diff --git a/.gitignore b/.gitignore
index 5f518ad29..114a60062 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,5 +56,6 @@ ebpf/builds/
 
 # DS_Store
 .DS_Store
+.claude
 
 .envrc
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 000000000..ac196b80a
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,141 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Kubernetes operator for chaos engineering (Datadog). Injects systemic failures (network, CPU, disk, DNS, gRPC, container/node failure) into Kubernetes clusters at scale. Built with Kubebuilder v3 and controller-runtime.
+
+## Build Commands
+
+```bash
+make docker-build-all          # Build all Docker images (manager, injector, handler)
+make docker-build-injector     # Build injector Docker image
+make docker-build-handler      # Build handler Docker image
+make docker-build-manager      # Build manager Docker image
+make docker-build-only-all     # Build all images without saving tars
+make manifests                 # Generate CRDs and RBAC manifests
+make generate                  # Generate Go code (deepcopy, etc.)
+make generate-mocks            # Regenerate mocks (mockery v2.53.5)
+make clean-mocks               # Remove all generated mocks
+make generate-disruptionlistener-protobuf  # Generate disruptionlistener protobuf
+make generate-chaosdogfood-protobuf        # Generate chaosdogfood protobuf
+make chaosli                   # Build CLI helper tool
+make chaosli-test              # Test chaosli API portability (Docker)
+make godeps                    # go mod tidy + vendor
+make deps                      # godeps + license check
+make header                    # Check/fix license headers
+make header-fix                # Fix missing license headers
+make license                   # Check licenses
+make release                   # Run release script (VERSION required)
+make update-deps               # Update Python dependencies (tasks/requirements.txt)
+```
+
+## Testing
+
+```bash
+make test                                  # Run all unit tests (Ginkgo v2)
+make test TEST_ARGS="injector"             # Filter tests by package name
+make test TEST_ARGS="--until-it-fails"     # Detect flaky tests
+make test GINKGO_PROCS=4                   # Control parallelism
+make e2e-test                              # End-to-end tests (requires cluster)
+make e2e-test SKIP_DEPLOY=true             # E2E tests without redeploying controller
+```
+
+Tests use **Ginkgo v2** (BDD) with **Gomega** matchers. Coverage output: `cover.profile`.
+
+## Linting and Formatting
+
+```bash
+make lint                      # golangci-lint (v2.8.0)
+make fmt                       # Format Go code
+make vet                       # Go vet
+make spellcheck                # Spell check markdown docs
+make spellcheck-report         # Spell check with report output
+make spellcheck-docker         # Spell check via Docker (platform-agnostic)
+make spellcheck-format-spelling # Sort and deduplicate .spelling file
+```
+
+## Local Development
+
+```bash
+make lima-all                  # Start local k3s cluster with controller
+make lima-start                # Start lima cluster
+make lima-stop                 # Stop and delete lima cluster
+make lima-redeploy             # Rebuild and redeploy to local cluster
+make lima-install              # Install CRDs and controller into lima cluster
+make lima-uninstall            # Uninstall CRDs and controller from lima cluster
+make lima-restart              # Restart chaos-controller pod
+make lima-push-all             # Push all images to lima cluster
+make lima-push-injector        # Build and push injector image to lima
+make lima-push-handler         # Build and push handler image to lima
+make lima-push-manager         # Build and push manager image to lima
+make lima-install-cert-manager # Install cert-manager into cluster
+make lima-install-datadog-agent # Install Datadog agent into cluster
+make lima-install-demo         # Install demo workloads (curl + nginx)
+make lima-install-longhorn     # Install Longhorn StorageClass for disk throttling
+make lima-kubectx              # Configure kubectl context for lima
+make lima-kubectx-clean        # Remove lima references from kubectl config
+make minikube-load-all         # Load all images into minikube
+make watch                     # Auto-rebuild on file changes
+make debug                     # Prepare for IDE debugging
+make run                       # Run controller locally
+```
+
+## CI
+
+```bash
+make ci-install-minikube       # Install and start minikube for CI
+make venv                      # Create Python virtual environment
+make install-datadog-ci        # Install datadog-ci binary
+```
+
+## Tool Installation
+
+```bash
+make install-golangci-lint     # Install golangci-lint
+make install-controller-gen    # Install controller-gen
+make install-mockery           # Install mockery
+make install-helm              # Install Helm
+make install-protobuf          # Install protoc
+make install-kubebuilder       # Install kubebuilder + setup-envtest
+make install-yamlfmt           # Install yamlfmt
+make install-watchexec         # Install watchexec (via brew)
+make install-go                # Install Go (version from Makefile)
+```
+
+## Architecture
+
+Three main components, each with its own Dockerfile in `bin/`:
+
+- **Manager** (`main.go`, `controllers/`): Long-running controller pod. Watches Disruption CRDs, selects targets via label selectors, creates chaos pods, manages lifecycle with finalizers. Reconciliation flow: add finalizer → compute spec hash → select targets → create chaos pods → track injection status.
