to merge with previous commit on main

Add support for devince binding
In some cases we need to use block devices directly (Physical volume storage). This new variable allows the user to mount devices with the --device option for flatcar baremetal. How to use : add a list of objects like this to the cluster definition : worker_bind_devices = [ { source = "/dev/sdb" target = "/dev/sdb" }, { source = "/dev/sdc" target = "/dev/sdd" }, { source = "/dev/sdd" target = "/dev/sdd" } ] This will bind the source device on the target directory in evry node.
2025-08-21 08:14:58 +02:00 · 2023-03-03 11:25:25 +01:00 · 2023-03-03 10:41:56 +01:00
148 changed files with 332 additions and 2577 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -0,0 +1,10 @@
 High level description of the change.
 * Specific change
 * Specific change
 ## Testing
 Describe your work to validate the change works.
 rel: issue number (if applicable)
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@ -4,3 +4,6 @@ updates:
  directory: "/"
  schedule:
    interval: weekly
  pull-request-branch-name:
    separator: "-"
  open-pull-requests-limit: 3
--- a/.github/release.yaml
+++ b/.github/release.yaml
@ -1,12 +0,0 @@
 changelog:
  categories:
    - title: Contributions
      labels:
        - '*'
      exclude:
        labels:
          - dependencies
          - no-release-note
    - title: Dependencies
      labels:
        - dependencies
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -1,12 +0,0 @@
 name: publish
 on:
  push:
    branches:
      - release-docs
 jobs:
  mkdocs:
    name: mkdocs
    uses: poseidon/matchbox/.github/workflows/mkdocs-pages.yaml@main
    # Add content write for GitHub Pages
    permissions:
      contents: write
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
 site/
 venv/
--- a/CHANGES.md
+++ b/CHANGES.md
@ -4,155 +4,6 @@ Notable changes between versions.
 ## Latest
 ## v1.30.1
 * Kubernetes [v1.30.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1301)
 * Add firewall rules and security group rules for Cilium and Hubble metrics ([#1449](https://github.com/poseidon/typhoon/pull/1449))
 * Update Cilium from v1.15.3 to [v1.15.5](https://github.com/cilium/cilium/releases/tag/v1.15.5)
 * Update flannel from v0.24.4 to [v0.25.1](https://github.com/flannel-io/flannel/releases/tag/v0.25.1)
 * Introduce `components` variabe to enable/disable/configure pre-installed components ([#1453](https://github.com/poseidon/typhoon/pull/1453))
 * Add Terraform modules for `coredns`, `cilium`, and `flannel` components
 ### Azure
 * Add `controller_security_group_name` output for adding custom security rules ([#1450](https://github.com/poseidon/typhoon/pull/1450))
 * Add `controller_address_prefixes` output for adding custom security rules ([#1450](https://github.com/poseidon/typhoon/pull/1450))
 ## v1.30.0
 * Kubernetes [v1.30.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#v1300)
 * Update etcd from v3.5.12 to [v3.5.13](https://github.com/etcd-io/etcd/releases/tag/v3.5.13)
 * Update Cilium from v1.15.2 to [v1.15.3](https://github.com/cilium/cilium/releases/tag/v1.15.3)
 * Update Calico from v3.27.2 to [v3.27.3](https://github.com/projectcalico/calico/releases/tag/v3.27.3)
 ## v1.29.3
 * Kubernetes [v1.29.3](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1293)
 * Update Cilium from v1.15.1 to [v1.15.2](https://github.com/cilium/cilium/releases/tag/v1.15.2)
 * Update flannel from v0.24.2 to [v0.24.4](https://github.com/flannel-io/flannel/releases/tag/v0.24.4)
 ## v1.29.2
 * Kubernetes [v1.29.2](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1292)
 * Update etcd from v3.5.10 to [v3.5.12](https://github.com/etcd-io/etcd/releases/tag/v3.5.12)
 * Update Cilium from v1.14.3 to [v1.15.1](https://github.com/cilium/cilium/releases/tag/v1.15.1)
 * Update Calico from v3.26.3 to [v3.27.2](https://github.com/projectcalico/calico/releases/tag/v3.27.2)
  * Fix upstream incompatibility with Fedora CoreOS ([calico#8372](https://github.com/projectcalico/calico/issues/8372))
 * Update flannel from v0.22.2 to [v0.24.2](https://github.com/flannel-io/flannel/releases/tag/v0.24.2)
 * Add an `install_container_networking` variable (default `true`) ([#1421](https://github.com/poseidon/typhoon/pull/1421))
  * When `true`, the chosen container `networking` provider is installed during cluster bootstrap
  * Set `false` to self-manage the container networking provider. This allows flannel, Calico, or Cilium
  to be managed via Terraform (like any other Kubernetes resources). Nodes will be NotReady until you
  apply the self-managed container networking provider. This may become the default in future.
  * Continue to set `networking` to one of the three supported container networking providers. Most
  require custom firewall / security policies be present across nodes so they have some infra tie-ins.
 ## v1.29.1
 * Kubernetes [v1.29.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1291)
 ### AWS
 * Continue to support AWS IMDSv1 ([#1412](https://github.com/poseidon/typhoon/pull/1412))
 ### Known Issues
 * Calico and Fedora CoreOS cannot be used together currently ([calico#8372](https://github.com/projectcalico/calico/issues/8372))
 ## v1.29.0
 * Kubernetes [v1.29.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#v1290)
 ### Known Issues
 * Calico and Fedora CoreOS cannot be used together currently ([calico#8372](https://github.com/projectcalico/calico/issues/8372))
 ## v1.28.4
 * Kubernetes [v1.28.4](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1284)
 ## v1.28.3
 * Kubernetes [v1.28.3](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1283)
 * Update etcd from v3.5.9 to [v3.5.10](https://github.com/etcd-io/etcd/releases/tag/v3.5.10)
 * Update Cilium from v1.14.2 to [v1.14.3](https://github.com/cilium/cilium/releases/tag/v1.14.3)
 * Workaround problems in Cilium v1.14's partial `kube-proxy` implementation ([#365](https://github.com/poseidon/terraform-render-bootstrap/pull/365))
 * Update Calico from v3.26.1 to [v3.26.3](https://github.com/projectcalico/calico/releases/tag/v3.26.3)
 ### Google Cloud
 * Allow upgrading Google Cloud Terraform provider to v5.x
 ## v1.28.2
 * Kubernetes [v1.28.2](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1282)
 * Update Cilium from v1.14.1 to [v1.14.2](https://github.com/cilium/cilium/releases/tag/v1.14.2)
 ### Azure
 * Add optional `azure_authorized_key` variable
  * Azure obtusely inspects public keys, requires RSA keys, and forbids more secure key formats (e.g. ed25519)
  * Allow passing a dummy RSA key via `azure_authorized_key` (delete the private key) to satisfy Azure validations, then the usual `ssh_authorized_key` variable can new newer formats (e.g. ed25519)
 ## v1.28.1
 * Kubernetes [v1.28.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1281)
 ## v1.28.0
 * Kubernetes [v1.28.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#v1280)
 * Update Cilium from v1.13.4 to [v1.14.1](https://github.com/cilium/cilium/releases/tag/v1.14.1)
 * Update flannel from v0.22.0 to [v0.22.2](https://github.com/flannel-io/flannel/releases/tag/v0.22.2)
 ## v1.27.4
 * Kubernetes [v1.27.4](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1274)
 ## v1.27.3
 * Kubernetes [v1.27.3](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1273)
 * Update etcd from v3.5.7 to [v3.5.9](https://github.com/etcd-io/etcd/releases/tag/v3.5.9)
 * Update Cilium from v1.13.2 to [v1.13.4](https://github.com/cilium/cilium/releases/tag/v1.13.4)
 * Update Calico from v3.25.1 to [v3.26.1](https://github.com/projectcalico/calico/releases/tag/v3.26.1)
 * Update flannel from v0.21.2 to [v0.22.0](https://github.com/flannel-io/flannel/releases/tag/v0.22.0)
 ### AWS
 * Allow upgrading AWS Terraform provider to v5.x ([#1353](https://github.com/poseidon/typhoon/pull/1353))
 ### Azure
 * Enable boot diagnostics for controller and worker VMs ([#1351](https://github.com/poseidon/typhoon/pull/1351))
 ## v1.27.2
 * Kubernetes [v1.27.2](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1272)
 ### Fedora CoreOS
 * Update Butane Config version from v1.4.0 to v1.5.0
  * Require any custom Butane [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) update to v1.5.0
 * Require Fedora CoreOS `37.20230303.3.0` or newer (with ignition v2.15)
 * Require poseidon/ct v0.13+ (**action required**)
 ## v1.27.1
 * Kubernetes [v1.27.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#v1271)
 * Update etcd from v3.5.7 to [v3.5.8](https://github.com/etcd-io/etcd/releases/tag/v3.5.8)
 * Update Cilium from v1.13.1 to [v1.13.2](https://github.com/cilium/cilium/releases/tag/v1.13.2)
 * Update Calico from v3.25.0 to [v3.25.1](https://github.com/projectcalico/calico/releases/tag/v3.25.1)
 ## v1.26.3
 * Kubernetes [v1.26.3](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1263)
 * Update Cilium from v1.12.6 to [v1.13.1](https://github.com/cilium/cilium/releases/tag/v1.13.1)
 ### Bare-Metal
 * Add `oem_type` variable for Flatcar Linux ([#1302](https://github.com/poseidon/typhoon/pull/1302))
 ## v1.26.2
 * Kubernetes [v1.26.2](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1262)
 * Update Cilium from v1.12.5 to [v1.12.6](https://github.com/cilium/cilium/releases/tag/v1.12.6)
 * Update flannel from v0.20.2 to [v0.21.2](https://github.com/flannel-io/flannel/releases/tag/v0.21.2)
@ -161,10 +12,6 @@ Notable changes between versions.
 * Add a `worker` module to allow customizing individual worker nodes ([#1295](https://github.com/poseidon/typhoon/pull/1295))
 ### Known Issues
 * Fedora CoreOS [issue](https://github.com/coreos/fedora-coreos-tracker/issues/1423) fix is progressing through channels
 ## v1.26.1
 * Kubernetes [v1.26.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#v1261)
--- a/README.md
+++ b/README.md
@ -1,9 +1,4 @@
-# Typhoon
+# Typhoon [![Release](https://img.shields.io/github/v/release/poseidon/typhoon)](https://github.com/poseidon/typhoon/releases) [![Stars](https://img.shields.io/github/stars/poseidon/typhoon)](https://github.com/poseidon/typhoon/stargazers) [![Sponsors](https://img.shields.io/github/sponsors/poseidon?logo=github)](https://github.com/sponsors/poseidon) [![Mastodon](https://img.shields.io/badge/follow-news-6364ff?logo=mastodon)](https://fosstodon.org/@typhoon)
 [![Release](https://img.shields.io/github/v/release/poseidon/typhoon?style=flat-square)](https://github.com/poseidon/typhoon/releases)
 [![Stars](https://img.shields.io/github/stars/poseidon/typhoon?style=flat-square)](https://github.com/poseidon/typhoon/stargazers)
 [![Sponsors](https://img.shields.io/github/sponsors/poseidon?logo=github&style=flat-square)](https://github.com/sponsors/poseidon)
 [![Mastodon](https://img.shields.io/badge/follow-news-6364ff?logo=mastodon&style=flat-square)](https://fosstodon.org/@typhoon)
 <img align="right" src="https://storage.googleapis.com/poseidon/typhoon-logo.png">
@ -18,7 +13,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.30.2 (upstream)
+* Kubernetes v1.26.2 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [preemptible](https://typhoon.psdn.io/flatcar-linux/google-cloud/#preemption) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) customization
@ -26,7 +21,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Modules
-Typhoon provides a Terraform Module for defining a Kubernetes cluster on each supported operating system and platform.
+Typhoon provides a Terraform Module for each supported operating system and platform.
 Typhoon is available for [Fedora CoreOS](https://getfedora.org/coreos/).
@ -57,14 +52,6 @@ Typhoon is available for [Flatcar Linux](https://www.flatcar-linux.org/releases/
 | AWS           | Flatcar Linux (ARM64) | [aws/flatcar-linux/kubernetes](aws/flatcar-linux/kubernetes) | alpha |
 | Azure         | Flatcar Linux (ARM64) | [azure/flatcar-linux/kubernetes](azure/flatcar-linux/kubernetes) | alpha |
 Typhoon also provides Terraform Modules for optionally managing individual components applied onto clusters.
 | Name    | Terraform Module | Status |
 |---------|------------------|--------|
 | CoreDNS | [addons/coredns](addons/coredns) | beta |
 | Cilium  | [addons/cilium](addons/cilium) | beta |
 | flannel | [addons/flannel](addons/flannel) | beta |
 ## Documentation
 * [Docs](https://typhoon.psdn.io)
@ -78,7 +65,7 @@ Define a Kubernetes cluster by using the Terraform module for your chosen platfo
 ```tf
 module "yavin" {
-  source = "git::https://github.com/poseidon/typhoon//google-cloud/fedora-coreos/kubernetes?ref=v1.30.2"
+  source = "git::https://github.com/poseidon/typhoon//google-cloud/fedora-coreos/kubernetes?ref=v1.26.2"
  # Google Cloud
  cluster_name  = "yavin"
@ -117,9 +104,9 @@ In 4-8 minutes (varies by platform), the cluster will be ready. This Google Clou
 $ export KUBECONFIG=/home/user/.kube/configs/yavin-config
 $ kubectl get nodes
 NAME                                       ROLES    STATUS  AGE  VERSION
-yavin-controller-0.c.example-com.internal  <none>   Ready   6m   v1.30.2
+yavin-controller-0.c.example-com.internal  <none>   Ready   6m   v1.26.2
-yavin-worker-jrbf.c.example-com.internal   <none>   Ready   5m   v1.30.2
+yavin-worker-jrbf.c.example-com.internal   <none>   Ready   5m   v1.26.2
-yavin-worker-mzdm.c.example-com.internal   <none>   Ready   5m   v1.30.2
+yavin-worker-mzdm.c.example-com.internal   <none>   Ready   5m   v1.26.2
 ```
 List the pods.
