diff --git a/README.md b/README.md
index 019fe033..8f9c136e 100644
--- a/README.md
+++ b/README.md
@@ -6,14 +6,50 @@
 
 tEKS is a set of Terraform / Terragrunt modules designed to get you everything you need to run a production EKS cluster on AWS. It ships with sensible defaults, and add a lot of common addons with their configurations that work out of the box.
 
-:warning: the v5 of this project has been completely revamp and now offer a skeleton to use as a base for your infrastructure projects around EKS. All the modules have been moved outside this repository and get their own versioning. The [old README is accessible here](https://github.com/clusterfrak-dynamics/teks/tree/release-4.X)
+:warning: the v5 and further version of this project have been completely revamp and now offer a skeleton to use as a base for your infrastructure projects around EKS. All the modules have been moved outside this repository and get their own versioning. The [old README is accessible here](https://github.com/clusterfrak-dynamics/teks/tree/release-4.X)
 
-## Modules
+## Main purposes
 
-* [`terraform-aws-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc)
-* [`terraform-aws-eks`](https://github.com/terraform-aws-modules/terraform-aws-eks)
-* [`terraform-kubernetes-addons`](https://github.com/clusterfrak-dynamics/terraform-kubernetes-addons): provides various addons that are often used on Kubernetes and specifically on EKS.
-* [`terraform-kubernetes-namespaces`](https://github.com/clusterfrak-dynamics/terraform-kubernetes-addons): allows administrator to manage namespaces and quotas from a centralized configuration with Terraform.
+The main goal of this project is to glue together commonly used tooling with Kubernetes/EKS and to get from an AWS Account to a production cluster with everything you need without any manual configuration.
+
+## What you get
+
+A production cluster all defined in IaaC with Terraform/Terragrunt:
+
+* AWS VPC if needed based on [`terraform-aws-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc)
+* EKS cluster base on [`terraform-aws-eks`](https://github.com/terraform-aws-modules/terraform-aws-eks)
+* Kubernetes addons based on [`terraform-kubernetes-addons`](https://github.com/clusterfrak-dynamics/terraform-kubernetes-addons): provides various addons that are often used on Kubernetes and specifically on EKS.
+* Kubernetes namespaces quota management based on [`terraform-kubernetes-namespaces`](https://github.com/clusterfrak-dynamics/terraform-kubernetes-addons): allows administrator to manage namespaces and quotas from a centralized configuration with Terraform.
+* AWS ECR registries management based on [`terraform-aws-ecr`](https://github.com/clusterfrak-dynamics/terraform-aws-ecr)
+
+Everything is tied together with Terragrunt and allows you to deploy a multi cluster architecture in a matter of minutes (ok maybe an hour) and different AWS accounts for different environments.
+
+## Curated Features
+
+The main additionals features are the curated addons list, see [here](https://github.com/clusterfrak-dynamics/terraform-kubernetes-addons) and in the customization of the cluster policy
+
+### Enforced security
+
+* Default PSP is removed and sensible defaults are enforced
+* All addons have specific PSP enabled
+* No IAM credentials on instances, everything is enforced with [IRSA](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/) or [KIAM](https://github.com/uswitch/kiam)
+
+### Out of the box monitoring
+
+* Prometheus Operator with defaults dashboards
+* Addons that support metrics are enable along with their `serviceMonitor`
+* Custom grafana dashboard are available by default.
+
+### Helm v3 provider
+
+* All addons support Helm v3 configuration
+* All charts are easily customizable
+
+### Other and not limited to
+
+* priorityClasses for addons
+* use of [`kubectl-provider`], no more local exec and custom manifest are properly handled
+* lot of manual stuff have been automated under the hood
 
 ## Requirements
 
diff --git a/requirements.txt b/requirements.txt
index 95bb61fd..4c944ccc 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,13 +1,13 @@
 # Linux
-https://releases.hashicorp.com/terraform/0.11.14/terraform_0.12.17_linux_amd64.zip
-https://github.com/gruntwork-io/terragrunt/releases/download/v0.21.6/terragrunt_linux_amd64
+https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_linux_amd64.zip
+https://github.com/gruntwork-io/terragrunt/releases/download/v0.22.3/terragrunt_linux_amd64
 https://storage.googleapis.com/kubernetes-release/release/v1.14.8/bin/linux/amd64/kubectl
-https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz
+https://get.helm.sh/helm-v3.1.0-linux-amd64.tar.gz
 https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.4.0/aws-iam-authenticator_0.4.0_linux_amd64
 
