Update recommended Terraform provider versions

* Sync Terraform provider plugin versions to those used internally * Update mkdocs-material from v5.5.1 to v5.5.6 * Fix minor details in docs
Update Kubernetes from v1.18.6 to v1.18.8
2025-08-04 22:21:34 +02:00 · 2020-08-14 10:05:52 -07:00 · 2020-08-13 20:47:43 -07:00 · 2020-08-13 00:36:47 -07:00 · 2020-08-12 01:54:32 -07:00 · 2020-08-09 12:40:22 -07:00
146 changed files with 2233 additions and 1152 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -1,33 +0,0 @@
 <!-- Fill in either the 'Bug' or 'Feature Request' section -->
 ## Bug
 ### Environment
 * Platform: aws, azure, bare-metal, google-cloud, digital-ocean
 * OS: fedora-coreos, flatcar-linux
 * Release: Typhoon version or Git SHA (reporting latest is **not** helpful)
 * Terraform: `terraform version` (reporting latest is **not** helpful)
 * Plugins: Provider plugin versions (reporting latest is **not** helpful)
 ### Problem
 Describe the problem.
 ### Desired Behavior
 Describe the goal.
 ### Steps to Reproduce
 Provide clear steps to reproduce the issue unless already covered.
 ## Feature Request
 ### Feature
 Describe the feature and what problem it solves.
 ### Tradeoffs
 What are the pros and cons of this feature? How will it be exercised and maintained?
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,39 @@
 ---
 name: Bug report
 about: Report a bug to improve the project
 title: ''
 labels: ''
 assignees: ''
 ---
 <!-- READ: Issues are used to receive focused bug reports from users and to track planned future enhancements by the authors. Topics like cluster operation, support, debugging help, advice, and Kubernetes concepts are out of scope and should not use issues-->
 **Description**
 A clear and concise description of what the bug is.
 **Steps to Reproduce**
 Provide clear steps to reproduce the bug.
 - [ ] Relevant error messages if appropriate (concise, not a dump of everything).
 - [ ] Explored using a vanilla cluster from the [tutorials](https://typhoon.psdn.io/#documentation). Ruled out [customizations](https://typhoon.psdn.io/advanced/customization/).
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Environment**
 * Platform: aws, azure, bare-metal, google-cloud, digital-ocean
 * OS: fedora-coreos, flatcar-linux (include release version)
 * Release: Typhoon version or Git SHA (reporting latest is **not** helpful)
 * Terraform: `terraform version` (reporting latest is **not** helpful)
 * Plugins: Provider plugin versions (reporting latest is **not** helpful)
 **Possible Solution**
 <!-- Most bug reports should have some inkling about solutions. Otherwise, your report may be less of a bug and more of a support request (see top).-->
 Link to a PR or description.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1,5 @@
 blank_issues_enabled: true
 contact_links:
  - name: Security
    url: https://typhoon.psdn.io/topics/security/
    about: Report security vulnerabilities
--- a/.github/issue_template.md
+++ b/.github/issue_template.md
@ -0,0 +1,15 @@
 <!-- READ: Issues are used to receive focused bug reports from users and to track planned future enhancements by the authors. Topics like cluster operation, support, debugging help, advice, and Kubernetes concepts are out of scope and should not use issues-->
 ## Enhancement
 ### Overview
 One paragraph explanation of the enhancement.
 ### Motivation
 Describe the motivation and what problem this solves.
 ### Tradeoffs
 What are the pros and cons of this feature? How will it be exercised and maintained?
--- a/CHANGES.md
+++ b/CHANGES.md
@ -4,6 +4,200 @@ Notable changes between versions.
 ## Latest
 ### v1.18.8
 * Kubernetes [v1.18.8](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1188)
 * Migrate from Terraform v0.12.x to v0.13.x ([#804](https://github.com/poseidon/typhoon/pull/804)) (**action required**)
  * Recommend Terraform v0.13.x ([migration guide](https://typhoon.psdn.io/topics/maintenance/#terraform-versions))
  * Support automatic install of poseidon's provider plugins ([poseidon/ct](https://registry.terraform.io/providers/poseidon/ct/latest), [poseidon/matchbox](https://registry.terraform.io/providers/poseidon/matchbox/latest))
  * Require Terraform v0.12.26+ (migration compatibility)
  * Require `terraform-provider-ct` v0.6.1
  * Require `terraform-provider-matchbox` v0.4.1
 * Update etcd from v3.4.9 to [v3.4.10](https://github.com/etcd-io/etcd/releases/tag/v3.4.10)
 * Update CoreDNS from v1.6.7 to [v1.7.0](https://coredns.io/2020/06/15/coredns-1.7.0-release/)
 * Update Cilium from v1.8.1 to [v1.8.2](https://github.com/cilium/cilium/releases/tag/v1.8.2)
 * Update [coreos/flannel-cni](https://github.com/coreos/flannel-cni) to [poseidon/flannel-cni](https://github.com/poseidon/flannel-cni) ([#798](https://github.com/poseidon/typhoon/pull/798))
  * Update CNI plugins and fix CVEs with Flannel CNI (non-default)
  * Transition to a poseidon maintained container image
 ### AWS
 * Allow `terraform-provider-aws` v3.0+ ([#803](https://github.com/poseidon/typhoon/pull/803))
  * Recommend updating `terraform-provider-aws` to v3.0+
  * Continue to allow v2.23+, no v3.x specific features are used
 ### DigitalOcean
 * Require `terraform-provider-digitalocean` v1.21+ for Terraform v0.13.x (unenforced)
 * Require `terraform-provider-digitalocean` v1.20+ for Terraform v0.12.x
 ### Fedora CoreOS
 * Fix support for Flannel with Fedora CoreOS ([#795](https://github.com/poseidon/typhoon/pull/795))
  * Configure `flannel.1` link to select its own MAC address to solve flannel
  pod-to-pod traffic drops starting with default link changes in Fedora CoreOS
  32.20200629.3.0 ([details](https://github.com/coreos/fedora-coreos-tracker/issues/574#issuecomment-665487296))
 #### Addons
 * Update Prometheus from v2.19.2 to [v2.20.0](https://github.com/prometheus/prometheus/releases/tag/v2.20.0)
 * Update Grafana from v7.0.6 to [v7.1.3](https://github.com/grafana/grafana/releases/tag/v7.1.3)
 ## v1.18.6
 * Kubernetes [v1.18.6](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1186)
 * Update Calico from v3.15.0 to [v3.15.1](https://docs.projectcalico.org/v3.15/release-notes/)
 * Update Cilium from v1.8.0 to [v1.8.1](https://github.com/cilium/cilium/releases/tag/v1.8.1)
 #### Addons
 * Update nginx-ingress from v0.33.0 to [v0.34.1](https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.34.1)
  * [ingress-nginx](https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v0.34.0) will publish images only to gcr.io
 * Update Prometheus from v2.19.1 to [v2.19.2](https://github.com/prometheus/prometheus/releases/tag/v2.19.2)
 * Update Grafana from v7.0.4 to [v7.0.6](https://github.com/grafana/grafana/releases/tag/v7.0.6)
 ## v1.18.5
 * Kubernetes [v1.18.5](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1185)
 * Add Cilium v1.8.0 as a (experimental) CNI provider option ([#760](https://github.com/poseidon/typhoon/pull/760))
  * Set `networking` to "cilium" to enable
 * Update Calico from v3.14.1 to [v3.15.0](https://docs.projectcalico.org/v3.15/release-notes/)
 #### DigitalOcean
 * Isolate each cluster in an independent DigitalOcean VPC ([#776](https://github.com/poseidon/typhoon/pull/776))
  * Create droplets in a VPC per cluster (matches Typhoon AWS, Azure, and GCP)
  * Require `terraform-provider-digitalocean` v1.16.0+ (action required)
  * Output `vpc_id` for use with an attached DigitalOcean [loadbalancer](https://github.com/poseidon/typhoon/blob/v1.18.5/docs/architecture/digitalocean.md#custom-load-balancer)
 ### Fedora CoreOS
 #### Google Cloud
 * Promote Fedora CoreOS to stable
 * Remove `os_image` variable deprecated in v1.18.3 ([#777](https://github.com/poseidon/typhoon/pull/777))
  * Use `os_stream` to select a Fedora CoreOS image stream
 ### Flatcar Linux
 #### Azure
 * Allow using Flatcar Linux Edge by setting `os_image` to "flatcar-edge" ([#778](https://github.com/poseidon/typhoon/pull/778))
 #### Addons
 * Update Prometheus from v2.19.0 to [v2.19.1](https://github.com/prometheus/prometheus/releases/tag/v2.19.1)
 * Update Grafana from v7.0.3 to [v7.0.4](https://github.com/grafana/grafana/releases/tag/v7.0.4)
 ## v1.18.4
 * Kubernetes [v1.18.4](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1184)
 * Update Kubelet image publishing ([#749](https://github.com/poseidon/typhoon/pull/749))
  * Build Kubelet images internally and publish to Quay and Dockerhub
    * [quay.io/poseidon/kubelet](https://quay.io/repository/poseidon/kubelet) (official)
    * [docker.io/psdn/kubelet](https://hub.docker.com/r/psdn/kubelet) (fallback)
  * Continue offering automated image builds with an alternate tag strategy (see [docs](https://typhoon.psdn.io/topics/security/#container-images))
  * [Document](https://typhoon.psdn.io/advanced/customization/#kubelet) use of alternate Kubelet images during registry incidents
 * Update Calico from v3.14.0 to [v3.14.1](https://docs.projectcalico.org/v3.14/release-notes/)
  * Fix [CVE-2020-13597](https://github.com/kubernetes/kubernetes/issues/91507)
 * Rename controller NoSchedule taint from `node-role.kubernetes.io/master` to `node-role.kubernetes.io/controller` ([#764](https://github.com/poseidon/typhoon/pull/764))
  * Tolerate the new taint name for workloads that may run on controller nodes
 * Remove node label `node.kubernetes.io/master` from controller nodes ([#764](https://github.com/poseidon/typhoon/pull/764))
  * Use `node.kubernetes.io/controller` (present since v1.9.5, [#160](https://github.com/poseidon/typhoon/pull/160)) to node select controllers
 * Remove unused Kubelet `-lock-file` and `-exit-on-lock-contention` ([#758](https://github.com/poseidon/typhoon/pull/758))
 ### Fedora CoreOS
 #### Azure
 * Use `strict` Fedora CoreOS Config (FCC) snippet parsing ([#755](https://github.com/poseidon/typhoon/pull/755))
 * Reduce Calico vxlan interface MTU to maintain performance ([#767](https://github.com/poseidon/typhoon/pull/766))
 #### AWS
 * Fix Kubelet service race with hostname update ([#766](https://github.com/poseidon/typhoon/pull/766))
  * Wait for a hostname to avoid Kubelet trying to register as `localhost`
 ### Flatcar Linux
 * Use `strict` Container Linux Config (CLC) snippet parsing ([#755](https://github.com/poseidon/typhoon/pull/755))
  * Require `terraform-provider-ct` v0.4+, recommend v0.5+ (**action required**)
 ### Addons
 * Update nginx-ingress from v0.32.0 to [v0.33.0](https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.33.0)
 * Update Prometheus from v2.18.1 to [v2.19.0](https://github.com/prometheus/prometheus/releases/tag/v2.19.0)
 * Update node-exporter from v1.0.0-rc.1 to [v1.0.1](https://github.com/prometheus/node_exporter/releases/tag/v1.0.1)
 * Update kube-state-metrics from v1.9.6 to v1.9.7
 * Update Grafana from v7.0.0 to v7.0.3
 ## v1.18.3
 * Kubernetes [v1.18.3](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1183)
 * Use Kubelet [TLS bootstrap](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) with bootstrap token authentication ([#713](https://github.com/poseidon/typhoon/pull/713))
  * Enable Node [Authorization](https://kubernetes.io/docs/reference/access-authn-authz/node/) and [NodeRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) to reduce authorization scope
  * Renew Kubelet certificates every 72 hours
 * Update etcd from v3.4.7 to [v3.4.9](https://github.com/etcd-io/etcd/releases/tag/v3.4.9)
 * Update Calico from v3.13.1 to [v3.14.0](https://docs.projectcalico.org/v3.14/release-notes/)
 * Add CoreDNS node affinity preference for controller nodes ([#188](https://github.com/poseidon/terraform-render-bootstrap/pull/188))
 * Deprecate CoreOS Container Linux support (no OS [updates](https://coreos.com/os/eol/) after May 2020)
  * Use a `fedora-coreos` module for Fedora CoreOS
  * Use a `container-linux` module for Flatcar Linux
 ### AWS
 * Fix Terraform plan error when `controller_count` exceeds AWS zones (e.g. 5 controllers) ([#714](https://github.com/poseidon/typhoon/pull/714))
  * Regressed in v1.17.1 ([#605](https://github.com/poseidon/typhoon/pull/605))
 ### Azure
 * Update Azure subnets to set `address_prefixes` list ([#730](https://github.com/poseidon/typhoon/pull/730))
  * Fix warning that `address_prefix` is deprecated
  * Require `terraform-provider-azurerm` v2.8.0+ (action required)
 ### DigitalOcean
 * Promote DigitalOcean to beta on both Fedora CoreOS and Flatcar Linux
 ### Fedora CoreOS
 * Fix Calico `install-cni` crashloop on Pod restarts ([#724](https://github.com/poseidon/typhoon/pull/724))
  * SELinux enforcement requires consistent file context MCS level
  * Restarting a node resolved the issue as a previous workaround
 #### AWS
 * Support Fedora CoreOS [image streams](https://docs.fedoraproject.org/en-US/fedora-coreos/update-streams/) ([#727](https://github.com/poseidon/typhoon/pull/727))
  * Add `os_stream` variable to set the stream to `stable` (default), `testing`, or `next`
  * Remove unused `os_image` variable
 #### Google
 * Support Fedora CoreOS [image streams](https://docs.fedoraproject.org/en-US/fedora-coreos/update-streams/) ([#723](https://github.com/poseidon/typhoon/pull/723))
  * Add `os_stream` variable to set the stream to `stable` (default), `testing`, or `next`
  * Deprecate `os_image` variable. Manual image uploads are no longer needed
 ### Flatcar Linux
 #### Azure
 * Use the Flatcar Linux Azure Marketplace image
  * Restore [#664](https://github.com/poseidon/typhoon/pull/664) (reverted in [#707](https://github.com/poseidon/typhoon/pull/707)) but use Flatcar Linux new free offer (not byol)
 * Change `os_image` to use a `flatcar-stable` default
 #### Google
 * Promote Flatcar Linux to beta
 ### Addons
 * Update nginx-ingress from v0.30.0 to [v0.32.0](https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.32.0)
  * Add support for [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
 * Update Prometheus from v2.17.1 to v2.18.1
  * Update kube-state-metrics from v1.9.5 to [v1.9.6](https://github.com/kubernetes/kube-state-metrics/releases/tag/v1.9.6)
  * Update node-exporter from v1.0.0-rc.0 to [v1.0.0-rc.1](https://github.com/prometheus/node_exporter/releases/tag/v1.0.0-rc.1)
 * Update Grafana from v6.7.2 to [v7.0.0](https://grafana.com/docs/grafana/latest/guides/whats-new-in-v7-0/)
 ## v1.18.2
 * Kubernetes [v1.18.2](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1182)
--- a/README.md
+++ b/README.md
@ -11,9 +11,9 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
-* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
+* Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
-* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [preemptible](https://typhoon.psdn.io/cl/google-cloud/#preemption) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#container-linux) customization
 * Ready for Ingress, Prometheus, Grafana, CSI, or other [addons](https://typhoon.psdn.io/addons/overview/)
@ -28,35 +28,25 @@ Typhoon is available for [Fedora CoreOS](https://getfedora.org/coreos/).
 | AWS           | Fedora CoreOS | [aws/fedora-coreos/kubernetes](aws/fedora-coreos/kubernetes) | stable |
 | Azure         | Fedora CoreOS | [azure/fedora-coreos/kubernetes](azure/fedora-coreos/kubernetes) | alpha |
 | Bare-Metal    | Fedora CoreOS | [bare-metal/fedora-coreos/kubernetes](bare-metal/fedora-coreos/kubernetes) | beta |
-| DigitalOcean  | Fedora CoreOS | [digital-ocean/fedora-coreos/kubernetes](digital-ocean/fedora-coreos/kubernetes) | alpha |
+| DigitalOcean  | Fedora CoreOS | [digital-ocean/fedora-coreos/kubernetes](digital-ocean/fedora-coreos/kubernetes) | beta |
-| Google Cloud  | Fedora CoreOS | [google-cloud/fedora-coreos/kubernetes](google-cloud/fedora-coreos/kubernetes) | beta |
+| Google Cloud  | Fedora CoreOS | [google-cloud/fedora-coreos/kubernetes](google-cloud/fedora-coreos/kubernetes) | stable |
-Typhoon is available for [Flatcar Container Linux](https://www.flatcar-linux.org/releases/).
