10
-
-#! Note that it's not necessary to remove the number of replicas.
-#! We're just presenting both options here (for instance, you might
-#! want to remove the number of replicas if you're using an HPA).

netlify.toml

@@ -2,3 +2,4 @@
   base = "slides"
   publish = "slides"
   command = "./build.sh once"
+

prepare-local/provisioning.yml

@@ -1,10 +1,11 @@
 ---
 - hosts: nodes
-  become: yes
+  sudo: true
   vars_files:
     - vagrant.yml
 
   tasks:
+
     - name: clean up the home folder
       file:
         path: /home/vagrant/{{ item }}
@@ -23,23 +24,25 @@
 
     - name: installing dependencies
       apt:
-        name: apt-transport-https,ca-certificates,python3-pip,tmux
+        name: apt-transport-https,ca-certificates,python-pip,tmux
         state: present
         update_cache: true
 
     - name: fetching docker repo key
       apt_key:
-        url: https://download.docker.com/linux/ubuntu/gpg
-        state: present
+        keyserver: hkp://p80.pool.sks-keyservers.net:80
+        id: 58118E89F3A912897C070ADBF76221572C52609D
 
-    - name: adding docker repo
+    - name: adding package repos
       apt_repository:
-        repo: deb https://download.docker.com/linux/ubuntu focal stable
+        repo: "{{ item }}"
         state: present
+      with_items:
+        - deb https://apt.dockerproject.org/repo ubuntu-trusty main
 
     - name: installing docker
       apt:
-        name: docker-ce,docker-ce-cli,containerd.io,docker-compose-plugin
+        name: docker-engine
         state: present
         update_cache: true
 
@@ -53,7 +56,7 @@
       lineinfile:
         dest: /etc/default/docker
         line: DOCKER_OPTS="--host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:55555"
-        regexp: "^#?DOCKER_OPTS=.*$"
+        regexp: '^#?DOCKER_OPTS=.*$'
         state: present
       register: docker_opts
 
@@ -63,14 +66,22 @@
         state: restarted
       when: docker_opts is defined and docker_opts.changed
 
-    - name: install docker-compose from official github repo
-      get_url:
-        url: https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
-        dest: /usr/local/bin/docker-compose
-        mode: "u+x,g+x"
+    - name: performing pip autoupgrade
+      pip:
+        name: pip
+        state: latest
+
+    - name: installing virtualenv
+      pip:
+        name: virtualenv
+        state: latest
+
+    - name: Install Docker Compose via PIP
+      pip: name=docker-compose
 
     - name:
-      file: path="/usr/local/bin/docker-compose"
+      file:
+        path="/usr/local/bin/docker-compose"
         state=file
         mode=0755
         owner=vagrant
@@ -117,3 +128,5 @@
           line: "127.0.0.1 localhost {{ inventory_hostname }}"
         - regexp: '^127\.0\.1\.1'
           line: "127.0.1.1 {{ inventory_hostname }}"
+
+

prepare-local/vagrant.yml

@@ -1,12 +1,13 @@
 ---
 vagrant:
-  default_box: ubuntu/focal64
+  default_box: ubuntu/trusty64
   default_box_check_update: true
   ssh_insert_key: false
   min_memory: 256
   min_cores: 1
 
 instances:
+
   - hostname: node1
     private_ip: 10.10.10.10
     memory: 1512
@@ -36,3 +37,6 @@ instances:
     private_ip: 10.10.10.50
     memory: 512
     cores: 1
+
+
+

prepare-tf/README.md

@@ -53,7 +53,7 @@ The value of the `location` variable is provider-specific. Examples:
 | Provider      | Example value     | How to see possible values
 |---------------|-------------------|---------------------------
 | Digital Ocean | `ams3`            | `doctl compute region list`
-| Google Cloud  | `europe-north1-a` | `gcloud compute zones list`
+| Google Cloud  | `europe-north1-a` | `gcloud  compute zones list`
 | Linode        | `eu-central`      | `linode-cli regions list`
 | Oracle Cloud  | `eu-stockholm-1`  | `oci iam region list`
 
@@ -112,7 +112,7 @@ terraform init
 
 See steps above, and add the following extra steps:
 
-- Digital Ocean:
+- Digital Coean:
   ```bash
   export DIGITALOCEAN_ACCESS_TOKEN=$(grep ^access-token ~/.config/doctl/config.yaml | cut -d: -f2 | tr -d " ")
   ```

prepare-tf/run.sh

@@ -3,14 +3,6 @@ set -e
 
 TIME=$(which time)
 
-if [ -f ~/.config/doctl/config.yaml ]; then
-  export DIGITALOCEAN_ACCESS_TOKEN=$(grep ^access-token ~/.config/doctl/config.yaml | cut -d: -f2 | tr -d " ")
-fi
-
-if [ -f ~/.config/linode-cli ]; then
-  export LINODE_TOKEN=$(grep ^token ~/.config/linode-cli | cut -d= -f2 | tr -d " ")
-fi
-
 PROVIDER=$1
 [ "$PROVIDER" ] || {
   echo "Please specify a provider as first argument, or 'ALL' for parallel mode."

prepare-tf/source/locals.tf

@@ -1,6 +1,6 @@
 resource "random_string" "_" {
   length  = 4
-  numeric = false
+  number  = false
   special = false
   upper   = false
 }

prepare-tf/source/modules/digitalocean/variables.tf

@@ -53,5 +53,5 @@ variable "location" {
 # doctl kubernetes options versions -o json | jq -r .[].slug
 variable "k8s_version" {
   type    = string
-  default = "1.22.8-do.1"
+  default = "1.21.5-do.0"
 }

prepare-tf/source/modules/linode/main.tf

@@ -3,7 +3,7 @@ resource "linode_lke_cluster" "_" {
   tags  = var.common_tags
   # "region" is mandatory, so let's provide a default value if none was given.
   region      = var.location != null ? var.location : "eu-central"
-  k8s_version = local.k8s_version
+  k8s_version = var.k8s_version
 
   pool {
     type  = local.node_type

prepare-tf/source/modules/linode/variables.tf

@@ -51,22 +51,7 @@ variable "location" {
 
 # To view supported versions, run:
 # linode-cli lke versions-list --json | jq -r .[].id
-data "external" "k8s_version" {
-  program = [
-    "sh",
-    "-c",
-    <<-EOT
-      linode-cli lke versions-list --json |
-      jq -r '{"latest": [.[].id] | sort [-1]}'
-    EOT
-  ]
-}
-
 variable "k8s_version" {
   type    = string
-  default = ""
-}
-
-locals {
-  k8s_version = var.k8s_version != "" ? var.k8s_version : data.external.k8s_version.result.latest
+  default = "1.21"
 }

prepare-tf/source/modules/scaleway/variables.tf

@@ -56,5 +56,5 @@ variable "location" {
 # scw k8s version list -o json | jq -r .[].name
 variable "k8s_version" {
   type    = string
-  default = "1.23.6"
+  default = "1.22.2"
 }

prepare-tf/source/stage2.tmpl

@@ -145,15 +145,23 @@ resource "helm_release" "metrics_server_${index}" {
   # but only if it's not already installed.
   count = yamldecode(file("./flags.${index}"))["has_metrics_server"] ? 0 : 1
   provider = helm.cluster_${index}
-  repository = "https://kubernetes-sigs.github.io/metrics-server/"
+  repository = "https://charts.bitnami.com/bitnami"
   chart = "metrics-server"
-  version = "3.8.2"
+  version = "5.8.8"
   name = "metrics-server"
   namespace = "metrics-server"
   create_namespace = true
   set {
-    name = "args"
-    value = "{--kubelet-insecure-tls}"
+    name = "apiService.create"
+    value = "true"
+  }
+  set {
+    name = "extraArgs.kubelet-insecure-tls"
+    value = "true"
+  }
+  set {
+    name = "extraArgs.kubelet-preferred-address-types"
+    value = "InternalIP"
   }
 }
 
@@ -193,6 +201,7 @@ resource "tls_private_key" "cluster_admin_${index}" {
 }
 
 resource "tls_cert_request" "cluster_admin_${index}" {
+  key_algorithm = tls_private_key.cluster_admin_${index}.algorithm
   private_key_pem = tls_private_key.cluster_admin_${index}.private_key_pem
   subject {
     common_name = "cluster-admin"

prepare-vms/README.md

@@ -17,7 +17,6 @@ These tools can help you to create VMs on:
 - [Parallel SSH](https://github.com/lilydjwg/pssh)
   (should be installable with `pip install git+https://github.com/lilydjwg/pssh`;
   on a Mac, try `brew install pssh`)
-- [yq](https://github.com/kislyuk/yq)
 
 Depending on the infrastructure that you want to use, you also need to install
 the CLI that is specific to that cloud. For OpenStack deployments, you will

prepare-vms/infra/example.openstack-tf

@@ -1,5 +1,4 @@
-INFRACLASS=terraform
-TERRAFORM=openstack
+INFRACLASS=openstack-tf
 
 # If you are using OpenStack, copy this file (e.g. to "openstack" or "enix")
 # and customize the variables below.

prepare-vms/infra/scaleway

@@ -1,3 +1,3 @@
 INFRACLASS=scaleway
 #SCW_INSTANCE_TYPE=DEV1-L
-SCW_ZONE=fr-par-2
+#SCW_ZONE=fr-par-2

prepare-vms/lib/commands.sh

@@ -131,8 +131,6 @@ set nowrap
 SQRL
 
     pssh -I "sudo -u $USER_LOGIN tee /home/$USER_LOGIN/.tmux.conf" <<SQRL
-set -g status-style bg=yellow,bold
-
 bind h select-pane -L
 bind j select-pane -D
 bind k select-pane -U
@@ -159,9 +157,6 @@ _cmd_clusterize() {
     TAG=$1
     need_tag
 
-    # Disable unattended upgrades so that they don't mess up with the subsequent steps
-    pssh sudo rm -f /etc/apt/apt.conf.d/50unattended-upgrades
-
     # Special case for scaleway since it doesn't come with sudo
     if [ "$INFRACLASS" = "scaleway" ]; then
         pssh -l root "
@@ -183,27 +178,6 @@ _cmd_clusterize() {
     #    install --owner=ubuntu --mode=600 /root/.ssh/authorized_keys --target-directory /home/ubuntu/.ssh"
     #fi
 
-    # Special case for oracle since their iptables blocks everything but SSH
-    pssh "
-    if [ -f /etc/iptables/rules.v4 ]; then
-        sudo sed -i 's/-A INPUT -j REJECT --reject-with icmp-host-prohibited//' /etc/iptables/rules.v4
-        sudo netfilter-persistent flush
-        sudo netfilter-persistent start
-    fi"
-
-    # oracle-cloud-agent upgrades pacakges in the background.
-    # This breaks our deployment scripts, because when we invoke apt-get, it complains
-    # that the lock already exists (symptom: random "Exited with error code 100").
-    # Workaround: if we detect oracle-cloud-agent, remove it.
-    # But this agent seems to also take care of installing/upgrading
-    # the unified-monitoring-agent package, so when we stop the snap,
-    # it can leave dpkg in a broken state. We "fix" it with the 2nd command.
-    pssh "
-    if [ -d /snap/oracle-cloud-agent ]; then
-        sudo snap remove oracle-cloud-agent
-        sudo dpkg --remove --force-remove-reinstreq unified-monitoring-agent
-    fi"
-
     # Copy settings and install Python YAML parser
     pssh -I tee /tmp/settings.yaml <tags/$TAG/settings.yaml
     pssh "
@@ -211,10 +185,10 @@ _cmd_clusterize() {
     sudo apt-get install -y python-yaml"
 