 # Darwin
-https://releases.hashicorp.com/terraform/0.11.14/terraform_0.12.17_darwin_amd64.zip
-https://github.com/gruntwork-io/terragrunt/releases/download/v0.21.6/terragrunt_darwin_amd64
+https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_darwin_amd64.zip
+https://github.com/gruntwork-io/terragrunt/releases/download/v0.22.3/terragrunt_linux_amd64
 https://storage.googleapis.com/kubernetes-release/release/v1.14.8/bin/darwin/amd64/kubectl
-https://get.helm.sh/helm-v2.16.1-darwin-amd64.tar.gz
+https://get.helm.sh/helm-v3.1.0-darwin-amd64.tar.gz
 https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.4.0/aws-iam-authenticator_0.4.0_darwin_amd64
diff --git a/terraform/live/demo/eu-west-3/ecr/provider.tf b/terraform/live/demo/eu-west-3/ecr/provider.tf
index 16571418..826930db 100644
--- a/terraform/live/demo/eu-west-3/ecr/provider.tf
+++ b/terraform/live/demo/eu-west-3/ecr/provider.tf
@@ -4,7 +4,7 @@ terraform {
 }
 
 provider "aws" {
-  region = var.aws["region"]
+  region  = var.aws["region"]
   version = "~> 2.41"
 }
 
diff --git a/terraform/live/demo/eu-west-3/ecr/terragrunt.hcl b/terraform/live/demo/eu-west-3/ecr/terragrunt.hcl
index 2f68c3b4..2f0df02e 100644
--- a/terraform/live/demo/eu-west-3/ecr/terragrunt.hcl
+++ b/terraform/live/demo/eu-west-3/ecr/terragrunt.hcl
@@ -3,7 +3,7 @@ include {
 }
 
 terraform {
-  source = "github.com/clusterfrak-dynamics/terraform-aws-ecr.git?ref=v2.0.1"
+  source = "github.com/clusterfrak-dynamics/terraform-aws-ecr.git?ref=v2.1.0"
 }
 
 locals {
diff --git a/terraform/live/demo/eu-west-3/eks-addons/examples/keycloak-values.yaml b/terraform/live/demo/eu-west-3/eks-addons/examples/keycloak-values.yaml
new file mode 100644
index 00000000..5bcdd7dc
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks-addons/examples/keycloak-values.yaml
@@ -0,0 +1,20 @@
+---
+keycloak:
+  username: admin
+  ingress:
+    enabled: true
+    path: /
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    hosts:
+      - keycloak.${local.env}.synthesis-care.com
+  persistence:
+    deployPostgres: false
+    dbVendor: postgres
+    existingSecret: "db-keycloak-${local.env}"
+    existingSecretKey: "DB_PASSWORD"
+    dbName: keycloak
+    dbHost: ${dependency.keycloak.outputs.db_instance_address}
+    dbPort: 5432
+    dbUser: keycloak
diff --git a/terraform/live/demo/eu-west-3/eks-addons/examples/kong-values.yaml b/terraform/live/demo/eu-west-3/eks-addons/examples/kong-values.yaml
new file mode 100644
index 00000000..f0a666a4
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks-addons/examples/kong-values.yaml
@@ -0,0 +1,25 @@
+---
+serviceMonitor:
+  enabled: true
+env:
+  REAL_IP_HEADER: "proxy-protocol"
+  CLIENT_BODY_BUFFER_SIZE: "100M"
+  CUSTOM_PLUGINS: "oidc"
+  PLUGINS: "oidc,cors,prometheus"
+  NGINX_SEND_TIMEOUT: 600
+  NGINX_MAX_EXECUTION_TIME: 600
+  NGINX_REQUEST_TERMINATE_TIMEOUT: 600
+proxy:
+  type: LoadBalancer
+  http:
+    servicePort: 443
+  tls:
+    enabled: false
+    servicePort: 443
+    containerPort: 8000
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
+    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "${dependency.acm.outputs.certificate_arn}"
+    external-dns.alpha.kubernetes.io/hostname: "kong.${local.env}.cfd.io"
+  externalTrafficPolicy: "Cluster"
diff --git a/terraform/live/demo/eu-west-3/eks-addons/providers.tf b/terraform/live/demo/eu-west-3/eks-addons/providers.tf
index bf4e0cb3..830fbe35 100644
--- a/terraform/live/demo/eu-west-3/eks-addons/providers.tf
+++ b/terraform/live/demo/eu-west-3/eks-addons/providers.tf
@@ -4,24 +4,27 @@ terraform {
 }
 
 provider "aws" {
-  region = var.aws["region"]
+  region  = var.aws["region"]
   version = "~> 2.41"
 }
 