--- a/addons/cilium/cluster-role-binding.tf
+++ b/addons/cilium/cluster-role-binding.tf
@ -1,36 +0,0 @@
 resource "kubernetes_cluster_role_binding" "operator" {
  metadata {
    name = "cilium-operator"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cilium-operator"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "cilium-operator"
    namespace = "kube-system"
  }
 }
 resource "kubernetes_cluster_role_binding" "agent" {
  metadata {
    name = "cilium-agent"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cilium-agent"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "cilium-agent"
    namespace = "kube-system"
  }
 }
--- a/addons/cilium/cluster-role.tf
+++ b/addons/cilium/cluster-role.tf
@ -1,112 +0,0 @@
 resource "kubernetes_cluster_role" "operator" {
  metadata {
    name = "cilium-operator"
  }
  # detect and restart [core|kube]dns pods on startup
  rule {
    verbs      = ["get", "list", "watch", "delete"]
    api_groups = [""]
    resources  = ["pods"]
  }
  rule {
    verbs      = ["list", "watch"]
    api_groups = [""]
    resources  = ["nodes"]
  }
  rule {
    verbs      = ["patch"]
    api_groups = [""]
    resources  = ["nodes", "nodes/status"]
  }
  rule {
    verbs      = ["get", "list", "watch"]
    api_groups = ["discovery.k8s.io"]
    resources  = ["endpointslices"]
  }
  rule {
    verbs      = ["get", "list", "watch"]
    api_groups = [""]
    resources  = ["services"]
  }
  # Perform LB IP allocation for BGP
  rule {
    verbs      = ["update"]
    api_groups = [""]
    resources  = ["services/status"]
  }
  # Perform the translation of a CNP that contains `ToGroup` to its endpoints
  rule {
    verbs      = ["get", "list", "watch"]
    api_groups = [""]
    resources  = ["services", "endpoints", "namespaces"]
  }
  rule {
    verbs      = ["*"]
    api_groups = ["cilium.io"]
    resources  = ["ciliumnetworkpolicies", "ciliumnetworkpolicies/status", "ciliumnetworkpolicies/finalizers", "ciliumclusterwidenetworkpolicies", "ciliumclusterwidenetworkpolicies/status", "ciliumclusterwidenetworkpolicies/finalizers", "ciliumendpoints", "ciliumendpoints/status", "ciliumendpoints/finalizers", "ciliumnodes", "ciliumnodes/status", "ciliumnodes/finalizers", "ciliumidentities", "ciliumidentities/status", "ciliumidentities/finalizers", "ciliumlocalredirectpolicies", "ciliumlocalredirectpolicies/status", "ciliumlocalredirectpolicies/finalizers", "ciliumendpointslices", "ciliumloadbalancerippools", "ciliumloadbalancerippools/status", "ciliumcidrgroups", "ciliuml2announcementpolicies", "ciliuml2announcementpolicies/status", "ciliumpodippools"]
  }
  rule {
    verbs      = ["create", "get", "list", "update", "watch"]
    api_groups = ["apiextensions.k8s.io"]
    resources  = ["customresourcedefinitions"]
  }
  # Cilium leader elects if among multiple operator replicas
  rule {
    verbs      = ["create", "get", "update"]
    api_groups = ["coordination.k8s.io"]
    resources  = ["leases"]
  }
 }
 resource "kubernetes_cluster_role" "agent" {
  metadata {
    name = "cilium-agent"
  }
  rule {
    verbs      = ["get", "list", "watch"]
    api_groups = ["networking.k8s.io"]
    resources  = ["networkpolicies"]
  }
  rule {
    verbs      = ["get", "list", "watch"]
    api_groups = ["discovery.k8s.io"]
    resources  = ["endpointslices"]
  }
  rule {
    verbs      = ["get", "list", "watch"]
    api_groups = [""]
    resources  = ["namespaces", "services", "pods", "endpoints", "nodes"]
  }
  rule {
    verbs      = ["patch"]
    api_groups = [""]
    resources  = ["nodes/status"]
  }
  rule {
    verbs      = ["create", "get", "list", "watch", "update"]
    api_groups = ["apiextensions.k8s.io"]
    resources  = ["customresourcedefinitions"]
  }
  rule {
    verbs      = ["*"]
    api_groups = ["cilium.io"]
    resources  = ["ciliumnetworkpolicies", "ciliumnetworkpolicies/status", "ciliumclusterwidenetworkpolicies", "ciliumclusterwidenetworkpolicies/status", "ciliumendpoints", "ciliumendpoints/status", "ciliumnodes", "ciliumnodes/status", "ciliumidentities", "ciliumidentities/status", "ciliumlocalredirectpolicies", "ciliumlocalredirectpolicies/status", "ciliumegressnatpolicies", "ciliumendpointslices", "ciliumcidrgroups", "ciliuml2announcementpolicies", "ciliuml2announcementpolicies/status", "ciliumpodippools"]
  }
 }
--- a/addons/cilium/config.tf
+++ b/addons/cilium/config.tf
@ -1,196 +0,0 @@
 resource "kubernetes_config_map" "cilium" {
  metadata {
    name      = "cilium"
    namespace = "kube-system"
  }
  data = {
    # Identity allocation mode selects how identities are shared between cilium
    # nodes by setting how they are stored. The options are "crd" or "kvstore".
    # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
    #   These can be queried with:
    #     kubectl get ciliumid
    # - "kvstore" stores identities in a kvstore, etcd or consul, that is
    #   configured below. Cilium versions before 1.6 supported only the kvstore
    #   backend. Upgrades from these older cilium versions should continue using
    #   the kvstore by commenting out the identity-allocation-mode below, or
    #   setting it to "kvstore".
    identity-allocation-mode    = "crd"
    cilium-endpoint-gc-interval = "5m0s"
    nodes-gc-interval           = "5m0s"
    # If you want to run cilium in debug mode change this value to true
    debug = "false"
    # The agent can be put into the following three policy enforcement modes
    # default, always and never.
    # https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes
    enable-policy = "default"
    # Prometheus
    enable-metrics                 = "true"
    prometheus-serve-addr          = ":9962"
    operator-prometheus-serve-addr = ":9963"
    proxy-prometheus-port          = "9964" # envoy
    # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
    # address.
    enable-ipv4 = "true"
    # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
    # address.
    enable-ipv6 = "false"
    # Enable probing for a more efficient clock source for the BPF datapath
    enable-bpf-clock-probe = "true"
    # Enable use of transparent proxying mechanisms (Linux 5.7+)
    enable-bpf-tproxy = "false"
    # If you want cilium monitor to aggregate tracing for packets, set this level
    # to "low", "medium", or "maximum". The higher the level, the less packets
    # that will be seen in monitor output.
    monitor-aggregation = "medium"
    # The monitor aggregation interval governs the typical time between monitor
    # notification events for each allowed connection.
    #
    # Only effective when monitor aggregation is set to "medium" or higher.
    monitor-aggregation-interval = "5s"
    # The monitor aggregation flags determine which TCP flags which, upon the
    # first observation, cause monitor notifications to be generated.
    #
    # Only effective when monitor aggregation is set to "medium" or higher.
    monitor-aggregation-flags = "all"
    # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
    # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
    bpf-map-dynamic-size-ratio = "0.0025"
    # bpf-policy-map-max specified the maximum number of entries in endpoint
    # policy map (per endpoint)
    bpf-policy-map-max = "16384"
    # bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
    # backend and affinity maps.
    bpf-lb-map-max = "65536"
    # Pre-allocation of map entries allows per-packet latency to be reduced, at
    # the expense of up-front memory allocation for the entries in the maps. The
    # default value below will minimize memory usage in the default installation;
    # users who are sensitive to latency may consider setting this to "true".
    #
    # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
    # this option and behave as though it is set to "true".
    #
    # If this value is modified, then during the next Cilium startup the restore
    # of existing endpoints and tracking of ongoing connections may be disrupted.
    # As a result, reply packets may be dropped and the load-balancing decisions
    # for established connections may change.
    #
    # If this option is set to "false" during an upgrade from 1.3 or earlier to
    # 1.4 or later, then it may cause one-time disruptions during the upgrade.
    preallocate-bpf-maps = "false"
    # Name of the cluster. Only relevant when building a mesh of clusters.
    cluster-name = "default"
    # Unique ID of the cluster. Must be unique across all conneted clusters and
    # in the range of 1 and 255. Only relevant when building a mesh of clusters.
    cluster-id = "0"
    # Encapsulation mode for communication between nodes
    # Possible values:
    #   - disabled
    #   - vxlan (default)
    #   - geneve
    routing-mode = "tunnel"
    tunnel       = "vxlan"
    # Enables L7 proxy for L7 policy enforcement and visibility
    enable-l7-proxy = "true"
    auto-direct-node-routes = "false"
    # enableXTSocketFallback enables the fallback compatibility solution
    # when the xt_socket kernel module is missing and it is needed for
    # the datapath L7 redirection to work properly.  See documentation
    # for details on when this can be disabled:
    # http://docs.cilium.io/en/latest/install/system_requirements/#admin-kernel-version.
    enable-xt-socket-fallback = "true"
    # installIptablesRules enables installation of iptables rules to allow for
    # TPROXY (L7 proxy injection), itpables based masquerading and compatibility
    # with kube-proxy. See documentation for details on when this can be
    # disabled.
    install-iptables-rules = "true"
    # masquerade traffic leaving the node destined for outside
    enable-ipv4-masquerade = "true"
    enable-ipv6-masquerade = "false"
    # bpfMasquerade enables masquerading with BPF instead of iptables
    enable-bpf-masquerade = "true"
    # kube-proxy
    kube-proxy-replacement                      = "false"
    kube-proxy-replacement-healthz-bind-address = ""
    enable-session-affinity                     = "true"
    # ClusterIPs from host namespace
    bpf-lb-sock = "true"
    # ClusterIPs from external nodes
    bpf-lb-external-clusterip = "true"
    # NodePort
    enable-node-port             = "true"
    enable-health-check-nodeport = "false"
    # ExternalIPs
    enable-external-ips = "true"
    # HostPort
    enable-host-port = "true"
    # IPAM
    ipam                        = "cluster-pool"
    disable-cnp-status-updates  = "true"
    cluster-pool-ipv4-cidr      = "${var.pod_cidr}"
    cluster-pool-ipv4-mask-size = "24"
    # Health
    agent-health-port               = "9876"
    enable-health-checking          = "true"
    enable-endpoint-health-checking = "true"
    # Identity
    enable-well-known-identities = "false"
    enable-remote-node-identity  = "true"
    # Hubble server
    enable-hubble                  = var.enable_hubble
    hubble-disable-tls             = "false"
    hubble-listen-address          = ":4244"
    hubble-socket-path             = "/var/run/cilium/hubble.sock"
    hubble-tls-client-ca-files     = "/var/lib/cilium/tls/hubble/client-ca.crt"
    hubble-tls-cert-file           = "/var/lib/cilium/tls/hubble/server.crt"
    hubble-tls-key-file            = "/var/lib/cilium/tls/hubble/server.key"
    hubble-export-file-max-backups = "5"
    hubble-export-file-max-size-mb = "10"
    # Hubble metrics
    hubble-metrics-server      = ":9965"
    hubble-metrics             = "dns drop tcp flow port-distribution icmp httpV2"
    enable-hubble-open-metrics = "false"
    # Misc
    enable-bandwidth-manager        = "false"
    enable-local-redirect-policy    = "false"
    policy-audit-mode               = "false"
    operator-api-serve-addr         = "127.0.0.1:9234"
    enable-l2-neigh-discovery       = "true"
    enable-k8s-terminating-endpoint = "true"
    enable-k8s-networkpolicy        = "true"
    external-envoy-proxy            = "false"
    write-cni-conf-when-ready       = "/host/etc/cni/net.d/05-cilium.conflist"
    cni-exclusive                   = "true"
    cni-log-file                    = "/var/run/cilium/cilium-cni.log"
  }
 }
--- a/addons/cilium/daemonset.tf
+++ b/addons/cilium/daemonset.tf
@ -1,379 +0,0 @@
 resource "kubernetes_daemonset" "cilium" {
  wait_for_rollout = false
  metadata {
    name      = "cilium"
    namespace = "kube-system"
    labels = {
      k8s-app = "cilium"
    }
  }
  spec {
    strategy {
      type = "RollingUpdate"
      rolling_update {
        max_unavailable = "1"
      }
    }
    selector {
      match_labels = {
        k8s-app = "cilium-agent"
      }
    }
    template {
      metadata {
        labels = {
          k8s-app = "cilium-agent"
        }
        annotations = {
          "prometheus.io/port"   = "9962"
          "prometheus.io/scrape" = "true"
        }
      }
      spec {
        host_network         = true
        priority_class_name  = "system-node-critical"
        service_account_name = "cilium-agent"
        security_context {
          seccomp_profile {
            type = "RuntimeDefault"
          }
        }
        toleration {
          key      = "node-role.kubernetes.io/controller"
          operator = "Exists"
        }
        toleration {
          key      = "node.kubernetes.io/not-ready"
          operator = "Exists"
        }
        dynamic "toleration" {
          for_each = var.daemonset_tolerations
          content {
            key      = toleration.value
            operator = "Exists"
          }
        }
        automount_service_account_token = true
        enable_service_links            = false
        # Cilium v1.13.1 starts installing CNI plugins in yet another init container
        # https://github.com/cilium/cilium/pull/24075
        init_container {
          name    = "install-cni"
          image   = "quay.io/cilium/cilium:v1.15.6"
          command = ["/install-plugin.sh"]
          security_context {
            allow_privilege_escalation = true
            privileged                 = true
            capabilities {
              drop = ["ALL"]
            }
          }
          volume_mount {
            name       = "cni-bin-dir"
            mount_path = "/host/opt/cni/bin"