     # If there is no "python" binary, symlink to python3
-    pssh "
-    if ! which python; then
-        sudo ln -s $(which python3) /usr/local/bin/python
-    fi"
+    #pssh "
+    #if ! which python; then
+    #    ln -s $(which python3) /usr/local/bin/python
+    #fi"
 
     # Copy postprep.py to the remote machines, and execute it, feeding it the list of IP addresses
     pssh -I tee /tmp/clusterize.py <lib/clusterize.py
@@ -258,14 +232,6 @@ _cmd_docker() {
       sudo ln -sfn /mnt/docker /var/lib/docker
     fi
 
-    # containerd 1.6 breaks Weave.
-    # See https://github.com/containerd/containerd/issues/6921
-    sudo tee /etc/apt/preferences.d/containerd <<EOF
-Package: containerd.io
-Pin: version 1.5.*
-Pin-Priority: 1000
-EOF
-
     # This will install the latest Docker.
     sudo apt-get -qy install apt-transport-https ca-certificates curl software-properties-common
     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
@@ -281,14 +247,13 @@ EOF
     "
 
     ##VERSION## https://github.com/docker/compose/releases
-    COMPOSE_VERSION=v2.11.1
-    COMPOSE_PLATFORM='linux-$(uname -m)'
-    
-    # Just in case you need Compose 1.X, you can use the following lines.
-    # (But it will probably only work for x86_64 machines.)
-    #COMPOSE_VERSION=1.29.2
-    #COMPOSE_PLATFORM='Linux-$(uname -m)'
-
+    if [ "$ARCHITECTURE" ]; then
+        COMPOSE_VERSION=v2.0.1
+        COMPOSE_PLATFORM='linux-$(uname -m)'
+    else
+        COMPOSE_VERSION=1.29.2
+        COMPOSE_PLATFORM='Linux-$(uname -m)'
+    fi
     pssh "
     set -e
     ### Install docker-compose.
@@ -366,8 +331,7 @@ EOF"
     pssh --timeout 200 "
     sudo apt-get update -q &&
     sudo apt-get install -qy kubelet kubeadm kubectl &&
-    sudo apt-mark hold kubelet kubeadm kubectl &&
-    kubeadm completion bash | sudo tee /etc/bash_completion.d/kubeadm &&
+    sudo apt-mark hold kubelet kubeadm kubectl
     kubectl completion bash | sudo tee /etc/bash_completion.d/kubectl &&
     echo 'alias k=kubectl' | sudo tee /etc/bash_completion.d/k &&
     echo 'complete -F __start_kubectl k' | sudo tee -a /etc/bash_completion.d/k"
@@ -440,9 +404,8 @@ EOF
     # Install weave as the pod network
     pssh "
     if i_am_first_node; then
-        #kubever=\$(kubectl version | base64 | tr -d '\n') &&
-        #kubectl apply -f https://cloud.weave.works/k8s/net?k8s-version=\$kubever
-        kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s-1.11.yaml
+        kubever=\$(kubectl version | base64 | tr -d '\n') &&
+        kubectl apply -f https://cloud.weave.works/k8s/net?k8s-version=\$kubever
     fi"
 
     # Join the other nodes to the cluster
@@ -457,9 +420,6 @@ EOF
     pssh "
     if i_am_first_node; then
 	kubectl apply -f https://raw.githubusercontent.com/jpetazzo/container.training/master/k8s/metrics-server.yaml
-    #helm upgrade --install metrics-server \
-    #     --repo https://kubernetes-sigs.github.io/metrics-server/ metrics-server \
-    #     --namespace kube-system --set args={--kubelet-insecure-tls}
     fi"
 }
 
@@ -500,13 +460,12 @@ _cmd_kubetools() {
     # Install kube-ps1
     pssh "
     set -e
-    if ! [ -d /opt/kube-ps1 ]; then
+    if ! [ -f /etc/profile.d/kube-ps1.sh ]; then
       cd /tmp
       git clone https://github.com/jonmosco/kube-ps1
-      sudo mv kube-ps1 /opt/kube-ps1
+      sudo cp kube-ps1/kube-ps1.sh /etc/profile.d/kube-ps1.sh
       sudo -u $USER_LOGIN sed -i s/docker-prompt/kube_ps1/ /home/$USER_LOGIN/.bashrc &&
       sudo -u $USER_LOGIN tee -a /home/$USER_LOGIN/.bashrc <<EOF
-. /opt/kube-ps1/kube-ps1.sh
 KUBE_PS1_PREFIX=""
 KUBE_PS1_SUFFIX=""
 KUBE_PS1_SYMBOL_ENABLE="false"
@@ -517,13 +476,13 @@ EOF
 
     # Install stern
     ##VERSION## https://github.com/stern/stern/releases
-    STERN_VERSION=1.22.0
+    STERN_VERSION=1.20.1
     FILENAME=stern_${STERN_VERSION}_linux_${ARCH}
     URL=https://github.com/stern/stern/releases/download/v$STERN_VERSION/$FILENAME.tar.gz
     pssh "
     if [ ! -x /usr/local/bin/stern ]; then
         curl -fsSL $URL |
-        sudo tar -C /usr/local/bin -zx stern
+        sudo tar -C /usr/local/bin -zx --strip-components=1 $FILENAME/stern
         sudo chmod +x /usr/local/bin/stern
         stern --completion bash | sudo tee /etc/bash_completion.d/stern
         stern --version
@@ -539,7 +498,7 @@ EOF
 
     # Install kustomize
     ##VERSION## https://github.com/kubernetes-sigs/kustomize/releases
-    KUSTOMIZE_VERSION=v4.5.7
+    KUSTOMIZE_VERSION=v4.4.0
     URL=https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_${ARCH}.tar.gz
     pssh "
     if [ ! -x /usr/local/bin/kustomize ]; then
@@ -558,7 +517,7 @@ EOF
     if [ ! -x /usr/local/bin/ship ]; then
         ##VERSION##
         curl -fsSL https://github.com/replicatedhq/ship/releases/download/v0.51.3/ship_0.51.3_linux_$ARCH.tar.gz |
-            sudo tar -C /usr/local/bin -zx ship
+             sudo tar -C /usr/local/bin -zx ship
     fi"
 
     # Install the AWS IAM authenticator
@@ -566,8 +525,8 @@ EOF
     if [ ! -x /usr/local/bin/aws-iam-authenticator ]; then
         ##VERSION##
         sudo curl -fsSLo /usr/local/bin/aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.12.7/2019-03-27/bin/linux/$ARCH/aws-iam-authenticator
-	      sudo chmod +x /usr/local/bin/aws-iam-authenticator
-        aws-iam-authenticator version
+	sudo chmod +x /usr/local/bin/aws-iam-authenticator
+    aws-iam-authenticator version
     fi"
 
     # Install the krew package manager
@@ -609,7 +568,6 @@ EOF
         FILENAME=tilt.\$TILT_VERSION.linux.$TILT_ARCH.tar.gz
         curl -fsSL https://github.com/tilt-dev/tilt/releases/download/v\$TILT_VERSION/\$FILENAME |
         sudo tar -zxvf- -C /usr/local/bin tilt
-        tilt completion bash | sudo tee /etc/bash_completion.d/tilt
         tilt version
     fi"
 
@@ -618,7 +576,6 @@ EOF
     if [ ! -x /usr/local/bin/skaffold ]; then
         curl -fsSLo skaffold https://storage.googleapis.com/skaffold/releases/latest/skaffold-linux-$ARCH &&
         sudo install skaffold /usr/local/bin/
-        skaffold completion bash | sudo tee /etc/bash_completion.d/skaffold
         skaffold version
     fi"
 
@@ -627,39 +584,20 @@ EOF
     if [ ! -x /usr/local/bin/kompose ]; then
         curl -fsSLo kompose https://github.com/kubernetes/kompose/releases/latest/download/kompose-linux-$ARCH &&
         sudo install kompose /usr/local/bin
-        kompose completion bash | sudo tee /etc/bash_completion.d/kompose
         kompose version
     fi"
 
-    # Install KinD
-    pssh "
-    if [ ! -x /usr/local/bin/kind ]; then
-        curl -fsSLo kind https://github.com/kubernetes-sigs/kind/releases/latest/download/kind-linux-$ARCH &&
-        sudo install kind /usr/local/bin
-        kind completion bash | sudo tee /etc/bash_completion.d/kind
-        kind version
-    fi"
-
-    # Install YTT
-    pssh "
-    if [ ! -x /usr/local/bin/ytt ]; then
-        curl -fsSLo ytt https://github.com/vmware-tanzu/carvel-ytt/releases/latest/download/ytt-linux-$ARCH &&
-        sudo install ytt /usr/local/bin
-        ytt completion bash | sudo tee /etc/bash_completion.d/ytt
-        ytt version
-    fi"
-
     ##VERSION## https://github.com/bitnami-labs/sealed-secrets/releases
-    KUBESEAL_VERSION=0.17.4
-    #case $ARCH in
-    #amd64) FILENAME=kubeseal-linux-amd64;;
-    #arm64) FILENAME=kubeseal-arm64;;
-    #*)     FILENAME=nope;;
-    #esac
-    pssh "
+    KUBESEAL_VERSION=v0.16.0
+    case $ARCH in
+    amd64) FILENAME=kubeseal-linux-amd64;;
+    arm64) FILENAME=kubeseal-arm64;;
+    *)     FILENAME=nope;;
+    esac
+    [ "$FILENAME" = "nope" ] || pssh "
     if [ ! -x /usr/local/bin/kubeseal ]; then
-        curl -fsSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v$KUBESEAL_VERSION/kubeseal-$KUBESEAL_VERSION-linux-$ARCH.tar.gz |
-        sudo tar -zxvf- -C /usr/local/bin kubeseal
+        curl -fsSLo kubeseal https://github.com/bitnami-labs/sealed-secrets/releases/download/$KUBESEAL_VERSION/$FILENAME &&
+        sudo install kubeseal /usr/local/bin
         kubeseal --version
     fi"
 }
@@ -1113,8 +1051,7 @@ _cmd_webssh() {
     need_tag
     pssh "
     sudo apt-get update &&
-    sudo apt-get install python-tornado python-paramiko -y ||
-    sudo apt-get install python3-tornado python3-paramiko -y"
+    sudo apt-get install python-tornado python-paramiko -y"
     pssh "
     cd /opt
     [ -d webssh ] || sudo git clone https://github.com/jpetazzo/webssh"

prepare-vms/lib/infra/linode.sh

@@ -26,24 +26,12 @@ infra_start() {
         info "          Name: $NAME"
         info " Instance type: $LINODE_TYPE"
         ROOT_PASS="$(base64 /dev/urandom | cut -c1-20 | head -n 1)"
-        MAX_TRY=5
-        TRY=1
-        WAIT=1
-        while ! linode-cli linodes create \
+        linode-cli linodes create \
             --type=${LINODE_TYPE} --region=${LINODE_REGION} \
             --image=linode/ubuntu18.04 \
             --authorized_keys="${LINODE_SSHKEY}" \
             --root_pass="${ROOT_PASS}" \
-            --tags=${TAG} --label=${NAME}; do
-              warning "Failed to create VM (attempt $TRY/$MAX_TRY)."
-              if [ $TRY -ge $MAX_TRY ]; then
-                  die "Giving up."
-              fi
-              info "Waiting $WAIT seconds and retrying."
-              sleep $WAIT
-              TRY=$(($TRY+1))
-              WAIT=$(($WAIT*2))
-            done
+            --tags=${TAG} --label=${NAME}
     done
     sep
 

prepare-vms/lib/infra/openstack-tf.sh

@@ -1,26 +1,7 @@
-error_terraform_configuration() {
-        error "When using the terraform infraclass, the TERRAFORM"
-        error "environment variable must be set to one of the available"
-        error "terraform configurations. These configurations are in"
-        error "the prepare-vm/terraform subdirectory. You should probably"
-        error "update your infra file and set the variable."
-        error "(e.g. with TERRAFORM=openstack)"
-}
-
-if [ "$TERRAFORM" = "" ]; then
-        error_terraform_configuration
-        die "Aborting because TERRAFORM variable is not set."
-fi
-
-if [ ! -d terraform/$TERRAFORM ]; then
-        error_terraform_configuration
-        die "Aborting because no terraform configuration was found in 'terraform/$TERRAFORM'."
-fi
-
 infra_start() {
         COUNT=$1
 