+provider "kubectl" {
+  host                   = data.aws_eks_cluster.cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+  load_config_file       = false
+}
+
 provider "kubernetes" {
   host                   = data.aws_eks_cluster.cluster.endpoint
   cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
   token                  = data.aws_eks_cluster_auth.cluster.token
   load_config_file       = false
-  version                = "~> 1.9"
+  version                = "1.10"
 }
 
 provider "helm" {
-  install_tiller                  = true
-  service_account                 = "tiller"
-  tiller_image                    = "gcr.io/kubernetes-helm/tiller:v2.16.1"
-  automount_service_account_token = true
-
+  version = "~> 1.0"
   kubernetes {
     host                   = data.aws_eks_cluster.cluster.endpoint
     cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
@@ -37,9 +40,9 @@ data "aws_caller_identity" "current" {
 }
 
 data "aws_eks_cluster" "cluster" {
-  name = var.eks["cluster_name"]
+  name = var.cluster-name
 }
 
 data "aws_eks_cluster_auth" "cluster" {
-  name = var.eks["cluster_name"]
+  name = var.cluster-name
 }
diff --git a/terraform/live/demo/eu-west-3/eks-addons/terragrunt.hcl b/terraform/live/demo/eu-west-3/eks-addons/terragrunt.hcl
index f8ff059a..10a3076e 100644
--- a/terraform/live/demo/eu-west-3/eks-addons/terragrunt.hcl
+++ b/terraform/live/demo/eu-west-3/eks-addons/terragrunt.hcl
@@ -3,7 +3,12 @@ include {
 }
 
 terraform {
-  source = "github.com/clusterfrak-dynamics/terraform-kubernetes-addons.git?ref=v4.0.1"
+  source = "github.com/clusterfrak-dynamics/terraform-kubernetes-addons.git?ref=v5.0.0"
+
+  before_hook "init" {
+    commands = ["init"]
+    execute  = ["bash", "-c", "wget -O terraform-provider-kubectl https://github.com/gavinbunney/terraform-provider-kubectl/releases/download/v1.2.1/terraform-provider-kubectl-linux-amd64 && chmod +x terraform-provider-kubectl"]
+  }
 }
 
 locals {
@@ -15,7 +20,19 @@ dependency "eks" {
   config_path = "../eks"
 
   mock_outputs = {
-    cluster_id = "cluster-name"
+    cluster_id              = "cluster-name"
+    cluster_oidc_issuer_url = "https://oidc.eks.eu-west-3.amazonaws.com/id/0000000000000000"
+  }
+}
+
+dependency "vpc" {
+  config_path = "../vpc"
+
+  mock_outputs = {
+    private_subnets_cidr_blocks = [
+      "10.0.0.0/16",
+      "192.168.0.0/24"
+    ]
   }
 }
 
@@ -28,275 +45,116 @@ inputs = {
   }
 
   eks = {
-    "cluster_name" = dependency.eks.outputs.cluster_id
+    "cluster_oidc_issuer_url" = dependency.eks.outputs.cluster_oidc_issuer_url
   }
 
   nginx_ingress = {
-    version                = "0.26.1"
-    chart_version          = "1.24.5"
-    enabled                = true
+    version                = "0.29.0"
+    chart_version          = "1.31.0"
+    enabled                = false
     default_network_policy = true
     ingress_cidr           = "0.0.0.0/0"
-    namespace              = "ingress-nginx"
-    timeout                = 3600
-    force_update           = false
-    recreate_pods          = false
-    wait                   = true
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
+    use_nlb                = false
+    use_l7                 = false
+  }
 
-    use_nlb = false
-    use_l7 = false
+  istio_operator = {
+    enabled = true
   }
 
   cluster_autoscaler = {
-    create_iam_resources_kiam = true
-
-    iam_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "autoscaling:DescribeAutoScalingGroups",
-        "autoscaling:DescribeAutoScalingInstances",
-        "autoscaling:DescribeLaunchConfigurations",
-        "autoscaling:DescribeTags",
-        "autoscaling:SetDesiredCapacity",
-        "autoscaling:TerminateInstanceInAutoScalingGroup"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-POLICY
-
-    version                = "v1.14.6"
-    chart_version          = "6.1.0"
-    enabled                = true
-    default_network_policy = true
-    namespace              = "cluster-autoscaler"
-    cluster_name           = dependency.eks.outputs.cluster_id
-    timeout                = 3600
-    force_update           = false
-    recreate_pods          = false
-    wait                   = true
-
-    extra_values = <<EXTRA_VALUES
-extraArgs:
-  balance-similar-node-groups: true
-EXTRA_VALUES
+    create_iam_resources_kiam = false
+    create_iam_resources_irsa = true
+    iam_policy_override       = ""
+    version                   = "v1.14.7"
+    chart_version             = "6.4.0"
+    enabled                   = true
+    default_network_policy    = true
+    cluster_name              = dependency.eks.outputs.cluster_id
   }
 