+Typhoon is available for [Flatcar Linux](https://www.flatcar-linux.org/releases/).
 | Platform      | Operating System | Terraform Module | Status |
 |---------------|------------------|------------------|--------|
 | AWS           | Flatcar Linux    | [aws/container-linux/kubernetes](aws/container-linux/kubernetes) | stable |
 | Azure         | Flatcar Linux    | [azure/container-linux/kubernetes](azure/container-linux/kubernetes) | alpha |
 | Bare-Metal    | Flatcar Linux    | [bare-metal/container-linux/kubernetes](bare-metal/container-linux/kubernetes) | stable |
-| DigitalOcean | Flatcar Linux  | [digital-ocean/container-linux/kubernetes](digital-ocean/container-linux/kubernetes) | alpha |
+| DigitalOcean | Flatcar Linux  | [digital-ocean/container-linux/kubernetes](digital-ocean/container-linux/kubernetes) | beta |
-| Google Cloud  | Flatcar Linux  | [google-cloud/container-linux/kubernetes](google-cloud/container-linux/kubernetes) | alpha |
+| Google Cloud  | Flatcar Linux  | [google-cloud/container-linux/kubernetes](google-cloud/container-linux/kubernetes) | beta |
 Typhoon is available for CoreOS Container Linux ([no updates](https://coreos.com/os/eol/) after May 2020).
 | Platform      | Operating System | Terraform Module | Status |
 |---------------|------------------|------------------|--------|
 | AWS           | Container Linux  | [aws/container-linux/kubernetes](aws/container-linux/kubernetes) | stable |
 | Azure         | Container Linux  | [azure/container-linux/kubernetes](azure/container-linux/kubernetes) | alpha |
 | Bare-Metal    | Container Linux  | [bare-metal/container-linux/kubernetes](bare-metal/container-linux/kubernetes) | stable |
 | Digital Ocean | Container Linux  | [digital-ocean/container-linux/kubernetes](digital-ocean/container-linux/kubernetes) | beta |
 | Google Cloud  | Container Linux  | [google-cloud/container-linux/kubernetes](google-cloud/container-linux/kubernetes) | stable |
 ## Documentation
 * [Docs](https://typhoon.psdn.io)
 * Architecture [concepts](https://typhoon.psdn.io/architecture/concepts/) and [operating systems](https://typhoon.psdn.io/architecture/operating-systems/)
 * Fedora CoreOS tutorials for [AWS](docs/fedora-coreos/aws.md), [Azure](docs/fedora-coreos/azure.md), [Bare-Metal](docs/fedora-coreos/bare-metal.md), [DigitalOcean](docs/fedora-coreos/digitalocean.md), and [Google Cloud](docs/fedora-coreos/google-cloud.md)
-* Flatcar Linux tutorials for [AWS](docs/cl/aws.md), [Azure](docs/cl/azure.md), [Bare-Metal](docs/cl/bare-metal.md), [DigitalOcean](docs/cl/digital-ocean.md), and [Google Cloud](docs/cl/google-cloud.md)
+* Flatcar Linux tutorials for [AWS](docs/flatcar-linux/aws.md), [Azure](docs/flatcar-linux/azure.md), [Bare-Metal](docs/flatcar-linux/bare-metal.md), [DigitalOcean](docs/flatcar-linux/digitalocean.md), and [Google Cloud](docs/flatcar-linux/google-cloud.md)
 ## Usage
@ -64,7 +54,7 @@ Define a Kubernetes cluster by using the Terraform module for your chosen platfo
 ```tf
 module "yavin" {
-  source = "git::https://github.com/poseidon/typhoon//google-cloud/container-linux/kubernetes?ref=v1.18.2"
+  source = "git::https://github.com/poseidon/typhoon//google-cloud/fedora-coreos/kubernetes?ref=v1.18.8"
  # Google Cloud
  cluster_name  = "yavin"
@ -103,9 +93,9 @@ In 4-8 minutes (varies by platform), the cluster will be ready. This Google Clou
 $ export KUBECONFIG=/home/user/.kube/configs/yavin-config
 $ kubectl get nodes
 NAME                                       ROLES    STATUS  AGE  VERSION
-yavin-controller-0.c.example-com.internal  <none>   Ready   6m   v1.18.2
+yavin-controller-0.c.example-com.internal  <none>   Ready   6m   v1.18.8
-yavin-worker-jrbf.c.example-com.internal   <none>   Ready   5m   v1.18.2
+yavin-worker-jrbf.c.example-com.internal   <none>   Ready   5m   v1.18.8
-yavin-worker-mzdm.c.example-com.internal   <none>   Ready   5m   v1.18.2
+yavin-worker-mzdm.c.example-com.internal   <none>   Ready   5m   v1.18.8
 ```
 List the pods.
--- a/addons/grafana/dashboards-coredns.yaml
+++ b/addons/grafana/dashboards-coredns.yaml
@ -72,7 +72,7 @@ data:
              "steppedLine": false,
              "targets": [
                {
-                  "expr": "sum(rate(coredns_dns_request_count_total{instance=~\"$instance\"}[5m])) by (proto)",
+                  "expr": "sum(rate(coredns_dns_requests_total{instance=~\"$instance\"}[5m])) by (proto)",
                  "format": "time_series",
                  "intervalFactor": 2,
                  "legendFormat": "{{proto}}",
@ -163,7 +163,7 @@ data:
              "steppedLine": false,
              "targets": [
                {
-                  "expr": "sum(rate(coredns_dns_request_type_count_total{instance=~\"$instance\"}[5m])) by (type)",
+                  "expr": "sum(rate(coredns_dns_requests_total{instance=~\"$instance\"}[5m])) by (type)",
                  "format": "time_series",
                  "intervalFactor": 2,
                  "legendFormat": "{{type}}",
@ -254,7 +254,7 @@ data:
              "steppedLine": false,
              "targets": [
                {
-                  "expr": "sum(rate(coredns_dns_request_count_total{instance=~\"$instance\"}[5m])) by (zone)",
+                  "expr": "sum(rate(coredns_dns_requests_total{instance=~\"$instance\"}[5m])) by (zone)",
                  "format": "time_series",
                  "intervalFactor": 2,
                  "legendFormat": "{{zone}}",
@ -463,7 +463,7 @@ data:
              "steppedLine": false,
              "targets": [
                {
-                  "expr": "sum(rate(coredns_dns_response_rcode_count_total{instance=~\"$instance\"}[5m])) by (rcode)",
+                  "expr": "sum(rate(coredns_dns_responses_total{instance=~\"$instance\"}[5m])) by (rcode)",
                  "format": "time_series",
                  "intervalFactor": 2,
                  "legendFormat": "{{rcode}}",
@ -790,7 +790,7 @@ data:
              "steppedLine": false,
              "targets": [
                {
-                  "expr": "sum(coredns_cache_size{instance=~\"$instance\"}) by (type)",
+                  "expr": "sum(coredns_cache_entries{instance=~\"$instance\"}) by (type)",
                  "format": "time_series",
                  "intervalFactor": 2,
                  "legendFormat": "{{type}}",
--- a/addons/grafana/deployment.yaml
+++ b/addons/grafana/deployment.yaml
@ -23,7 +23,7 @@ spec:
    spec:
      containers:
        - name: grafana
-          image: docker.io/grafana/grafana:6.7.2
+          image: docker.io/grafana/grafana:7.1.3
          env:
            - name: GF_PATHS_CONFIG
              value: "/etc/grafana/custom.ini"
--- a/addons/nginx-ingress/aws/class.yaml
+++ b/addons/nginx-ingress/aws/class.yaml
@ -0,0 +1,6 @@
 apiVersion: networking.k8s.io/v1beta1
 kind: IngressClass
 metadata:
  name: public
 spec:
  controller: k8s.io/ingress-nginx
--- a/addons/nginx-ingress/aws/deployment.yaml
+++ b/addons/nginx-ingress/aws/deployment.yaml
@ -22,7 +22,7 @@ spec:
    spec:
      containers:
        - name: nginx-ingress-controller
-          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
+          image: us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller:v0.34.1
          args:
            - /nginx-ingress-controller
            - --ingress-class=public
--- a/addons/nginx-ingress/aws/rbac/cluster-role.yaml
+++ b/addons/nginx-ingress/aws/rbac/cluster-role.yaml
@ -51,3 +51,12 @@ rules:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - "networking.k8s.io"
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
--- a/addons/nginx-ingress/azure/class.yaml
+++ b/addons/nginx-ingress/azure/class.yaml
@ -0,0 +1,6 @@
 apiVersion: networking.k8s.io/v1beta1
 kind: IngressClass
 metadata:
  name: public
 spec:
  controller: k8s.io/ingress-nginx
--- a/addons/nginx-ingress/azure/deployment.yaml
+++ b/addons/nginx-ingress/azure/deployment.yaml
@ -22,7 +22,7 @@ spec:
    spec:
      containers:
        - name: nginx-ingress-controller
-          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
+          image: us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller:v0.34.1
          args:
            - /nginx-ingress-controller
            - --ingress-class=public
--- a/addons/nginx-ingress/azure/rbac/cluster-role.yaml
+++ b/addons/nginx-ingress/azure/rbac/cluster-role.yaml
@ -51,3 +51,12 @@ rules:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - "networking.k8s.io"
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
--- a/addons/nginx-ingress/bare-metal/class.yaml
+++ b/addons/nginx-ingress/bare-metal/class.yaml
@ -0,0 +1,6 @@
 apiVersion: networking.k8s.io/v1beta1
 kind: IngressClass
 metadata:
  name: public
 spec:
  controller: k8s.io/ingress-nginx
--- a/addons/nginx-ingress/bare-metal/deployment.yaml
+++ b/addons/nginx-ingress/bare-metal/deployment.yaml
@ -22,7 +22,7 @@ spec:
    spec:
      containers:
        - name: nginx-ingress-controller
-          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
+          image: us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller:v0.34.1
          args:
            - /nginx-ingress-controller
            - --ingress-class=public
--- a/addons/nginx-ingress/bare-metal/rbac/cluster-role.yaml
+++ b/addons/nginx-ingress/bare-metal/rbac/cluster-role.yaml
@ -51,3 +51,12 @@ rules:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - "networking.k8s.io"
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
--- a/addons/nginx-ingress/digital-ocean/class.yaml
+++ b/addons/nginx-ingress/digital-ocean/class.yaml
@ -0,0 +1,6 @@
 apiVersion: networking.k8s.io/v1beta1
 kind: IngressClass
 metadata:
  name: public
 spec:
  controller: k8s.io/ingress-nginx
--- a/addons/nginx-ingress/digital-ocean/daemonset.yaml
+++ b/addons/nginx-ingress/digital-ocean/daemonset.yaml
@ -22,7 +22,7 @@ spec:
    spec:
      containers:
        - name: nginx-ingress-controller
-          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
+          image: us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller:v0.34.1
          args:
            - /nginx-ingress-controller
            - --ingress-class=public
--- a/addons/nginx-ingress/digital-ocean/rbac/cluster-role.yaml
+++ b/addons/nginx-ingress/digital-ocean/rbac/cluster-role.yaml
@ -51,3 +51,12 @@ rules:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - "networking.k8s.io"
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
--- a/addons/nginx-ingress/google-cloud/class.yaml
+++ b/addons/nginx-ingress/google-cloud/class.yaml
@ -0,0 +1,6 @@
 apiVersion: networking.k8s.io/v1beta1
 kind: IngressClass
 metadata:
  name: public
 spec:
  controller: k8s.io/ingress-nginx
--- a/addons/nginx-ingress/google-cloud/deployment.yaml
+++ b/addons/nginx-ingress/google-cloud/deployment.yaml
@ -22,7 +22,7 @@ spec:
    spec:
      containers:
        - name: nginx-ingress-controller
-          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
+          image: us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller:v0.34.1
          args:
            - /nginx-ingress-controller
            - --ingress-class=public
--- a/addons/nginx-ingress/google-cloud/rbac/cluster-role.yaml
+++ b/addons/nginx-ingress/google-cloud/rbac/cluster-role.yaml
@ -51,3 +51,12 @@ rules:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - "networking.k8s.io"
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
--- a/addons/prometheus/deployment.yaml
+++ b/addons/prometheus/deployment.yaml
@ -20,7 +20,7 @@ spec:
      serviceAccountName: prometheus
      containers:
        - name: prometheus
-          image: quay.io/prometheus/prometheus:v2.17.1
+          image: quay.io/prometheus/prometheus:v2.20.0
          args:
            - --web.listen-address=0.0.0.0:9090
            - --config.file=/etc/prometheus/prometheus.yaml
--- a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
+++ b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
@ -24,7 +24,7 @@ spec:
      serviceAccountName: kube-state-metrics
      containers:
      - name: kube-state-metrics
-        image: quay.io/coreos/kube-state-metrics:v1.9.5
+        image: quay.io/coreos/kube-state-metrics:v1.9.7
        ports:
          - name: metrics
            containerPort: 8080
--- a/addons/prometheus/exporters/node-exporter/daemonset.yaml
+++ b/addons/prometheus/exporters/node-exporter/daemonset.yaml
@ -28,7 +28,7 @@ spec:
      hostPID: true
      containers:
      - name: node-exporter
-        image: quay.io/prometheus/node-exporter:v1.0.0-rc.0
+        image: quay.io/prometheus/node-exporter:v1.0.1
        args:
          - --path.procfs=/host/proc
          - --path.sysfs=/host/sys
--- a/addons/prometheus/rules.yaml
+++ b/addons/prometheus/rules.yaml
@ -882,10 +882,10 @@ data:
            {
              "alert": "KubeClientCertificateExpiration",
              "annotations": {
-                "message": "A client certificate used to authenticate to the apiserver is expiring in less than 7.0 days.",
+                "message": "A client certificate used to authenticate to the apiserver is expiring in less than 1.0 hours.",
                "runbook_url": "https://github.com/kubernetes-monitoring/kubernetes-mixin/tree/master/runbook.md#alert-name-kubeclientcertificateexpiration"
              },
-              "expr": "apiserver_client_certificate_expiration_seconds_count{job=\"apiserver\"} > 0 and on(job) histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket{job=\"apiserver\"}[5m]))) < 604800\n",
+              "expr": "apiserver_client_certificate_expiration_seconds_count{job=\"apiserver\"} > 0 and on(job) histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket{job=\"apiserver\"}[5m]))) < 3600\n",
              "labels": {
                "severity": "warning"
              }
@ -893,10 +893,10 @@ data:
            {
              "alert": "KubeClientCertificateExpiration",
              "annotations": {
-                "message": "A client certificate used to authenticate to the apiserver is expiring in less than 24.0 hours.",
+                "message": "A client certificate used to authenticate to the apiserver is expiring in less than 0.1 hours.",
                "runbook_url": "https://github.com/kubernetes-monitoring/kubernetes-mixin/tree/master/runbook.md#alert-name-kubeclientcertificateexpiration"
              },
-              "expr": "apiserver_client_certificate_expiration_seconds_count{job=\"apiserver\"} > 0 and on(job) histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket{job=\"apiserver\"}[5m]))) < 86400\n",
+              "expr": "apiserver_client_certificate_expiration_seconds_count{job=\"apiserver\"} > 0 and on(job) histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket{job=\"apiserver\"}[5m]))) < 300\n",
              "labels": {
                "severity": "critical"
              }
--- a/aws/container-linux/kubernetes/README.md
+++ b/aws/container-linux/kubernetes/README.md
@ -11,11 +11,11 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
-* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
+* Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [spot](https://typhoon.psdn.io/cl/aws/#spot) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#container-linux) customization
-* Ready for Ingress, Prometheus, Grafana, and other optional [addons](https://typhoon.psdn.io/addons/overview/)
+* Ready for Ingress, Prometheus, Grafana, CSI, and other optional [addons](https://typhoon.psdn.io/addons/overview/)
 ## Docs
--- a/aws/container-linux/kubernetes/bootstrap.tf
+++ b/aws/container-linux/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=14d0b2087962a0f2557c184f3f523548ce19bbdc"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8ef2fe7c992a8c15d696bd3e3a97be713b025e64"
  cluster_name          = var.cluster_name
  api_servers           = [format("%s.%s", var.cluster_name, var.dns_zone)]
--- a/aws/container-linux/kubernetes/cl/controller.yaml
+++ b/aws/container-linux/kubernetes/cl/controller.yaml
@ -2,12 +2,12 @@
 systemd:
  units:
    - name: etcd-member.service
-      enable: true
+      enabled: true
      dropins:
        - name: 40-etcd-cluster.conf
          contents: |
            [Service]
-            Environment="ETCD_IMAGE_TAG=v3.4.7"