-        cp terraform/$TERRAFORM/*.tf tags/$TAG
+        cp terraform-openstack/*.tf tags/$TAG
         (
                 cd tags/$TAG
                 if ! terraform init; then

prepare-vms/map-dns.py

@@ -36,7 +36,7 @@ if os.path.isfile(domain_or_domain_file):
     clusters = [line.split() for line in lines]
   else:
     ips = open(f"tags/{ips_file_or_tag}/ips.txt").read().split()
-    settings_file = f"tags/{ips_file_or_tag}/settings.yaml"
+    settings_file = f"tags/{tag}/settings.yaml"
     clustersize = yaml.safe_load(open(settings_file))["clustersize"]
     clusters = []
     while ips:
@@ -60,10 +60,7 @@ while domains and clusters:
     zone += f"node{node} 300 IN A {ip}\n"
   r = requests.put(
     f"{apiurl}/{domain}/records",
-    headers={
-      "x-api-key": apikey,
-      "content-type": "text/plain",
-    },
+    headers={"x-api-key": apikey},
     data=zone)
   print(r.text)
 

prepare-vms/netlify-dns.sh

@@ -17,17 +17,8 @@
   exit 1
 }
 
-NETLIFY_CONFIG_FILE=~/.config/netlify/config.json
-
-if ! [ -f "$NETLIFY_CONFIG_FILE" ]; then
-  echo "Could not find Netlify configuration file ($NETLIFY_CONFIG_FILE)."
-  echo "Try to run the following command, and try again:"
-  echo "npx netlify-cli login"
-  exit 1
-fi
-
-NETLIFY_USERID=$(jq .userId < "$NETLIFY_CONFIG_FILE")
-NETLIFY_TOKEN=$(jq -r .users[$NETLIFY_USERID].auth.token < "$NETLIFY_CONFIG_FILE")
+NETLIFY_USERID=$(jq .userId < ~/.config/netlify/config.json)
+NETLIFY_TOKEN=$(jq -r .users[$NETLIFY_USERID].auth.token < ~/.config/netlify/config.json)
 
 netlify() {
   URI=$1

prepare-vms/settings/admin-oldversion.yaml

@@ -16,7 +16,7 @@ user_password: training
 
 # For a list of old versions, check:
 # https://kubernetes.io/releases/patch-releases/#non-active-branch-history
-kubernetes_version: 1.20.15
+kubernetes_version: 1.18.20
 
 image:
 

prepare-vms/terraform/azure/main.tf

@@ -1,71 +0,0 @@
-resource "azurerm_resource_group" "_" {
-  name          = var.prefix
-  location = var.location
-}
-
-resource "azurerm_public_ip" "_" {
-  count               = var.how_many_nodes
-  name                = format("%s-%04d", var.prefix, count.index + 1)
-  location            = azurerm_resource_group._.location
-  resource_group_name = azurerm_resource_group._.name
-  allocation_method = "Dynamic"
-}
-
-resource "azurerm_network_interface" "_" {
-  count               = var.how_many_nodes
-  name                = format("%s-%04d", var.prefix, count.index + 1)
-  location            = azurerm_resource_group._.location
-  resource_group_name = azurerm_resource_group._.name
-
-  ip_configuration {
-    name                          = "internal"
-    subnet_id                     = azurerm_subnet._.id
-    private_ip_address_allocation = "Dynamic"
-    public_ip_address_id = azurerm_public_ip._[count.index].id
-  }
-}
-
-resource "azurerm_linux_virtual_machine" "_" {
-  count               = var.how_many_nodes
-  name                = format("%s-%04d", var.prefix, count.index + 1)
-  resource_group_name = azurerm_resource_group._.name
-  location            = azurerm_resource_group._.location
-  size                = var.size
-  admin_username      = "ubuntu"
-  network_interface_ids = [
-    azurerm_network_interface._[count.index].id,
-  ]
-
-  admin_ssh_key {
-    username   = "ubuntu"
-    public_key = local.authorized_keys
-  }
-
-  os_disk {
-    caching              = "ReadWrite"
-    storage_account_type = "Standard_LRS"
-  }
-
-  source_image_reference {
-    publisher = "Canonical"
-    offer     = "UbuntuServer"
-    sku       = "18.04-LTS" # FIXME
-    version   = "latest"
-  }
-}
-
-# The public IP address only gets allocated when the address actually gets
-# attached to the virtual machine. So we need to do this extra indrection
-# to retrieve the IP addresses. Otherwise the IP addresses show up as blank.
-# See: https://github.com/hashicorp/terraform-provider-azurerm/issues/310#issuecomment-335479735
-
-data "azurerm_public_ip" "_" {
-  count               = var.how_many_nodes
-  name                = format("%s-%04d", var.prefix, count.index + 1)
-  resource_group_name = azurerm_resource_group._.name
-  depends_on = [azurerm_linux_virtual_machine._]
-}
-
-output "ip_addresses" {
-  value = join("", formatlist("%s\n", data.azurerm_public_ip._.*.ip_address))
-}

prepare-vms/terraform/azure/network.tf

@@ -1,13 +0,0 @@
-resource "azurerm_virtual_network" "_" {
-  name                = "tf-vnet"
-  address_space       = ["10.10.0.0/16"]
-  location            = azurerm_resource_group._.location
-  resource_group_name = azurerm_resource_group._.name
-}
-
-resource "azurerm_subnet" "_" {
-  name                 = "tf-subnet"
-  resource_group_name  = azurerm_resource_group._.name
-  virtual_network_name = azurerm_virtual_network._.name
-  address_prefixes     = ["10.10.0.0/20"]
-}

prepare-vms/terraform/azure/provider.tf

@@ -1,13 +0,0 @@
-terraform {
-  required_version = ">= 1"
-  required_providers {
-    azurerm = {
-      source  = "hashicorp/azurerm"
-      version = "=3.33.0"
-    }
-  }
-}
-
-provider "azurerm" {
-  features {}
-}

prepare-vms/terraform/azure/variables.tf

@@ -1,32 +0,0 @@
-variable "prefix" {
-  type    = string
-  default = "provisioned-with-terraform"
-}
-
-variable "how_many_nodes" {
-  type    = number
-  default = 2
-}
-
-locals {
-  authorized_keys = file("~/.ssh/id_rsa.pub")
-}
-
-/*
-Available sizes:
-"Standard_D11_v2" # CPU=2 RAM=14
-"Standard_F4s_v2" # CPU=4 RAM=8
-"Standard_D1_v2"  # CPU=1 RAM=3.5
-"Standard_B1ms"   # CPU=1 RAM=2
-"Standard_B2s"    # CPU=2 RAM=4
-*/
-
-variable "size" {
-  type    = string
-  default = "Standard_F4s_v2"
-}
-
-variable "location" {
-  type    = string
-  default = "South Africa North"
-}

prepare-vms/terraform/oci/main.tf

@@ -1,48 +0,0 @@
-resource "oci_identity_compartment" "_" {
-  name          = var.prefix
-  description   = var.prefix
-  enable_delete = true
-}
-
-locals {
-  compartment_id = oci_identity_compartment._.id
-}
-
-data "oci_identity_availability_domains" "_" {
-  compartment_id = local.compartment_id
-}
-
-data "oci_core_images" "_" {
-  compartment_id           = local.compartment_id
-  shape                    = var.shape
-  operating_system         = "Canonical Ubuntu"
-  operating_system_version = "20.04"
-  #operating_system         = "Oracle Linux"
-  #operating_system_version = "7.9"
-}
-
-resource "oci_core_instance" "_" {
-  count               = var.how_many_nodes
-  display_name        = format("%s-%04d", var.prefix, count.index + 1)
-  availability_domain = data.oci_identity_availability_domains._.availability_domains[var.availability_domain].name
-  compartment_id      = local.compartment_id
-  shape               = var.shape
-  shape_config {
-    memory_in_gbs = var.memory_in_gbs_per_node
-    ocpus         = var.ocpus_per_node
-  }
-  source_details {
-    source_id   = data.oci_core_images._.images[0].id
-    source_type = "image"
-  }
-  create_vnic_details {
-    subnet_id = oci_core_subnet._.id
-  }
-  metadata = {
-    ssh_authorized_keys = local.authorized_keys
-  }
-}
-
-output "ip_addresses" {
-  value = join("", formatlist("%s\n", oci_core_instance._.*.public_ip))
-}

prepare-vms/terraform/oci/network.tf

@@ -1,63 +0,0 @@
-resource "oci_core_vcn" "_" {
-  compartment_id = local.compartment_id
-  cidr_block     = "10.0.0.0/16"
-  display_name   = "tf-vcn"
-}
-
-#
-# On OCI, you can have either "public" or "private" subnets.
-# In both cases, instances get addresses in the VCN CIDR block;
-# but instances in "public" subnets also get a public address.
-#
-# Then, to enable communication to the outside world, you need:
-# - for public subnets, an "internet gateway"
-#   (will allow inbound and outbound traffic)
-# - for private subnets, a "NAT gateway"
-#   (will only allow outbound traffic)
-# - optionally, for private subnets, a "service gateway"
-#   (to access other OCI services, e.g. object store)
-#
-# In this configuration, we use public subnets, and since we
-# need outside access, we add an internet gateway.
-#
-# Note that the default routing table in a VCN is empty, so we
-# add the internet gateway to the default routing table.
-# Similarly, the default security group in a VCN blocks almost
-# everything, so we add a blanket rule in that security group.
-#
-
-resource "oci_core_internet_gateway" "_" {
-  compartment_id = local.compartment_id
-  display_name   = "tf-igw"
-  vcn_id         = oci_core_vcn._.id
-}
-
-resource "oci_core_default_route_table" "_" {
-  manage_default_resource_id = oci_core_vcn._.default_route_table_id
-  route_rules {
-    destination       = "0.0.0.0/0"
-    destination_type  = "CIDR_BLOCK"
-    network_entity_id = oci_core_internet_gateway._.id
-  }
-}
-
-resource "oci_core_default_security_list" "_" {
-  manage_default_resource_id = oci_core_vcn._.default_security_list_id
-  ingress_security_rules {
-    protocol = "all"
-    source   = "0.0.0.0/0"
-  }
-  egress_security_rules {
-    protocol    = "all"
-    destination = "0.0.0.0/0"
-  }
-}
-
-resource "oci_core_subnet" "_" {
-  compartment_id    = local.compartment_id
-  cidr_block        = "10.0.0.0/20"
-  vcn_id            = oci_core_vcn._.id
-  display_name      = "tf-subnet"
-  route_table_id    = oci_core_default_route_table._.id
-  security_list_ids = [oci_core_default_security_list._.id]
-}

prepare-vms/terraform/oci/provider.tf

@@ -1,8 +0,0 @@
-terraform {
-  required_version = ">= 1"
-  required_providers {
-    openstack = {
-      source = "hashicorp/oci"
-    version = "4.48.0" }
-  }
-}

prepare-vms/terraform/oci/variables.tf

@@ -1,42 +0,0 @@
-variable "prefix" {
-  type    = string
-  default = "provisioned-with-terraform"
-}
-
-variable "how_many_nodes" {
-  type    = number
-  default = 2
-}
-
-locals {
-  authorized_keys = file("~/.ssh/id_rsa.pub")
-}
-
-/*
-Available flex shapes:
-"VM.Optimized3.Flex"  # Intel Ice Lake
-"VM.Standard3.Flex"   # Intel Ice Lake
-"VM.Standard.A1.Flex" # Ampere Altra
-"VM.Standard.E3.Flex" # AMD Rome
-"VM.Standard.E4.Flex" # AMD Milan
-*/
-
-variable "shape" {
-  type    = string
-  default = "VM.Standard.A1.Flex"
-}
-
-variable "availability_domain" {
-  type    = number
-  default = 0
-}
-
-variable "ocpus_per_node" {
-  type    = number
-  default = 1
-}
-
-variable "memory_in_gbs_per_node" {
-  type    = number
-  default = 4
-}

slides/_redirects

@@ -2,7 +2,7 @@
 #/ /kube-halfday.yml.html 200!
 #/ /kube-fullday.yml.html 200!
 #/ /kube-twodays.yml.html 200!
-/ /live.html 200!
+/ /kube.yml.html 200!
 