   external_dns = {
     create_iam_resources_kiam = false
-
-    iam_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "route53:ChangeResourceRecordSets"
-      ],
-      "Resource": [
-        "arn:aws:route53:::hostedzone/*"
-      ]
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "route53:ListHostedZones",
-        "route53:ListResourceRecordSets"
-      ],
-      "Resource": [
-        "*"
-      ]
-    }
-  ]
-}
-POLICY
-
-    version                = "0.5.17-debian-9-r25"
-    chart_version          = "2.10.1"
-    enabled                = false
-    default_network_policy = false
-    namespace              = "external-dns"
-    timeout                = 3600
-    force_update           = false
-    recreate_pods          = false
-    wait                   = true
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
+    create_iam_resources_irsa = true
+    iam_policy_override       = ""
+    version                   = "0.6.0-debian-10-r0"
+    chart_version             = "2.18.0"
+    enabled                   = true
+    default_network_policy    = true
   }
 
   cert_manager = {
-    create_iam_resources_kiam = false
-
-    iam_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "route53:GetChange",
-      "Resource": "arn:aws:route53:::change/*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": "route53:ChangeResourceRecordSets",
-      "Resource": "arn:aws:route53:::hostedzone/*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": "route53:ListHostedZonesByName",
-      "Resource": "*"
-    }
-  ]
-}
-POLICY
-
-    version                        = "v0.9.1"
-    chart_version                  = "v0.9.1"
-    enabled                        = false
-    default_network_policy         = false
-    namespace                      = "cert-manager"
-    timeout                        = 3600
-    force_update                   = false
-    recreate_pods                  = false
-    wait                           = true
-    acme_email                     = "example@email.com"
-    enable_default_cluster_issuers = false
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
+    create_iam_resources_kiam      = false
+    create_iam_resources_irsa      = true
+    iam_policy_override            = ""
+    version                        = "v0.13.1"
+    chart_version                  = "v0.13.1"
+    enabled                        = true
+    default_network_policy         = true
+    acme_email                     = "kevin@particule.io"
+    enable_default_cluster_issuers = true
+    allowed_cidrs                  = dependency.vpc.outputs.private_subnets_cidr_blocks
   }
 
   kiam = {
-    version = "v3.4"
-    chart_version = "4.2.0"
-    enabled = true
-    default_network_policy = true
-    namespace = "kiam"
-    timeout = 3600
-    force_update = false
-    recreate_pods = false
-    wait = true
-    server_use_host_network = "true"
-    create_iam_user = true
-    create_iam_resources = true
-    iam_user = ""
-
-    assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "sts:AssumeRole"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-POLICY
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
+    create_iam_user             = true
+    create_iam_resources        = true
+    assume_role_policy_override = ""
+    version                     = "v3.5"
+    chart_version               = "5.7.0"
+    enabled                     = false
+    default_network_policy      = false
+    iam_user                    = ""
   }
 
   metrics_server = {
-    version = "v0.3.6"
-    chart_version = "2.8.8"
-    enabled = true
+    version                = "v0.3.6"
+    chart_version          = "2.9.0"
+    enabled                = true
     default_network_policy = true
-    namespace = "metrics-server"
-    control_plane_private_cidr = "10.0.0.0/22"
-    control_plane_public_cidr = "10.0.101.0/22"
-    timeout = 3600
-    force_update = false
-    recreate_pods = false
-    wait = true
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
+    allowed_cidrs          = dependency.vpc.outputs.private_subnets_cidr_blocks
   }
 
   flux = {
-    create_iam_resources_kiam = true
-    version                   = "1.16.0"
-    chart_version             = "0.15.0"
+    create_iam_resources_kiam = false
+    create_iam_resources_irsa = true
+    version                   = "1.18.0"
+    chart_version             = "1.2.0"
     enabled                   = false
-    default_network_policy    = false
-    namespace                 = "flux"
-    allowed_namespaces        = ""
-    timeout                   = 3600
-    force_update              = false
-    recreate_pods             = false
-    wait                      = true
+    default_network_policy    = true
 
     extra_values = <<EXTRA_VALUES
 git:
   url: "ssh://git@gitlab.com/myrepo/gitops-${local.env}.git"
-  pollInterval: "1m"
-helmOperator:
-  create: false
-  tillerNamespace: "flux"
-  allowNamespace: "flux"
+  pollInterval: "2m"
 rbac:
   create: false
-syncGarbageCollection:
-  enabled: true
-  dry: false
-prometheus:
-  enabled: false
 registry:
-  pollInterval: "1m"
+  automationInterval: "2m"
 EXTRA_VALUES
   }
 