          }
        }
        # Required to mount cgroup2 filesystem on the underlying Kubernetes node.
        # We use nsenter command with host's cgroup and mount namespaces enabled.
        init_container {
          name  = "mount-cgroup"
          image = "quay.io/cilium/cilium:v1.15.6"
          command = [
            "sh",
            "-ec",
            # The statically linked Go program binary is invoked to avoid any
            # dependency on utilities like sh and mount that can be missing on certain
            # distros installed on the underlying host. Copy the binary to the
            # same directory where we install cilium cni plugin so that exec permissions
            # are available.
            "cp /usr/bin/cilium-mount /hostbin/cilium-mount && nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt \"$${BIN_PATH}/cilium-mount\" $CGROUP_ROOT; rm /hostbin/cilium-mount"
          ]
          env {
            name  = "CGROUP_ROOT"
            value = "/run/cilium/cgroupv2"
          }
          env {
            name  = "BIN_PATH"
            value = "/opt/cni/bin"
          }
          security_context {
            allow_privilege_escalation = true
            privileged                 = true
          }
          volume_mount {
            name       = "hostproc"
            mount_path = "/hostproc"
          }
          volume_mount {
            name       = "cni-bin-dir"
            mount_path = "/hostbin"
          }
        }
        init_container {
          name    = "clean-cilium-state"
          image   = "quay.io/cilium/cilium:v1.15.6"
          command = ["/init-container.sh"]
          security_context {
            allow_privilege_escalation = true
            privileged                 = true
          }
          volume_mount {
            name       = "sys-fs-bpf"
            mount_path = "/sys/fs/bpf"
          }
          volume_mount {
            name       = "var-run-cilium"
            mount_path = "/var/run/cilium"
          }
          # Required to mount cgroup filesystem from the host to cilium agent pod
          volume_mount {
            name              = "cilium-cgroup"
            mount_path        = "/run/cilium/cgroupv2"
            mount_propagation = "HostToContainer"
          }
        }
        container {
          name    = "cilium-agent"
          image   = "quay.io/cilium/cilium:v1.15.6"
          command = ["cilium-agent"]
          args = [
            "--config-dir=/tmp/cilium/config-map"
          ]
          env {
            name = "K8S_NODE_NAME"
            value_from {
              field_ref {
                api_version = "v1"
                field_path  = "spec.nodeName"
              }
            }
          }
          env {
            name = "CILIUM_K8S_NAMESPACE"
            value_from {
              field_ref {
                api_version = "v1"
                field_path  = "metadata.namespace"
              }
            }
          }
          env {
            name = "KUBERNETES_SERVICE_HOST"
            value_from {
              config_map_key_ref {
                name = "in-cluster"
                key  = "apiserver-host"
              }
            }
          }
          env {
            name = "KUBERNETES_SERVICE_PORT"
            value_from {
              config_map_key_ref {
                name = "in-cluster"
                key  = "apiserver-port"
              }
            }
          }
          port {
            name           = "peer-service"
            protocol       = "TCP"
            container_port = 4244
          }
          # Metrics
          port {
            name           = "metrics"
            protocol       = "TCP"
            container_port = 9962
          }
          port {
            name           = "envoy-metrics"
            protocol       = "TCP"
            container_port = 9964
          }
          port {
            name           = "hubble-metrics"
            protocol       = "TCP"
            container_port = 9965
          }
          # Not yet used, prefer exec's
          port {
            name           = "health"
            protocol       = "TCP"
            container_port = 9876
          }
          lifecycle {
            pre_stop {
              exec {
                command = ["/cni-uninstall.sh"]
              }
            }
          }
          security_context {
            allow_privilege_escalation = true
            privileged                 = true
          }
          liveness_probe {
            exec {
              command = ["cilium", "status", "--brief"]
            }
            initial_delay_seconds = 120
            timeout_seconds       = 5
            period_seconds        = 30
            success_threshold     = 1
            failure_threshold     = 10
          }
          readiness_probe {
            exec {
              command = ["cilium", "status", "--brief"]
            }
            initial_delay_seconds = 5
            timeout_seconds       = 5
            period_seconds        = 20
            success_threshold     = 1
            failure_threshold     = 3
          }
          # Load kernel modules
          volume_mount {
            name       = "lib-modules"
            read_only  = true
            mount_path = "/lib/modules"
          }
          # Access iptables concurrently
          volume_mount {
            name       = "xtables-lock"
            mount_path = "/run/xtables.lock"
          }
          # Keep state between restarts
          volume_mount {
            name       = "var-run-cilium"
            mount_path = "/var/run/cilium"
          }
          volume_mount {
            name              = "sys-fs-bpf"
            mount_path        = "/sys/fs/bpf"
            mount_propagation = "Bidirectional"
          }
          # Configuration
          volume_mount {
            name       = "config"
            read_only  = true
            mount_path = "/tmp/cilium/config-map"
          }
          # Install config on host
          volume_mount {
            name       = "cni-conf-dir"
            mount_path = "/host/etc/cni/net.d"
          }
          # Hubble
          volume_mount {
            name       = "hubble-tls"
            mount_path = "/var/lib/cilium/tls/hubble"
            read_only  = true
          }
        }
        termination_grace_period_seconds = 1
        # Load kernel modules
        volume {
          name = "lib-modules"
          host_path {
            path = "/lib/modules"
          }
        }
        # Access iptables concurrently with other processes (e.g. kube-proxy)
        volume {
          name = "xtables-lock"
          host_path {
            path = "/run/xtables.lock"
            type = "FileOrCreate"
          }
        }
        # Keep state between restarts
        volume {
          name = "var-run-cilium"
          host_path {
            path = "/var/run/cilium"
            type = "DirectoryOrCreate"
          }
        }
        # Keep state for bpf maps between restarts
        volume {
          name = "sys-fs-bpf"
          host_path {
            path = "/sys/fs/bpf"
            type = "DirectoryOrCreate"
          }
        }
        # Mount host cgroup2 filesystem
        volume {
          name = "hostproc"
          host_path {
            path = "/proc"
            type = "Directory"
          }
        }
        volume {
          name = "cilium-cgroup"
          host_path {
            path = "/run/cilium/cgroupv2"
            type = "DirectoryOrCreate"
          }
        }
        # Read configuration
        volume {
          name = "config"
          config_map {
            name = "cilium"
          }
        }
        # Install CNI plugin and config on host
        volume {
          name = "cni-bin-dir"
          host_path {
            path = "/opt/cni/bin"
            type = "DirectoryOrCreate"
          }
        }
        volume {
          name = "cni-conf-dir"
          host_path {
            path = "/etc/cni/net.d"
            type = "DirectoryOrCreate"
          }
        }
        # Hubble TLS (optional)
        volume {
          name = "hubble-tls"
          projected {
            default_mode = "0400"
            sources {
              secret {
                name     = "hubble-server-certs"
                optional = true
                items {
                  key  = "ca.crt"
                  path = "client-ca.crt"
                }
                items {
                  key  = "tls.crt"
                  path = "server.crt"
                }
                items {
                  key  = "tls.key"
                  path = "server.key"
                }
              }
            }
          }
        }
      }
    }
  }
 }
--- a/addons/cilium/deployment.tf
+++ b/addons/cilium/deployment.tf
@ -1,163 +0,0 @@
 resource "kubernetes_deployment" "operator" {
  wait_for_rollout = false
  metadata {
    name      = "cilium-operator"
    namespace = "kube-system"
  }
  spec {
    replicas = 1
    strategy {
      type = "RollingUpdate"
      rolling_update {
        max_unavailable = "1"
      }
    }
    selector {
      match_labels = {
        name = "cilium-operator"
      }
    }
    template {
      metadata {
        labels = {
          name = "cilium-operator"
        }
        annotations = {
          "prometheus.io/scrape" = "true"
          "prometheus.io/port"   = "9963"
        }
      }
      spec {
        host_network         = true
        priority_class_name  = "system-cluster-critical"
        service_account_name = "cilium-operator"
        security_context {
          seccomp_profile {
            type = "RuntimeDefault"
          }
        }
        toleration {
          key      = "node-role.kubernetes.io/controller"
          operator = "Exists"
        }
        toleration {
          key      = "node.kubernetes.io/not-ready"
          operator = "Exists"
        }
        topology_spread_constraint {
          max_skew           = 1
          topology_key       = "kubernetes.io/hostname"
          when_unsatisfiable = "DoNotSchedule"
          label_selector {
            match_labels = {
              name = "cilium-operator"
            }
          }
        }
        automount_service_account_token = true
        enable_service_links            = false
        container {
          name    = "cilium-operator"
          image   = "quay.io/cilium/operator-generic:v1.15.6"
          command = ["cilium-operator-generic"]
          args = [
            "--config-dir=/tmp/cilium/config-map",
            "--debug=$(CILIUM_DEBUG)"
          ]
          env {
            name = "K8S_NODE_NAME"
            value_from {
              field_ref {
                api_version = "v1"
                field_path  = "spec.nodeName"
              }
            }
          }
          env {
            name = "CILIUM_K8S_NAMESPACE"
            value_from {
              field_ref {
                api_version = "v1"
                field_path  = "metadata.namespace"
              }
            }
          }
          env {
            name = "KUBERNETES_SERVICE_HOST"
            value_from {
              config_map_key_ref {
                name = "in-cluster"
                key  = "apiserver-host"
              }
            }
          }
          env {
            name = "KUBERNETES_SERVICE_PORT"
            value_from {
              config_map_key_ref {
                name = "in-cluster"
                key  = "apiserver-port"
              }
            }
          }
          env {
            name = "CILIUM_DEBUG"
            value_from {
              config_map_key_ref {
                name     = "cilium"
                key      = "debug"
                optional = true
              }
            }
          }
          port {
            name           = "metrics"
            protocol       = "TCP"
            host_port      = 9963
            container_port = 9963
          }
          port {
            name           = "health"
            container_port = 9234
            protocol       = "TCP"
          }
          liveness_probe {
            http_get {
              scheme = "HTTP"
              host   = "127.0.0.1"
              port   = "9234"
              path   = "/healthz"
            }
            initial_delay_seconds = 60
            timeout_seconds       = 3
            period_seconds        = 10
          }
          readiness_probe {
            http_get {
              scheme = "HTTP"
              host   = "127.0.0.1"
              port   = "9234"
              path   = "/healthz"
            }
            timeout_seconds   = 3
            period_seconds    = 15
            failure_threshold = 5
          }
          volume_mount {
            name       = "config"
            read_only  = true
            mount_path = "/tmp/cilium/config-map"
          }
        }
        volume {
          name = "config"
          config_map {
            name = "cilium"
          }
        }
      }
    }
  }
 }
--- a/addons/cilium/service-account.tf
+++ b/addons/cilium/service-account.tf
@ -1,15 +0,0 @@
 resource "kubernetes_service_account" "operator" {
  metadata {
    name      = "cilium-operator"
    namespace = "kube-system"
  }
  automount_service_account_token = false
 }
 resource "kubernetes_service_account" "agent" {
  metadata {
    name      = "cilium-agent"
    namespace = "kube-system"
  }
  automount_service_account_token = false
 }
--- a/addons/cilium/variables.tf
+++ b/addons/cilium/variables.tf
@ -1,17 +0,0 @@
 variable "pod_cidr" {
  type        = string
  description = "CIDR IP range to assign Kubernetes pods"
  default     = "10.2.0.0/16"
 }
 variable "daemonset_tolerations" {
  type        = list(string)
  description = "List of additional taint keys kube-system DaemonSets should tolerate (e.g. ['custom-role', 'gpu-role'])"
  default     = []
 }
 variable "enable_hubble" {
  type        = bool
  description = "Run the embedded Hubble Server and mount hubble-server-certs Secret"
  default     = true
 }
--- a/addons/cilium/versions.tf
+++ b/addons/cilium/versions.tf
@ -1,8 +0,0 @@
 terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.8"
    }
  }
 }
--- a/addons/coredns/cluster-role.tf
+++ b/addons/coredns/cluster-role.tf
@ -1,37 +0,0 @@
 resource "kubernetes_cluster_role" "coredns" {
  metadata {
    name = "system:coredns"
  }
  rule {
    api_groups = [""]
    resources = [
      "endpoints",
      "services",
      "pods",
      "namespaces",
    ]
    verbs = [
      "list",
      "watch",
    ]
  }
  rule {
    api_groups = [""]
    resources = [
      "nodes",
    ]