 # And this allows to do "git clone https://container.training".
 /info/refs service=git-upload-pack https://github.com/jpetazzo/container.training/info/refs?service=git-upload-pack
@@ -19,8 +19,6 @@
 #/next https://www.eventbrite.com/e/livestream-intensive-kubernetes-bootcamp-tickets-103262336428
 /next https://skillsmatter.com/courses/700-advanced-kubernetes-concepts-workshop-jerome-petazzoni
 /hi5 https://enix.io/fr/services/formation/online/
-/us https://www.ardanlabs.com/live-training-events/deploying-microservices-and-traditional-applications-with-kubernetes-march-28-2022.html
-/uk https://skillsmatter.com/workshops/827-deploying-microservices-and-traditional-applications-with-kubernetes-with-jerome-petazzoni
 
 # Survey form
 /please https://docs.google.com/forms/d/e/1FAIpQLSfIYSgrV7tpfBNm1hOaprjnBHgWKn5n-k5vtNXYJkOX1sRxng/viewform

slides/autopilot/package.json

@@ -3,7 +3,6 @@
   "version": "0.0.1",
   "dependencies": {
     "express": "^4.16.2",
-    "socket.io": "^4.5.1",
-    "socket.io-client": "^4.5.1"
+    "socket.io": "^2.4.0"
   }
 }

slides/containers/Ambassadors.md

@@ -19,7 +19,7 @@ They abstract the connection details for this services, and can help with:
 
 * fail over (how do I know to which instance of a replicated service I should connect?)
 
-* load balancing (how do I spread my requests across multiple instances of a service?)
+* load balancing (how to I spread my requests across multiple instances of a service?)
 
 * authentication (what if my service requires credentials, certificates, or otherwise?)
 

slides/containers/Buildkit.md

@@ -1,362 +0,0 @@
-# Buildkit
-
-- "New" backend for Docker builds
-
-  - announced in 2017
-
-  - ships with Docker Engine 18.09
-
-  - enabled by default on Docker Desktop in 2021
-
-- Huge improvements in build efficiency
-
-- 100% compatible with existing Dockerfiles
-
-- New features for multi-arch
-
-- Not just for building container images
-
----
-
-## Old vs New
-
-- Classic `docker build`:
-
-  - copy whole build context
-  - linear execution
-  - `docker run` + `docker commit` + `docker run` + `docker commit`...
-
-- Buildkit:
-
-  - copy files only when they are needed; cache them
-  - compute dependency graph (dependencies are expressed by `COPY`)
-  - parallel execution
-  - doesn't rely on Docker, but on internal runner/snapshotter
-  - can run in "normal" containers (including in Kubernetes pods)
-
----
-
-## Parallel execution
-
-- In multi-stage builds, all stages can be built in parallel
-
-  (example: https://github.com/jpetazzo/shpod; [before] and [after])
-
-- Stages are built only when they are necessary
-
-  (i.e. if their output is tagged or used in another necessary stage)
-
-- Files are copied from context only when needed
-
-- Files are cached in the builder
-
-[before]: https://github.com/jpetazzo/shpod/blob/c6efedad6d6c3dc3120dbc0ae0a6915f85862474/Dockerfile
-[after]: https://github.com/jpetazzo/shpod/blob/d20887bbd56b5fcae2d5d9b0ce06cae8887caabf/Dockerfile
-
----
-
-## Turning it on and off
-
-- On recent version of Docker Desktop (since 2021):
-
-  *enabled by default*
-
-- On older versions, or on Docker CE (Linux):
-
-  `export DOCKER_BUILDKIT=1`
-
-- Turning it off:
-
-  `export DOCKER_BUILDKIT=0`
-
----
-
-## Multi-arch support
-
-- Historically, Docker only ran on x86_64 / amd64
-
-  (Intel/AMD 64 bits architecture)
-
-- Folks have been running it on 32-bit ARM for ages
-
-  (e.g. Raspberry Pi)
-
-- This required a Go compiler and appropriate base images
-
-  (which means changing/adapting Dockerfiles to use these base images)
-
-- Docker [image manifest v2 schema 2][manifest] introduces multi-arch images
-
-  (`FROM alpine` automatically gets the right image for your architecture)
-
-[manifest]: https://docs.docker.com/registry/spec/manifest-v2-2/
-
----
-
-## Why?
-
-- Raspberry Pi (32-bit and 64-bit ARM)
-
-- Other ARM-based embedded systems (ODROID, NVIDIA Jetson...)
-
-- Apple M1
-
-- AWS Graviton
-
-- Ampere Altra (e.g. on Oracle Cloud)
-
-- ...
-
----
-
-## Multi-arch builds in a nutshell
-
-Use the `docker buildx build` command:
-
-```bash
-docker buildx build … \
-       --platform linux/amd64,linux/arm64,linux/arm/v7,linux/386 \
-       [--tag jpetazzo/hello --push]
-```
-
-- Requires all base images to be available for these platforms
-
-- Must not use binary downloads with hard-coded architectures!
-
-  (streamlining a Dockerfile for multi-arch: [before], [after])
-
-[before]: https://github.com/jpetazzo/shpod/blob/d20887bbd56b5fcae2d5d9b0ce06cae8887caabf/Dockerfile
-[after]: https://github.com/jpetazzo/shpod/blob/c50789e662417b34fea6f5e1d893721d66d265b7/Dockerfile
-
----
-
-## Native vs emulated vs cross
-
-- Native builds:
-
-  *aarch64 machine running aarch64 programs building aarch64 images/binaries*
-
-- Emulated builds:
-
-  *x86_64 machine running aarch64 programs building aarch64 images/binaries*
-
-- Cross builds:
-
-  *x86_64 machine running x86_64 programs building aarch64 images/binaries*
-
----
-
-## Native
-
-- Dockerfiles are (relatively) simple to write
-
-  (nothing special to do to handle multi-arch; just avoid hard-coded archs)
-
-- Best performance
-
-- Requires "exotic" machines
-
-- Requires setting up a build farm
-
----
-
-## Emulated
-
-- Dockerfiles are (relatively) simple to write
-
-- Emulation performance can vary
-
-  (from "OK" to "ouch this is slow")
-
-- Emulation isn't always perfect
-
-  (weird bugs/crashes are rare but can happen)
-
-- Doesn't require special machines
-
-- Supports arbitrary architectures thanks to QEMU
-
----
-
-## Cross
-
-- Dockerfiles are more complicated to write
-
-- Requires cross-compilation toolchains
-
-- Performance is good
-
-- Doesn't require special machines
-
----
-
-## Native builds
-
-- Requires base images to be available
-
-- To view available architectures for an image:
-  ```bash
-  regctl manifest get --list <imagename>
-  docker manifest inspect <imagename>
-  ```
-
-- Nothing special to do, *except* when downloading binaries!
-
-  ```
-  https://releases.hashicorp.com/terraform/1.1.5/terraform_1.1.5_linux_`amd64`.zip
-  ```
-
----
-
-## Finding the right architecture
-
-`uname -m` → armv7l, aarch64, i686, x86_64
-
-`GOARCH` (from `go env`) → arm, arm64, 386, amd64
-
-In Dockerfile, add `ARG TARGETARCH` (or `ARG TARGETPLATFORM`)
-
-- `TARGETARCH` matches `GOARCH`
-
-- `TARGETPLAFORM` → linux/arm/v7, linux/arm64, linux/386, linux/amd64
-
----
-
-class: extra-details
-
-## Welp
-
-Sometimes, binary releases be like:
-
-```
-Linux_arm64.tar.gz
-Linux_ppc64le.tar.gz
-Linux_s390x.tar.gz
-Linux_x86_64.tar.gz 
-```
-
-This needs a bit of custom mapping.
-
----
-
-## Emulation
-
-- Leverages `binfmt_misc` and QEMU on Linux
-
-- Enabling:
-  ```bash
-  docker run --rm --privileged aptman/qus -s -- -p
-  ```
-
-- Disabling:
-  ```bash
-  docker run --rm --privileged aptman/qus -- -r
-  ```
-
-- Checking status:
-  ```bash
-  ls -l /proc/sys/fs/binfmt_misc
-  ```
-
----
-
-class: extra-details
-
-## How it works
-
-- `binfmt_misc` lets us register _interpreters_ for binaries, e.g.:
-
-  - [DOSBox][dosbox] for DOS programs
-
-  - [Wine][wine] for Windows programs
-
-  - [QEMU][qemu] for Linux programs for other architectures
-
-- When we try to execute e.g. a SPARC binary on our x86_64 machine:
-
-  - `binfmt_misc` detects the binary format and invokes `qemu-<arch> the-binary ...`
-
-  - QEMU translates SPARC instructions to x86_64 instructions
-
-  - system calls go straight to the kernel
-
-[dosbox]: https://www.dosbox.com/
-[QEMU]: https://www.qemu.org/
-[wine]: https://www.winehq.org/
-
----
-
-class: extra-details
-
-## QEMU registration
-
-- The `aptman/qus` image mentioned earlier contains static QEMU builds
-
-- It registers all these interpreters with the kernel
-
-- For more details, check:
-
-  - https://github.com/dbhi/qus
-
-  - https://dbhi.github.io/qus/
-
----
-
-## Cross-compilation
-
-- Cross-compilation is about 10x faster than emulation
-
-  (non-scientific benchmarks!)
-
-- In Dockerfile, add:
-
-  `ARG BUILDARCH BUILDPLATFORM TARGETARCH TARGETPLATFORM`
-
-- Can use `FROM --platform=$BUILDPLATFORM <image>`
-
-- Then use `$TARGETARCH` or `$TARGETPLATFORM`
-
-  (e.g. for Go, `export GOARCH=$TARGETARCH`)
-
-- Check [tonistiigi/xx][xx] and [Toni's blog][toni] for some amazing cross tools!
-
-[xx]: https://github.com/tonistiigi/xx
-[toni]: https://medium.com/@tonistiigi/faster-multi-platform-builds-dockerfile-cross-compilation-guide-part-1-ec087c719eaf
-
----
-
-## Checking runtime capabilities
-
-Build and run the following Dockerfile:
-
-```dockerfile
-FROM --platform=linux/amd64 busybox AS amd64
-FROM --platform=linux/arm64 busybox AS arm64
-FROM --platform=linux/arm/v7 busybox AS arm32
-FROM --platform=linux/386 busybox AS ia32
-FROM alpine
-RUN apk add file
-WORKDIR /root
-COPY --from=amd64 /bin/busybox /root/amd64/busybox
-COPY --from=arm64 /bin/busybox /root/arm64/busybox
-COPY --from=arm32 /bin/busybox /root/arm32/busybox
-COPY --from=ia32 /bin/busybox /root/ia32/busybox
-CMD for A in *; do echo "$A => $($A/busybox uname -a)"; done
-```
-
-It will indicate which executables can be run on your engine.
-
----
-
-## More than builds
-
-- Buildkit is also used in other systems:
-
-  - [Earthly] - generic repeatable build pipelines
-
-  - [Dagger] - CICD pipelines that run anywhere
-
-  - and more!
-
-[Earthly]: https://earthly.dev/
-[Dagger]: https://dagger.io/

slides/containers/Compose_For_Dev_Stacks.md

@@ -58,7 +58,7 @@ class: pic
 
   - it uses different concepts (Compose services ≠ Kubernetes services)
 
-  - it needs a Docker Engine (although containerd support might be coming)
+  - it needs a Docker Engine (althought containerd support might be coming)
 
 ---
 
@@ -96,7 +96,7 @@ Compose will be smart, and only recreate the containers that have changed.
 