-  virtual_kubelet = {
-    create_iam_resources_kiam = false
-    create_cloudwatch_log_group = false
-    cloudwatch_log_group = "eks-virtual-kubelet"
-    version = "0.7.4"
-    enabled = false
-    default_network_policy = false
-    namespace = "virtual-kubelet"
-    cpu = "20"
-    memory = "40Gi"
-    pods = "20"
-    operatingsystem = "Linux"
-    platformversion = "LATEST"
-    assignpublicipv4address = false
-    fargate_cluster_name = "sample"
-  }
-
   prometheus_operator = {
-    chart_version = "8.3.0"
-    enabled = true
+    chart_version          = "8.7.0"
+    enabled                = true
     default_network_policy = true
-    namespace = "monitoring"
-    timeout = 3600
-    force_update = false
-    recreate_pods = false
-    wait = true
+    allowed_cidrs          = dependency.vpc.outputs.private_subnets_cidr_blocks
 
     extra_values = <<EXTRA_VALUES
 grafana:
   deploymentStrategy:
     type: Recreate
   ingress:
-    enabled: false
+    enabled: true
     annotations:
       kubernetes.io/ingress.class: nginx
+      cert-manager.io/cluster-issuer: "letsencrypt"
     hosts:
-      - grafana.${local.env}.cfd.io
+      - grafana.clusterfrak-dynamics.io
+    tls:
+      - secretName: grafana-clusterfrak-dynamics-io
+        hosts:
+          - grafana.clusterfrak-dynamics.io
   persistence:
     enabled: true
     storageClassName: gp2
@@ -304,8 +162,15 @@ grafana:
       - ReadWriteOnce
     size: 10Gi
 prometheus:
+  prometheusSpec:
     replicas: 1
     retention: 180d
+    ruleSelectorNilUsesHelmValues: false
+    ruleNamespaceSelector:
+      any: true
+    serviceMonitorSelectorNilUsesHelmValues: false
+    serviceMonitorNamespaceSelector:
+      any: true
     storageSpec:
       volumeClaimTemplate:
         spec:
@@ -318,186 +183,74 @@ EXTRA_VALUES
   }
 
   fluentd_cloudwatch = {
-    create_iam_resources_kiam = true
-    iam_policy                = <<POLICY
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Action": [
-                "logs:DescribeLogGroups",
-                "logs:DescribeLogStreams",
-                "logs:CreateLogGroup",
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": "*",
-            "Effect": "Allow"
-        }
-    ]
-}
-POLICY
-    chart_version = "0.11.1"
-    version = "v1.7.4-debian-cloudwatch-1.0"
-    enabled = true
-    default_network_policy = true
-    namespace = "fluentd-cloudwatch"
-    timeout = 3600
-    force_update = false
-    recreate_pods = false
-    wait = true
+    create_iam_resources_kiam        = false
+    create_iam_resources_irsa        = true
+    default_network_policy           = true
+    iam_policy_override              = ""
+    chart_version                    = "0.12.1"
+    version                          = "v1.7.4-debian-cloudwatch-1.0"
+    enabled                          = true
     containers_log_retention_in_days = 180
-
-    extra_values = <<VALUES
-VALUES
   }
 
   npd = {
-    chart_version          = "1.6.1"
+    chart_version          = "1.6.3"
     version                = "v0.8.0"
     enabled                = true
     default_network_policy = true
-    namespace              = "node-problem-detector"
-    timeout                = 3600
-    force_update           = false
-    recreate_pods          = false
-    wait                   = true
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
   }
 
   sealed_secrets = {
-    chart_version = "1.6.0"
-    version = "v0.9.5"
-    enabled = false
-    default_network_policy = false
-    namespace = "sealed-secrets"
-    timeout = 3600
-    force_update = false
-    recreate_pods = false
-    wait = true
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
-  }
-
-  istio = {
-    chart_version_init     = "1.2.2"
-    chart_version          = "1.2.2"
-    enabled_init           = false
-    enabled                = false
-    default_network_policy = false
-    namespace              = "istio-system"
-    timeout_init           = 3600
-    force_update_init      = false
-    recreate_pods_init     = false
-    wait_init              = true
-    timeout                = 3600
-    force_update           = false
-    recreate_pods          = false
-    wait                   = true
-
-    extra_values_init = <<EXTRA_VALUES
-EXTRA_VALUES
-    extra_values = <<EXTRA_VALUES
-gateways:
-  istio-ingressgateway:
-    sds:
-      enabled: true
-    serviceAnnotations:
-      service.beta.kubernetes.io/aws-load-balancer-type: nlb
-global:
-  k8sIngress:
-    enabled: true
-    enabledHttps: true
-    gatewayName: ingressgateway
-EXTRA_VALUES
+    chart_version          = "1.7.6"
+    version                = "v0.9.7"
+    enabled                = true
+    default_network_policy = true
   }
 