+            Environment="ETCD_IMAGE_TAG=v3.4.10"
            Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd"
            Environment="RKT_RUN_ARGS=--insecure-options=image"
            Environment="ETCD_NAME=${etcd_name}"
@ -28,11 +28,11 @@ systemd:
            Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
            Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
    - name: docker.service
-      enable: true
+      enabled: true
    - name: locksmithd.service
      mask: true
    - name: wait-for-dns.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
@ -46,12 +46,13 @@ systemd:
        RequiredBy=kubelet.service
        RequiredBy=etcd-member.service
    - name: kubelet.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube
+        Description=Kubelet
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.18.8
        Environment=KUBELET_CGROUP_DRIVER=${cgroup_driver}
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -91,25 +92,24 @@ systemd:
          --mount volume=var-log,target=/var/log \
          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
          --mount volume=opt-cni-bin,target=/opt/cni/bin \
-          docker://quay.io/poseidon/kubelet:v1.18.2 -- \
+          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=$${KUBELET_CGROUP_DRIVER} \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/master \
          --node-labels=node.kubernetes.io/controller="true" \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
-          --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+          --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
@ -134,7 +134,7 @@ systemd:
            --volume script,kind=host,source=/opt/bootstrap/apply \
            --mount volume=script,target=/apply \
            --insecure-options=image \
-            docker://quay.io/poseidon/kubelet:v1.18.2 \
+            docker://quay.io/poseidon/kubelet:v1.18.8 \
            --net=host \
            --dns=host \
            --exec=/apply
@ -142,6 +142,11 @@ systemd:
        [Install]
        WantedBy=multi-user.target
 storage:
  directories:
    - path: /var/lib/etcd
      filesystem: root
      mode: 0700
      overwrite: true
  files:
    - path: /etc/kubernetes/kubeconfig
      filesystem: root
@ -163,13 +168,14 @@ storage:
          mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
          chown -R etcd:etcd /etc/ssl/etcd
          chmod -R 500 /etc/ssl/etcd
          chmod -R 700 /var/lib/etcd
          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
-          sudo mkdir -p /etc/kubernetes/manifests
+          mkdir -p /etc/kubernetes/manifests
-          sudo mv static-manifests/* /etc/kubernetes/manifests/
+          mv static-manifests/* /etc/kubernetes/manifests/
-          sudo mkdir -p /opt/bootstrap/assets
+          mkdir -p /opt/bootstrap/assets
-          sudo mv manifests /opt/bootstrap/assets/manifests
+          mv manifests /opt/bootstrap/assets/manifests
-          sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      filesystem: root
@ -188,6 +194,7 @@ storage:
          done
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
--- a/aws/container-linux/kubernetes/controllers.tf
+++ b/aws/container-linux/kubernetes/controllers.tf
@ -36,7 +36,7 @@ resource "aws_instance" "controllers" {
  # network
  associate_public_ip_address = true
-  subnet_id                   = aws_subnet.public.*.id[count.index]
+  subnet_id                   = element(aws_subnet.public.*.id, count.index)
  vpc_security_group_ids      = [aws_security_group.controller.id]
  lifecycle {
@ -49,10 +49,10 @@ resource "aws_instance" "controllers" {
 # Controller Ignition configs
 data "ct_config" "controller-ignitions" {
-  count        = var.controller_count
+  count    = var.controller_count
-  content      = data.template_file.controller-configs.*.rendered[count.index]
+  content  = data.template_file.controller-configs.*.rendered[count.index]
-  pretty_print = false
+  strict   = true
-  snippets     = var.controller_snippets
+  snippets = var.controller_snippets
 }
 # Controller Container Linux configs
--- a/aws/container-linux/kubernetes/security.tf
+++ b/aws/container-linux/kubernetes/security.tf
@ -13,6 +13,30 @@ resource "aws_security_group" "controller" {
  }
 }
 resource "aws_security_group_rule" "controller-icmp" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "icmp"
  from_port                = 8
  to_port                  = 0
  source_security_group_id = aws_security_group.worker.id
 }
 resource "aws_security_group_rule" "controller-icmp-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type      = "ingress"
  protocol  = "icmp"
  from_port = 8
  to_port   = 0
  self      = true
 }
 resource "aws_security_group_rule" "controller-ssh" {
  security_group_id = aws_security_group.controller.id
@ -44,39 +68,31 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
  source_security_group_id = aws_security_group.worker.id
 }
-# Allow Prometheus to scrape kube-proxy
+resource "aws_security_group_rule" "controller-cilium-health" {
-resource "aws_security_group_rule" "kube-proxy-metrics" {
+  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
-  from_port                = 10249
+  from_port                = 4240
-  to_port                  = 10249
+  to_port                  = 4240
  source_security_group_id = aws_security_group.worker.id
 }
-# Allow Prometheus to scrape kube-scheduler
+resource "aws_security_group_rule" "controller-cilium-health-self" {
-resource "aws_security_group_rule" "controller-scheduler-metrics" {
+  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
-  type                     = "ingress"
+  type      = "ingress"
-  protocol                 = "tcp"
+  protocol  = "tcp"
-  from_port                = 10251
+  from_port = 4240
-  to_port                  = 10251
+  to_port   = 4240
-  source_security_group_id = aws_security_group.worker.id
+  self      = true
 }
 # Allow Prometheus to scrape kube-controller-manager
 resource "aws_security_group_rule" "controller-manager-metrics" {
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 10252
  to_port                  = 10252
  source_security_group_id = aws_security_group.worker.id
 }
 # IANA VXLAN default
 resource "aws_security_group_rule" "controller-vxlan" {
  count = var.networking == "flannel" ? 1 : 0
@ -111,6 +127,31 @@ resource "aws_security_group_rule" "controller-apiserver" {
  cidr_blocks = ["0.0.0.0/0"]
 }
 # Linux VXLAN default
 resource "aws_security_group_rule" "controller-linux-vxlan" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "udp"
  from_port                = 8472
  to_port                  = 8472
  source_security_group_id = aws_security_group.worker.id
 }
 resource "aws_security_group_rule" "controller-linux-vxlan-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type      = "ingress"
  protocol  = "udp"
  from_port = 8472
  to_port   = 8472
  self      = true
 }
 # Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
  security_group_id = aws_security_group.controller.id
@ -122,6 +163,17 @@ resource "aws_security_group_rule" "controller-node-exporter" {
  source_security_group_id = aws_security_group.worker.id
 }
 # Allow Prometheus to scrape kube-proxy
 resource "aws_security_group_rule" "kube-proxy-metrics" {
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 10249
  to_port                  = 10249
  source_security_group_id = aws_security_group.worker.id
 }
 # Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "controller-kubelet" {
  security_group_id = aws_security_group.controller.id
@ -143,6 +195,28 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
  self      = true
 }
 # Allow Prometheus to scrape kube-scheduler
 resource "aws_security_group_rule" "controller-scheduler-metrics" {
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 10251
  to_port                  = 10251
  source_security_group_id = aws_security_group.worker.id
 }
 # Allow Prometheus to scrape kube-controller-manager
 resource "aws_security_group_rule" "controller-manager-metrics" {
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 10252
  to_port                  = 10252
  source_security_group_id = aws_security_group.worker.id
 }
 resource "aws_security_group_rule" "controller-bgp" {
  security_group_id = aws_security_group.controller.id
@ -227,6 +301,30 @@ resource "aws_security_group" "worker" {
  }
 }
 resource "aws_security_group_rule" "worker-icmp" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type                     = "ingress"
  protocol                 = "icmp"
  from_port                = 8
  to_port                  = 0
  source_security_group_id = aws_security_group.controller.id
 }
 resource "aws_security_group_rule" "worker-icmp-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type      = "ingress"
  protocol  = "icmp"
  from_port = 8
  to_port   = 0
  self      = true
 }
 resource "aws_security_group_rule" "worker-ssh" {
  security_group_id = aws_security_group.worker.id
@ -257,6 +355,31 @@ resource "aws_security_group_rule" "worker-https" {
  cidr_blocks = ["0.0.0.0/0"]
 }
 resource "aws_security_group_rule" "worker-cilium-health" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 4240
  to_port                  = 4240
  source_security_group_id = aws_security_group.controller.id
 }
 resource "aws_security_group_rule" "worker-cilium-health-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type      = "ingress"
  protocol  = "tcp"
  from_port = 4240
  to_port   = 4240
  self      = true
 }
 # IANA VXLAN default
 resource "aws_security_group_rule" "worker-vxlan" {
  count = var.networking == "flannel" ? 1 : 0
@ -281,6 +404,31 @@ resource "aws_security_group_rule" "worker-vxlan-self" {
  self      = true
 }
 # Linux VXLAN default
 resource "aws_security_group_rule" "worker-linux-vxlan" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type                     = "ingress"
  protocol                 = "udp"
  from_port                = 8472
  to_port                  = 8472
  source_security_group_id = aws_security_group.controller.id
 }
 resource "aws_security_group_rule" "worker-linux-vxlan-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type      = "ingress"
  protocol  = "udp"
  from_port = 8472
  to_port   = 8472
  self      = true
 }
 # Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "worker-node-exporter" {
  security_group_id = aws_security_group.worker.id
--- a/aws/container-linux/kubernetes/versions.tf
+++ b/aws/container-linux/kubernetes/versions.tf
@ -1,11 +1,15 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
-    aws      = "~> 2.23"
+    aws      = ">= 2.23, <= 4.0"
    ct       = "~> 0.3"
    template = "~> 2.1"
    null     = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
  }
 }
--- a/aws/container-linux/kubernetes/workers/cl/worker.yaml
+++ b/aws/container-linux/kubernetes/workers/cl/worker.yaml
@ -2,11 +2,11 @@
 systemd:
  units:
    - name: docker.service
-      enable: true
+      enabled: true
    - name: locksmithd.service
      mask: true
    - name: wait-for-dns.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
@ -19,12 +19,13 @@ systemd:
        [Install]
        RequiredBy=kubelet.service
    - name: kubelet.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube
+        Description=Kubelet
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.18.8
        Environment=KUBELET_CGROUP_DRIVER=${cgroup_driver}
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -64,19 +65,18 @@ systemd:
          --mount volume=var-log,target=/var/log \
          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
          --mount volume=opt-cni-bin,target=/opt/cni/bin \
-          docker://quay.io/poseidon/kubelet:v1.18.2 -- \
+          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=$${KUBELET_CGROUP_DRIVER} \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in split(",", node_labels) ~}
@ -84,6 +84,7 @@ systemd:
          %{~ endfor ~}
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
@ -112,6 +113,7 @@ storage:
          ${kubeconfig}
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
@ -127,7 +129,7 @@ storage:
            --volume config,kind=host,source=/etc/kubernetes \
            --mount volume=config,target=/etc/kubernetes \
            --insecure-options=image \
-            docker://quay.io/poseidon/kubelet:v1.18.2 \
+            docker://quay.io/poseidon/kubelet:v1.18.8 \
            --net=host \
            --dns=host \
            --exec=/usr/local/bin/kubectl -- --kubeconfig=/etc/kubernetes/kubeconfig delete node $(hostname)
--- a/aws/container-linux/kubernetes/workers/versions.tf
+++ b/aws/container-linux/kubernetes/workers/versions.tf
@ -1,4 +1,14 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
    aws      = ">= 2.23, <= 4.0"
    template = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
  }
 }
--- a/aws/container-linux/kubernetes/workers/workers.tf
+++ b/aws/container-linux/kubernetes/workers/workers.tf
@ -71,9 +71,9 @@ resource "aws_launch_configuration" "worker" {
 # Worker Ignition config
 data "ct_config" "worker-ignition" {
-  content      = data.template_file.worker-config.rendered
+  content  = data.template_file.worker-config.rendered
-  pretty_print = false
+  strict   = true
-  snippets     = var.snippets
+  snippets = var.snippets
 }
 # Worker Container Linux config
--- a/aws/fedora-coreos/kubernetes/README.md
+++ b/aws/fedora-coreos/kubernetes/README.md
@ -11,11 +11,11 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
-* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
+* Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
-* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [spot](https://typhoon.psdn.io/cl/aws/#spot) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#container-linux) customization
-* Ready for Ingress, Prometheus, Grafana, and other optional [addons](https://typhoon.psdn.io/addons/overview/)
+* Ready for Ingress, Prometheus, Grafana, CSI, and other optional [addons](https://typhoon.psdn.io/addons/overview/)
 ## Docs
--- a/aws/fedora-coreos/kubernetes/ami.tf
+++ b/aws/fedora-coreos/kubernetes/ami.tf
@ -13,16 +13,8 @@ data "aws_ami" "fedora-coreos" {
    values = ["hvm"]
  }
  filter {
    name   = "name"
    values = ["fedora-coreos-31.*.*.*-hvm"]
  }
  filter {
    name   = "description"
-    values = ["Fedora CoreOS stable*"]
+    values = ["Fedora CoreOS ${var.os_stream} *"]
  }
  # try to filter out dev images (AWS filters can't)
  name_regex = "^fedora-coreos-31.[0-9]*.[0-9]*.[0-9]*-hvm*"
 }
--- a/aws/fedora-coreos/kubernetes/bootstrap.tf
+++ b/aws/fedora-coreos/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=14d0b2087962a0f2557c184f3f523548ce19bbdc"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8ef2fe7c992a8c15d696bd3e3a97be713b025e64"
  cluster_name          = var.cluster_name
  api_servers           = [format("%s.%s", var.cluster_name, var.dns_zone)]
--- a/aws/fedora-coreos/kubernetes/controllers.tf
+++ b/aws/fedora-coreos/kubernetes/controllers.tf
@ -36,7 +36,7 @@ resource "aws_instance" "controllers" {
  # network
  associate_public_ip_address = true
-  subnet_id                   = aws_subnet.public.*.id[count.index]
+  subnet_id                   = element(aws_subnet.public.*.id, count.index)
  vpc_security_group_ids      = [aws_security_group.controller.id]
  lifecycle {
--- a/aws/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
@ -28,7 +28,7 @@ systemd:
          --network host \
          --volume /var/lib/etcd:/var/lib/etcd:rw,Z \
          --volume /etc/ssl/etcd:/etc/ssl/certs:ro,Z \
-          quay.io/coreos/etcd:v3.4.7
+          quay.io/coreos/etcd:v3.4.10
        ExecStop=/usr/bin/podman stop etcd
        [Install]
        WantedBy=multi-user.target
@ -38,11 +38,12 @@ systemd:
      enabled: true
      contents: |
        [Unit]
-        Description=Wait for DNS entries
+        Description=Wait for DNS and hostname
        Before=kubelet.service
        [Service]
        Type=oneshot
        RemainAfterExit=true
        ExecStartPre=/bin/sh -c 'while [ `hostname -s` == "localhost" ]; do sleep 1; done;'
        ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done'
        [Install]
        RequiredBy=kubelet.service