 When working with interpreted languages:
 
-- don't rebuild each time
+- dont' rebuild each time
 
 - leverage a `volumes` section instead
 
@@ -250,24 +250,6 @@ For the full list, check: https://docs.docker.com/compose/compose-file/
 
 ---
 
-## Configuring a Compose stack
-
-- Follow [12-factor app configuration principles][12factorconfig]
-
-  (configure the app through environment variables)
-
-- Provide (in the repo) a default environment file suitable for development
-
-  (no secret or sensitive value)
-
-- Copy the default environment file to `.env` and tweak it
-
-  (or: provide a script to generate `.env` from a template)
-
-[12factorconfig]: https://12factor.net/config
-
----
-
 ## Running multiple copies of a stack
 
 - Copy the stack in two different directories, e.g. `front` and `frontcopy`
@@ -349,7 +331,7 @@ Use `docker-compose down -v` to remove everything including volumes.
 
 - The data in the old container is lost...
 
-- ...Except if the container is using a *volume*
+- ... Except if the container is using a *volume*
 
 - Compose will then re-attach that volume to the new container
 
@@ -361,102 +343,6 @@ Use `docker-compose down -v` to remove everything including volumes.
 
 ---
 
-## Gotchas with volumes
-
-- Unfortunately, Docker volumes don't have labels or metadata
-
-- Compose tracks volumes thanks to their associated container
-
-- If the container is deleted, the volume gets orphaned
-
-- Example: `docker-compose down && docker-compose up`
-
-  - the old volume still exists, detached from its container
-
-  - a new volume gets created
-
-- `docker-compose down -v`/`--volumes` deletes volumes
-
-  (but **not** `docker-compose down && docker-compose down -v`!)
- 
----
-
-## Managing volumes explicitly
-
-Option 1: *named volumes*
-
-```yaml
-services:
-  app:
-    volumes:
-    - data:/some/path
-volumes:
-  data:
-```
-
-- Volume will be named `<project>_data`
-
-- It won't be orphaned with `docker-compose down`
-
-- It will correctly be removed with `docker-compose down -v`
-
----
-
-## Managing volumes explicitly
-
-Option 2: *relative paths*
-
-```yaml
-services:
-  app:
-    volumes:
-    - ./data:/some/path
-```
-
-- Makes it easy to colocate the app and its data
-
-  (for migration, backups, disk usage accounting...)
-
-- Won't be removed by `docker-compose down -v`
-
----
-
-## Managing complex stacks
-
-- Compose provides multiple features to manage complex stacks
-
-  (with many containers)
-
-- `-f`/`--file`/`$COMPOSE_FILE` can be a list of Compose files
-
-  (separated by `:` and merged together)
-
-- Services can be assigned to one or more *profiles*
-
-- `--profile`/`$COMPOSE_PROFILE` can be a list of comma-separated profiles
-
-  (see [Using service profiles][profiles] in the Compose documentation)
-
-- These variables can be set in `.env`
-
-[profiles]: https://docs.docker.com/compose/profiles/
-
----
-
-## Dependencies
-
-- A service can have a `depends_on` section
-
-  (listing one or more other services)
-
-- This is used when bringing up individual services
-
-  (e.g. `docker-compose up blah` or `docker-compose run foo`)
-
-⚠️ It doesn't make a service "wait" for another one to be up!
-
----
-
 class: extra-details
 