    verbs = [
      "get",
    ]
  }
  rule {
    api_groups = ["discovery.k8s.io"]
    resources = [
      "endpointslices",
    ]
    verbs = [
      "list",
      "watch",
    ]
  }
 }
--- a/addons/coredns/config.tf
+++ b/addons/coredns/config.tf
@ -1,30 +0,0 @@
 resource "kubernetes_config_map" "coredns" {
  metadata {
    name      = "coredns"
    namespace = "kube-system"
  }
  data = {
    "Corefile" = <<-EOF
      .:53 {
          errors
          health {
            lameduck 5s
          }
          ready
          log . {
              class error
          }
          kubernetes ${var.cluster_domain_suffix} in-addr.arpa ip6.arpa {
              pods insecure
              fallthrough in-addr.arpa ip6.arpa
          }
          prometheus :9153
          forward . /etc/resolv.conf
          cache 30
          loop
          reload
          loadbalance
      }
  EOF
  }
 }
--- a/addons/coredns/deployment.tf
+++ b/addons/coredns/deployment.tf
@ -1,151 +0,0 @@
 resource "kubernetes_deployment" "coredns" {
  wait_for_rollout = false
  metadata {
    name      = "coredns"
    namespace = "kube-system"
    labels = {
      k8s-app              = "coredns"
      "kubernetes.io/name" = "CoreDNS"
    }
  }
  spec {
    replicas = var.replicas
    strategy {
      type = "RollingUpdate"
      rolling_update {
        max_unavailable = "1"
      }
    }
    selector {
      match_labels = {
        k8s-app = "coredns"
        tier    = "control-plane"
      }
    }
    template {
      metadata {
        labels = {
          k8s-app = "coredns"
          tier    = "control-plane"
        }
      }
      spec {
        affinity {
          node_affinity {
            preferred_during_scheduling_ignored_during_execution {
              weight = 100
              preference {
                match_expressions {
                  key      = "node.kubernetes.io/controller"
                  operator = "Exists"
                }
              }
            }
          }
          pod_anti_affinity {
            preferred_during_scheduling_ignored_during_execution {
              weight = 100
              pod_affinity_term {
                label_selector {
                  match_expressions {
                    key      = "tier"
                    operator = "In"
                    values   = ["control-plane"]
                  }
                  match_expressions {
                    key      = "k8s-app"
                    operator = "In"
                    values   = ["coredns"]
                  }
                }
                topology_key = "kubernetes.io/hostname"
              }
            }
          }
        }
        dns_policy          = "Default"
        priority_class_name = "system-cluster-critical"
        security_context {
          seccomp_profile {
            type = "RuntimeDefault"
          }
        }
        service_account_name = "coredns"
        toleration {
          key    = "node-role.kubernetes.io/controller"
          effect = "NoSchedule"
        }
        container {
          name  = "coredns"
          image = "registry.k8s.io/coredns/coredns:v1.11.1"
          args  = ["-conf", "/etc/coredns/Corefile"]
          port {
            name           = "dns"
            container_port = 53
            protocol       = "UDP"
          }
          port {
            name           = "dns-tcp"
            container_port = 53
            protocol       = "TCP"
          }
          port {
            name           = "metrics"
            container_port = 9153
            protocol       = "TCP"
          }
          resources {
            requests = {
              cpu    = "100m"
              memory = "70Mi"
            }
            limits = {
              memory = "170Mi"
            }
          }
          security_context {
            capabilities {
              add  = ["NET_BIND_SERVICE"]
              drop = ["all"]
            }
            read_only_root_filesystem = true
          }
          liveness_probe {
            http_get {
              path   = "/health"
              port   = "8080"
              scheme = "HTTP"
            }
            initial_delay_seconds = 60
            timeout_seconds       = 5
            success_threshold     = 1
            failure_threshold     = 5
          }
          readiness_probe {
            http_get {
              path   = "/ready"
              port   = "8181"
              scheme = "HTTP"
            }
          }
          volume_mount {
            name       = "config"
            mount_path = "/etc/coredns"
            read_only  = true
          }
        }
        volume {
          name = "config"
          config_map {
            name = "coredns"
            items {
              key  = "Corefile"
              path = "Corefile"
            }
          }
        }
      }
    }
  }
 }
--- a/addons/coredns/service-account.tf
+++ b/addons/coredns/service-account.tf
@ -1,24 +0,0 @@
 resource "kubernetes_service_account" "coredns" {
  metadata {
    name      = "coredns"
    namespace = "kube-system"
  }
  automount_service_account_token = false
 }
 resource "kubernetes_cluster_role_binding" "coredns" {
  metadata {
    name = "system:coredns"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "system:coredns"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "coredns"
    namespace = "kube-system"
  }
 }
--- a/addons/coredns/service.tf
+++ b/addons/coredns/service.tf
@ -1,31 +0,0 @@
 resource "kubernetes_service" "coredns" {
  metadata {
    name      = "coredns"
    namespace = "kube-system"
    labels = {
      "k8s-app"            = "coredns"
      "kubernetes.io/name" = "CoreDNS"
    }
    annotations = {
      "prometheus.io/scrape" = "true"
      "prometheus.io/port"   = "9153"
    }
  }
  spec {
    type       = "ClusterIP"
    cluster_ip = var.cluster_dns_service_ip
    selector = {
      k8s-app = "coredns"
    }
    port {
      name     = "dns"
      protocol = "UDP"
      port     = 53
    }
    port {
      name     = "dns-tcp"
      protocol = "TCP"
      port     = 53
    }
  }
 }
--- a/addons/coredns/variables.tf
+++ b/addons/coredns/variables.tf
@ -1,15 +0,0 @@
 variable "replicas" {
  type        = number
  description = "CoreDNS replica count"
  default     = 2
 }
 variable "cluster_dns_service_ip" {
  description = "Must be set to `cluster_dns_service_ip` output by cluster"
  default     = "10.3.0.10"
 }
 variable "cluster_domain_suffix" {
  description = "Must be set to `cluster_domain_suffix` output by cluster"
  default     = "cluster.local"
 }
--- a/addons/coredns/versions.tf
+++ b/addons/coredns/versions.tf
@ -1,9 +0,0 @@
 terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.8"
    }
  }
 }
--- a/addons/flannel/cluster-role-binding.tf
+++ b/addons/flannel/cluster-role-binding.tf
@ -1,18 +0,0 @@
 resource "kubernetes_cluster_role_binding" "flannel" {
  metadata {
    name = "flannel"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "flannel"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "flannel"
    namespace = "kube-system"
  }
 }
--- a/addons/flannel/cluster-role.tf
+++ b/addons/flannel/cluster-role.tf
@ -1,24 +0,0 @@
 resource "kubernetes_cluster_role" "flannel" {
  metadata {
    name = "flannel"
  }
  rule {
    api_groups = [""]
    resources  = ["pods"]
    verbs      = ["get"]
  }
  rule {
    api_groups = [""]
    resources  = ["nodes"]
    verbs      = ["list", "watch"]
  }
  rule {
    api_groups = [""]
    resources  = ["nodes/status"]
    verbs      = ["patch"]
  }
 }
--- a/addons/flannel/config.tf
+++ b/addons/flannel/config.tf
@ -1,44 +0,0 @@
 resource "kubernetes_config_map" "config" {
  metadata {
    name      = "flannel-config"
    namespace = "kube-system"
    labels = {
      k8s-app = "flannel"
      tier    = "node"
    }
  }
  data = {
    "cni-conf.json" = <<-EOF
      {
        "name": "cbr0",
        "cniVersion": "0.3.1",
        "plugins": [
          {
            "type": "flannel",
            "delegate": {
              "hairpinMode": true,
              "isDefaultGateway": true
            }
          },
          {
            "type": "portmap",
            "capabilities": {
              "portMappings": true
            }
          }
        ]
      }
    EOF
    "net-conf.json" = <<-EOF
      {
        "Network": "${var.pod_cidr}",
        "Backend": {
          "Type": "vxlan",
          "Port": 4789
        }
      }
    EOF
  }
 }
--- a/addons/flannel/daemonset.tf
+++ b/addons/flannel/daemonset.tf
@ -1,167 +0,0 @@
 resource "kubernetes_daemonset" "flannel" {
  metadata {
    name      = "flannel"
    namespace = "kube-system"
    labels = {
      k8s-app = "flannel"
    }
  }
  spec {
    strategy {
      type = "RollingUpdate"
      rolling_update {
        max_unavailable = "1"
      }
    }
    selector {
      match_labels = {
        k8s-app = "flannel"
      }
    }
    template {
      metadata {
        labels = {
          k8s-app = "flannel"
        }
      }
      spec {
        host_network         = true
        priority_class_name  = "system-node-critical"
        service_account_name = "flannel"
        security_context {
          seccomp_profile {
            type = "RuntimeDefault"
          }
        }
        toleration {
          key      = "node-role.kubernetes.io/controller"
          operator = "Exists"
        }
        toleration {
          key      = "node.kubernetes.io/not-ready"
          operator = "Exists"
        }
        dynamic "toleration" {
          for_each = var.daemonset_tolerations
          content {
            key      = toleration.value
            operator = "Exists"
          }
        }
        init_container {
          name    = "install-cni"
          image   = "quay.io/poseidon/flannel-cni:v0.4.2"
          command = ["/install-cni.sh"]
          env {
            name = "CNI_NETWORK_CONFIG"
            value_from {
              config_map_key_ref {
                name = "flannel-config"
                key  = "cni-conf.json"
              }
            }
          }
          volume_mount {
            name       = "cni-bin-dir"
            mount_path = "/host/opt/cni/bin/"
          }
          volume_mount {
            name       = "cni-conf-dir"
            mount_path = "/host/etc/cni/net.d"
          }
        }
        container {
          name  = "flannel"
          image = "docker.io/flannel/flannel:v0.25.4"
          command = [
            "/opt/bin/flanneld",
            "--ip-masq",
            "--kube-subnet-mgr",
            "--iface=$(POD_IP)"
          ]
          env {
            name = "POD_NAME"
            value_from {
              field_ref {
                field_path = "metadata.name"
              }
            }
          }
          env {
            name = "POD_NAMESPACE"
            value_from {
              field_ref {
                field_path = "metadata.namespace"
              }
            }
          }
          env {
            name = "POD_IP"
            value_from {
              field_ref {
                field_path = "status.podIP"
              }
            }
          }
          security_context {
            privileged = true
          }
          resources {
            requests = {
              cpu = "100m"
            }
          }
          volume_mount {
            name       = "flannel-config"
            mount_path = "/etc/kube-flannel/"
          }
          volume_mount {
            name       = "run-flannel"
            mount_path = "/run/flannel"
          }
          volume_mount {
            name       = "xtables-lock"
            mount_path = "/run/xtables.lock"
          }
        }
        volume {
          name = "flannel-config"
          config_map {
            name = "flannel-config"
          }
        }
        volume {
          name = "run-flannel"
          host_path {
            path = "/run/flannel"
          }
        }
        # Used by install-cni
        volume {
          name = "cni-bin-dir"
          host_path {
            path = "/opt/cni/bin"
          }
        }
        volume {
          name = "cni-conf-dir"
          host_path {
            path = "/etc/cni/net.d"
            type = "DirectoryOrCreate"
          }
        }
        # Acces iptables concurrently
        volume {
          name = "xtables-lock"
          host_path {
            path = "/run/xtables.lock"
            type = "FileOrCreate"
          }
        }
      }
    }
  }
 }
--- a/addons/flannel/service-account.tf
+++ b/addons/flannel/service-account.tf
@ -1,7 +0,0 @@
 resource "kubernetes_service_account" "flannel" {
  metadata {
    name      = "flannel"
    namespace = "kube-system"
  }
 }
--- a/addons/flannel/variables.tf
+++ b/addons/flannel/variables.tf
@ -1,11 +0,0 @@
 variable "pod_cidr" {
  type        = string
  description = "CIDR IP range to assign Kubernetes pods"
  default     = "10.2.0.0/16"
 }
 variable "daemonset_tolerations" {
  type        = list(string)
  description = "List of additional taint keys kube-system DaemonSets should tolerate (e.g. ['custom-role', 'gpu-role'])"
  default     = []
 }
--- a/addons/flannel/versions.tf
+++ b/addons/flannel/versions.tf
@ -1,8 +0,0 @@
 terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.8"
    }
  }
 }
--- a/addons/nginx-ingress/google-cloud/rbac/cluster-role.yaml
+++ b/addons/nginx-ingress/google-cloud/rbac/cluster-role.yaml
@ -59,11 +59,4 @@ rules:
      - get
      - list
      - watch
-  - apiGroups: 
+
      - discovery.k8s.io
    resources:
      - "endpointslices"
    verbs: 
      - get
      - list
      - watch
--- a/aws/fedora-coreos/kubernetes/README.md
+++ b/aws/fedora-coreos/kubernetes/README.md
@ -11,7 +11,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.30.2 (upstream)
+* Kubernetes v1.26.2 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [spot](https://typhoon.psdn.io/fedora-coreos/aws/#spot) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) customization
--- a/aws/fedora-coreos/kubernetes/bootstrap.tf
+++ b/aws/fedora-coreos/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=886f501bf7b624fc12acac83449b81d0dc8b8849"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=607a05692bb213cb2e50e15d854f68b1e11c0492"
  cluster_name          = var.cluster_name
  api_servers           = [format("%s.%s", var.cluster_name, var.dns_zone)]
@ -13,6 +13,5 @@ module "bootstrap" {
  enable_reporting      = var.enable_reporting
  enable_aggregation    = var.enable_aggregation
  daemonset_tolerations = var.daemonset_tolerations
  components            = var.components
 }
--- a/aws/fedora-coreos/kubernetes/butane/controller.yaml