@ -51,9 +52,10 @@ systemd:
      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube (System Container)
+        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.8
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -79,10 +81,11 @@ systemd:
          --volume /var/log:/var/log \
          --volume /var/run/lock:/var/run/lock:z \
          --volume /opt/cni/bin:/opt/cni/bin:z \
-          quay.io/poseidon/kubelet:v1.18.2 \
+          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=systemd \
          --cgroups-per-qos=true \
          --enforce-node-allocatable=pods \
@ -90,16 +93,14 @@ systemd:
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/master \
          --node-labels=node.kubernetes.io/controller="true" \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
-          --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+          --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/podman stop kubelet
        Delegate=yes
@ -123,11 +124,13 @@ systemd:
            --volume /opt/bootstrap/assets:/assets:ro,Z \
            --volume /opt/bootstrap/apply:/apply:ro,Z \
            --entrypoint=/apply \
-            quay.io/poseidon/kubelet:v1.18.2
+            quay.io/poseidon/kubelet:v1.18.8
        ExecStartPost=/bin/touch /opt/bootstrap/bootstrap.done
        ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
  directories:
    - path: /var/lib/etcd
      mode: 0700
    - path: /etc/kubernetes
    - path: /opt/bootstrap
  files:
@ -151,11 +154,11 @@ storage:
          chmod -R 500 /etc/ssl/etcd
          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
-          sudo mkdir -p /etc/kubernetes/manifests
+          mkdir -p /etc/kubernetes/manifests
-          sudo mv static-manifests/* /etc/kubernetes/manifests/
+          mv static-manifests/* /etc/kubernetes/manifests/
-          sudo mkdir -p /opt/bootstrap/assets
+          mkdir -p /opt/bootstrap/assets
-          sudo mv manifests /opt/bootstrap/assets/manifests
+          mv manifests /opt/bootstrap/assets/manifests
-          sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      mode: 0544
@ -175,6 +178,18 @@ storage:
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/sysctl.d/reverse-path-filter.conf
      contents:
        inline: |
          net.ipv4.conf.default.rp_filter=0
          net.ipv4.conf.*.rp_filter=0
    - path: /etc/systemd/network/50-flannel.link
      contents:
        inline: |
          [Match]
          OriginalName=flannel*
          [Link]
          MACAddressPolicy=none
    - path: /etc/systemd/system.conf.d/accounting.conf
      contents:
        inline: |
--- a/aws/fedora-coreos/kubernetes/security.tf
+++ b/aws/fedora-coreos/kubernetes/security.tf
@ -13,6 +13,30 @@ resource "aws_security_group" "controller" {
  }
 }
 resource "aws_security_group_rule" "controller-icmp" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "icmp"
  from_port                = 8
  to_port                  = 0
  source_security_group_id = aws_security_group.worker.id
 }
 resource "aws_security_group_rule" "controller-icmp-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type      = "ingress"
  protocol  = "icmp"
  from_port = 8
  to_port   = 0
  self      = true
 }
 resource "aws_security_group_rule" "controller-ssh" {
  security_group_id = aws_security_group.controller.id
@ -44,39 +68,31 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
  source_security_group_id = aws_security_group.worker.id
 }
-# Allow Prometheus to scrape kube-proxy
+resource "aws_security_group_rule" "controller-cilium-health" {
-resource "aws_security_group_rule" "kube-proxy-metrics" {
+  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
-  from_port                = 10249
+  from_port                = 4240
-  to_port                  = 10249
+  to_port                  = 4240
  source_security_group_id = aws_security_group.worker.id
 }
-# Allow Prometheus to scrape kube-scheduler
+resource "aws_security_group_rule" "controller-cilium-health-self" {
-resource "aws_security_group_rule" "controller-scheduler-metrics" {
+  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
-  type                     = "ingress"
+  type      = "ingress"
-  protocol                 = "tcp"
+  protocol  = "tcp"
-  from_port                = 10251
+  from_port = 4240
-  to_port                  = 10251
+  to_port   = 4240
-  source_security_group_id = aws_security_group.worker.id
+  self      = true
 }
 # Allow Prometheus to scrape kube-controller-manager
 resource "aws_security_group_rule" "controller-manager-metrics" {
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 10252
  to_port                  = 10252
  source_security_group_id = aws_security_group.worker.id
 }
 # IANA VXLAN default
 resource "aws_security_group_rule" "controller-vxlan" {
  count = var.networking == "flannel" ? 1 : 0
@ -111,6 +127,31 @@ resource "aws_security_group_rule" "controller-apiserver" {
  cidr_blocks = ["0.0.0.0/0"]
 }
 # Linux VXLAN default
 resource "aws_security_group_rule" "controller-linux-vxlan" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "udp"
  from_port                = 8472
  to_port                  = 8472
  source_security_group_id = aws_security_group.worker.id
 }
 resource "aws_security_group_rule" "controller-linux-vxlan-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type      = "ingress"
  protocol  = "udp"
  from_port = 8472
  to_port   = 8472
  self      = true
 }
 # Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
  security_group_id = aws_security_group.controller.id
@ -122,6 +163,17 @@ resource "aws_security_group_rule" "controller-node-exporter" {
  source_security_group_id = aws_security_group.worker.id
 }
 # Allow Prometheus to scrape kube-proxy
 resource "aws_security_group_rule" "kube-proxy-metrics" {
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 10249
  to_port                  = 10249
  source_security_group_id = aws_security_group.worker.id
 }
 # Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "controller-kubelet" {
  security_group_id = aws_security_group.controller.id
@ -143,6 +195,28 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
  self      = true
 }
 # Allow Prometheus to scrape kube-scheduler
 resource "aws_security_group_rule" "controller-scheduler-metrics" {
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 10251
  to_port                  = 10251
  source_security_group_id = aws_security_group.worker.id
 }
 # Allow Prometheus to scrape kube-controller-manager
 resource "aws_security_group_rule" "controller-manager-metrics" {
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 10252
  to_port                  = 10252
  source_security_group_id = aws_security_group.worker.id
 }
 resource "aws_security_group_rule" "controller-bgp" {
  security_group_id = aws_security_group.controller.id
@ -227,6 +301,30 @@ resource "aws_security_group" "worker" {
  }
 }
 resource "aws_security_group_rule" "worker-icmp" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type                     = "ingress"
  protocol                 = "icmp"
  from_port                = 8
  to_port                  = 0
  source_security_group_id = aws_security_group.controller.id
 }
 resource "aws_security_group_rule" "worker-icmp-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type      = "ingress"
  protocol  = "icmp"
  from_port = 8
  to_port   = 0
  self      = true
 }
 resource "aws_security_group_rule" "worker-ssh" {
  security_group_id = aws_security_group.worker.id
@ -257,6 +355,31 @@ resource "aws_security_group_rule" "worker-https" {
  cidr_blocks = ["0.0.0.0/0"]
 }
 resource "aws_security_group_rule" "worker-cilium-health" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 4240
  to_port                  = 4240
  source_security_group_id = aws_security_group.controller.id
 }
 resource "aws_security_group_rule" "worker-cilium-health-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type      = "ingress"
  protocol  = "tcp"
  from_port = 4240
  to_port   = 4240
  self      = true
 }
 # IANA VXLAN default
 resource "aws_security_group_rule" "worker-vxlan" {
  count = var.networking == "flannel" ? 1 : 0
@ -281,6 +404,31 @@ resource "aws_security_group_rule" "worker-vxlan-self" {
  self      = true
 }
 # Linux VXLAN default
 resource "aws_security_group_rule" "worker-linux-vxlan" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type                     = "ingress"
  protocol                 = "udp"
  from_port                = 8472
  to_port                  = 8472
  source_security_group_id = aws_security_group.controller.id
 }
 resource "aws_security_group_rule" "worker-linux-vxlan-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type      = "ingress"
  protocol  = "udp"
  from_port = 8472
  to_port   = 8472
  self      = true
 }
 # Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "worker-node-exporter" {
  security_group_id = aws_security_group.worker.id
--- a/aws/fedora-coreos/kubernetes/variables.tf
+++ b/aws/fedora-coreos/kubernetes/variables.tf
@ -41,9 +41,9 @@ variable "worker_type" {
  default     = "t3.small"
 }
-variable "os_image" {
+variable "os_stream" {
  type        = string
-  description = "AMI channel for Fedora CoreOS (not yet used)"
+  description = "Fedora CoreOs image stream for instances (e.g. stable, testing, next)"
  default     = "stable"
 }
--- a/aws/fedora-coreos/kubernetes/versions.tf
+++ b/aws/fedora-coreos/kubernetes/versions.tf
@ -1,11 +1,15 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
-    aws      = "~> 2.23"
+    aws      = ">= 2.23, <= 4.0"
    ct       = "~> 0.4"
    template = "~> 2.1"
    null     = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
  }
 }
--- a/aws/fedora-coreos/kubernetes/workers.tf
+++ b/aws/fedora-coreos/kubernetes/workers.tf
@ -8,7 +8,7 @@ module "workers" {
  security_groups = [aws_security_group.worker.id]
  worker_count    = var.worker_count
  instance_type   = var.worker_type
-  os_image        = var.os_image
+  os_stream       = var.os_stream
  disk_size       = var.disk_size
  spot_price      = var.worker_price
  target_groups   = var.worker_target_groups
--- a/aws/fedora-coreos/kubernetes/workers/ami.tf
+++ b/aws/fedora-coreos/kubernetes/workers/ami.tf
@ -13,16 +13,8 @@ data "aws_ami" "fedora-coreos" {
    values = ["hvm"]
  }
  filter {
    name   = "name"
    values = ["fedora-coreos-31.*.*.*-hvm"]
  }
  filter {
    name   = "description"
-    values = ["Fedora CoreOS stable*"]
+    values = ["Fedora CoreOS ${var.os_stream} *"]
  }
  # try to filter out dev images (AWS filters can't)
  name_regex = "^fedora-coreos-31.[0-9]*.[0-9]*.[0-9]*-hvm*"
 }
--- a/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml
+++ b/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml
@ -9,11 +9,12 @@ systemd:
      enabled: true
      contents: |
        [Unit]
-        Description=Wait for DNS entries
+        Description=Wait for DNS and hostname
        Before=kubelet.service
        [Service]
        Type=oneshot
        RemainAfterExit=true
        ExecStartPre=/bin/sh -c 'while [ `hostname -s` == "localhost" ]; do sleep 1; done;'
        ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done'
        [Install]
        RequiredBy=kubelet.service
@ -21,9 +22,10 @@ systemd:
      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube (System Container)
+        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.8
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -49,10 +51,11 @@ systemd:
          --volume /var/log:/var/log \
          --volume /var/run/lock:/var/run/lock:z \
          --volume /opt/cni/bin:/opt/cni/bin:z \
-          quay.io/poseidon/kubelet:v1.18.2 \
+          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=systemd \
          --cgroups-per-qos=true \
          --enforce-node-allocatable=pods \
@ -60,10 +63,8 @@ systemd:
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in split(",", node_labels) ~}
@ -71,6 +72,7 @@ systemd:
          %{~ endfor ~}
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/podman stop kubelet
        Delegate=yes
@ -87,7 +89,7 @@ systemd:
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/true
-        ExecStop=/bin/bash -c '/usr/bin/podman run --volume /etc/kubernetes:/etc/kubernetes:ro,z --entrypoint /usr/local/bin/kubectl quay.io/poseidon/kubelet:v1.18.2 --kubeconfig=/etc/kubernetes/kubeconfig delete node $HOSTNAME'
+        ExecStop=/bin/bash -c '/usr/bin/podman run --volume /etc/kubernetes:/etc/kubernetes:ro,z --entrypoint /usr/local/bin/kubectl quay.io/poseidon/kubelet:v1.18.8 --kubeconfig=/etc/kubernetes/kubeconfig delete node $HOSTNAME'
        [Install]
        WantedBy=multi-user.target
 storage:
@ -103,6 +105,18 @@ storage:
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/sysctl.d/reverse-path-filter.conf
      contents:
        inline: |
          net.ipv4.conf.default.rp_filter=0
          net.ipv4.conf.*.rp_filter=0
    - path: /etc/systemd/network/50-flannel.link
      contents:
        inline: |
          [Match]
          OriginalName=flannel*
          [Link]
          MACAddressPolicy=none
    - path: /etc/systemd/system.conf.d/accounting.conf
      contents:
        inline: |
--- a/aws/fedora-coreos/kubernetes/workers/variables.tf
+++ b/aws/fedora-coreos/kubernetes/workers/variables.tf
@ -34,9 +34,9 @@ variable "instance_type" {
  default     = "t3.small"
 }
-variable "os_image" {
+variable "os_stream" {
  type        = string
-  description = "AMI channel for Fedora CoreOS (not yet used)"
+  description = "Fedora CoreOs image stream for instances (e.g. stable, testing, next)"
  default     = "stable"
 }
--- a/aws/fedora-coreos/kubernetes/workers/versions.tf
+++ b/aws/fedora-coreos/kubernetes/workers/versions.tf
@ -1,4 +1,14 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
    aws      = ">= 2.23, <= 4.0"
    template = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
  }
 }
--- a/azure/container-linux/kubernetes/README.md
+++ b/azure/container-linux/kubernetes/README.md
@ -11,8 +11,8 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
-* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
+* Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [low-priority](https://typhoon.psdn.io/cl/azure/#low-priority) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#container-linux) customization
 * Ready for Ingress, Prometheus, Grafana, and other optional [addons](https://typhoon.psdn.io/addons/overview/)
--- a/azure/container-linux/kubernetes/bootstrap.tf
+++ b/azure/container-linux/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=14d0b2087962a0f2557c184f3f523548ce19bbdc"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8ef2fe7c992a8c15d696bd3e3a97be713b025e64"
  cluster_name = var.cluster_name
  api_servers  = [format("%s.%s", var.cluster_name, var.dns_zone)]
--- a/azure/container-linux/kubernetes/cl/controller.yaml
+++ b/azure/container-linux/kubernetes/cl/controller.yaml
@ -2,12 +2,12 @@
 systemd:
  units:
    - name: etcd-member.service
-      enable: true
+      enabled: true
      dropins:
        - name: 40-etcd-cluster.conf
          contents: |
            [Service]
-            Environment="ETCD_IMAGE_TAG=v3.4.7"
+            Environment="ETCD_IMAGE_TAG=v3.4.10"
            Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd"
            Environment="RKT_RUN_ARGS=--insecure-options=image"
            Environment="ETCD_NAME=${etcd_name}"
@ -28,11 +28,11 @@ systemd:
            Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
            Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
    - name: docker.service
-      enable: true
+      enabled: true
    - name: locksmithd.service
      mask: true
    - name: wait-for-dns.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
@ -46,12 +46,14 @@ systemd:
        RequiredBy=kubelet.service
        RequiredBy=etcd-member.service
    - name: kubelet.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube
+        Description=Kubelet
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.18.8
        Environment=KUBELET_CGROUP_DRIVER=${cgroup_driver}
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -90,24 +92,24 @@ systemd:
          --mount volume=var-log,target=/var/log \