 ## A bit of history and trivia

slides/containers/Dockerfile_Tips.md

@@ -111,7 +111,7 @@ CMD ["python", "app.py"]
     RUN wget http://.../foo.tar.gz \
      && tar -zxf foo.tar.gz \
      && mv foo/fooctl /usr/local/bin \
-     && rm -rf foo foo.tar.gz
+     && rm -rf foo
   ...
   ```
 

slides/containers/Local_Development_Workflow.md

@@ -317,11 +317,9 @@ class: extra-details
 ## Trash your servers and burn your code
 
 *(This is the title of a
-[2013 blog post][immutable-deployments]
+[2013 blog post](http://chadfowler.com/2013/06/23/immutable-deployments.html)
 by Chad Fowler, where he explains the concept of immutable infrastructure.)*
 
-[immutable-deployments]: https://web.archive.org/web/20160305073617/http://chadfowler.com/blog/2013/06/23/immutable-deployments/
-
 --
 
 * Let's majorly mess up our container.

slides/containers/Namespaces_Cgroups.md

@@ -32,432 +32,6 @@ The last item should be done for educational purposes only!
 
 ---
 
-# Control groups
-
-- Control groups provide resource *metering* and *limiting*.
-
-- This covers a number of "usual suspects" like:
-
-  - memory
-
-  - CPU
-
-  - block I/O
-
-  - network (with cooperation from iptables/tc)
-
-- And a few exotic ones:
-
-  - huge pages (a special way to allocate memory)
-
-  - RDMA (resources specific to InfiniBand / remote memory transfer)
-
----
-
-## Crowd control
-
-- Control groups also allow to group processes for special operations:
-
-  - freezer (conceptually similar to a "mass-SIGSTOP/SIGCONT")
-
-  - perf_event (gather performance events on multiple processes)
-
-  - cpuset (limit or pin processes to specific CPUs)
-
-- There is a "pids" cgroup to limit the number of processes in a given group.
-
-- There is also a "devices" cgroup to control access to device nodes.
-
-  (i.e. everything in `/dev`.)
-
----
-
-## Generalities
-
-- Cgroups form a hierarchy (a tree).
-
-- We can create nodes in that hierarchy.
-
-- We can associate limits to a node.
-
-- We can move a process (or multiple processes) to a node.
-
-- The process (or processes) will then respect these limits.
-
-- We can check the current usage of each node.
-
-- In other words: limits are optional (if we only want accounting).
-
-- When a process is created, it is placed in its parent's groups.
-
----
-
-## Example
-
-The numbers are PIDs.
-
-The names are the names of our nodes (arbitrarily chosen).
-
-.small[
-```bash
-cpu                      memory
-├── batch                ├── stateless
-│   ├── cryptoscam       │   ├── 25
-│   │   └── 52           │   ├── 26
-│   └── ffmpeg           │   ├── 27
-│       ├── 109          │   ├── 52
-│       └── 88           │   ├── 109
-└── realtime             │   └── 88
-    ├── nginx            └── databases
-    │   ├── 25               ├── 1008
-    │   ├── 26               └── 524
-    │   └── 27
-    ├── postgres
-    │   └── 524
-    └── redis
-        └── 1008
-```
-]
-
----
-
-class: extra-details, deep-dive
-
-## Cgroups v1 vs v2
-
-- Cgroups v1 are available on all systems (and widely used).
-
-- Cgroups v2 are a huge refactor.
-
-  (Development started in Linux 3.10, released in 4.5.)
-
-- Cgroups v2 have a number of differences:
-
-  - single hierarchy (instead of one tree per controller),
-
-  - processes can only be on leaf nodes (not inner nodes),
-
-  - and of course many improvements / refactorings.
-
-- Cgroups v2 enabled by default on Fedora 31 (2019), Ubuntu 21.10...
-
----
-
-## Memory cgroup: accounting
-
-- Keeps track of pages used by each group:
-
-  - file (read/write/mmap from block devices),
-  - anonymous (stack, heap, anonymous mmap),
-  - active (recently accessed),
-  - inactive (candidate for eviction).
-
-- Each page is "charged" to a group.
-
-- Pages can be shared across multiple groups.
-
-  (Example: multiple processes reading from the same files.)
-
-- To view all the counters kept by this cgroup:
-
-  ```bash
-  $ cat /sys/fs/cgroup/memory/memory.stat
-  ```
-
----
-
-## Memory cgroup v1: limits
-
-- Each group can have (optional) hard and soft limits.
-
-- Limits can be set for different kinds of memory:
-
-  - physical memory,
-
-  - kernel memory,
-
-  - total memory (including swap).
-
----
-
-## Soft limits and hard limits
-
-- Soft limits are not enforced.
-
-  (But they influence reclaim under memory pressure.)
-
-- Hard limits *cannot* be exceeded:
-
-  - if a group of processes exceeds a hard limit,
-
-  - and if the kernel cannot reclaim any memory,
-
-  - then the OOM (out-of-memory) killer is triggered,
-
-  - and processes are killed until memory gets below the limit again.
-
----
-
-class: extra-details, deep-dive
-
-## Avoiding the OOM killer
-
-- For some workloads (databases and stateful systems), killing
-  processes because we run out of memory is not acceptable.
-
-- The "oom-notifier" mechanism helps with that.
-
-- When "oom-notifier" is enabled and a hard limit is exceeded:
-
-  - all processes in the cgroup are frozen,
-
-  - a notification is sent to user space (instead of killing processes),
-
-  - user space can then raise limits, migrate containers, etc.,
-
-  - once the memory usage is below the hard limit, unfreeze the cgroup.
-
----
-
-class: extra-details, deep-dive
-
-## Overhead of the memory cgroup
-
-- Each time a process grabs or releases a page, the kernel update counters.
-
-- This adds some overhead.
-
-- Unfortunately, this cannot be enabled/disabled per process.
-
-- It has to be done system-wide, at boot time.
-
-- Also, when multiple groups use the same page:
-
-  - only the first group gets "charged",
-
-  - but if it stops using it, the "charge" is moved to another group.
-
----
-
-class: extra-details, deep-dive
-
-## Setting up a limit with the memory cgroup
-
-Create a new memory cgroup:
-
-```bash
-$ CG=/sys/fs/cgroup/memory/onehundredmegs
-$ sudo mkdir $CG
-```
-
-Limit it to approximately 100MB of memory usage:
-
-```bash
-$ sudo tee $CG/memory.memsw.limit_in_bytes <<< 100000000
-```
-
-Move the current process to that cgroup:
-
-```bash
-$ sudo tee $CG/tasks <<< $$
-```
-
-The current process *and all its future children* are now limited.
-
-(Confused about `<<<`? Look at the next slide!)
-
----
-
-class: extra-details, deep-dive
-
-## What's `<<<`?
-
-- This is a "here string". (It is a non-POSIX shell extension.)
-
-- The following commands are equivalent:
-
-  ```bash
-  foo <<< hello
-  ```
-
-  ```bash
-  echo hello | foo
-  ```
-
-  ```bash
-  foo <<EOF
-  hello
-  EOF
-  ```
-
-- Why did we use that?
-
----
-
-class: extra-details, deep-dive
-
-## Writing to cgroups pseudo-files requires root
-
-Instead of:
-
-```bash
-sudo tee $CG/tasks <<< $$
-```
-
-We could have done:
-
-```bash
-sudo sh -c "echo $$ > $CG/tasks"
-```
-
-The following commands, however, would be invalid:
-
-```bash
-sudo echo $$ > $CG/tasks
-```
-
-```bash
-sudo -i # (or su)
-echo $$ > $CG/tasks
-```
-
----
-
-class: extra-details, deep-dive
-
-## Testing the memory limit
-
-Start the Python interpreter:
-
-```bash
-$ python
-Python 3.6.4 (default, Jan  5 2018, 02:35:40)
-[GCC 7.2.1 20171224] on linux
-Type "help", "copyright", "credits" or "license" for more information.
->>>
-```
-
-Allocate 80 megabytes:
-
-```python
->>> s = "!" * 1000000 * 80
-```
-
-Add 20 megabytes more:
-
-```python
->>> t = "!" * 1000000 * 20
-Killed
-```
-
----
-
-## Memory cgroup v2: limits
-
-- `memory.min` = hard reservation (guaranteed memory for this cgroup)
-
-- `memory.low` = soft reservation ("*try* not to reclaim memory if we're below this")
-
-- `memory.high` = soft limit (aggressively reclaim memory; don't trigger OOMK)
-
-- `memory.max` = hard limit (triggers OOMK)
-
-- `memory.swap.high` = aggressively reclaim memory when using that much swap
-
-- `memory.swap.max` = prevent using more swap than this
-
----
-
-## CPU cgroup
-
-- Keeps track of CPU time used by a group of processes.
-
-  (This is easier and more accurate than `getrusage` and `/proc`.)
-
-- Keeps track of usage per CPU as well.
-
-  (i.e., "this group of process used X seconds of CPU0 and Y seconds of CPU1".)
-
-- Allows setting relative weights used by the scheduler.
-
----
-
-## Cpuset cgroup
-
-- Pin groups to specific CPU(s).
-
-- Use-case: reserve CPUs for specific apps.
-
-- Warning: make sure that "default" processes aren't using all CPUs!
-
-- CPU pinning can also avoid performance loss due to cache flushes.
-
-- This is also relevant for NUMA systems.
-
-- Provides extra dials and knobs.
-
-  (Per zone memory pressure, process migration costs...)
-
----
-
-## Blkio cgroup
-
-- Keeps track of I/Os for each group:
-
-  - per block device
-  - read vs write
-  - sync vs async
-
-- Set throttle (limits) for each group:
-
-  - per block device
-  - read vs write
-  - ops vs bytes
-
-- Set relative weights for each group.
-
-- Note: most writes go through the page cache.
-  <br/>(So classic writes will appear to be unthrottled at first.)
-
----
-
-## Net_cls and net_prio cgroup
-
-- Only works for egress (outgoing) traffic.
-
-- Automatically set traffic class or priority
-  for traffic generated by processes in the group.
-
-- Net_cls will assign traffic to a class.
-
-- Classes have to be matched with tc or iptables, otherwise traffic just flows normally.
-
-- Net_prio will assign traffic to a priority.
-
-- Priorities are used by queuing disciplines.
-
----
-
-## Devices cgroup
-
-- Controls what the group can do on device nodes
-
-- Permissions include read/write/mknod
-
-- Typical use:
-
-  - allow `/dev/{tty,zero,random,null}` ...
-  - deny everything else
-
-- A few interesting nodes:
-
-  - `/dev/net/tun` (network interface manipulation)
-  - `/dev/fuse` (filesystems in user space)
-  - `/dev/kvm` (VMs in containers, yay inception!)
-  - `/dev/dri` (GPU)
-
----
-
 # Namespaces
 
 - Provide processes with their own view of the system.
@@ -472,8 +46,6 @@ Killed
   - uts
   - ipc
   - user
-  - time
-  - cgroup
 
   (We are going to detail them individually.)
 
@@ -1047,25 +619,411 @@ class: extra-details, deep-dive
 
 ---
 
-## Time namespace
+# Control groups
 
-- Virtualize time
+- Control groups provide resource *metering* and *limiting*.
 
-- Expose a slower/faster clock to some processes
+- This covers a number of "usual suspects" like:
 
-  (for e.g. simulation purposes)
+  - memory
 
-- Expose a clock offset to some processes
+  - CPU
 
-  (simulation, suspend/restore...)
+  - block I/O
+
+  - network (with cooperation from iptables/tc)
+
+- And a few exotic ones:
+
+  - huge pages (a special way to allocate memory)
+
+  - RDMA (resources specific to InfiniBand / remote memory transfer)
 
 ---
 
-## Cgroup namespace
+## Crowd control
 
-- Virtualize access to `/proc/<PID>/cgroup`
+- Control groups also allow to group processes for special operations:
 
-- Lets containerized processes view their relative cgroup tree
+  - freezer (conceptually similar to a "mass-SIGSTOP/SIGCONT")
+
+  - perf_event (gather performance events on multiple processes)
+
+  - cpuset (limit or pin processes to specific CPUs)
+
+- There is a "pids" cgroup to limit the number of processes in a given group.
+
+- There is also a "devices" cgroup to control access to device nodes.
+
+  (i.e. everything in `/dev`.)
+
+---
+
+## Generalities
+
+- Cgroups form a hierarchy (a tree).
+
+- We can create nodes in that hierarchy.
+
+- We can associate limits to a node.
+
+- We can move a process (or multiple processes) to a node.
+
+- The process (or processes) will then respect these limits.
+
+- We can check the current usage of each node.
+
+- In other words: limits are optional (if we only want accounting).
+
+- When a process is created, it is placed in its parent's groups.
+
+---
+
+## Example
+
+The numbers are PIDs.
+
+The names are the names of our nodes (arbitrarily chosen).
+
+.small[
+```bash
+cpu                      memory
+├── batch                ├── stateless
+│   ├── cryptoscam       │   ├── 25
+│   │   └── 52           │   ├── 26
+│   └── ffmpeg           │   ├── 27
+│       ├── 109          │   ├── 52
+│       └── 88           │   ├── 109
+└── realtime             │   └── 88
+    ├── nginx            └── databases
+    │   ├── 25               ├── 1008
+    │   ├── 26               └── 524
+    │   └── 27
+    ├── postgres
+    │   └── 524
+    └── redis
+        └── 1008
+```
+]
+
+---
+
+class: extra-details, deep-dive
+
+## Cgroups v1 vs v2
+
+- Cgroups v1 are available on all systems (and widely used).
+
+- Cgroups v2 are a huge refactor.
+
+  (Development started in Linux 3.10, released in 4.5.)
+
+- Cgroups v2 have a number of differences:
+
+  - single hierarchy (instead of one tree per controller),
+
+  - processes can only be on leaf nodes (not inner nodes),
+
+  - and of course many improvements / refactorings.
+
+---
+
+## Memory cgroup: accounting
+
+- Keeps track of pages used by each group:
+
+  - file (read/write/mmap from block devices),
+  - anonymous (stack, heap, anonymous mmap),
+  - active (recently accessed),
+  - inactive (candidate for eviction).
+
+- Each page is "charged" to a group.
+
+- Pages can be shared across multiple groups.
+
+  (Example: multiple processes reading from the same files.)
+
+- To view all the counters kept by this cgroup:
+
+  ```bash
+  $ cat /sys/fs/cgroup/memory/memory.stat
+  ```
+
+---
+
+## Memory cgroup: limits
+
+- Each group can have (optional) hard and soft limits.
+
+- Limits can be set for different kinds of memory:
+
+  - physical memory,
+
+  - kernel memory,
+
+  - total memory (including swap).
+
+---
+
+## Soft limits and hard limits
+
+- Soft limits are not enforced.
+
+  (But they influence reclaim under memory pressure.)
+
+- Hard limits *cannot* be exceeded:
+
+  - if a group of processes exceeds a hard limit,
+
+  - and if the kernel cannot reclaim any memory,
+
+  - then the OOM (out-of-memory) killer is triggered,
+
+  - and processes are killed until memory gets below the limit again.
+
+---
+
+class: extra-details, deep-dive
+
+## Avoiding the OOM killer
+
+- For some workloads (databases and stateful systems), killing
+  processes because we run out of memory is not acceptable.
+
+- The "oom-notifier" mechanism helps with that.
+
+- When "oom-notifier" is enabled and a hard limit is exceeded:
+
+  - all processes in the cgroup are frozen,
+
+  - a notification is sent to user space (instead of killing processes),
+
+  - user space can then raise limits, migrate containers, etc.,
+
+  - once the memory usage is below the hard limit, unfreeze the cgroup.
+
+---
+
+class: extra-details, deep-dive
+
+## Overhead of the memory cgroup
+
+- Each time a process grabs or releases a page, the kernel update counters.
+
+- This adds some overhead.
+
+- Unfortunately, this cannot be enabled/disabled per process.
+
+- It has to be done system-wide, at boot time.
+
+- Also, when multiple groups use the same page:
+
+  - only the first group gets "charged",
+
+  - but if it stops using it, the "charge" is moved to another group.
+
+---
+
+class: extra-details, deep-dive
+
+## Setting up a limit with the memory cgroup
+
+Create a new memory cgroup:
+
+```bash
+$ CG=/sys/fs/cgroup/memory/onehundredmegs
+$ sudo mkdir $CG
+```
+
+Limit it to approximately 100MB of memory usage:
+
+```bash
+$ sudo tee $CG/memory.memsw.limit_in_bytes <<< 100000000
+```
+
+Move the current process to that cgroup:
+
+```bash
+$ sudo tee $CG/tasks <<< $$
+```
+
+The current process *and all its future children* are now limited.
+
+(Confused about `<<<`? Look at the next slide!)
+
+---
+
+class: extra-details, deep-dive
+
+## What's `<<<`?
+
+- This is a "here string". (It is a non-POSIX shell extension.)
+
+- The following commands are equivalent:
+
+  ```bash
+  foo <<< hello
+  ```
+
+  ```bash
+  echo hello | foo
+  ```
+
+  ```bash
+  foo <<EOF
+  hello
+  EOF
+  ```
+
+- Why did we use that?
+
+---
+
+class: extra-details, deep-dive
+
+## Writing to cgroups pseudo-files requires root
+
+Instead of:
+
+```bash
+sudo tee $CG/tasks <<< $$
+```
+
+We could have done:
+
+```bash
+sudo sh -c "echo $$ > $CG/tasks"
+```
+
+The following commands, however, would be invalid:
+
+```bash
+sudo echo $$ > $CG/tasks
+```
+
+```bash
+sudo -i # (or su)
+echo $$ > $CG/tasks
+```
+
+---
+
+class: extra-details, deep-dive
+
+## Testing the memory limit
+
+Start the Python interpreter:
+
+```bash
+$ python
+Python 3.6.4 (default, Jan  5 2018, 02:35:40)
+[GCC 7.2.1 20171224] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>>
+```
+
+Allocate 80 megabytes:
+
+```python
+>>> s = "!" * 1000000 * 80
+```
+
+Add 20 megabytes more:
+
+```python
+>>> t = "!" * 1000000 * 20
+Killed
+```
+
+---
+
+## CPU cgroup
+
+- Keeps track of CPU time used by a group of processes.
+
+  (This is easier and more accurate than `getrusage` and `/proc`.)
+
+- Keeps track of usage per CPU as well.
+
+  (i.e., "this group of process used X seconds of CPU0 and Y seconds of CPU1".)
+
+- Allows setting relative weights used by the scheduler.
+
+---
+
+## Cpuset cgroup
+
+- Pin groups to specific CPU(s).
+
+- Use-case: reserve CPUs for specific apps.
+
+- Warning: make sure that "default" processes aren't using all CPUs!
+
+- CPU pinning can also avoid performance loss due to cache flushes.
+
+- This is also relevant for NUMA systems.
+
+- Provides extra dials and knobs.
+
+  (Per zone memory pressure, process migration costs...)
+
+---
+
+## Blkio cgroup
+
+- Keeps track of I/Os for each group:
+
+  - per block device
+  - read vs write
+  - sync vs async
+
+- Set throttle (limits) for each group:
+
+  - per block device
+  - read vs write
+  - ops vs bytes
+
+- Set relative weights for each group.
+
+- Note: most writes go through the page cache.
+  <br/>(So classic writes will appear to be unthrottled at first.)
+
+---
+
+## Net_cls and net_prio cgroup
+
+- Only works for egress (outgoing) traffic.
+
+- Automatically set traffic class or priority
+  for traffic generated by processes in the group.
+
+- Net_cls will assign traffic to a class.
+
+- Classes have to be matched with tc or iptables, otherwise traffic just flows normally.
+
+- Net_prio will assign traffic to a priority.
+
+- Priorities are used by queuing disciplines.
+
+---
+
+## Devices cgroup
+
+- Controls what the group can do on device nodes
+
+- Permissions include read/write/mknod
+
+- Typical use:
+
+  - allow `/dev/{tty,zero,random,null}` ...
+  - deny everything else
+
+- A few interesting nodes:
+
+  - `/dev/net/tun` (network interface manipulation)
+  - `/dev/fuse` (filesystems in user space)
+  - `/dev/kvm` (VMs in containers, yay inception!)
+  - `/dev/dri` (GPU)
 
 ---
 
@@ -1168,8 +1126,8 @@ See `man capabilities` for the full list and details.
 ???
 
 :EN:Containers internals
-:EN:- Control groups (cgroups)
 :EN:- Linux kernel namespaces
+:EN:- Control groups (cgroups)
 :FR:Fonctionnement interne des conteneurs
-:FR:- Les "control groups" (cgroups)
 :FR:- Les namespaces du noyau Linux
+:FR:- Les "control groups" (cgroups)

slides/containers/intro.md

@@ -13,7 +13,7 @@
 - ... Or be comfortable spending some time reading the Docker
  [documentation](https://docs.docker.com/) ...
 
-- ... And looking for answers in the [Docker forums](https://forums.docker.com),
+- ... And looking for answers in the [Docker forums](forums.docker.com),
   [StackOverflow](http://stackoverflow.com/questions/tagged/docker),
   and other outlets
 

slides/docker.yml

@@ -1,68 +0,0 @@
-title: |
-  Docker Training
-
-chat: "[Mattermost](https://live.container.training/mattermost)"
-
-gitrepo: github.com/jpetazzo/container.training
-
-slides: https://2022-11-live.container.training/
-
-#slidenumberprefix: "#SomeHashTag — "
-
-exclude:
-- self-paced
-
-content:
-- shared/title.md
-- logistics.md
-- containers/intro.md
-- shared/about-slides.md
-- shared/chat-room-im.md
-#- shared/chat-room-zoom-meeting.md
-#- shared/chat-room-zoom-webinar.md
-- shared/toc.md
-- # DAY 1
-  #- containers/Docker_Overview.md
-  #- containers/Docker_History.md
-  - containers/Training_Environment.md
-  #- containers/Installing_Docker.md
-  - containers/First_Containers.md
-  - containers/Background_Containers.md
-  - containers/Initial_Images.md
-  - containers/Building_Images_Interactively.md
-  - containers/Building_Images_With_Dockerfiles.md
-  - containers/Cmd_And_Entrypoint.md
-  - containers/Copying_Files_During_Build.md
-  - containers/Exercise_Dockerfile_Basic.md
-- # DAY 2
-  - containers/Container_Networking_Basics.md
-  - containers/Local_Development_Workflow.md
-  - containers/Container_Network_Model.md
-  - containers/Compose_For_Dev_Stacks.md
-  - containers/Exercise_Composefile.md
-- # DAY 3
-  - containers/Start_And_Attach.md
-  - containers/Naming_And_Inspecting.md
-  - containers/Labels.md
-  - containers/Getting_Inside.md
-  - containers/Dockerfile_Tips.md
-  - containers/Advanced_Dockerfiles.md
-  - containers/Multi_Stage_Builds.md
-  - containers/Publishing_To_Docker_Hub.md
-  - containers/Exercise_Dockerfile_Advanced.md
-- # DAY 4
-  - containers/Buildkit.md
-  - containers/Network_Drivers.md
-  - containers/Namespaces_Cgroups.md
-  #- containers/Copy_On_Write.md
-  - containers/Orchestration_Overview.md
-  #- containers/Docker_Machine.md
-  #- containers/Init_Systems.md
-  #- containers/Application_Configuration.md
-  #- containers/Logging.md
-  #- containers/Containers_From_Scratch.md
-  #- containers/Container_Engines.md
-  #- containers/Pods_Anatomy.md
-  #- containers/Ecosystem.md
-  - shared/thankyou.md
-  #- containers/links.md

slides/exercises/healthchecks-brief.md

@@ -4,6 +4,6 @@
 
   (we will use the `rng` service in the dockercoins app)
 
-- See what happens when the load increases
+- See what happens when the load increses
 
   (spoiler alert: it involves timeouts!)

slides/exercises/ingress-brief.md

@@ -2,7 +2,7 @@
 
 - Add an ingress controller to a Kubernetes cluster
 
-- Create an ingress resource for a couple of web apps on that cluster
+- Create an ingress resource for a web app on that cluster
 
 - Challenge: accessing/exposing port 80
 

slides/exercises/ingress-details.md

@@ -1,131 +1,49 @@
 # Exercise — Ingress
 
-- We want to expose a couple of web apps through an ingress controller
+- We want to expose a web app through an ingress controller
 
 - This will require:
 
-  - the web apps (e.g. two instances of `jpetazzo/color`)
+  - the web app itself (dockercoins, NGINX, whatever we want)
 
   - an ingress controller
 
+  - a domain name (`use \*.nip.io` or `\*.localdev.me`)
+
   - an ingress resource
 
 ---
 
-## Different scenarios
+## Goal
 
-We will use a different deployment mechanism depending on the cluster that we have:
+- We want to be able to access the web app using a URL like:
 
-- Managed cluster with working `LoadBalancer` Services
+  http://webapp.localdev.me
 
-- Local development cluster
+  *or*
 
-- Cluster without `LoadBalancer` Services (e.g. deployed with `kubeadm`)
+  http://webapp.A.B.C.D.nip.io
 
----
-
-## The apps
-
-- The web apps will be deployed similarly, regardless of the scenario
-
-- Let's start by deploying two web apps, e.g.:
-
-  a Deployment called `blue` and another called `green`, using image `jpetazzo/color`
-
-- Expose them with two `ClusterIP` Services
-
----
-
-## Scenario "classic cloud Kubernetes"
-
-*Difficulty: easy*
-
-For this scenario, we need a cluster with working `LoadBalancer` Services.
-
-(For instance, a managed Kubernetes cluster from a cloud provider.)
-
-We suggest to use "Ingress NGINX" with its default settings.
-
-It can be installed with `kubectl apply` or with `helm`.
-
-Both methods are described in [the documentation][ingress-nginx-deploy].
-
-We want our apps to be available on e.g. http://X.X.X.X/blue and http://X.X.X.X/green
-<br/>
-(where X.X.X.X is the IP address of the `LoadBalancer` allocated by Ingress NGINX).
-
-[ingress-nginx-deploy]: https://kubernetes.github.io/ingress-nginx/deploy/
-
----
-
-## Scenario "local development cluster"
-
-*Difficulty: easy-hard (depends on the type of cluster!)*
-
-For this scenario, we want to use a local cluster like KinD, minikube, etc.
-
-We suggest to use "Ingress NGINX" again, like for the previous scenario.
-
-Furthermore, we want to use `localdev.me`.
-
-We want our apps to be available on e.g. `blue.localdev.me` and `green.localdev.me`.
-
-The difficulty is to ensure that `localhost:80` will map to the ingress controller.
-
-(See next slide for hints!)
+  (where A.B.C.D is the IP address of one of our nodes)
 
 ---
 
 ## Hints
 
-- With clusters like Docker Desktop, the first `LoadBalancer` service uses `localhost`
+- For the ingress controller, we can use:
 
-  (if the ingress controller is the first `LoadBalancer` service, we're all set!)
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/index.md)
 
-- With clusters like K3D and KinD, it is possible to define extra port mappings
+  - the [Traefik Helm chart](https://doc.traefik.io/traefik/getting-started/install-traefik/#use-the-helm-chart)
 
-  (and map e.g. `localhost:80` to port 30080 on the node; then use that as a `NodePort`)
+  - the container.training [Traefik DaemonSet](https://raw.githubusercontent.com/jpetazzo/container.training/main/k8s/traefik-v2.yaml)
 
----
+- If our cluster supports LoadBalancer Services: easy
 
-## Scenario "on premises cluster", take 1
+  (nothing special to do)
 
-*Difficulty: easy*
+- For local clusters, things can be more difficult; two options:
 
-For this scenario, we need a cluster with nodes that are publicly accessible.
+  - map localhost:80 to e.g. a NodePort service, and use `\*.localdev.me`
 
-We want to deploy the ingress controller so that it listens on port 80 on all nodes.
-