+++ b/aws/fedora-coreos/kubernetes/butane/controller.yaml
@ -1,6 +1,6 @@
 ---
 variant: fcos
-version: 1.5.0
+version: 1.4.0
 systemd:
  units:
    - name: etcd-member.service
@ -12,7 +12,7 @@ systemd:
        Wants=network-online.target
        After=network-online.target
        [Service]
-        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.7
        Type=exec
        ExecStartPre=/bin/mkdir -p /var/lib/etcd
        ExecStartPre=-/usr/bin/podman rm etcd
@ -57,7 +57,7 @@ systemd:
        After=afterburn.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        EnvironmentFile=/run/metadata/afterburn
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -116,7 +116,7 @@ systemd:
            --volume /opt/bootstrap/assets:/assets:ro,Z \
            --volume /opt/bootstrap/apply:/apply:ro,Z \
            --entrypoint=/apply \
-            quay.io/poseidon/kubelet:v1.30.2
+            quay.io/poseidon/kubelet:v1.26.2
        ExecStartPost=/bin/touch /opt/bootstrap/bootstrap.done
        ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
@ -163,7 +163,7 @@ storage:
      contents:
        inline: |
          #!/bin/bash -e
-          mkdir -p -- auth tls/{etcd,k8s} static-manifests manifests/{coredns,kube-proxy,network}
+          mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
          awk '/#####/ {filename=$2; next} {print > filename}' assets
          mkdir -p /etc/ssl/etcd/etcd
          mkdir -p /etc/kubernetes/pki
@ -177,7 +177,8 @@ storage:
          mv static-manifests/* /etc/kubernetes/manifests/
          mkdir -p /opt/bootstrap/assets
          mv manifests /opt/bootstrap/assets/manifests
-          rm -rf assets auth static-manifests tls manifests
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
          chcon -R -u system_u -t container_file_t /etc/kubernetes/pki
    - path: /opt/bootstrap/apply
      mode: 0544
--- a/aws/fedora-coreos/kubernetes/security.tf
+++ b/aws/fedora-coreos/kubernetes/security.tf
@ -92,30 +92,6 @@ resource "aws_security_group_rule" "controller-cilium-health-self" {
  self      = true
 }
 resource "aws_security_group_rule" "controller-cilium-metrics" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 9962
  to_port                  = 9965
  source_security_group_id = aws_security_group.worker.id
 }
 resource "aws_security_group_rule" "controller-cilium-metrics-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type      = "ingress"
  protocol  = "tcp"
  from_port = 9962
  to_port   = 9965
  self      = true
 }
 # IANA VXLAN default
 resource "aws_security_group_rule" "controller-vxlan" {
  count = var.networking == "flannel" ? 1 : 0
@ -403,30 +379,6 @@ resource "aws_security_group_rule" "worker-cilium-health-self" {
  self      = true
 }
 resource "aws_security_group_rule" "worker-cilium-metrics" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 9962
  to_port                  = 9965
  source_security_group_id = aws_security_group.controller.id
 }
 resource "aws_security_group_rule" "worker-cilium-metrics-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type      = "ingress"
  protocol  = "tcp"
  from_port = 9962
  to_port   = 9965
  self      = true
 }
 # IANA VXLAN default
 resource "aws_security_group_rule" "worker-vxlan" {
  count = var.networking == "flannel" ? 1 : 0
--- a/aws/fedora-coreos/kubernetes/variables.tf
+++ b/aws/fedora-coreos/kubernetes/variables.tf
@ -176,19 +176,3 @@ variable "daemonset_tolerations" {
  description = "List of additional taint keys kube-system DaemonSets should tolerate (e.g. ['custom-role', 'gpu-role'])"
  default     = []
 }
 variable "components" {
  description = "Configure pre-installed cluster components"
  # Component configs are passed through to terraform-render-bootstrap,
  # which handles type enforcement and defines defaults
  # https://github.com/poseidon/terraform-render-bootstrap/blob/main/variables.tf#L95
  type = object({
    enable     = optional(bool)
    coredns    = optional(map(any))
    kube_proxy = optional(map(any))
    flannel    = optional(map(any))
    calico     = optional(map(any))
    cilium     = optional(map(any))
  })
  default = null
 }
--- a/aws/fedora-coreos/kubernetes/versions.tf
+++ b/aws/fedora-coreos/kubernetes/versions.tf
@ -3,11 +3,11 @@
 terraform {
  required_version = ">= 0.13.0, < 2.0.0"
  required_providers {
-    aws  = ">= 2.23, <= 6.0"
+    aws  = ">= 2.23, <= 5.0"
    null = ">= 2.1"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.9"
    }
  }
 }
--- a/aws/fedora-coreos/kubernetes/workers/butane/worker.yaml
+++ b/aws/fedora-coreos/kubernetes/workers/butane/worker.yaml
@ -1,6 +1,6 @@
 ---
 variant: fcos
-version: 1.5.0
+version: 1.4.0
 systemd:
  units:
    - name: containerd.service
@ -29,7 +29,7 @@ systemd:
        After=afterburn.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        EnvironmentFile=/run/metadata/afterburn
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
--- a/aws/fedora-coreos/kubernetes/workers/versions.tf
+++ b/aws/fedora-coreos/kubernetes/workers/versions.tf
@ -3,10 +3,10 @@
 terraform {
  required_version = ">= 0.13.0, < 2.0.0"
  required_providers {
-    aws = ">= 2.23, <= 6.0"
+    aws = ">= 2.23, <= 5.0"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.9"
    }
  }
 }
--- a/aws/fedora-coreos/kubernetes/workers/workers.tf
+++ b/aws/fedora-coreos/kubernetes/workers/workers.tf
@ -78,11 +78,6 @@ resource "aws_launch_template" "worker" {
  # network
  vpc_security_group_ids = var.security_groups
  # metadata
  metadata_options {
    http_tokens = "optional"
  }
  # spot
  dynamic "instance_market_options" {
    for_each = var.spot_price > 0 ? [1] : []
--- a/aws/flatcar-linux/kubernetes/README.md
+++ b/aws/flatcar-linux/kubernetes/README.md
@ -11,7 +11,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.30.2 (upstream)
+* Kubernetes v1.26.2 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [spot](https://typhoon.psdn.io/flatcar-linux/aws/#spot) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) customization
--- a/aws/flatcar-linux/kubernetes/bootstrap.tf
+++ b/aws/flatcar-linux/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=886f501bf7b624fc12acac83449b81d0dc8b8849"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=607a05692bb213cb2e50e15d854f68b1e11c0492"
  cluster_name          = var.cluster_name
  api_servers           = [format("%s.%s", var.cluster_name, var.dns_zone)]
@ -13,6 +13,5 @@ module "bootstrap" {
  enable_reporting      = var.enable_reporting
  enable_aggregation    = var.enable_aggregation
  daemonset_tolerations = var.daemonset_tolerations
  components            = var.components
 }
--- a/aws/flatcar-linux/kubernetes/butane/controller.yaml
+++ b/aws/flatcar-linux/kubernetes/butane/controller.yaml
@ -11,7 +11,7 @@ systemd:
        Requires=docker.service
        After=docker.service
        [Service]
-        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.7
        ExecStartPre=/usr/bin/docker run -d \
          --name etcd \
          --network host \
@ -58,7 +58,7 @@ systemd:
        After=coreos-metadata.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        EnvironmentFile=/run/metadata/coreos
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -109,7 +109,7 @@ systemd:
        Type=oneshot
        RemainAfterExit=true
        WorkingDirectory=/opt/bootstrap
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStart=/usr/bin/docker run \
            -v /etc/kubernetes/pki:/etc/kubernetes/pki:ro \
            -v /opt/bootstrap/assets:/assets:ro \
@ -162,7 +162,7 @@ storage:
      contents:
        inline: |
          #!/bin/bash -e
-          mkdir -p -- auth tls/{etcd,k8s} static-manifests manifests/{coredns,kube-proxy,network}
+          mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
          awk '/#####/ {filename=$2; next} {print > filename}' assets
          mkdir -p /etc/ssl/etcd/etcd
          mkdir -p /etc/kubernetes/pki
@ -177,7 +177,8 @@ storage:
          mv static-manifests/* /etc/kubernetes/manifests/
          mkdir -p /opt/bootstrap/assets
          mv manifests /opt/bootstrap/assets/manifests
-          rm -rf assets auth static-manifests tls manifests
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      mode: 0544
      contents:
--- a/aws/flatcar-linux/kubernetes/security.tf
+++ b/aws/flatcar-linux/kubernetes/security.tf
@ -92,30 +92,6 @@ resource "aws_security_group_rule" "controller-cilium-health-self" {
  self      = true
 }
 resource "aws_security_group_rule" "controller-cilium-metrics" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 9962
  to_port                  = 9965
  source_security_group_id = aws_security_group.worker.id
 }
 resource "aws_security_group_rule" "controller-cilium-metrics-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.controller.id
  type      = "ingress"
  protocol  = "tcp"
  from_port = 9962
  to_port   = 9965
  self      = true
 }
 # IANA VXLAN default
 resource "aws_security_group_rule" "controller-vxlan" {
  count = var.networking == "flannel" ? 1 : 0
@ -403,30 +379,6 @@ resource "aws_security_group_rule" "worker-cilium-health-self" {
  self      = true
 }
 resource "aws_security_group_rule" "worker-cilium-metrics" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 9962
  to_port                  = 9965
  source_security_group_id = aws_security_group.controller.id
 }
 resource "aws_security_group_rule" "worker-cilium-metrics-self" {
  count = var.networking == "cilium" ? 1 : 0
  security_group_id = aws_security_group.worker.id
  type      = "ingress"
  protocol  = "tcp"
  from_port = 9962
  to_port   = 9965
  self      = true
 }
 # IANA VXLAN default
 resource "aws_security_group_rule" "worker-vxlan" {
  count = var.networking == "flannel" ? 1 : 0
--- a/aws/flatcar-linux/kubernetes/variables.tf
+++ b/aws/flatcar-linux/kubernetes/variables.tf
@ -176,19 +176,3 @@ variable "daemonset_tolerations" {
  description = "List of additional taint keys kube-system DaemonSets should tolerate (e.g. ['custom-role', 'gpu-role'])"
  default     = []
 }
 variable "components" {
  description = "Configure pre-installed cluster components"
  # Component configs are passed through to terraform-render-bootstrap,
  # which handles type enforcement and defines defaults
  # https://github.com/poseidon/terraform-render-bootstrap/blob/main/variables.tf#L95
  type = object({
    enable     = optional(bool)
    coredns    = optional(map(any))
    kube_proxy = optional(map(any))
    flannel    = optional(map(any))
    calico     = optional(map(any))
    cilium     = optional(map(any))
  })
  default = null
 }
--- a/aws/flatcar-linux/kubernetes/versions.tf
+++ b/aws/flatcar-linux/kubernetes/versions.tf
@ -3,11 +3,11 @@
 terraform {
  required_version = ">= 0.13.0, < 2.0.0"
  required_providers {
-    aws  = ">= 2.23, <= 6.0"
+    aws  = ">= 2.23, <= 5.0"
    null = ">= 2.1"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.11"
    }
  }
 }
--- a/aws/flatcar-linux/kubernetes/workers/butane/worker.yaml
+++ b/aws/flatcar-linux/kubernetes/workers/butane/worker.yaml
@ -30,7 +30,7 @@ systemd:
        After=coreos-metadata.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        EnvironmentFile=/run/metadata/coreos
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
--- a/aws/flatcar-linux/kubernetes/workers/versions.tf
+++ b/aws/flatcar-linux/kubernetes/workers/versions.tf
@ -3,10 +3,10 @@
 terraform {
  required_version = ">= 0.13.0, < 2.0.0"
  required_providers {
-    aws = ">= 2.23, <= 6.0"
+    aws = ">= 2.23, <= 5.0"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.11"
    }
  }
 }
--- a/aws/flatcar-linux/kubernetes/workers/workers.tf
+++ b/aws/flatcar-linux/kubernetes/workers/workers.tf
@ -78,11 +78,6 @@ resource "aws_launch_template" "worker" {
  # network
  vpc_security_group_ids = var.security_groups
  # metadata
  metadata_options {
    http_tokens = "optional"
  }
  # spot
  dynamic "instance_market_options" {
    for_each = var.spot_price > 0 ? [1] : []
--- a/azure/fedora-coreos/kubernetes/README.md
+++ b/azure/fedora-coreos/kubernetes/README.md
@ -11,7 +11,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.30.2 (upstream)
+* Kubernetes v1.26.2 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [spot priority](https://typhoon.psdn.io/fedora-coreos/azure/#low-priority) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) customization
--- a/azure/fedora-coreos/kubernetes/bootstrap.tf
+++ b/azure/fedora-coreos/kubernetes/bootstrap.tf
@ -1,12 +1,13 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=886f501bf7b624fc12acac83449b81d0dc8b8849"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=607a05692bb213cb2e50e15d854f68b1e11c0492"
  cluster_name = var.cluster_name
  api_servers  = [format("%s.%s", var.cluster_name, var.dns_zone)]
  etcd_servers = formatlist("%s.%s", azurerm_dns_a_record.etcds.*.name, var.dns_zone)
  networking = var.networking
  # only effective with Calico networking
  # we should be able to use 1450 MTU, but in practice, 1410 was needed
  network_encapsulation = "vxlan"
@ -18,6 +19,5 @@ module "bootstrap" {
  enable_reporting      = var.enable_reporting
  enable_aggregation    = var.enable_aggregation
  daemonset_tolerations = var.daemonset_tolerations
  components            = var.components
 }
--- a/azure/fedora-coreos/kubernetes/butane/controller.yaml
+++ b/azure/fedora-coreos/kubernetes/butane/controller.yaml
@ -1,6 +1,6 @@
 ---
 variant: fcos
-version: 1.5.0
+version: 1.4.0
 systemd:
  units:
    - name: etcd-member.service
@ -12,7 +12,7 @@ systemd:
        Wants=network-online.target
        After=network-online.target
        [Service]
-        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.7
        Type=exec
        ExecStartPre=/bin/mkdir -p /var/lib/etcd
        ExecStartPre=-/usr/bin/podman rm etcd
@ -54,7 +54,7 @@ systemd:
        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -111,7 +111,7 @@ systemd:
            --volume /opt/bootstrap/assets:/assets:ro,Z \
            --volume /opt/bootstrap/apply:/apply:ro,Z \
            --entrypoint=/apply \
-            quay.io/poseidon/kubelet:v1.30.2
+            quay.io/poseidon/kubelet:v1.26.2
        ExecStartPost=/bin/touch /opt/bootstrap/bootstrap.done
        ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
@ -158,7 +158,7 @@ storage:
      contents:
        inline: |
          #!/bin/bash -e
-          mkdir -p -- auth tls/{etcd,k8s} static-manifests manifests/{coredns,kube-proxy,network}
+          mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
          awk '/#####/ {filename=$2; next} {print > filename}' assets
          mkdir -p /etc/ssl/etcd/etcd
          mkdir -p /etc/kubernetes/pki
@ -172,7 +172,8 @@ storage:
          mv static-manifests/* /etc/kubernetes/manifests/
          mkdir -p /opt/bootstrap/assets
          mv manifests /opt/bootstrap/assets/manifests
-          rm -rf assets auth static-manifests tls manifests
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
          chcon -R -u system_u -t container_file_t /etc/kubernetes/pki
    - path: /opt/bootstrap/apply
      mode: 0544
--- a/azure/fedora-coreos/kubernetes/controllers.tf
+++ b/azure/fedora-coreos/kubernetes/controllers.tf
@ -1,11 +1,3 @@
 locals {
  # Typhoon ssh_authorized_key supports RSA or a newer formats (e.g. ed25519).
  # However, Azure requires an older RSA key to pass validations. To use a
  # newer key format, pass a dummy RSA key as the azure_authorized_key and
  # delete the associated private key so it's never used.
  azure_authorized_key = var.azure_authorized_key == "" ? var.ssh_authorized_key : var.azure_authorized_key
 }
 # Discrete DNS records for each controller's private IPv4 for etcd usage
 resource "azurerm_dns_a_record" "etcds" {
  count               = var.controller_count
@ -63,7 +55,7 @@ resource "azurerm_linux_virtual_machine" "controllers" {
  admin_username = "core"
  admin_ssh_key {
    username   = "core"
-    public_key = local.azure_authorized_key
+    public_key = var.ssh_authorized_key
  }
  lifecycle {
--- a/azure/fedora-coreos/kubernetes/outputs.tf
+++ b/azure/fedora-coreos/kubernetes/outputs.tf
@ -39,21 +39,10 @@ output "kubeconfig" {
 # Outputs for custom firewalling
 output "controller_security_group_name" {
  description = "Network Security Group for controller nodes"
  value       = azurerm_network_security_group.controller.name
 }
 output "worker_security_group_name" {
  description = "Network Security Group for worker nodes"
  value = azurerm_network_security_group.worker.name
 }
 output "controller_address_prefixes" {
  description = "Controller network subnet CIDR addresses (for source/destination)"
  value       = azurerm_subnet.controller.address_prefixes
 }
 output "worker_address_prefixes" {
  description = "Worker network subnet CIDR addresses (for source/destination)"
  value       = azurerm_subnet.worker.address_prefixes
--- a/azure/fedora-coreos/kubernetes/security.tf
+++ b/azure/fedora-coreos/kubernetes/security.tf
@ -121,28 +121,12 @@ resource "azurerm_network_security_rule" "controller-cilium-health" {
  name                         = "allow-cilium-health"
  network_security_group_name  = azurerm_network_security_group.controller.name
  priority                     = "2018"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
  source_port_range            = "*"
  destination_port_range       = "4240"
  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
  destination_address_prefixes = azurerm_subnet.controller.address_prefixes
 }
 resource "azurerm_network_security_rule" "controller-cilium-metrics" {
  resource_group_name = azurerm_resource_group.cluster.name
  count               = var.networking == "cilium" ? 1 : 0
  name                         = "allow-cilium-metrics"
  network_security_group_name  = azurerm_network_security_group.controller.name
  priority                     = "2019"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
  source_port_range            = "*"
-  destination_port_range       = "9962-9965"
+  destination_port_range       = "4240"
  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
  destination_address_prefixes = azurerm_subnet.controller.address_prefixes
 }
@ -319,28 +303,12 @@ resource "azurerm_network_security_rule" "worker-cilium-health" {
  name                         = "allow-cilium-health"
  network_security_group_name  = azurerm_network_security_group.worker.name
  priority                     = "2013"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
  source_port_range            = "*"
  destination_port_range       = "4240"
  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
  destination_address_prefixes = azurerm_subnet.worker.address_prefixes
 }
 resource "azurerm_network_security_rule" "worker-cilium-metrics" {
  resource_group_name = azurerm_resource_group.cluster.name
  count               = var.networking == "cilium" ? 1 : 0
  name                         = "allow-cilium-metrics"
  network_security_group_name  = azurerm_network_security_group.worker.name
  priority                     = "2014"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
  source_port_range            = "*"
-  destination_port_range       = "9962-9965"
+  destination_port_range       = "4240"
  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
  destination_address_prefixes = azurerm_subnet.worker.address_prefixes
 }
--- a/azure/fedora-coreos/kubernetes/variables.tf
+++ b/azure/fedora-coreos/kubernetes/variables.tf
@ -82,12 +82,6 @@ variable "ssh_authorized_key" {
  description = "SSH public key for user 'core'"
 }
 variable "azure_authorized_key" {
  type        = string
  description = "Optionally, pass a dummy RSA key to satisfy Azure validations (then use an ed25519 key set above)"
  default     = ""
 }
 variable "networking" {
  type        = string
  description = "Choice of networking provider (flannel, calico, or cilium)"
@ -146,19 +140,3 @@ variable "daemonset_tolerations" {
  description = "List of additional taint keys kube-system DaemonSets should tolerate (e.g. ['custom-role', 'gpu-role'])"
  default     = []
 }
 variable "components" {
  description = "Configure pre-installed cluster components"
  # Component configs are passed through to terraform-render-bootstrap,
  # which handles type enforcement and defines defaults
  # https://github.com/poseidon/terraform-render-bootstrap/blob/main/variables.tf#L95
  type = object({
    enable     = optional(bool)
    coredns    = optional(map(any))
    kube_proxy = optional(map(any))
    flannel    = optional(map(any))
    calico     = optional(map(any))
    cilium     = optional(map(any))
  })
  default = null
 }
--- a/azure/fedora-coreos/kubernetes/versions.tf
+++ b/azure/fedora-coreos/kubernetes/versions.tf
@ -7,7 +7,7 @@ terraform {
    null    = ">= 2.1"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.9"
    }
  }
 }
--- a/azure/fedora-coreos/kubernetes/workers.tf
+++ b/azure/fedora-coreos/kubernetes/workers.tf
@ -17,7 +17,6 @@ module "workers" {
  # configuration
  kubeconfig            = module.bootstrap.kubeconfig-kubelet
  ssh_authorized_key    = var.ssh_authorized_key
  azure_authorized_key  = var.azure_authorized_key
  service_cidr          = var.service_cidr
  cluster_domain_suffix = var.cluster_domain_suffix
  snippets              = var.worker_snippets
--- a/azure/fedora-coreos/kubernetes/workers/butane/worker.yaml
+++ b/azure/fedora-coreos/kubernetes/workers/butane/worker.yaml
@ -1,6 +1,6 @@
 ---
 variant: fcos
-version: 1.5.0
+version: 1.4.0
 systemd:
  units:
    - name: containerd.service
@ -26,7 +26,7 @@ systemd:
        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
--- a/azure/fedora-coreos/kubernetes/workers/variables.tf
+++ b/azure/fedora-coreos/kubernetes/workers/variables.tf
@ -73,12 +73,6 @@ variable "ssh_authorized_key" {
  description = "SSH public key for user 'core'"
 }
 variable "azure_authorized_key" {
  type        = string
  description = "Optionally, pass a dummy RSA key to satisfy Azure validations (then use an ed25519 key set above)"
  default     = ""
 }
 variable "service_cidr" {
  type        = string
  description = <<EOD
--- a/azure/fedora-coreos/kubernetes/workers/versions.tf
+++ b/azure/fedora-coreos/kubernetes/workers/versions.tf
@ -6,7 +6,7 @@ terraform {
    azurerm = ">= 2.8, < 4.0"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.9"
    }
  }
 }
--- a/azure/fedora-coreos/kubernetes/workers/workers.tf
+++ b/azure/fedora-coreos/kubernetes/workers/workers.tf
@ -1,7 +1,3 @@
 locals {
  azure_authorized_key = var.azure_authorized_key == "" ? var.ssh_authorized_key : var.azure_authorized_key
 }
 # Workers scale set
 resource "azurerm_linux_virtual_machine_scale_set" "workers" {
  resource_group_name = var.resource_group_name
@ -26,7 +22,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "workers" {
  admin_username = "core"
  admin_ssh_key {
    username   = "core"
-    public_key = var.azure_authorized_key
+    public_key = var.ssh_authorized_key
  }
  # network
--- a/azure/flatcar-linux/kubernetes/README.md
+++ b/azure/flatcar-linux/kubernetes/README.md
@ -11,7 +11,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.30.2 (upstream)
+* Kubernetes v1.26.2 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 * Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/), [low-priority](https://typhoon.psdn.io/flatcar-linux/azure/#low-priority) workers, and [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) customization
--- a/azure/flatcar-linux/kubernetes/bootstrap.tf
+++ b/azure/flatcar-linux/kubernetes/bootstrap.tf
@ -1,12 +1,13 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=886f501bf7b624fc12acac83449b81d0dc8b8849"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=607a05692bb213cb2e50e15d854f68b1e11c0492"
  cluster_name = var.cluster_name
  api_servers  = [format("%s.%s", var.cluster_name, var.dns_zone)]
  etcd_servers = formatlist("%s.%s", azurerm_dns_a_record.etcds.*.name, var.dns_zone)
  networking = var.networking
  # only effective with Calico networking
  # we should be able to use 1450 MTU, but in practice, 1410 was needed
  network_encapsulation = "vxlan"
@ -18,6 +19,5 @@ module "bootstrap" {
  enable_reporting      = var.enable_reporting
  enable_aggregation    = var.enable_aggregation
  daemonset_tolerations = var.daemonset_tolerations
  components            = var.components
 }
--- a/azure/flatcar-linux/kubernetes/butane/controller.yaml
+++ b/azure/flatcar-linux/kubernetes/butane/controller.yaml
@ -11,7 +11,7 @@ systemd:
        Requires=docker.service
        After=docker.service
        [Service]
-        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.7
        ExecStartPre=/usr/bin/docker run -d \
          --name etcd \
          --network host \
@ -56,7 +56,7 @@ systemd:
        After=docker.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -105,7 +105,7 @@ systemd:
        Type=oneshot
        RemainAfterExit=true
        WorkingDirectory=/opt/bootstrap
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStart=/usr/bin/docker run \
            -v /etc/kubernetes/pki:/etc/kubernetes/pki:ro \
            -v /opt/bootstrap/assets:/assets:ro \
@ -158,7 +158,7 @@ storage:
      contents:
        inline: |
          #!/bin/bash -e
-          mkdir -p -- auth tls/{etcd,k8s} static-manifests manifests/{coredns,kube-proxy,network}
+          mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
          awk '/#####/ {filename=$2; next} {print > filename}' assets
          mkdir -p /etc/ssl/etcd/etcd
          mkdir -p /etc/kubernetes/pki
@ -173,7 +173,8 @@ storage:
          mv static-manifests/* /etc/kubernetes/manifests/
          mkdir -p /opt/bootstrap/assets
          mv manifests /opt/bootstrap/assets/manifests
-          rm -rf assets auth static-manifests tls manifests
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      mode: 0544
      contents:
--- a/azure/flatcar-linux/kubernetes/controllers.tf
+++ b/azure/flatcar-linux/kubernetes/controllers.tf
@ -20,12 +20,6 @@ locals {
  channel      = split("-", var.os_image)[1]
  offer_suffix = var.arch == "arm64" ? "corevm" : "free"
  urn          = var.arch == "arm64" ? local.channel : "${local.channel}-gen2"