          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
          --mount volume=opt-cni-bin,target=/opt/cni/bin \
-          docker://quay.io/poseidon/kubelet:v1.18.2 -- \
+          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=$${KUBELET_CGROUP_DRIVER} \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/master \
          --node-labels=node.kubernetes.io/controller="true" \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
-          --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+          --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
@ -132,7 +134,7 @@ systemd:
            --volume script,kind=host,source=/opt/bootstrap/apply \
            --mount volume=script,target=/apply \
            --insecure-options=image \
-            docker://quay.io/poseidon/kubelet:v1.18.2 \
+            docker://quay.io/poseidon/kubelet:v1.18.8 \
            --net=host \
            --dns=host \
            --exec=/apply
@ -140,6 +142,11 @@ systemd:
        [Install]
        WantedBy=multi-user.target
 storage:
  directories:
    - path: /var/lib/etcd
      filesystem: root
      mode: 0700
      overwrite: true
  files:
    - path: /etc/kubernetes/kubeconfig
      filesystem: root
@ -161,13 +168,14 @@ storage:
          mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
          chown -R etcd:etcd /etc/ssl/etcd
          chmod -R 500 /etc/ssl/etcd
          chmod -R 700 /var/lib/etcd
          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
-          sudo mkdir -p /etc/kubernetes/manifests
+          mkdir -p /etc/kubernetes/manifests
-          sudo mv static-manifests/* /etc/kubernetes/manifests/
+          mv static-manifests/* /etc/kubernetes/manifests/
-          sudo mkdir -p /opt/bootstrap/assets
+          mkdir -p /opt/bootstrap/assets
-          sudo mv manifests /opt/bootstrap/assets/manifests
+          mv manifests /opt/bootstrap/assets/manifests
-          sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      filesystem: root
@ -186,6 +194,7 @@ storage:
          done
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
--- a/azure/container-linux/kubernetes/controllers.tf
+++ b/azure/container-linux/kubernetes/controllers.tf
@ -53,18 +53,24 @@ resource "azurerm_linux_virtual_machine" "controllers" {
    storage_account_type = "Premium_LRS"
  }
-  // CoreOS Container Linux or Flatcar Container Linux (manual upload)
+  # CoreOS Container Linux or Flatcar Container Linux
-  dynamic "source_image_reference" {
+  source_image_reference {
-    for_each = local.flavor == "coreos" ? [1] : []
+    publisher = local.flavor == "flatcar" ? "Kinvolk" : "CoreOS"
    offer     = local.flavor == "flatcar" ? "flatcar-container-linux-free" : "CoreOS"
    sku       = local.channel
    version   = "latest"
  }
  # Gross hack for Flatcar Linux
  dynamic "plan" {
    for_each = local.flavor == "flatcar" ? [1] : []
    content {
-      publisher = "CoreOS"
+      name      = local.channel
-      offer     = "CoreOS"
+      publisher = "kinvolk"
-      sku       = local.channel
+      product   = "flatcar-container-linux-free"
      version   = "latest"
    }
  }
  source_image_id = local.flavor == "coreos" ? null : var.os_image
  # network
  network_interface_ids = [
@ -133,10 +139,10 @@ resource "azurerm_network_interface_backend_address_pool_association" "controlle
 # Controller Ignition configs
 data "ct_config" "controller-ignitions" {
-  count        = var.controller_count
+  count    = var.controller_count
-  content      = data.template_file.controller-configs.*.rendered[count.index]
+  content  = data.template_file.controller-configs.*.rendered[count.index]
-  pretty_print = false
+  strict   = true
-  snippets     = var.controller_snippets
+  snippets = var.controller_snippets
 }
 # Controller Container Linux configs
@ -151,6 +157,7 @@ data "template_file" "controller-configs" {
    etcd_domain = "${var.cluster_name}-etcd${count.index}.${var.dns_zone}"
    # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,...
    etcd_initial_cluster   = join(",", data.template_file.etcds.*.rendered)
    cgroup_driver          = local.flavor == "flatcar" && local.channel == "edge" ? "systemd" : "cgroupfs"
    kubeconfig             = indent(10, module.bootstrap.kubeconfig-kubelet)
    ssh_authorized_key     = var.ssh_authorized_key
    cluster_dns_service_ip = cidrhost(var.service_cidr, 10)
--- a/azure/container-linux/kubernetes/network.tf
+++ b/azure/container-linux/kubernetes/network.tf
@ -21,7 +21,7 @@ resource "azurerm_subnet" "controller" {
  name                 = "controller"
  virtual_network_name = azurerm_virtual_network.network.name
-  address_prefix       = cidrsubnet(var.host_cidr, 1, 0)
+  address_prefixes     = [cidrsubnet(var.host_cidr, 1, 0)]
 }
 resource "azurerm_subnet_network_security_group_association" "controller" {
@ -34,7 +34,7 @@ resource "azurerm_subnet" "worker" {
  name                 = "worker"
  virtual_network_name = azurerm_virtual_network.network.name
-  address_prefix       = cidrsubnet(var.host_cidr, 1, 1)
+  address_prefixes     = [cidrsubnet(var.host_cidr, 1, 1)]
 }
 resource "azurerm_subnet_network_security_group_association" "worker" {
--- a/azure/container-linux/kubernetes/security.tf
+++ b/azure/container-linux/kubernetes/security.tf
@ -7,6 +7,21 @@ resource "azurerm_network_security_group" "controller" {
  location = azurerm_resource_group.cluster.location
 }
 resource "azurerm_network_security_rule" "controller-icmp" {
  resource_group_name = azurerm_resource_group.cluster.name
  name                        = "allow-icmp"
  network_security_group_name = azurerm_network_security_group.controller.name
  priority                    = "1995"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Icmp"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 resource "azurerm_network_security_rule" "controller-ssh" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -100,6 +115,22 @@ resource "azurerm_network_security_rule" "controller-apiserver" {
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 resource "azurerm_network_security_rule" "controller-cilium-health" {
  resource_group_name = azurerm_resource_group.cluster.name
  count               = var.networking == "cilium" ? 1 : 0
  name                        = "allow-cilium-health"
  network_security_group_name = azurerm_network_security_group.controller.name
  priority                    = "2019"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "4240"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 resource "azurerm_network_security_rule" "controller-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -115,6 +146,21 @@ resource "azurerm_network_security_rule" "controller-vxlan" {
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 resource "azurerm_network_security_rule" "controller-linux-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name
  name                        = "allow-linux-vxlan"
  network_security_group_name = azurerm_network_security_group.controller.name
  priority                    = "2021"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Udp"
  source_port_range           = "*"
  destination_port_range      = "8472"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 # Allow Prometheus to scrape node-exporter daemonset
 resource "azurerm_network_security_rule" "controller-node-exporter" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -191,6 +237,21 @@ resource "azurerm_network_security_group" "worker" {
  location = azurerm_resource_group.cluster.location
 }
 resource "azurerm_network_security_rule" "worker-icmp" {
  resource_group_name = azurerm_resource_group.cluster.name
  name                        = "allow-icmp"
  network_security_group_name = azurerm_network_security_group.worker.name
  priority                    = "1995"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Icmp"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 resource "azurerm_network_security_rule" "worker-ssh" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -236,6 +297,22 @@ resource "azurerm_network_security_rule" "worker-https" {
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 resource "azurerm_network_security_rule" "worker-cilium-health" {
  resource_group_name = azurerm_resource_group.cluster.name
  count               = var.networking == "cilium" ? 1 : 0
  name                        = "allow-cilium-health"
  network_security_group_name = azurerm_network_security_group.worker.name
  priority                    = "2014"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "4240"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 resource "azurerm_network_security_rule" "worker-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -251,6 +328,21 @@ resource "azurerm_network_security_rule" "worker-vxlan" {
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 resource "azurerm_network_security_rule" "worker-linux-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name
  name                        = "allow-linux-vxlan"
  network_security_group_name = azurerm_network_security_group.worker.name
  priority                    = "2016"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Udp"
  source_port_range           = "*"
  destination_port_range      = "8472"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 # Allow Prometheus to scrape node-exporter daemonset
 resource "azurerm_network_security_rule" "worker-node-exporter" {
  resource_group_name = azurerm_resource_group.cluster.name
--- a/azure/container-linux/kubernetes/variables.tf
+++ b/azure/container-linux/kubernetes/variables.tf
@ -48,7 +48,8 @@ variable "worker_type" {
 variable "os_image" {
  type        = string
-  description = "Channel for a Container Linux derivative (/subscriptions/some-flatcar-upload, coreos-stable, coreos-beta, coreos-alpha)"
+  description = "Channel for a Container Linux derivative (flatcar-stable, flatcar-beta, flatcar-alpha, flatcar-edge, coreos-stable, coreos-beta, coreos-alpha)"
  default     = "flatcar-stable"
 }
 variable "disk_size" {
--- a/azure/container-linux/kubernetes/versions.tf
+++ b/azure/container-linux/kubernetes/versions.tf
@ -1,12 +1,16 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
-    azurerm  = "~> 2.0"
+    azurerm  = "~> 2.8"
    ct       = "~> 0.3"
    template = "~> 2.1"
    null     = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
  }
 }
--- a/azure/container-linux/kubernetes/workers/cl/worker.yaml
+++ b/azure/container-linux/kubernetes/workers/cl/worker.yaml
@ -2,11 +2,11 @@
 systemd:
  units:
    - name: docker.service
-      enable: true
+      enabled: true
    - name: locksmithd.service
      mask: true
    - name: wait-for-dns.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
@ -19,12 +19,14 @@ systemd:
        [Install]
        RequiredBy=kubelet.service
    - name: kubelet.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube
+        Description=Kubelet
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.18.8
        Environment=KUBELET_CGROUP_DRIVER=${cgroup_driver}
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -63,18 +65,18 @@ systemd:
          --mount volume=var-log,target=/var/log \
          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
          --mount volume=opt-cni-bin,target=/opt/cni/bin \
-          docker://quay.io/poseidon/kubelet:v1.18.2 -- \
+          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=$${KUBELET_CGROUP_DRIVER} \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in split(",", node_labels) ~}
@ -82,6 +84,7 @@ systemd:
          %{~ endfor ~}
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
@ -89,7 +92,7 @@ systemd:
        [Install]
        WantedBy=multi-user.target
    - name: delete-node.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Waiting to delete Kubernetes node on shutdown
@ -110,6 +113,7 @@ storage:
          ${kubeconfig}
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
@ -125,7 +129,7 @@ storage:
            --volume config,kind=host,source=/etc/kubernetes \
            --mount volume=config,target=/etc/kubernetes \
            --insecure-options=image \
-            docker://quay.io/poseidon/kubelet:v1.18.2 \
+            docker://quay.io/poseidon/kubelet:v1.18.8 \
            --net=host \
            --dns=host \
            --exec=/usr/local/bin/kubectl -- --kubeconfig=/etc/kubernetes/kubeconfig delete node $(hostname | tr '[:upper:]' '[:lower:]')
--- a/azure/container-linux/kubernetes/workers/variables.tf
+++ b/azure/container-linux/kubernetes/workers/variables.tf
@ -46,7 +46,7 @@ variable "vm_type" {
 variable "os_image" {
  type        = string
-  description = "Channel for a Container Linux derivative (flatcar-stable, flatcar-beta, coreos-stable, coreos-beta, coreos-alpha)"
+  description = "Channel for a Container Linux derivative (flatcar-stable, flatcar-beta, flatcar-alpha, flatcar-edge, coreos-stable, coreos-beta, coreos-alpha)"
  default     = "flatcar-stable"
 }
--- a/azure/container-linux/kubernetes/workers/versions.tf
+++ b/azure/container-linux/kubernetes/workers/versions.tf
@ -1,4 +1,14 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
    azurerm  = "~> 2.8"
    template = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
  }
 }
--- a/azure/container-linux/kubernetes/workers/workers.tf
+++ b/azure/container-linux/kubernetes/workers/workers.tf
@ -24,18 +24,24 @@ resource "azurerm_linux_virtual_machine_scale_set" "workers" {
    caching              = "ReadWrite"
  }
-  // CoreOS Container Linux or Flatcar Container Linux (manual upload)
+  # CoreOS Container Linux or Flatcar Container Linux
-  dynamic "source_image_reference" {
+  source_image_reference {
-    for_each = local.flavor == "coreos" ? [1] : []
+    publisher = local.flavor == "flatcar" ? "Kinvolk" : "CoreOS"
    offer     = local.flavor == "flatcar" ? "flatcar-container-linux-free" : "CoreOS"
    sku       = local.channel
    version   = "latest"
  }
  # Gross hack for Flatcar Linux
  dynamic "plan" {
    for_each = local.flavor == "flatcar" ? [1] : []
    content {
-      publisher = "CoreOS"
+      name      = local.channel
-      offer     = "CoreOS"
+      publisher = "kinvolk"
-      sku       = local.channel
+      product   = "flatcar-container-linux-free"
      version   = "latest"
    }
  }
  source_image_id = local.flavor == "coreos" ? null : var.os_image
  # Azure requires setting admin_ssh_key, though Ignition custom_data handles it too
  admin_username = "core"
@ -91,9 +97,9 @@ resource "azurerm_monitor_autoscale_setting" "workers" {
 # Worker Ignition configs
 data "ct_config" "worker-ignition" {
-  content      = data.template_file.worker-config.rendered
+  content  = data.template_file.worker-config.rendered
-  pretty_print = false
+  strict   = true
-  snippets     = var.snippets
+  snippets = var.snippets
 }
 # Worker Container Linux configs
@ -105,6 +111,7 @@ data "template_file" "worker-config" {
    ssh_authorized_key     = var.ssh_authorized_key
    cluster_dns_service_ip = cidrhost(var.service_cidr, 10)
    cluster_domain_suffix  = var.cluster_domain_suffix
    cgroup_driver          = local.flavor == "flatcar" && local.channel == "edge" ? "systemd" : "cgroupfs"
    node_labels            = join(",", var.node_labels)
  }
 }
--- a/azure/fedora-coreos/kubernetes/README.md
+++ b/azure/fedora-coreos/kubernetes/README.md
@ -11,9 +11,9 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
-* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
+* Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
-* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [spot priority](https://typhoon.psdn.io/fedora-coreos/azure/#low-priority) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/) customization
 * Ready for Ingress, Prometheus, Grafana, and other optional [addons](https://typhoon.psdn.io/addons/overview/)
--- a/azure/fedora-coreos/kubernetes/bootstrap.tf
+++ b/azure/fedora-coreos/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=14d0b2087962a0f2557c184f3f523548ce19bbdc"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8ef2fe7c992a8c15d696bd3e3a97be713b025e64"
  cluster_name = var.cluster_name
  api_servers  = [format("%s.%s", var.cluster_name, var.dns_zone)]
@ -10,8 +10,9 @@ module "bootstrap" {