   cni_metrics_helper = {
     create_iam_resources_kiam = false
-    enabled                   = false
-    version                   = "v1.5.0"
-    iam_policy                = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "cloudwatch:PutMetricData",
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Effect": "Allow",
-      "Resource": "*",
-      "Action": "ec2:DescribeTags"
-    }
-  ]
-}
-POLICY
+    create_iam_resources_irsa = true
+    enabled                   = true
+    version                   = "v1.5.5"
+    iam_policy_override       = ""
   }
 
   kong = {
-    version = "1.3"
-    chart_version = "0.17.0"
-    enabled = false
-    default_network_policy = true
-    ingress_cidr = "0.0.0.0/0"
-    namespace = "kong"
-    timeout = 3600
-    force_update = false
-    recreate_pods = false
-    wait = true
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
-  }
-
-  rancher = {
-    chart_version          = "2.2.8"
-    version                = "v2.2.8"
+    version                = "1.4"
+    chart_version          = "1.2.0"
     enabled                = false
-    channel                = "stable"
-    default_network_policy = false
-    namespace              = "rancher"
-    timeout                = 3600
-    force_update           = false
-    recreate_pods          = false
-    wait                   = true
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
+    default_network_policy = true
+    ingress_cidr           = "0.0.0.0/0"
   }
 
   keycloak = {
-    chart_version = "5.1.7"
-    version = "6.0.1"
-    enabled = false
-    default_network_policy = false
-    namespace = "keycloak"
-    timeout = 3600
-    force_update = false
-    recreate_pods = false
-    wait = false
-
-    extra_values = <<EXTRA_VALUES
-EXTRA_VALUES
+    chart_version          = "7.0.0"
+    version                = "8.0.1"
+    enabled                = false
+    default_network_policy = true
   }
 
   karma = {
-    chart_version          = "1.1.18"
-    version                = "v0.44"
+    chart_version          = "1.4.1"
+    version                = "v0.55"
     enabled                = false
-    default_network_policy = false
-    namespace              = "monitoring"
-    create_ns              = false
-    timeout                = 3600
-    force_update           = false
-    recreate_pods          = false
-    wait                   = true
-
-    extra_values = <<EXTRA_VALUES
+    default_network_policy = true
+    extra_values           = <<EXTRA_VALUES
+ingress:
+  enabled: false
+  path: /
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: "letsencrypt"
+  hosts:
+    - karma.clusterfrak-dynamics.io
+env:
+  - name: ALERTMANAGER_URI
+    value: "http://prometheus-operator-alertmanager.monitoring.svc.cluster.local:9093"
+  - name: ALERTMANAGER_PROXY
+    value: "true"
+  - name: FILTERS_DEFAULT
+    value: "@state=active severity!=info severity!=none"
 EXTRA_VALUES
   }
 }
diff --git a/terraform/live/demo/eu-west-3/eks-namespaces/providers.tf b/terraform/live/demo/eu-west-3/eks-namespaces/providers.tf
index bf4e0cb3..520c867d 100644
--- a/terraform/live/demo/eu-west-3/eks-namespaces/providers.tf
+++ b/terraform/live/demo/eu-west-3/eks-namespaces/providers.tf
@@ -4,7 +4,7 @@ terraform {
 }
 
 provider "aws" {
-  region = var.aws["region"]
+  region  = var.aws["region"]
   version = "~> 2.41"
 }
 
diff --git a/terraform/live/demo/eu-west-3/eks/manifests.tf b/terraform/live/demo/eu-west-3/eks/manifests.tf
index 8385c3fb..058d9cd0 100644
--- a/terraform/live/demo/eu-west-3/eks/manifests.tf
+++ b/terraform/live/demo/eu-west-3/eks/manifests.tf
@@ -1,8 +1,18 @@
+variable "psp_privileged_ns" {
+  default = []
+  type    = list
+}
+
 data "kubectl_path_documents" "manifests" {
-  pattern = "./manifests/*.yaml"
+  pattern      = "./manifests/*.yaml"
+  vars         = {
+    namespaces = join(",", var.psp_privileged_ns)
+  }
 }
 