  # Typhoon ssh_authorized_key supports RSA or a newer formats (e.g. ed25519).
  # However, Azure requires an older RSA key to pass validations. To use a
  # newer key format, pass a dummy RSA key as the azure_authorized_key and
  # delete the associated private key so it's never used.
  azure_authorized_key = var.azure_authorized_key == "" ? var.ssh_authorized_key : var.azure_authorized_key
 }
 # Controller availability set to spread controllers
@ -50,9 +44,6 @@ resource "azurerm_linux_virtual_machine" "controllers" {
  size        = var.controller_type
  custom_data = base64encode(data.ct_config.controllers.*.rendered[count.index])
  boot_diagnostics {
    # defaults to a managed storage account
  }
  # storage
  os_disk {
@ -81,14 +72,14 @@ resource "azurerm_linux_virtual_machine" "controllers" {
  # network
  network_interface_ids = [
-    azurerm_network_interface.controllers[count.index].id
+    azurerm_network_interface.controllers.*.id[count.index]
  ]
  # Azure requires setting admin_ssh_key, though Ignition custom_data handles it too
  admin_username = "core"
  admin_ssh_key {
    username   = "core"
-    public_key = local.azure_authorized_key
+    public_key = var.ssh_authorized_key
  }
  lifecycle {
--- a/azure/flatcar-linux/kubernetes/outputs.tf
+++ b/azure/flatcar-linux/kubernetes/outputs.tf
@ -39,21 +39,10 @@ output "kubeconfig" {
 # Outputs for custom firewalling
 output "controller_security_group_name" {
  description = "Network Security Group for controller nodes"
  value       = azurerm_network_security_group.controller.name
 }
 output "worker_security_group_name" {
  description = "Network Security Group for worker nodes"
  value = azurerm_network_security_group.worker.name
 }
 output "controller_address_prefixes" {
  description = "Controller network subnet CIDR addresses (for source/destination)"
  value       = azurerm_subnet.controller.address_prefixes
 }
 output "worker_address_prefixes" {
  description = "Worker network subnet CIDR addresses (for source/destination)"
  value       = azurerm_subnet.worker.address_prefixes
--- a/azure/flatcar-linux/kubernetes/security.tf
+++ b/azure/flatcar-linux/kubernetes/security.tf
@ -121,28 +121,12 @@ resource "azurerm_network_security_rule" "controller-cilium-health" {
  name                         = "allow-cilium-health"
  network_security_group_name  = azurerm_network_security_group.controller.name
  priority                     = "2018"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
  source_port_range            = "*"
  destination_port_range       = "4240"
  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
  destination_address_prefixes = azurerm_subnet.controller.address_prefixes
 }
 resource "azurerm_network_security_rule" "controller-cilium-metrics" {
  resource_group_name = azurerm_resource_group.cluster.name
  count               = var.networking == "cilium" ? 1 : 0
  name                         = "allow-cilium-metrics"
  network_security_group_name  = azurerm_network_security_group.controller.name
  priority                     = "2019"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
  source_port_range            = "*"
-  destination_port_range       = "9962-9965"
+  destination_port_range       = "4240"
  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
  destination_address_prefixes = azurerm_subnet.controller.address_prefixes
 }
@ -319,28 +303,12 @@ resource "azurerm_network_security_rule" "worker-cilium-health" {
  name                         = "allow-cilium-health"
  network_security_group_name  = azurerm_network_security_group.worker.name
  priority                     = "2013"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
  source_port_range            = "*"
  destination_port_range       = "4240"
  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
  destination_address_prefixes = azurerm_subnet.worker.address_prefixes
 }
 resource "azurerm_network_security_rule" "worker-cilium-metrics" {
  resource_group_name = azurerm_resource_group.cluster.name
  count               = var.networking == "cilium" ? 1 : 0
  name                         = "allow-cilium-metrics"
  network_security_group_name  = azurerm_network_security_group.worker.name
  priority                     = "2014"
  access                       = "Allow"
  direction                    = "Inbound"
  protocol                     = "Tcp"
  source_port_range            = "*"
-  destination_port_range       = "9962-9965"
+  destination_port_range       = "4240"
  source_address_prefixes      = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes)
  destination_address_prefixes = azurerm_subnet.worker.address_prefixes
 }
--- a/azure/flatcar-linux/kubernetes/variables.tf
+++ b/azure/flatcar-linux/kubernetes/variables.tf
@ -88,12 +88,6 @@ variable "ssh_authorized_key" {
  description = "SSH public key for user 'core'"
 }
 variable "azure_authorized_key" {
  type        = string
  description = "Optionally, pass a dummy RSA key to satisfy Azure validations (then use an ed25519 key set above)"
  default     = ""
 }
 variable "networking" {
  type        = string
  description = "Choice of networking provider (flannel, calico, or cilium)"
@ -163,19 +157,3 @@ variable "cluster_domain_suffix" {
  description = "Queries for domains with the suffix will be answered by coredns. Default is cluster.local (e.g. foo.default.svc.cluster.local) "
  default     = "cluster.local"
 }
 variable "components" {
  description = "Configure pre-installed cluster components"
  # Component configs are passed through to terraform-render-bootstrap,
  # which handles type enforcement and defines defaults
  # https://github.com/poseidon/terraform-render-bootstrap/blob/main/variables.tf#L95
  type = object({
    enable     = optional(bool)
    coredns    = optional(map(any))
    kube_proxy = optional(map(any))
    flannel    = optional(map(any))
    calico     = optional(map(any))
    cilium     = optional(map(any))
  })
  default = null
 }
--- a/azure/flatcar-linux/kubernetes/versions.tf
+++ b/azure/flatcar-linux/kubernetes/versions.tf
@ -7,7 +7,7 @@ terraform {
    null    = ">= 2.1"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.11"
    }
  }
 }
--- a/azure/flatcar-linux/kubernetes/workers.tf
+++ b/azure/flatcar-linux/kubernetes/workers.tf
@ -17,7 +17,6 @@ module "workers" {
  # configuration
  kubeconfig            = module.bootstrap.kubeconfig-kubelet
  ssh_authorized_key    = var.ssh_authorized_key
  azure_authorized_key  = var.azure_authorized_key
  service_cidr          = var.service_cidr
  cluster_domain_suffix = var.cluster_domain_suffix
  snippets              = var.worker_snippets
--- a/azure/flatcar-linux/kubernetes/workers/butane/worker.yaml
+++ b/azure/flatcar-linux/kubernetes/workers/butane/worker.yaml
@ -28,7 +28,7 @@ systemd:
        After=docker.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
--- a/azure/flatcar-linux/kubernetes/workers/variables.tf
+++ b/azure/flatcar-linux/kubernetes/workers/variables.tf
@ -79,12 +79,6 @@ variable "ssh_authorized_key" {
  description = "SSH public key for user 'core'"
 }
 variable "azure_authorized_key" {
  type        = string
  description = "Optionally, pass a dummy RSA key to satisfy Azure validations (then use an ed25519 key set above)"
  default     = ""
 }
 variable "service_cidr" {
  type        = string
  description = <<EOD
--- a/azure/flatcar-linux/kubernetes/workers/versions.tf
+++ b/azure/flatcar-linux/kubernetes/workers/versions.tf
@ -6,7 +6,7 @@ terraform {
    azurerm = ">= 2.8, < 4.0"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.11"
    }
  }
 }
--- a/azure/flatcar-linux/kubernetes/workers/workers.tf
+++ b/azure/flatcar-linux/kubernetes/workers/workers.tf
@ -3,8 +3,6 @@ locals {
  channel      = split("-", var.os_image)[1]
  offer_suffix = var.arch == "arm64" ? "corevm" : "free"
  urn          = var.arch == "arm64" ? local.channel : "${local.channel}-gen2"
  azure_authorized_key = var.azure_authorized_key == "" ? var.ssh_authorized_key : var.azure_authorized_key
 }
 # Workers scale set
@ -19,9 +17,6 @@ resource "azurerm_linux_virtual_machine_scale_set" "workers" {
  computer_name_prefix   = "${var.name}-worker"
  single_placement_group = false
  custom_data            = base64encode(data.ct_config.worker.rendered)
  boot_diagnostics {
    # defaults to a managed storage account
  }
  # storage
  os_disk {
@ -50,7 +45,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "workers" {
  admin_username = "core"
  admin_ssh_key {
    username   = "core"
-    public_key = local.azure_authorized_key
+    public_key = var.ssh_authorized_key
  }
  # network
@ -74,9 +69,6 @@ resource "azurerm_linux_virtual_machine_scale_set" "workers" {
  # eviction policy may only be set when priority is Spot
  priority        = var.priority
  eviction_policy = var.priority == "Spot" ? "Delete" : null
  termination_notification {
    enabled = true
  }
 }
 # Scale up or down to maintain desired number, tolerating deallocations.
--- a/bare-metal/fedora-coreos/kubernetes/README.md
+++ b/bare-metal/fedora-coreos/kubernetes/README.md
@ -11,7 +11,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.30.2 (upstream)
+* Kubernetes v1.26.2 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) customization
--- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
+++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=886f501bf7b624fc12acac83449b81d0dc8b8849"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=607a05692bb213cb2e50e15d854f68b1e11c0492"
  cluster_name                    = var.cluster_name
  api_servers                     = [var.k8s_domain_name]
@ -13,7 +13,6 @@ module "bootstrap" {
  cluster_domain_suffix           = var.cluster_domain_suffix
  enable_reporting                = var.enable_reporting
  enable_aggregation              = var.enable_aggregation
  components                      = var.components
 }
--- a/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml
@ -1,6 +1,6 @@
 ---
 variant: fcos
-version: 1.5.0
+version: 1.4.0
 systemd:
  units:
    - name: etcd-member.service
@ -12,7 +12,7 @@ systemd:
        Wants=network-online.target
        After=network-online.target
        [Service]
-        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.7
        Type=exec
        ExecStartPre=/bin/mkdir -p /var/lib/etcd
        ExecStartPre=-/usr/bin/podman rm etcd
@ -53,7 +53,7 @@ systemd:
        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -113,7 +113,7 @@ systemd:
        Type=oneshot
        RemainAfterExit=true
        WorkingDirectory=/opt/bootstrap
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=-/usr/bin/podman rm bootstrap
        ExecStart=/usr/bin/podman run --name bootstrap \
            --network host \
@ -168,7 +168,7 @@ storage:
      contents:
        inline: |
          #!/bin/bash -e
-          mkdir -p -- auth tls/{etcd,k8s} static-manifests manifests/{coredns,kube-proxy,network}
+          mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
          awk '/#####/ {filename=$2; next} {print > filename}' assets
          mkdir -p /etc/ssl/etcd/etcd
          mkdir -p /etc/kubernetes/pki
@ -182,7 +182,8 @@ storage:
          mv static-manifests/* /etc/kubernetes/manifests/
          mkdir -p /opt/bootstrap/assets
          mv manifests /opt/bootstrap/assets/manifests
-          rm -rf assets auth static-manifests tls manifests
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
          chcon -R -u system_u -t container_file_t /etc/kubernetes/pki
    - path: /opt/bootstrap/apply
      mode: 0544
--- a/bare-metal/fedora-coreos/kubernetes/variables.tf
+++ b/bare-metal/fedora-coreos/kubernetes/variables.tf
@ -159,18 +159,3 @@ variable "cluster_domain_suffix" {
  default     = "cluster.local"
 }
 variable "components" {
  description = "Configure pre-installed cluster components"
  # Component configs are passed through to terraform-render-bootstrap,
  # which handles type enforcement and defines defaults
  # https://github.com/poseidon/terraform-render-bootstrap/blob/main/variables.tf#L95
  type = object({
    enable     = optional(bool)
    coredns    = optional(map(any))
    kube_proxy = optional(map(any))
    flannel    = optional(map(any))
    calico     = optional(map(any))
    cilium     = optional(map(any))
  })
  default = null
 }
--- a/bare-metal/fedora-coreos/kubernetes/versions.tf
+++ b/bare-metal/fedora-coreos/kubernetes/versions.tf
@ -6,7 +6,7 @@ terraform {
    null = ">= 2.1"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.9"
    }
    matchbox = {
      source  = "poseidon/matchbox"
--- a/bare-metal/fedora-coreos/kubernetes/worker/butane/worker.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/worker/butane/worker.yaml
@ -1,6 +1,6 @@
 ---
 variant: fcos
-version: 1.5.0
+version: 1.4.0
 systemd:
  units:
    - name: containerd.service
@ -25,7 +25,7 @@ systemd:
        Description=Kubelet (System Container)
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
--- a/bare-metal/fedora-coreos/kubernetes/worker/versions.tf
+++ b/bare-metal/fedora-coreos/kubernetes/worker/versions.tf
@ -6,7 +6,7 @@ terraform {
    null = ">= 2.1"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.9"
    }
    matchbox = {
      source  = "poseidon/matchbox"
--- a/bare-metal/flatcar-linux/kubernetes/README.md
+++ b/bare-metal/flatcar-linux/kubernetes/README.md
@ -11,7 +11,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.30.2 (upstream)
+* Kubernetes v1.26.2 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [Cilium](https://github.com/cilium/cilium) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 * Advanced features like [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) customization
--- a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
+++ b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=886f501bf7b624fc12acac83449b81d0dc8b8849"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=607a05692bb213cb2e50e15d854f68b1e11c0492"
  cluster_name                    = var.cluster_name
  api_servers                     = [var.k8s_domain_name]
@ -13,6 +13,5 @@ module "bootstrap" {
  cluster_domain_suffix           = var.cluster_domain_suffix
  enable_reporting                = var.enable_reporting
  enable_aggregation              = var.enable_aggregation
  components                      = var.components
 }
--- a/bare-metal/flatcar-linux/kubernetes/butane/controller.yaml
+++ b/bare-metal/flatcar-linux/kubernetes/butane/controller.yaml
@ -11,7 +11,7 @@ systemd:
        Requires=docker.service
        After=docker.service
        [Service]
-        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.7
        ExecStartPre=/usr/bin/docker run -d \
          --name etcd \
          --network host \
@ -64,7 +64,7 @@ systemd:
        After=docker.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -114,7 +114,7 @@ systemd:
        Type=oneshot
        RemainAfterExit=true
        WorkingDirectory=/opt/bootstrap
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStart=/usr/bin/docker run \
            -v /etc/kubernetes/pki:/etc/kubernetes/pki:ro \
            -v /opt/bootstrap/assets:/assets:ro \
@ -169,7 +169,7 @@ storage:
      contents:
        inline: |
          #!/bin/bash -e
-          mkdir -p -- auth tls/{etcd,k8s} static-manifests manifests/{coredns,kube-proxy,network}
+          mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
          awk '/#####/ {filename=$2; next} {print > filename}' assets
          mkdir -p /etc/ssl/etcd/etcd
          mkdir -p /etc/kubernetes/pki
@ -184,7 +184,8 @@ storage:
          mv static-manifests/* /etc/kubernetes/manifests/
          mkdir -p /opt/bootstrap/assets
          mv manifests /opt/bootstrap/assets/manifests
-          rm -rf assets auth static-manifests tls manifests
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
    - path: /opt/bootstrap/apply
      mode: 0544
      contents:
--- a/bare-metal/flatcar-linux/kubernetes/butane/install.yaml
+++ b/bare-metal/flatcar-linux/kubernetes/butane/install.yaml
@ -35,7 +35,6 @@ storage:
            -d ${install_disk} \
            -C ${os_channel} \
            -V ${os_version} \
            ${oem_flag} \
            ${baseurl_flag} \
            -i ignition.json
          udevadm settle
--- a/bare-metal/flatcar-linux/kubernetes/outputs.tf
+++ b/bare-metal/flatcar-linux/kubernetes/outputs.tf
@ -3,13 +3,6 @@ output "kubeconfig-admin" {
  sensitive = true
 }
 # Outputs for workers
 output "kubeconfig" {
  value     = module.bootstrap.kubeconfig-kubelet
  sensitive = true
 }
 # Outputs for debug
 output "assets_dist" {
--- a/bare-metal/flatcar-linux/kubernetes/profiles.tf
+++ b/bare-metal/flatcar-linux/kubernetes/profiles.tf
@ -55,7 +55,6 @@ data "ct_config" "install" {
    mac                = concat(var.controllers.*.mac, var.workers.*.mac)[count.index]
    install_disk       = var.install_disk
    ssh_authorized_key = var.ssh_authorized_key
    oem_flag           = var.oem_type != "" ? "-o ${var.oem_type}" : ""
    # only cached profile adds -b baseurl
    baseurl_flag = var.cached_install ? "-b ${var.matchbox_http_endpoint}/assets/flatcar" : ""
  })
--- a/bare-metal/flatcar-linux/kubernetes/variables.tf
+++ b/bare-metal/flatcar-linux/kubernetes/variables.tf
@ -73,6 +73,20 @@ variable "worker_node_taints" {
  default     = {}
 }
 variable "worker_bind_devices" {
  type        = map(list(object({
    source = string
    target = string
  })))
  description = <<EOD
  List of devices to bind on kubelet container for direct storage usage
  [
    { source = "/dev/sdb", target = "/dev/sdb" },
    { source = "/dev/sdc", target = "/dev/sdc" }
  ]
  EOD
 }
 # configuration
 variable "k8s_domain_name" {
@ -156,17 +170,6 @@ variable "enable_aggregation" {
  default     = true
 }
 variable "oem_type" {
  type        = string
  description = <<EOD
 An OEM type to install with flatcar-install. Find available types by looking for Flatcar image files
 ending in `image.bin.bz2`. The OEM identifier is contained in the filename.