  networking = var.networking
  # only effective with Calico networking
  # we should be able to use 1450 MTU, but in practice, 1410 was needed
  network_encapsulation = "vxlan"
-  network_mtu           = "1450"
+  network_mtu           = "1410"
  pod_cidr              = var.pod_cidr
  service_cidr          = var.service_cidr
--- a/azure/fedora-coreos/kubernetes/controllers.tf
+++ b/azure/fedora-coreos/kubernetes/controllers.tf
@ -113,10 +113,10 @@ resource "azurerm_network_interface_backend_address_pool_association" "controlle
 # Controller Ignition configs
 data "ct_config" "controller-ignitions" {
-  count        = var.controller_count
+  count    = var.controller_count
-  content      = data.template_file.controller-configs.*.rendered[count.index]
+  content  = data.template_file.controller-configs.*.rendered[count.index]
-  pretty_print = false
+  strict   = true
-  snippets     = var.controller_snippets
+  snippets = var.controller_snippets
 }
 # Controller Fedora CoreOS configs
--- a/azure/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/azure/fedora-coreos/kubernetes/fcc/controller.yaml
@ -28,7 +28,7 @@ systemd:
          --network host \
          --volume /var/lib/etcd:/var/lib/etcd:rw,Z \
          --volume /etc/ssl/etcd:/etc/ssl/certs:ro,Z \
-          quay.io/coreos/etcd:v3.4.7
+          quay.io/coreos/etcd:v3.4.10
        ExecStop=/usr/bin/podman stop etcd
        [Install]
        WantedBy=multi-user.target
@ -51,9 +51,10 @@ systemd:
      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube (System Container)
+        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.8
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -79,10 +80,11 @@ systemd:
          --volume /var/log:/var/log \
          --volume /var/run/lock:/var/run/lock:z \
          --volume /opt/cni/bin:/opt/cni/bin:z \
-          quay.io/poseidon/kubelet:v1.18.2 \
+          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=systemd \
          --cgroups-per-qos=true \
          --enforce-node-allocatable=pods \
@ -90,16 +92,14 @@ systemd:
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/master \
          --node-labels=node.kubernetes.io/controller="true" \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
-          --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+          --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/podman stop kubelet
        Delegate=yes
@ -123,11 +123,13 @@ systemd:
            --volume /opt/bootstrap/assets:/assets:ro,Z \
            --volume /opt/bootstrap/apply:/apply:ro,Z \
            --entrypoint=/apply \
-            quay.io/poseidon/kubelet:v1.18.2
+            quay.io/poseidon/kubelet:v1.18.8
        ExecStartPost=/bin/touch /opt/bootstrap/bootstrap.done
        ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
  directories:
    - path: /var/lib/etcd
      mode: 0700
    - path: /etc/kubernetes
    - path: /opt/bootstrap
  files:
@ -151,11 +153,11 @@ storage:
          chmod -R 500 /etc/ssl/etcd
          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
-          sudo mkdir -p /etc/kubernetes/manifests
+          mkdir -p /etc/kubernetes/manifests
-          sudo mv static-manifests/* /etc/kubernetes/manifests/
+          mv static-manifests/* /etc/kubernetes/manifests/
-          sudo mkdir -p /opt/bootstrap/assets
+          mkdir -p /opt/bootstrap/assets
-          sudo mv manifests /opt/bootstrap/assets/manifests
+          mv manifests /opt/bootstrap/assets/manifests
-          sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      mode: 0544
@ -175,6 +177,18 @@ storage:
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/sysctl.d/reverse-path-filter.conf
      contents:
        inline: |
          net.ipv4.conf.default.rp_filter=0
          net.ipv4.conf.*.rp_filter=0
    - path: /etc/systemd/network/50-flannel.link
      contents:
        inline: |
          [Match]
          OriginalName=flannel*
          [Link]
          MACAddressPolicy=none
    - path: /etc/systemd/system.conf.d/accounting.conf
      contents:
        inline: |
--- a/azure/fedora-coreos/kubernetes/network.tf
+++ b/azure/fedora-coreos/kubernetes/network.tf
@ -21,7 +21,7 @@ resource "azurerm_subnet" "controller" {
  name                 = "controller"
  virtual_network_name = azurerm_virtual_network.network.name
-  address_prefix       = cidrsubnet(var.host_cidr, 1, 0)
+  address_prefixes     = [cidrsubnet(var.host_cidr, 1, 0)]
 }
 resource "azurerm_subnet_network_security_group_association" "controller" {
@ -34,7 +34,7 @@ resource "azurerm_subnet" "worker" {
  name                 = "worker"
  virtual_network_name = azurerm_virtual_network.network.name
-  address_prefix       = cidrsubnet(var.host_cidr, 1, 1)
+  address_prefixes     = [cidrsubnet(var.host_cidr, 1, 1)]
 }
 resource "azurerm_subnet_network_security_group_association" "worker" {
--- a/azure/fedora-coreos/kubernetes/security.tf
+++ b/azure/fedora-coreos/kubernetes/security.tf
@ -7,6 +7,21 @@ resource "azurerm_network_security_group" "controller" {
  location = azurerm_resource_group.cluster.location
 }
 resource "azurerm_network_security_rule" "controller-icmp" {
  resource_group_name = azurerm_resource_group.cluster.name
  name                        = "allow-icmp"
  network_security_group_name = azurerm_network_security_group.controller.name
  priority                    = "1995"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Icmp"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 resource "azurerm_network_security_rule" "controller-ssh" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -100,6 +115,22 @@ resource "azurerm_network_security_rule" "controller-apiserver" {
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 resource "azurerm_network_security_rule" "controller-cilium-health" {
  resource_group_name = azurerm_resource_group.cluster.name
  count               = var.networking == "cilium" ? 1 : 0
  name                        = "allow-cilium-health"
  network_security_group_name = azurerm_network_security_group.controller.name
  priority                    = "2019"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "4240"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 resource "azurerm_network_security_rule" "controller-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -115,6 +146,21 @@ resource "azurerm_network_security_rule" "controller-vxlan" {
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 resource "azurerm_network_security_rule" "controller-linux-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name
  name                        = "allow-linux-vxlan"
  network_security_group_name = azurerm_network_security_group.controller.name
  priority                    = "2021"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Udp"
  source_port_range           = "*"
  destination_port_range      = "8472"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.controller.address_prefix
 }
 # Allow Prometheus to scrape node-exporter daemonset
 resource "azurerm_network_security_rule" "controller-node-exporter" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -191,6 +237,21 @@ resource "azurerm_network_security_group" "worker" {
  location = azurerm_resource_group.cluster.location
 }
 resource "azurerm_network_security_rule" "worker-icmp" {
  resource_group_name = azurerm_resource_group.cluster.name
  name                        = "allow-icmp"
  network_security_group_name = azurerm_network_security_group.worker.name
  priority                    = "1995"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Icmp"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 resource "azurerm_network_security_rule" "worker-ssh" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -236,6 +297,22 @@ resource "azurerm_network_security_rule" "worker-https" {
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 resource "azurerm_network_security_rule" "worker-cilium-health" {
  resource_group_name = azurerm_resource_group.cluster.name
  count               = var.networking == "cilium" ? 1 : 0
  name                        = "allow-cilium-health"
  network_security_group_name = azurerm_network_security_group.worker.name
  priority                    = "2014"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "4240"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 resource "azurerm_network_security_rule" "worker-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name
@ -251,6 +328,21 @@ resource "azurerm_network_security_rule" "worker-vxlan" {
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 resource "azurerm_network_security_rule" "worker-linux-vxlan" {
  resource_group_name = azurerm_resource_group.cluster.name
  name                        = "allow-linux-vxlan"
  network_security_group_name = azurerm_network_security_group.worker.name
  priority                    = "2016"
  access                      = "Allow"
  direction                   = "Inbound"
  protocol                    = "Udp"
  source_port_range           = "*"
  destination_port_range      = "8472"
  source_address_prefixes     = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix]
  destination_address_prefix  = azurerm_subnet.worker.address_prefix
 }
 # Allow Prometheus to scrape node-exporter daemonset
 resource "azurerm_network_security_rule" "worker-node-exporter" {
  resource_group_name = azurerm_resource_group.cluster.name
--- a/azure/fedora-coreos/kubernetes/versions.tf
+++ b/azure/fedora-coreos/kubernetes/versions.tf
@ -1,12 +1,16 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
-    azurerm  = "~> 2.0"
+    azurerm  = "~> 2.8"
    ct       = "~> 0.3"
    template = "~> 2.1"
    null     = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
  }
 }
--- a/azure/fedora-coreos/kubernetes/workers/fcc/worker.yaml
+++ b/azure/fedora-coreos/kubernetes/workers/fcc/worker.yaml
@ -21,9 +21,10 @@ systemd:
      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube (System Container)
+        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.8
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -49,10 +50,11 @@ systemd:
          --volume /var/log:/var/log \
          --volume /var/run/lock:/var/run/lock:z \
          --volume /opt/cni/bin:/opt/cni/bin:z \
-          quay.io/poseidon/kubelet:v1.18.2 \
+          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=systemd \
          --cgroups-per-qos=true \
          --enforce-node-allocatable=pods \
@ -60,10 +62,8 @@ systemd:
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in split(",", node_labels) ~}
@ -71,6 +71,7 @@ systemd:
          %{~ endfor ~}
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/podman stop kubelet
        Delegate=yes
@ -87,7 +88,7 @@ systemd:
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/true
-        ExecStop=/bin/bash -c '/usr/bin/podman run --volume /etc/kubernetes:/etc/kubernetes:ro,z --entrypoint /usr/local/bin/kubectl quay.io/poseidon/kubelet:v1.18.2 --kubeconfig=/etc/kubernetes/kubeconfig delete node $HOSTNAME'
+        ExecStop=/bin/bash -c '/usr/bin/podman run --volume /etc/kubernetes:/etc/kubernetes:ro,z --entrypoint /usr/local/bin/kubectl quay.io/poseidon/kubelet:v1.18.8 --kubeconfig=/etc/kubernetes/kubeconfig delete node $HOSTNAME'
        [Install]
        WantedBy=multi-user.target
 storage:
@ -103,6 +104,18 @@ storage:
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/sysctl.d/reverse-path-filter.conf
      contents:
        inline: |
          net.ipv4.conf.default.rp_filter=0
          net.ipv4.conf.*.rp_filter=0
    - path: /etc/systemd/network/50-flannel.link
      contents:
        inline: |
          [Match]
          OriginalName=flannel*
          [Link]
          MACAddressPolicy=none
    - path: /etc/systemd/system.conf.d/accounting.conf
      contents:
        inline: |
--- a/azure/fedora-coreos/kubernetes/workers/versions.tf
+++ b/azure/fedora-coreos/kubernetes/workers/versions.tf
@ -1,4 +1,14 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
    azurerm  = "~> 2.8"
    template = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
  }
 }
--- a/azure/fedora-coreos/kubernetes/workers/workers.tf
+++ b/azure/fedora-coreos/kubernetes/workers/workers.tf
@ -72,9 +72,9 @@ resource "azurerm_monitor_autoscale_setting" "workers" {
 # Worker Ignition configs
 data "ct_config" "worker-ignition" {
-  content      = data.template_file.worker-config.rendered
+  content  = data.template_file.worker-config.rendered
-  pretty_print = false
+  strict   = true
-  snippets     = var.snippets
+  snippets = var.snippets
 }
 # Worker Fedora CoreOS configs
--- a/bare-metal/container-linux/kubernetes/README.md
+++ b/bare-metal/container-linux/kubernetes/README.md
@ -11,8 +11,8 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
-* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
+* Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 * Advanced features like [snippets](https://typhoon.psdn.io/advanced/customization/#container-linux) customization
 * Ready for Ingress, Prometheus, Grafana, and other optional [addons](https://typhoon.psdn.io/addons/overview/)
--- a/bare-metal/container-linux/kubernetes/bootstrap.tf
+++ b/bare-metal/container-linux/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=14d0b2087962a0f2557c184f3f523548ce19bbdc"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8ef2fe7c992a8c15d696bd3e3a97be713b025e64"
  cluster_name                    = var.cluster_name
  api_servers                     = [var.k8s_domain_name]
--- a/bare-metal/container-linux/kubernetes/cl/controller.yaml
+++ b/bare-metal/container-linux/kubernetes/cl/controller.yaml
@ -2,12 +2,12 @@
 systemd:
  units:
    - name: etcd-member.service
-      enable: true
+      enabled: true
      dropins:
        - name: 40-etcd-cluster.conf
          contents: |
            [Service]
-            Environment="ETCD_IMAGE_TAG=v3.4.7"
+            Environment="ETCD_IMAGE_TAG=v3.4.10"
            Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd"
            Environment="RKT_RUN_ARGS=--insecure-options=image"
            Environment="ETCD_NAME=${etcd_name}"
@ -28,11 +28,11 @@ systemd:
            Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
            Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
    - name: docker.service
-      enable: true
+      enabled: true
    - name: locksmithd.service
      mask: true
    - name: kubelet.path
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Watch for kubeconfig
@ -41,7 +41,7 @@ systemd:
        [Install]
        WantedBy=multi-user.target
    - name: wait-for-dns.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
@ -57,9 +57,10 @@ systemd:
    - name: kubelet.service
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube
+        Description=Kubelet
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.18.8
        Environment=KUBELET_CGROUP_DRIVER=${cgroup_driver}
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -103,26 +104,25 @@ systemd:
          --mount volume=etc-iscsi,target=/etc/iscsi \
          --volume usr-sbin-iscsiadm,kind=host,source=/usr/sbin/iscsiadm \
          --mount volume=usr-sbin-iscsiadm,target=/sbin/iscsiadm \
-          docker://quay.io/poseidon/kubelet:v1.18.2 -- \
+          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=$${KUBELET_CGROUP_DRIVER} \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=${domain_name} \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/master \
          --node-labels=node.kubernetes.io/controller="true" \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
-          --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+          --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
@ -147,7 +147,7 @@ systemd:
            --volume script,kind=host,source=/opt/bootstrap/apply \
            --mount volume=script,target=/apply \
            --insecure-options=image \
-            docker://quay.io/poseidon/kubelet:v1.18.2 \
+            docker://quay.io/poseidon/kubelet:v1.18.8 \
            --net=host \
            --dns=host \
            --exec=/apply
@ -156,8 +156,13 @@ systemd:
        WantedBy=multi-user.target
 storage:
  directories:
    - path: /var/lib/etcd
      filesystem: root
      mode: 0700