-This can be done e.g. with the manifests in @@LINK[k8s/traefik.yaml].
-
-We want our apps to be available on e.g. http://X.X.X.X/blue and http://X.X.X.X/green
-<br/>
-(where X.X.X.X is the IP address of any of our nodes).
-
----
-
-## Scenario "on premises cluster", take 2
-
-*Difficulty: medium*
-
-We want to deploy the ingress controller so that it listens on port 80 on all nodes.
-
-But this time, we want to use a Helm chart to install the ingress controller.
-
-We can use either the Ingress NGINX Helm chart, or the Traefik Helm chart.
-
-Test with an untainted node first.
-
-Feel free to make it work on tainted nodes (e.g. control plane nodes) later.
-
----
-
-## Scenario "on premises cluster", take 3
-
-*Difficulty: hard*
-
-This is similar to the previous scenario, but with two significant changes:
-
-1. We only want to run the ingress controller on nodes that have the role `ingress`.
-
-2. We don't want to use `hostNetwork`, but a list of `externalIPs` instead.
+  - use hostNetwork, or ExternalIP, and use `\*.nip.io`

slides/exercises/netpol-brief.md

@@ -1,7 +0,0 @@
-## Exercise — Network Policies
-
-- Implement a system with 3 levels of security
-
-  (private pods, public pods, namespace pods)
-
-- Apply it to the DockerCoins demo app

slides/exercises/netpol-details.md

@@ -1,63 +0,0 @@
-# Exercise — Network Policies
-
-We want to to implement a generic network security mechanism.
-
-Instead of creating one policy per service, we want to
-create a fixed number of policies, and use a single label
-to indicate the security level of our pods.
-
-Then, when adding a new service to the stack, instead
-of writing a new network policy for that service, we
-only need to add the right label to the pods of that service.
-
----
-
-## Specifications
-
-We will use the label `security` to classify our pods.
-
-- If `security=private`:
-
-  *the pod shouldn't accept any traffic*
-
-- If `security=public`:
-
-  *the pod should accept all traffic*
-
-- If `security=namespace`:
-
-  *the pod should only accept connections coming from the same namespace*
-
-If `security` isn't set, assume it's `private`.
-
----
-
-## Test setup
-
-- Deploy a copy of the DockerCoins app in a new namespace
-
-- Modify the pod templates so that:
-
-  - `webui` has `security=public`
-
-  - `worker` has `security=private`
-
-  - `hasher`, `redis`, `rng` have `security=namespace`
-
----
-
-## Implement and test policies
-
-- Write the network policies
-
-  (feel free to draw inspiration from the ones we've seen so far)
-
-- Check that:
-
-  - you can connect to the `webui` from outside the cluster
-
-  - the application works correctly (shows 3-4 hashes/second)
-
-  - you cannot connect to the `hasher`, `redis`, `rng` services
-
-  - you cannot connect or even ping the `worker` pods

slides/exercises/rbac-brief.md

@@ -1,9 +0,0 @@
-## Exercise — RBAC
-
-- Create two namespaces for users `alice` and `bob`
-
-- Give each user full access to their own namespace
-
-- Give each user read-only access to the other's namespace
-
-- Let `alice` view the nodes of the cluster as well

slides/exercises/rbac-details.md

@@ -1,97 +0,0 @@
-# Exercise — RBAC
-
-We want to:
-
-- Create two namespaces for users `alice` and `bob`
-
-- Give each user full access to their own namespace
-
-- Give each user read-only access to the other's namespace
-
-- Let `alice` view the nodes of the cluster as well
-
----
-
-## Initial setup
-
-- Create two namespaces named `alice` and `bob`
-
-- Check that if we impersonate Alice, we can't access her namespace yet:
-  ```bash
-  kubectl --as alice get pods --namespace alice
-  ```
-
----
-
-## Access for Alice
-
-- Grant Alice full access to her own namespace
-
-  (you can use a pre-existing Cluster Role)
-
-- Check that Alice can create stuff in her namespace:
-  ```bash
-  kubectl --as alice create deployment hello --image nginx --namespace alice
-  ```
-
-- But that she can't create stuff in Bob's namespace:
-  ```bash
-  kubectl --as alice create deployment hello --image nginx --namespace bob
-  ```
-
----
-
-## Access for Bob
-
-- Similarly, grant Bob full access to his own namespace
-
-- Check that Bob can create stuff in his namespace:
-  ```bash
-  kubectl --as bob create deployment hello --image nginx --namespace bob
-  ```
-
-- But that he can't create stuff in Alice's namespace:
-  ```bash
-  kubectl --as bob create deployment hello --image nginx --namespace alice
-  ```
-
----
-
-## Read-only access
-
-- Now, give Alice read-only access to Bob's namespace
-
-- Check that Alice can view Bob's stuff:
-  ```bash
-  kubectl --as alice get pods --namespace bob
-  ```
-
-- But that she can't touch this:
-  ```bash
-  kubectl --as alice delete pods --namespace bob --all
-  ```
-
-- Likewise, give Bob read-only access to Alice's namespace
-
----
-
-## Nodes
-
-- Give Alice read-only access to the cluster nodes
-
-  (this will require creating a custom Cluster Role)
-
-- Check that Alice can view the nodes:
-  ```bash
-  kubectl --as alice get nodes
-  ```
-
-- But that Bob cannot:
-  ```bash
-  kubectl --as bob get nodes
-  ```
-
-- And that Alice can't update nodes:
-  ```bash
-  kubectl --as alice label nodes --all hello=world
-  ```

slides/interstitials.txt

@@ -13,4 +13,3 @@ https://gallant-turing-d0d520.netlify.com/containers/train-of-containers-1.jpg
 https://gallant-turing-d0d520.netlify.com/containers/train-of-containers-2.jpg
 https://gallant-turing-d0d520.netlify.com/containers/two-containers-on-a-truck.jpg
 https://gallant-turing-d0d520.netlify.com/containers/wall-of-containers.jpeg
-https://gallant-turing-d0d520.netlify.com/containers/catene-de-conteneurs.jpg

slides/k8s/architecture.md

@@ -14,6 +14,70 @@ Kubernetes also relies on underlying infrastructure:
 
 ---
 
+## Control plane location
+
+The control plane can run:
+
+- in containers, on the same nodes that run other application workloads
+
+  (default behavior for local clusters like [Minikube](https://github.com/kubernetes/minikube), [kind](https://kind.sigs.k8s.io/)...)
+
+- on a dedicated node
+
+  (default behavior when deploying with kubeadm)
+
+- on a dedicated set of nodes
+
+  ([Kubernetes The Hard Way](https://github.com/kelseyhightower/kubernetes-the-hard-way); [kops](https://github.com/kubernetes/kops); also kubeadm)
+
+- outside of the cluster
+
+  (most managed clusters like AKS, DOK, EKS, GKE, Kapsule, LKE, OKE...)
+
+---
+
+class: pic
+
+![](images/control-planes/single-node-dev.svg)
+
+---
+
+class: pic
+
+![](images/control-planes/managed-kubernetes.svg)
+
+---
+
+class: pic
+
+![](images/control-planes/single-control-and-workers.svg)
+
+---
+
+class: pic
+
+![](images/control-planes/stacked-control-plane.svg)
+
+---
+
+class: pic
+
+![](images/control-planes/non-dedicated-stacked-nodes.svg)
+
+---
+
+class: pic
+
+![](images/control-planes/advanced-control-plane.svg)
+
+---
+
+class: pic
+
+![](images/control-planes/advanced-control-plane-split-events.svg)
+
+---
+
 class: pic
 
 ![Kubernetes architecture diagram: communication between components](images/k8s-arch4-thanks-luxas.png)
@@ -93,70 +157,6 @@ The kubelet agent uses a number of special-purpose protocols and interfaces, inc
 
 ---
 
-## Control plane location
-
-The control plane can run:
-
-- in containers, on the same nodes that run other application workloads
-
-  (default behavior for local clusters like [Minikube](https://github.com/kubernetes/minikube), [kind](https://kind.sigs.k8s.io/)...)
-
-- on a dedicated node
-
-  (default behavior when deploying with kubeadm)
-
-- on a dedicated set of nodes
-
-  ([Kubernetes The Hard Way](https://github.com/kelseyhightower/kubernetes-the-hard-way); [kops](https://github.com/kubernetes/kops); also kubeadm)
-
-- outside of the cluster
-
-  (most managed clusters like AKS, DOK, EKS, GKE, Kapsule, LKE, OKE...)
-
----
-
-class: pic
-
-![](images/control-planes/single-node-dev.svg)
-
----
-
-class: pic
-
-![](images/control-planes/managed-kubernetes.svg)
-
----
-
-class: pic
-
-![](images/control-planes/single-control-and-workers.svg)
-
----
-
-class: pic
-
-![](images/control-planes/stacked-control-plane.svg)
-
----
-
-class: pic
-
-![](images/control-planes/non-dedicated-stacked-nodes.svg)
-
----
-
-class: pic
-
-![](images/control-planes/advanced-control-plane.svg)
-
----
-
-class: pic
-
-![](images/control-planes/advanced-control-plane-split-events.svg)
-
----
-
 # The Kubernetes API
 
 [

slides/k8s/authn-authz.md

@@ -168,7 +168,7 @@ class: extra-details
 
   (`O=system:nodes`, `CN=system:node:name-of-the-node`)
 
-- The Kubernetes API can act as a CA
+- The Kubernetse API can act as a CA
 
   (by wrapping an X509 CSR into a CertificateSigningRequest resource)
 
@@ -246,7 +246,7 @@ class: extra-details
 
   (they don't require hand-editing a file and restarting the API server)
 
-- A service account can be associated with a set of secrets
+- A service account is associated with a set of secrets
 
   (the kind that you can view with `kubectl get secrets`)
 
@@ -256,28 +256,6 @@ class: extra-details
 
 ---
 
-## Service account tokens evolution
-
-- In Kubernetes 1.21 and above, pods use *bound service account tokens*:
-
-  - these tokens are *bound* to a specific object (e.g. a Pod)
-
-  - they are automatically invalidated when the object is deleted
-
-  - these tokens also expire quickly (e.g. 1 hour) and gets rotated automatically
-
-- In Kubernetes 1.24 and above, unbound tokens aren't created automatically
-
-  - before 1.24, we would see unbound tokens with `kubectl get secrets`
-
-  - with 1.24 and above, these tokens can be created with `kubectl create token`
-
-  - ...or with a Secret with the right [type and annotation][create-token]
-
-[create-token]: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#create-token
-
----
-
 class: extra-details
 
 ## Checking our authentication method
@@ -412,10 +390,6 @@ class: extra-details
 
 It should be named `default-token-XXXXX`.
 
-When running Kubernetes 1.24 and above, this Secret won't exist.
-<br/>
-Instead, create a token with `kubectl create token default`.
-
 ---
 
 class: extra-details

slides/k8s/bootstrap.md

@@ -202,9 +202,7 @@ class: extra-details
 
 - These are JWS signatures using HMAC-SHA256
 
-  (see [the reference documentation][configmap-signing] for more details)
-
-[configmap-signing]: https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/#configmap-signing
+  (see [here](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/#configmap-signing) for more details)
 
 ---
 

slides/k8s/cainjector.md

@@ -1,60 +0,0 @@
-## CA injector - overview
-
-- The Kubernetes API server can invoke various webhooks:
-
-  - conversion webhooks (registered in CustomResourceDefinitions)
-
-  - mutation webhooks (registered in MutatingWebhookConfigurations)
-
-  - validation webhooks (registered in ValidatingWebhookConfiguration)
-
-- These webhooks must be served over TLS
-
-- These webhooks must use valid TLS certificates
-
----
-
-## Webhook certificates
-
-- Option 1: certificate issued by a global CA
-
-  - doesn't work with internal services
-    <br/>
-    (their CN must be `<servicename>.<namespace>.svc`)
-
-- Option 2: certificate issued by private CA + CA certificate in system store
-
-  - requires access to API server certificates tore
-
-  - generally not doable on managed Kubernetes clusters
-
-- Option 3: certificate issued by private CA + CA certificate in `caBundle`
-
-  - pass the CA certificate in `caBundle` field
-    <br/>
-    (in CRD or webhook manifests)
-
-  - can be managed automatically by cert-manager
-
----
-
-## CA injector - details
-
-- Add annotation to *injectable* resource
-  (CustomResouceDefinition, MutatingWebhookConfiguration, ValidatingWebhookConfiguration)
-
-- Annotation refers to the thing holding the certificate:
-
-  - `cert-manager.io/inject-ca-from: <namespace>/<certificate>`
-
-  - `cert-manager.io/inject-ca-from-secret: <namespace>/<secret>`
-
-  - `cert-manager.io/inject-apiserver-ca: true` (use API server CA)
-
-- When injecting from a Secret, the Secret must have a special annotation:
-
-  `cert-manager.io/allow-direct-injection: "true"`
-
-- See [cert-manager documentation][docs] for details
-
-[docs]: https://cert-manager.io/docs/concepts/ca-injector/

slides/k8s/cluster-autoscaler.md

@@ -48,7 +48,7 @@
 
 - We must run nodes on a supported infrastructure
 
-- Check the [GitHub repo][autoscaler-providers] for a non-exhaustive list of supported providers
+- See [here] for a non-exhaustive list of supported providers
 
 - Sometimes, the cluster autoscaler is installed automatically
 
@@ -58,7 +58,7 @@
 
   (which is often non-trivial and highly provider-specific)
 
-[autoscaler-providers]: https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider
+[here]: https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider
 
 ---