 E.g., `flatcar_production_vmware_raw_image.bin.bz2` leads to `vmware_raw`.
 See: https://www.flatcar.org/docs/latest/installing/bare-metal/installing-to-disk/#choose-a-channel
 EOD
  default     = ""
 }
 # unofficial, undocumented, unsupported
 variable "cluster_domain_suffix" {
@ -175,18 +178,3 @@ variable "cluster_domain_suffix" {
  default     = "cluster.local"
 }
 variable "components" {
  description = "Configure pre-installed cluster components"
  # Component configs are passed through to terraform-render-bootstrap,
  # which handles type enforcement and defines defaults
  # https://github.com/poseidon/terraform-render-bootstrap/blob/main/variables.tf#L95
  type = object({
    enable     = optional(bool)
    coredns    = optional(map(any))
    kube_proxy = optional(map(any))
    flannel    = optional(map(any))
    calico     = optional(map(any))
    cilium     = optional(map(any))
  })
  default = null
 }
--- a/bare-metal/flatcar-linux/kubernetes/versions.tf
+++ b/bare-metal/flatcar-linux/kubernetes/versions.tf
@ -6,7 +6,7 @@ terraform {
    null = ">= 2.1"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.9"
    }
    matchbox = {
      source  = "poseidon/matchbox"
--- a/bare-metal/flatcar-linux/kubernetes/worker/butane/install.yaml
+++ b/bare-metal/flatcar-linux/kubernetes/worker/butane/install.yaml
@ -35,7 +35,6 @@ storage:
            -d ${install_disk} \
            -C ${os_channel} \
            -V ${os_version} \
            ${oem_flag} \
            ${baseurl_flag} \
            -i ignition.json
          udevadm settle
--- a/bare-metal/flatcar-linux/kubernetes/worker/butane/worker.yaml
+++ b/bare-metal/flatcar-linux/kubernetes/worker/butane/worker.yaml
@ -36,7 +36,7 @@ systemd:
        After=docker.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
@ -77,6 +77,9 @@ systemd:
          --register-with-taints=${taint} \
          %{~ endfor ~}
          --node-labels=node.kubernetes.io/node
          %{~ for device in node_devices ~}
          --device=${device.source}:${device.target}
          %{~ endfor ~}
        ExecStart=docker logs -f kubelet
        ExecStop=docker stop kubelet
        ExecStopPost=docker rm kubelet
--- a/bare-metal/flatcar-linux/kubernetes/worker/matchbox.tf
+++ b/bare-metal/flatcar-linux/kubernetes/worker/matchbox.tf
@ -36,7 +36,7 @@ resource "matchbox_profile" "install" {
  name   = format("%s-install-%s", var.cluster_name, var.name)
  kernel = local.kernel
  initrd = local.initrd
-  args   = local.args
+  args   = concat(local.args, var.kernel_args)
  raw_ignition = data.ct_config.install.rendered
 }
@ -50,7 +50,6 @@ data "ct_config" "install" {
    mac                = var.mac
    install_disk       = var.install_disk
    ssh_authorized_key = var.ssh_authorized_key
    oem_flag           = var.oem_type != "" ? "-o ${var.oem_type}" : ""
    # only cached profile adds -b baseurl
    baseurl_flag = var.cached_install ? "-b ${var.matchbox_http_endpoint}/assets/flatcar" : ""
  })
@ -82,6 +81,7 @@ data "ct_config" "worker" {
    cluster_domain_suffix  = var.cluster_domain_suffix
    node_labels            = join(",", var.node_labels)
    node_taints            = join(",", var.node_taints)
    node_devices           = var.node_devices
  })
  strict   = true
  snippets = var.snippets
--- a/bare-metal/flatcar-linux/kubernetes/worker/variables.tf
+++ b/bare-metal/flatcar-linux/kubernetes/worker/variables.tf
@ -72,6 +72,15 @@ variable "node_taints" {
  default     = []
 }
 variable "node_devices" {
  type        = list(object({
    source = string
    target = string
  }))
  description = "List of devices object to bind with --device option"
  default     = []
 }
 # optional
 variable "download_protocol" {
@ -98,12 +107,6 @@ variable "kernel_args" {
  default     = []
 }
 variable "oem_type" {
  type        = string
  default     = ""
  description = "An OEM type to install with flatcar-install."
 }
 # unofficial, undocumented, unsupported
 variable "service_cidr" {
--- a/bare-metal/flatcar-linux/kubernetes/worker/versions.tf
+++ b/bare-metal/flatcar-linux/kubernetes/worker/versions.tf
@ -6,7 +6,7 @@ terraform {
    null = ">= 2.1"
    ct = {
      source  = "poseidon/ct"
-      version = "~> 0.13"
+      version = "~> 0.9"
    }
    matchbox = {
      source  = "poseidon/matchbox"
--- a/bare-metal/flatcar-linux/kubernetes/workers.tf
+++ b/bare-metal/flatcar-linux/kubernetes/workers.tf
@ -22,12 +22,12 @@ module "workers" {
  node_labels           = lookup(var.worker_node_labels, var.workers[count.index].name, [])
  node_taints           = lookup(var.worker_node_taints, var.workers[count.index].name, [])
  snippets              = lookup(var.snippets, var.workers[count.index].name, [])
  node_devices          = lookup(var.worker_bind_devices, var.workers[count.index].name, [])
  # optional
  download_protocol = var.download_protocol
  cached_install    = var.cached_install
  install_disk      = var.install_disk
  kernel_args       = var.kernel_args
  oem_type          = var.oem_type
 }
--- a/digital-ocean/fedora-coreos/kubernetes/README.md
+++ b/digital-ocean/fedora-coreos/kubernetes/README.md
@ -11,7 +11,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
 ## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
-* Kubernetes v1.30.2 (upstream)
+* Kubernetes v1.26.2 (upstream)
 * Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
 * On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/), SELinux enforcing
 * Advanced features like [snippets](https://typhoon.psdn.io/advanced/customization/#hosts) customization
--- a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
@ -1,12 +1,13 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
-  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=886f501bf7b624fc12acac83449b81d0dc8b8849"
+  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=607a05692bb213cb2e50e15d854f68b1e11c0492"
  cluster_name = var.cluster_name
  api_servers  = [format("%s.%s", var.cluster_name, var.dns_zone)]
  etcd_servers = digitalocean_record.etcds.*.fqdn
  networking = var.networking
  # only effective with Calico networking
  network_encapsulation = "vxlan"
  network_mtu           = "1450"
@ -16,6 +17,5 @@ module "bootstrap" {
  cluster_domain_suffix = var.cluster_domain_suffix
  enable_reporting      = var.enable_reporting
  enable_aggregation    = var.enable_aggregation
  components            = var.components
 }
--- a/digital-ocean/fedora-coreos/kubernetes/butane/controller.yaml
+++ b/digital-ocean/fedora-coreos/kubernetes/butane/controller.yaml
@ -1,6 +1,6 @@
 ---
 variant: fcos
-version: 1.5.0
+version: 1.4.0
 systemd:
  units:
    - name: etcd-member.service
@ -12,7 +12,7 @@ systemd:
        Wants=network-online.target
        After=network-online.target
        [Service]
-        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+        Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.5.7
        Type=exec
        ExecStartPre=/bin/mkdir -p /var/lib/etcd
        ExecStartPre=-/usr/bin/podman rm etcd
@ -55,7 +55,7 @@ systemd:
        After=afterburn.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        EnvironmentFile=/run/metadata/afterburn
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
@ -123,7 +123,7 @@ systemd:
            --volume /opt/bootstrap/assets:/assets:ro,Z \
            --volume /opt/bootstrap/apply:/apply:ro,Z \
            --entrypoint=/apply \
-            quay.io/poseidon/kubelet:v1.30.2
+            quay.io/poseidon/kubelet:v1.26.2
        ExecStartPost=/bin/touch /opt/bootstrap/bootstrap.done
        ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
@ -165,7 +165,7 @@ storage:
      contents:
        inline: |
          #!/bin/bash -e
-          mkdir -p -- auth tls/{etcd,k8s} static-manifests manifests/{coredns,kube-proxy,network}
+          mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
          awk '/#####/ {filename=$2; next} {print > filename}' assets
          mkdir -p /etc/ssl/etcd/etcd
          mkdir -p /etc/kubernetes/pki
@ -179,7 +179,8 @@ storage:
          mv static-manifests/* /etc/kubernetes/manifests/
          mkdir -p /opt/bootstrap/assets
          mv manifests /opt/bootstrap/assets/manifests
-          rm -rf assets auth static-manifests tls manifests
+          mv manifests-networking/* /opt/bootstrap/assets/manifests/
          rm -rf assets auth static-manifests tls manifests-networking
          chcon -R -u system_u -t container_file_t /etc/kubernetes/pki
    - path: /opt/bootstrap/apply
      mode: 0544
--- a/digital-ocean/fedora-coreos/kubernetes/butane/worker.yaml
+++ b/digital-ocean/fedora-coreos/kubernetes/butane/worker.yaml
@ -1,6 +1,6 @@
 ---
 variant: fcos
-version: 1.5.0
+version: 1.4.0
 systemd:
  units:
    - name: containerd.service
@ -28,7 +28,7 @@ systemd:
        After=afterburn.service
        Wants=rpc-statd.service
        [Service]
-        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.30.2
+        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.26.2
        EnvironmentFile=/run/metadata/afterburn
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
--- a/digital-ocean/fedora-coreos/kubernetes/network.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/network.tf
@ -32,13 +32,6 @@ resource "digitalocean_firewall" "rules" {
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # Cilium metrics
  inbound_rule {
    protocol    = "tcp"
    port_range  = "9962-9965"
    source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name]
  }
  # IANA vxlan (flannel, calico)
  inbound_rule {
    protocol    = "udp"
--- a/Show More
+++ b/Show More