      overwrite: true
    - path: /etc/kubernetes
      filesystem: root
      mode: 0755
  files:
    - path: /etc/hostname
      filesystem: root
@ -179,13 +184,14 @@ storage:
          mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
          chown -R etcd:etcd /etc/ssl/etcd
          chmod -R 500 /etc/ssl/etcd
          chmod -R 700 /var/lib/etcd
          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
-          sudo mkdir -p /etc/kubernetes/manifests
+          mkdir -p /etc/kubernetes/manifests
-          sudo mv static-manifests/* /etc/kubernetes/manifests/
+          mv static-manifests/* /etc/kubernetes/manifests/
-          sudo mkdir -p /opt/bootstrap/assets
+          mkdir -p /opt/bootstrap/assets
-          sudo mv manifests /opt/bootstrap/assets/manifests
+          mv manifests /opt/bootstrap/assets/manifests
-          sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      filesystem: root
@ -204,6 +210,7 @@ storage:
          done
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
--- a/bare-metal/container-linux/kubernetes/cl/install.yaml
+++ b/bare-metal/container-linux/kubernetes/cl/install.yaml
@ -2,7 +2,7 @@
 systemd:
  units:
    - name: installer.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Requires=network-online.target
--- a/bare-metal/container-linux/kubernetes/cl/worker.yaml
+++ b/bare-metal/container-linux/kubernetes/cl/worker.yaml
@ -2,11 +2,11 @@
 systemd:
  units:
    - name: docker.service
-      enable: true
+      enabled: true
    - name: locksmithd.service
      mask: true
    - name: kubelet.path
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Watch for kubeconfig
@ -15,7 +15,7 @@ systemd:
        [Install]
        WantedBy=multi-user.target
    - name: wait-for-dns.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
@ -30,9 +30,10 @@ systemd:
    - name: kubelet.service
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube
+        Description=Kubelet
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.18.8
        Environment=KUBELET_CGROUP_DRIVER=${cgroup_driver}
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -76,20 +77,19 @@ systemd:
          --mount volume=etc-iscsi,target=/etc/iscsi \
          --volume usr-sbin-iscsiadm,kind=host,source=/usr/sbin/iscsiadm \
          --mount volume=usr-sbin-iscsiadm,target=/sbin/iscsiadm \
-          docker://quay.io/poseidon/kubelet:v1.18.2 -- \
+          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=$${KUBELET_CGROUP_DRIVER} \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=${domain_name} \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in compact(split(",", node_labels)) ~}
@ -100,6 +100,7 @@ systemd:
          %{~ endfor ~}
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
@ -111,6 +112,7 @@ storage:
  directories:
    - path: /etc/kubernetes
      filesystem: root
      mode: 0755
  files:
    - path: /etc/hostname
      filesystem: root
@ -120,6 +122,7 @@ storage:
          ${domain_name}
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
--- a/bare-metal/container-linux/kubernetes/profiles.tf
+++ b/bare-metal/container-linux/kubernetes/profiles.tf
@ -141,10 +141,10 @@ resource "matchbox_profile" "controllers" {
 }
 data "ct_config" "controller-ignitions" {
-  count        = length(var.controllers)
+  count    = length(var.controllers)
-  content      = data.template_file.controller-configs.*.rendered[count.index]
+  content  = data.template_file.controller-configs.*.rendered[count.index]
-  pretty_print = false
+  strict   = true
-  snippets     = lookup(var.snippets, var.controllers.*.name[count.index], [])
+  snippets = lookup(var.snippets, var.controllers.*.name[count.index], [])
 }
 data "template_file" "controller-configs" {
@ -171,10 +171,10 @@ resource "matchbox_profile" "workers" {
 }
 data "ct_config" "worker-ignitions" {
-  count        = length(var.workers)
+  count    = length(var.workers)
-  content      = data.template_file.worker-configs.*.rendered[count.index]
+  content  = data.template_file.worker-configs.*.rendered[count.index]
-  pretty_print = false
+  strict   = true
-  snippets     = lookup(var.snippets, var.workers.*.name[count.index], [])
+  snippets = lookup(var.snippets, var.workers.*.name[count.index], [])
 }
 data "template_file" "worker-configs" {
--- a/bare-metal/container-linux/kubernetes/versions.tf
+++ b/bare-metal/container-linux/kubernetes/versions.tf
@ -1,12 +1,20 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
    matchbox = "~> 0.3.0"
    ct       = "~> 0.3"
    template = "~> 2.1"
    null     = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
    matchbox = {
      source  = "poseidon/matchbox"
      version = "~> 0.4.1"
    }
  }
 }
--- a/bare-metal/fedora-coreos/kubernetes/README.md
+++ b/bare-metal/fedora-coreos/kubernetes/README.md
@ -11,9 +11,9 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
-* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
+* Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
-* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [snippets](https://typhoon.psdn.io/advanced/customization/#container-linux) customization
 * Ready for Ingress, Prometheus, Grafana, and other optional [addons](https://typhoon.psdn.io/addons/overview/)
--- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
+++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=14d0b2087962a0f2557c184f3f523548ce19bbdc"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8ef2fe7c992a8c15d696bd3e3a97be713b025e64"
  cluster_name                    = var.cluster_name
  api_servers                     = [var.k8s_domain_name]
--- a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
@ -28,7 +28,7 @@ systemd:
          --network host \
          --volume /var/lib/etcd:/var/lib/etcd:rw,Z \
          --volume /etc/ssl/etcd:/etc/ssl/certs:ro,Z \
-          quay.io/coreos/etcd:v3.4.7
+          quay.io/coreos/etcd:v3.4.10
        ExecStop=/usr/bin/podman stop etcd
        [Install]
        WantedBy=multi-user.target
@ -50,9 +50,10 @@ systemd:
    - name: kubelet.service
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube (System Container)
+        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.8
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -80,10 +81,11 @@ systemd:
          --volume /opt/cni/bin:/opt/cni/bin:z \
          --volume /etc/iscsi:/etc/iscsi \
          --volume /sbin/iscsiadm:/sbin/iscsiadm \
-          quay.io/poseidon/kubelet:v1.18.2 \
+          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=systemd \
          --cgroups-per-qos=true \
          --enforce-node-allocatable=pods \
@ -91,17 +93,15 @@ systemd:
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=${domain_name} \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/master \
          --node-labels=node.kubernetes.io/controller="true" \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
-          --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+          --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/podman stop kubelet
        Delegate=yes
@ -134,11 +134,13 @@ systemd:
            --volume /opt/bootstrap/assets:/assets:ro,Z \
            --volume /opt/bootstrap/apply:/apply:ro,Z \
            --entrypoint=/apply \
-            quay.io/poseidon/kubelet:v1.18.2
+            quay.io/poseidon/kubelet:v1.18.8
        ExecStartPost=/bin/touch /opt/bootstrap/bootstrap.done
        ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
  directories:
    - path: /var/lib/etcd
      mode: 0700
    - path: /etc/kubernetes
    - path: /opt/bootstrap
  files:
@ -162,11 +164,11 @@ storage:
          chmod -R 500 /etc/ssl/etcd
          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
-          sudo mkdir -p /etc/kubernetes/manifests
+          mkdir -p /etc/kubernetes/manifests
-          sudo mv static-manifests/* /etc/kubernetes/manifests/
+          mv static-manifests/* /etc/kubernetes/manifests/
-          sudo mkdir -p /opt/bootstrap/assets
+          mkdir -p /opt/bootstrap/assets
-          sudo mv manifests /opt/bootstrap/assets/manifests
+          mv manifests /opt/bootstrap/assets/manifests
-          sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      mode: 0544
@ -186,6 +188,18 @@ storage:
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/sysctl.d/reverse-path-filter.conf
      contents:
        inline: |
          net.ipv4.conf.default.rp_filter=0
          net.ipv4.conf.*.rp_filter=0
    - path: /etc/systemd/network/50-flannel.link
      contents:
        inline: |
          [Match]
          OriginalName=flannel*
          [Link]
          MACAddressPolicy=none
    - path: /etc/systemd/system.conf.d/accounting.conf
      contents:
        inline: |
--- a/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml
@ -20,9 +20,10 @@ systemd:
    - name: kubelet.service
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube (System Container)
+        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.8
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -50,10 +51,11 @@ systemd:
          --volume /opt/cni/bin:/opt/cni/bin:z \
          --volume /etc/iscsi:/etc/iscsi \
          --volume /sbin/iscsiadm:/sbin/iscsiadm \
-          quay.io/poseidon/kubelet:v1.18.2 \
+          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=systemd \
          --cgroups-per-qos=true \
          --enforce-node-allocatable=pods \
@ -61,11 +63,9 @@ systemd:
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=${domain_name} \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in compact(split(",", node_labels)) ~}
@ -76,6 +76,7 @@ systemd:
          %{~ endfor ~}
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/podman stop kubelet
        Delegate=yes
@ -105,6 +106,18 @@ storage:
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/sysctl.d/reverse-path-filter.conf
      contents:
        inline: |
          net.ipv4.conf.default.rp_filter=0
          net.ipv4.conf.*.rp_filter=0
    - path: /etc/systemd/network/50-flannel.link
      contents:
        inline: |
          [Match]
          OriginalName=flannel*
          [Link]
          MACAddressPolicy=none
    - path: /etc/systemd/system.conf.d/accounting.conf
      contents:
        inline: |
--- a/bare-metal/fedora-coreos/kubernetes/versions.tf
+++ b/bare-metal/fedora-coreos/kubernetes/versions.tf
@ -1,11 +1,19 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
    matchbox = "~> 0.3.0"
    ct       = "~> 0.4"
    template = "~> 2.1"
    null     = "~> 2.1"
    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
    matchbox = {
      source  = "poseidon/matchbox"
      version = "~> 0.4.1"
    }
  }
 }
--- a/digital-ocean/container-linux/kubernetes/README.md
+++ b/digital-ocean/container-linux/kubernetes/README.md
@ -11,8 +11,8 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
-* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
+* Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 * Advanced features like [snippets](https://typhoon.psdn.io/advanced/customization/#container-linux) customization
 * Ready for Ingress, Prometheus, Grafana, CSI, and other [addons](https://typhoon.psdn.io/addons/overview/)
--- a/digital-ocean/container-linux/kubernetes/bootstrap.tf
+++ b/digital-ocean/container-linux/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=14d0b2087962a0f2557c184f3f523548ce19bbdc"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8ef2fe7c992a8c15d696bd3e3a97be713b025e64"
  cluster_name = var.cluster_name
  api_servers  = [format("%s.%s", var.cluster_name, var.dns_zone)]
--- a/digital-ocean/container-linux/kubernetes/cl/controller.yaml
+++ b/digital-ocean/container-linux/kubernetes/cl/controller.yaml
@ -2,12 +2,12 @@
 systemd:
  units:
    - name: etcd-member.service
-      enable: true
+      enabled: true
      dropins:
        - name: 40-etcd-cluster.conf
          contents: |
            [Service]
-            Environment="ETCD_IMAGE_TAG=v3.4.7"
+            Environment="ETCD_IMAGE_TAG=v3.4.10"
            Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd"
            Environment="RKT_RUN_ARGS=--insecure-options=image"
            Environment="ETCD_NAME=${etcd_name}"
@ -28,11 +28,11 @@ systemd:
            Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
            Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
    - name: docker.service
-      enable: true
+      enabled: true
    - name: locksmithd.service
      mask: true
    - name: kubelet.path
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Watch for kubeconfig
@ -41,7 +41,7 @@ systemd:
        [Install]
        WantedBy=multi-user.target
    - name: wait-for-dns.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
@ -57,11 +57,12 @@ systemd:
    - name: kubelet.service
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube
+        Description=Kubelet
        Requires=coreos-metadata.service
        After=coreos-metadata.service
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.18.8
        EnvironmentFile=/run/metadata/coreos
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -101,25 +102,24 @@ systemd:
          --mount volume=var-log,target=/var/log \
          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
          --mount volume=opt-cni-bin,target=/opt/cni/bin \
-          docker://quay.io/poseidon/kubelet:v1.18.2 -- \
+          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=$${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0} \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/master \
          --node-labels=node.kubernetes.io/controller="true" \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
-          --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+          --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
@ -144,7 +144,7 @@ systemd:
            --volume script,kind=host,source=/opt/bootstrap/apply \
            --mount volume=script,target=/apply \
            --insecure-options=image \
-            docker://quay.io/poseidon/kubelet:v1.18.2 \
+            docker://quay.io/poseidon/kubelet:v1.18.8 \
            --net=host \
            --dns=host \
            --exec=/apply
@ -153,8 +153,13 @@ systemd:
        WantedBy=multi-user.target
 storage:
  directories:
    - path: /var/lib/etcd
      filesystem: root
      mode: 0700
      overwrite: true
    - path: /etc/kubernetes
      filesystem: root
      mode: 0755
  files:
    - path: /opt/bootstrap/layout
      filesystem: root
@ -170,13 +175,14 @@ storage:
          mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
          chown -R etcd:etcd /etc/ssl/etcd
          chmod -R 500 /etc/ssl/etcd
          chmod -R 700 /var/lib/etcd
          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
-          sudo mkdir -p /etc/kubernetes/manifests
+          mkdir -p /etc/kubernetes/manifests
-          sudo mv static-manifests/* /etc/kubernetes/manifests/
+          mv static-manifests/* /etc/kubernetes/manifests/
-          sudo mkdir -p /opt/bootstrap/assets
+          mkdir -p /opt/bootstrap/assets
-          sudo mv manifests /opt/bootstrap/assets/manifests
+          mv manifests /opt/bootstrap/assets/manifests
-          sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      filesystem: root
@ -195,6 +201,7 @@ storage:
          done
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
--- a/digital-ocean/container-linux/kubernetes/cl/worker.yaml
+++ b/digital-ocean/container-linux/kubernetes/cl/worker.yaml
@ -2,11 +2,11 @@
 systemd:
  units:
    - name: docker.service
-      enable: true
+      enabled: true
    - name: locksmithd.service
      mask: true
    - name: kubelet.path
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Watch for kubeconfig
@ -15,7 +15,7 @@ systemd:
        [Install]
        WantedBy=multi-user.target
    - name: wait-for-dns.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
@ -30,11 +30,12 @@ systemd:
    - name: kubelet.service
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube
+        Description=Kubelet
        Requires=coreos-metadata.service
        After=coreos-metadata.service
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.18.8
        EnvironmentFile=/run/metadata/coreos