 resource "kubectl_manifest" "manifests" {
-  count     = length(data.kubectl_path_documents.manifests.documents)
-  yaml_body = element(data.kubectl_path_documents.manifests.documents, count.index)
+  count            = length(data.kubectl_path_documents.manifests.documents)
+  yaml_body        = element(data.kubectl_path_documents.manifests.documents, count.index)
+  wait_for_rollout = false
+  force_new        = false
 }
diff --git a/terraform/live/demo/eu-west-3/eks/manifests/psp-default-clusterrole.yaml b/terraform/live/demo/eu-west-3/eks/manifests/psp-default-clusterrole.yaml
new file mode 100644
index 00000000..569cfc53
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks/manifests/psp-default-clusterrole.yaml
@@ -0,0 +1,14 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: default-psp
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames: ['default']
+- apiGroups: ['extensions']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames: ['default']
diff --git a/terraform/live/demo/eu-west-3/eks/manifests/psp-default-clusterrolebinding.yaml b/terraform/live/demo/eu-west-3/eks/manifests/psp-default-clusterrolebinding.yaml
new file mode 100644
index 00000000..c7273b9b
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks/manifests/psp-default-clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: default-psp
+roleRef:
+  kind: ClusterRole
+  name: default-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:authenticated
diff --git a/terraform/live/demo/eu-west-3/eks/manifests/psp-default.yaml b/terraform/live/demo/eu-west-3/eks/manifests/psp-default.yaml
new file mode 100644
index 00000000..97ed8fd2
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks/manifests/psp-default.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: default
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []  # default set of capabilities are implicitly allowed
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  runAsGroup:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 999
+      max: 65535
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 999
+      max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+    - min: 999
+      max: 65535
diff --git a/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-clusterrole.yaml b/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-clusterrole.yaml
new file mode 100644
index 00000000..26caab9d
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-clusterrole.yaml
@@ -0,0 +1,14 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: privileged-psp
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames: ['privileged']
+- apiGroups: ['extensions']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames: ['privileged']
diff --git a/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-clusterrolebinding.yaml b/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-clusterrolebinding.yaml
new file mode 100644
index 00000000..8a4d82d6
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+%{ if namespaces != "" }
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: privileged-psp
+roleRef:
+  kind: ClusterRole
+  name: privileged-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+%{ for namespace in split(",", namespaces) ~}
+- kind: Group
+  name: system:serviceaccounts:${namespace}
+  apiGroup: rbac.authorization.k8s.io
+%{ endfor ~}
+%{ endif }
diff --git a/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-node-rolebinding.yaml b/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-node-rolebinding.yaml
new file mode 100644
index 00000000..6a6db563
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged-node-rolebinding.yaml
@@ -0,0 +1,20 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: privileged-psp-nodes
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: privileged-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:nodes
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: kubelet # Legacy node ID
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:serviceaccounts:kube-system
diff --git a/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged.yaml b/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged.yaml
new file mode 100644
index 00000000..1e7591b7
--- /dev/null
+++ b/terraform/live/demo/eu-west-3/eks/manifests/psp-privileged.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: privileged
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities: ['*']
+  volumes: ['*']
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
diff --git a/terraform/live/demo/eu-west-3/eks/providers.tf b/terraform/live/demo/eu-west-3/eks/providers.tf
index cae16a32..40e76b4a 100644
--- a/terraform/live/demo/eu-west-3/eks/providers.tf
+++ b/terraform/live/demo/eu-west-3/eks/providers.tf
@@ -20,7 +20,7 @@ provider "kubernetes" {
   cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
   token                  = data.aws_eks_cluster_auth.cluster.token
   load_config_file       = false
-  version                = "~> 1.10"
+  version                = "1.10"
 }
 