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -74,23 +75,23 @@ systemd:
          --mount volume=var-log,target=/var/log \
          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
          --mount volume=opt-cni-bin,target=/opt/cni/bin \
-          docker://quay.io/poseidon/kubelet:v1.18.2 -- \
+          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=$${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0} \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
@ -98,7 +99,7 @@ systemd:
        [Install]
        WantedBy=multi-user.target
    - name: delete-node.service
-      enable: true
+      enabled: true
      contents: |
        [Unit]
        Description=Waiting to delete Kubernetes node on shutdown
@ -113,9 +114,11 @@ storage:
  directories:
    - path: /etc/kubernetes
      filesystem: root
      mode: 0755
  files:
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
@ -131,7 +134,7 @@ storage:
            --volume config,kind=host,source=/etc/kubernetes \
            --mount volume=config,target=/etc/kubernetes \
            --insecure-options=image \
-            docker://quay.io/poseidon/kubelet:v1.18.2 \
+            docker://quay.io/poseidon/kubelet:v1.18.8 \
            --net=host \
            --dns=host \
            --exec=/usr/local/bin/kubectl -- --kubeconfig=/etc/kubernetes/kubeconfig delete node $(hostname)
--- a/digital-ocean/container-linux/kubernetes/controllers.tf
+++ b/digital-ocean/container-linux/kubernetes/controllers.tf
@ -46,9 +46,10 @@ resource "digitalocean_droplet" "controllers" {
  size  = var.controller_type
  # network
  # only official DigitalOcean images support IPv6
  ipv6               = local.is_official_image
  private_networking = true
  vpc_uuid           = digitalocean_vpc.network.id
  # TODO: Only official DigitalOcean images support IPv6
  ipv6 = false
  user_data = data.ct_config.controller-ignitions.*.rendered[count.index]
  ssh_keys  = var.ssh_fingerprints
@ -69,10 +70,10 @@ resource "digitalocean_tag" "controllers" {
 # Controller Ignition configs
 data "ct_config" "controller-ignitions" {
-  count        = var.controller_count
+  count    = var.controller_count
-  content      = data.template_file.controller-configs.*.rendered[count.index]
+  content  = data.template_file.controller-configs.*.rendered[count.index]
-  pretty_print = false
+  strict   = true
-  snippets     = var.controller_snippets
+  snippets = var.controller_snippets
 }
 # Controller Container Linux configs
--- a/digital-ocean/container-linux/kubernetes/network.tf
+++ b/digital-ocean/container-linux/kubernetes/network.tf
@ -1,3 +1,10 @@
 # Network VPC
 resource "digitalocean_vpc" "network" {
  name        = var.cluster_name
  region      = var.region
  description = "Network for ${var.cluster_name} cluster"
 }
 resource "digitalocean_firewall" "rules" {
  name = var.cluster_name
@ -6,6 +13,11 @@ resource "digitalocean_firewall" "rules" {
    digitalocean_tag.workers.name
  ]
  inbound_rule {
    protocol    = "icmp"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # allow ssh, internal flannel, internal node-exporter, internal kubelet
  inbound_rule {
    protocol         = "tcp"
@ -13,12 +25,27 @@ resource "digitalocean_firewall" "rules" {
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  # Cilium health
  inbound_rule {
    protocol    = "tcp"
    port_range  = "4240"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # IANA vxlan (flannel, calico)
  inbound_rule {
    protocol    = "udp"
    port_range  = "4789"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # Linux vxlan (Cilium)
  inbound_rule {
    protocol    = "udp"
    port_range  = "8472"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # Allow Prometheus to scrape node-exporter
  inbound_rule {
    protocol    = "tcp"
@ -33,6 +60,7 @@ resource "digitalocean_firewall" "rules" {
    source_tags = [digitalocean_tag.workers.name]
  }
  # Kubelet
  inbound_rule {
    protocol    = "tcp"
    port_range  = "10250"
--- a/digital-ocean/container-linux/kubernetes/outputs.tf
+++ b/digital-ocean/container-linux/kubernetes/outputs.tf
@ -2,6 +2,8 @@ output "kubeconfig-admin" {
  value = module.bootstrap.kubeconfig-admin
 }
 # Outputs for Kubernetes Ingress
 output "controllers_dns" {
  value = digitalocean_record.controllers[0].fqdn
 }
@ -45,3 +47,10 @@ output "worker_tag" {
  value       = digitalocean_tag.workers.name
 }
 # Outputs for custom load balancing
 output "vpc_id" {
  description = "ID of the cluster VPC"
  value       = digitalocean_vpc.network.id
 }
--- a/digital-ocean/container-linux/kubernetes/versions.tf
+++ b/digital-ocean/container-linux/kubernetes/versions.tf
@ -1,12 +1,20 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
-    digitalocean = "~> 1.3"
+    template = "~> 2.1"
-    ct           = "~> 0.3"
+    null     = "~> 2.1"
-    template     = "~> 2.1"
+
-    null         = "~> 2.1"
+    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
    digitalocean = {
      source  = "digitalocean/digitalocean"
      version = "~> 1.20"
    }
  }
 }
--- a/digital-ocean/container-linux/kubernetes/workers.tf
+++ b/digital-ocean/container-linux/kubernetes/workers.tf
@ -35,9 +35,10 @@ resource "digitalocean_droplet" "workers" {
  size  = var.worker_type
  # network
  # only official DigitalOcean images support IPv6
  ipv6               = local.is_official_image
  private_networking = true
  vpc_uuid           = digitalocean_vpc.network.id
  # only official DigitalOcean images support IPv6
  ipv6 = local.is_official_image
  user_data = data.ct_config.worker-ignition.rendered
  ssh_keys  = var.ssh_fingerprints
@ -58,9 +59,9 @@ resource "digitalocean_tag" "workers" {
 # Worker Ignition config
 data "ct_config" "worker-ignition" {
-  content      = data.template_file.worker-config.rendered
+  content  = data.template_file.worker-config.rendered
-  pretty_print = false
+  strict   = true
-  snippets     = var.worker_snippets
+  snippets = var.worker_snippets
 }
 # Worker Container Linux config
--- a/digital-ocean/fedora-coreos/kubernetes/README.md
+++ b/digital-ocean/fedora-coreos/kubernetes/README.md
@ -11,9 +11,9 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.18.2 (upstream)
+* Kubernetes v1.18.8 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
-* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [snippets](https://typhoon.psdn.io/advanced/customization/) customization
 * Ready for Ingress, Prometheus, Grafana, CSI, and other [addons](https://typhoon.psdn.io/addons/overview/)
--- a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=14d0b2087962a0f2557c184f3f523548ce19bbdc"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8ef2fe7c992a8c15d696bd3e3a97be713b025e64"
  cluster_name = var.cluster_name
  api_servers  = [format("%s.%s", var.cluster_name, var.dns_zone)]
--- a/digital-ocean/fedora-coreos/kubernetes/controllers.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/controllers.tf
@ -41,9 +41,10 @@ resource "digitalocean_droplet" "controllers" {
  size  = var.controller_type
  # network
  # TODO: Only official DigitalOcean images support IPv6
  ipv6               = false
  private_networking = true
  vpc_uuid           = digitalocean_vpc.network.id
  # TODO: Only official DigitalOcean images support IPv6
  ipv6 = false
  user_data = data.ct_config.controller-ignitions.*.rendered[count.index]
  ssh_keys  = var.ssh_fingerprints
@ -64,10 +65,10 @@ resource "digitalocean_tag" "controllers" {
 # Controller Ignition configs
 data "ct_config" "controller-ignitions" {
-  count        = var.controller_count
+  count    = var.controller_count
-  content      = data.template_file.controller-configs.*.rendered[count.index]
+  content  = data.template_file.controller-configs.*.rendered[count.index]
-  strict       = true
+  strict   = true
-  snippets     = var.controller_snippets
+  snippets = var.controller_snippets
 }
 # Controller Fedora CoreOS configs
--- a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
@ -28,7 +28,7 @@ systemd:
          --network host \
          --volume /var/lib/etcd:/var/lib/etcd:rw,Z \
          --volume /etc/ssl/etcd:/etc/ssl/certs:ro,Z \
-          quay.io/coreos/etcd:v3.4.7
+          quay.io/coreos/etcd:v3.4.10
        ExecStop=/usr/bin/podman stop etcd
        [Install]
        WantedBy=multi-user.target
@ -50,11 +50,12 @@ systemd:
    - name: kubelet.service
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube (System Container)
+        Description=Kubelet (System Container)
        Requires=afterburn.service
        After=afterburn.service
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.8
        EnvironmentFile=/run/metadata/afterburn
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -81,10 +82,11 @@ systemd:
          --volume /var/log:/var/log \
          --volume /var/run/lock:/var/run/lock:z \
          --volume /opt/cni/bin:/opt/cni/bin:z \
-          quay.io/poseidon/kubelet:v1.18.2 \
+          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=systemd \
          --cgroups-per-qos=true \
          --enforce-node-allocatable=pods \
@ -92,17 +94,15 @@ systemd:
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=$${AFTERBURN_DIGITALOCEAN_IPV4_PRIVATE_0} \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/master \
          --node-labels=node.kubernetes.io/controller="true" \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
-          --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+          --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/podman stop kubelet
        Delegate=yes
@ -135,11 +135,13 @@ systemd:
            --volume /opt/bootstrap/assets:/assets:ro,Z \
            --volume /opt/bootstrap/apply:/apply:ro,Z \
            --entrypoint=/apply \
-            quay.io/poseidon/kubelet:v1.18.2
+            quay.io/poseidon/kubelet:v1.18.8
        ExecStartPost=/bin/touch /opt/bootstrap/bootstrap.done
        ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
  directories:
    - path: /var/lib/etcd
      mode: 0700
    - path: /etc/kubernetes
    - path: /opt/bootstrap
  files:
@ -158,11 +160,11 @@ storage:
          chmod -R 500 /etc/ssl/etcd
          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
-          sudo mkdir -p /etc/kubernetes/manifests
+          mkdir -p /etc/kubernetes/manifests
-          sudo mv static-manifests/* /etc/kubernetes/manifests/
+          mv static-manifests/* /etc/kubernetes/manifests/
-          sudo mkdir -p /opt/bootstrap/assets
+          mkdir -p /opt/bootstrap/assets
-          sudo mv manifests /opt/bootstrap/assets/manifests
+          mv manifests /opt/bootstrap/assets/manifests
-          sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      mode: 0544
@ -182,6 +184,18 @@ storage:
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/sysctl.d/reverse-path-filter.conf
      contents:
        inline: |
          net.ipv4.conf.default.rp_filter=0
          net.ipv4.conf.*.rp_filter=0
    - path: /etc/systemd/network/50-flannel.link
      contents:
        inline: |
          [Match]
          OriginalName=flannel*
          [Link]
          MACAddressPolicy=none
    - path: /etc/systemd/system.conf.d/accounting.conf
      contents:
        inline: |
--- a/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml
+++ b/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml
@ -21,11 +21,12 @@ systemd:
      enabled: true
      contents: |
        [Unit]
-        Description=Kubelet via Hyperkube (System Container)
+        Description=Kubelet (System Container)
        Requires=afterburn.service
        After=afterburn.service
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.8
        EnvironmentFile=/run/metadata/afterburn
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -52,10 +53,11 @@ systemd:
          --volume /var/log:/var/log \
          --volume /var/run/lock:/var/run/lock:z \
          --volume /opt/cni/bin:/opt/cni/bin:z \
-          quay.io/poseidon/kubelet:v1.18.2 \
+          $${KUBELET_IMAGE} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --cgroup-driver=systemd \
          --cgroups-per-qos=true \
          --enforce-node-allocatable=pods \
@ -63,15 +65,14 @@ systemd:
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=$${AFTERBURN_DIGITALOCEAN_IPV4_PRIVATE_0} \
-          --kubeconfig=/etc/kubernetes/kubeconfig \
+          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/podman stop kubelet
        Delegate=yes
@ -97,7 +98,7 @@ systemd:
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/true
-        ExecStop=/bin/bash -c '/usr/bin/podman run --volume /etc/kubernetes:/etc/kubernetes:ro,z --entrypoint /usr/local/bin/kubectl quay.io/poseidon/kubelet:v1.18.2 --kubeconfig=/etc/kubernetes/kubeconfig delete node $HOSTNAME'
+        ExecStop=/bin/bash -c '/usr/bin/podman run --volume /etc/kubernetes:/etc/kubernetes:ro,z --entrypoint /usr/local/bin/kubectl quay.io/poseidon/kubelet:v1.18.8 --kubeconfig=/etc/kubernetes/kubeconfig delete node $HOSTNAME'
        [Install]
        WantedBy=multi-user.target
 storage:
@ -108,6 +109,18 @@ storage:
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/sysctl.d/reverse-path-filter.conf
      contents:
        inline: |
          net.ipv4.conf.default.rp_filter=0
          net.ipv4.conf.*.rp_filter=0
    - path: /etc/systemd/network/50-flannel.link
      contents:
        inline: |
          [Match]
          OriginalName=flannel*
          [Link]
          MACAddressPolicy=none
    - path: /etc/systemd/system.conf.d/accounting.conf
      contents:
        inline: |
--- a/digital-ocean/fedora-coreos/kubernetes/network.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/network.tf
@ -1,3 +1,10 @@
 # Network VPC
 resource "digitalocean_vpc" "network" {
  name        = var.cluster_name
  region      = var.region
  description = "Network for ${var.cluster_name} cluster"
 }
 resource "digitalocean_firewall" "rules" {
  name = var.cluster_name
@ -6,6 +13,11 @@ resource "digitalocean_firewall" "rules" {
    digitalocean_tag.workers.name
  ]
  inbound_rule {
    protocol    = "icmp"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # allow ssh, internal flannel, internal node-exporter, internal kubelet
  inbound_rule {
    protocol         = "tcp"
@ -13,12 +25,27 @@ resource "digitalocean_firewall" "rules" {
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  # Cilium health
  inbound_rule {
    protocol    = "tcp"
    port_range  = "4240"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # IANA vxlan (flannel, calico)
  inbound_rule {
    protocol    = "udp"
    port_range  = "4789"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # Linux vxlan (Cilium)
  inbound_rule {
    protocol    = "udp"
    port_range  = "8472"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # Allow Prometheus to scrape node-exporter
  inbound_rule {
    protocol    = "tcp"
@ -33,6 +60,7 @@ resource "digitalocean_firewall" "rules" {
    source_tags = [digitalocean_tag.workers.name]
  }
  # Kubelet
  inbound_rule {
    protocol    = "tcp"
    port_range  = "10250"
--- a/digital-ocean/fedora-coreos/kubernetes/outputs.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/outputs.tf
@ -2,6 +2,8 @@ output "kubeconfig-admin" {
  value = module.bootstrap.kubeconfig-admin
 }
 # Outputs for Kubernetes Ingress
 output "controllers_dns" {
  value = digitalocean_record.controllers[0].fqdn
 }
@ -45,3 +47,9 @@ output "worker_tag" {
  value       = digitalocean_tag.workers.name
 }
 # Outputs for custom load balancing
 output "vpc_id" {
  description = "ID of the cluster VPC"
  value       = digitalocean_vpc.network.id
 }
--- a/digital-ocean/fedora-coreos/kubernetes/versions.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/versions.tf
@ -1,12 +1,20 @@
 # Terraform version and plugin versions
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.26, < 0.14.0"
  required_providers {
-    digitalocean = "~> 1.3"
+    template = "~> 2.1"
-    ct           = "~> 0.3"
+    null     = "~> 2.1"
-    template     = "~> 2.1"
+
-    null         = "~> 2.1"
+    ct = {
      source  = "poseidon/ct"
      version = "~> 0.6.1"
    }
    digitalocean = {
      source  = "digitalocean/digitalocean"
      version = "~> 1.20"
    }
  }
 }
--- a/Show More
+++ b/Show More