 data "aws_region" "current" {}
diff --git a/terraform/live/demo/eu-west-3/eks/terragrunt.hcl b/terraform/live/demo/eu-west-3/eks/terragrunt.hcl
index a9a053f8..89d0bed6 100644
--- a/terraform/live/demo/eu-west-3/eks/terragrunt.hcl
+++ b/terraform/live/demo/eu-west-3/eks/terragrunt.hcl
@@ -14,6 +14,24 @@ terraform {
     commands = ["apply"]
     execute  = ["bash", "-c", "terraform output kubeconfig 2>/dev/null > ${get_terragrunt_dir()}/kubeconfig"]
   }
+
+  after_hook "kube-system-label" {
+    commands = ["apply"]
+    execute  = ["bash", "-c", "kubectl --kubeconfig kubeconfig label ns kube-system name=kube-system --overwrite"]
+  }
+
+  after_hook "remove-default-psp" {
+    commands = ["apply"]
+    execute  = ["bash", "-c", "kubectl --kubeconfig kubeconfig delete psp eks.privileged || true"]
+  }
+  after_hook "remove-default-psp-clusterrolebindind" {
+    commands = ["apply"]
+    execute  = ["bash", "-c", "kubectl --kubeconfig kubeconfig delete clusterrolebinding eks:podsecuritypolicy:authenticated || true"]
+  }
+  after_hook "remove-default-psp-clusterrole" {
+    commands = ["apply"]
+    execute  = ["bash", "-c", "kubectl --kubeconfig kubeconfig delete clusterrole eks:podsecuritypolicy:privileged || true"]
+  }
 }
 
 locals {
@@ -44,10 +62,12 @@ inputs = {
     "region" = local.aws_region
   }
 
+  psp_privileged_ns = [
+    "cluster-autoscaler", #waiting for https://github.com/helm/charts/pull/20891
+    "istio-system" #istio does not support psp by default
+  ]
+
   tags = merge(
-    {
-      "kubernetes.io/cluster/${local.cluster_name}" = "shared"
-    },
     local.custom_tags
   )
 
@@ -85,9 +105,9 @@ inputs = {
     {
       name                 = "default-${local.aws_region}b"
       instance_type        = "t3.medium"
-      asg_min_size         = 1
+      asg_min_size         = 0
       asg_max_size         = 3
-      asg_desired_capacity = 1
+      asg_desired_capacity = 0
       subnets              = [dependency.vpc.outputs.private_subnets[1]]
       autoscaling_enabled  = true
       root_volume_size     = 50
@@ -102,9 +122,9 @@ inputs = {
     {
       name                 = "default-${local.aws_region}c"
       instance_type        = "t3.medium"
-      asg_min_size         = 1
+      asg_min_size         = 0
       asg_max_size         = 3
-      asg_desired_capacity = 1
+      asg_desired_capacity = 0
       subnets              = [dependency.vpc.outputs.private_subnets[2]]
       autoscaling_enabled  = true
       root_volume_size     = 50
@@ -117,6 +137,4 @@ inputs = {
       ]
     },
   ]
-
 }
-
diff --git a/terraform/live/demo/eu-west-3/kiam-roles/terragrunt.hcl b/terraform/live/demo/eu-west-3/kiam-roles/terragrunt.hcl
deleted file mode 100644
index d206bec3..00000000
--- a/terraform/live/demo/eu-west-3/kiam-roles/terragrunt.hcl
+++ /dev/null
@@ -1,77 +0,0 @@
-include {
-  path = "${find_in_parent_folders()}"
-}
-
-terraform {
-  source = "github.com/clusterfrak-dynamics/terraform-aws-iam-roles?ref=v1.0.1"
-}
-
-locals {
-  aws_region  = yamldecode(file("${get_terragrunt_dir()}/${find_in_parent_folders("common_values.yaml")}"))["aws_region"]
-  env         = yamldecode(file("${get_terragrunt_dir()}/${find_in_parent_folders("common_tags.yaml")}"))["Env"]
-  custom_tags = yamldecode(file("${get_terragrunt_dir()}/${find_in_parent_folders("common_tags.yaml")}"))
-  prefix      = yamldecode(file("${get_terragrunt_dir()}/${find_in_parent_folders("common_values.yaml")}"))["prefix"]
-}
-
-dependency "eks-addons" {
-  config_path = "../eks-addons"
-
-  mock_outputs = {
-    kiam-server-role-arn = ["arn:aws:iam::000000000000:role/mock-role"]
-  }
-}
-
-inputs = {
-
-  env = local.env
-
-  aws = {
-    "region" = local.aws_region
-  }
-
-  iam_roles = [
-    {
-      name   = "${local.prefix}-s3-access-${local.env}"
-      policy = <<POLICY
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AllowFullAccesstoS3",
-            "Effect": "Allow",
-            "Action": [
-                "s3:*"
-            ],
-            "Resource": [
-              "arn:aws:s3:::examplebucket",
-              "arn:aws:s3:::examplebucket/*"
-            ]
-        }
-    ]
-}
-POLICY
-      assume_role_policy = <<ASSUME_ROLE_POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    },
-    {
-      "Sid": "",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "${dependency.eks-addons.outputs.kiam-server-role-arn[0]}"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-ASSUME_ROLE_POLICY
-    }
-  ]
-}