+- **Injector** (`injector/`, `cli/injector/`): Runs as ephemeral chaos pods on target nodes. Performs actual disruption using Linux primitives (cgroups, tc, iptables, eBPF). One chaos pod per target per disruption kind.
+- **Handler** (`webhook/`, `cli/handler/`): Admission webhook for pod initialization-time network disruptions.
+
+### CRDs (api/v1beta1/)
+
+- **Disruption**: Main resource defining what failure to inject and targeting criteria
+- **DisruptionCron**: Scheduled/recurring disruptions
+- **DisruptionRollout**: Progressive disruption rollout
+
+### Key Packages
+
+- `controllers/` — Reconciliation controllers for Disruption, DisruptionCron, and DisruptionRollout CRDs
+- `targetselector/` — Target selection logic (labels, count, filters, safety nets)
+- `safemode/` — Safety mechanisms to prevent dangerous disruptions
+- `eventnotifier/` — Notifications (Slack, Datadog, HTTP)
+- `o11y/` — Observability (metrics, tracing, profiling for Datadog and Prometheus)
+- `cloudservice/` — Cloud provider integrations
+- `ebpf/` — eBPF programs for network disruption
+- `grpc/disruptionlistener/` — gRPC service for disruption events
+- `chart/` — Helm chart for deployment
+
+### Code Generation
+
+CRDs are defined in `api/v1beta1/` with kubebuilder markers. After modifying types, run `make manifests generate`. Mocks are generated with mockery into `mocks/`. Protobuf definitions live in `grpc/` and `dogfood/`.
+
+## Requirements
+
+- Kubernetes >= 1.16 (not 1.20.0-1.20.4)
+- Go 1.25.6
+- Docker with buildx (multi-arch: amd64, arm64)
diff --git a/LICENSE-3rdparty.csv b/LICENSE-3rdparty.csv
index 2266f782d..a0956df80 100644
--- a/LICENSE-3rdparty.csv
+++ b/LICENSE-3rdparty.csv
@@ -414,8 +414,6 @@ github.com/miekg/dns,github.com/miekg/dns,BSD-3-Clause
 github.com/mitchellh/go-homedir,github.com/mitchellh/go-homedir,MIT
 github.com/moby/docker-image-spec,github.com/moby/docker-image-spec/specs-go/v1,Apache-2.0
 github.com/moby/locker,github.com/moby/locker,Apache-2.0
-github.com/moby/spdystream,github.com/moby/spdystream,Apache-2.0
-github.com/moby/spdystream,github.com/moby/spdystream/spdy,Apache-2.0
 github.com/moby/sys/mountinfo,github.com/moby/sys/mountinfo,Apache-2.0
 github.com/moby/sys/sequential,github.com/moby/sys/sequential,Apache-2.0
 github.com/moby/sys/signal,github.com/moby/sys/signal,Apache-2.0
@@ -426,7 +424,6 @@ github.com/moby/term,github.com/moby/term/windows,Apache-2.0
 github.com/modern-go/concurrent,github.com/modern-go/concurrent,Apache-2.0
 github.com/modern-go/reflect2,github.com/modern-go/reflect2,Apache-2.0
 github.com/munnerz/goautoneg,github.com/munnerz/goautoneg,BSD-3-Clause
-github.com/mxk/go-flowrate,github.com/mxk/go-flowrate/flowrate,BSD-3-Clause
 github.com/onsi/ginkgo/v2,github.com/onsi/ginkgo/v2,MIT
 github.com/onsi/ginkgo/v2,github.com/onsi/ginkgo/v2/config,MIT
 github.com/onsi/ginkgo/v2,github.com/onsi/ginkgo/v2/formatter,MIT
@@ -662,7 +659,6 @@ golang.org/x/net,golang.org/x/net/ipv4,BSD-3-Clause
 golang.org/x/net,golang.org/x/net/ipv6,BSD-3-Clause
 golang.org/x/net,golang.org/x/net/proxy,BSD-3-Clause
 golang.org/x/net,golang.org/x/net/trace,BSD-3-Clause
-golang.org/x/net,golang.org/x/net/websocket,BSD-3-Clause
 golang.org/x/oauth2,golang.org/x/oauth2,BSD-3-Clause
 golang.org/x/oauth2,golang.org/x/oauth2/internal,BSD-3-Clause
 golang.org/x/sync,golang.org/x/sync/errgroup,BSD-3-Clause
@@ -942,9 +938,6 @@ k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/dump,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/duration,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/errors,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/framer,Apache-2.0
-k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/httpstream,Apache-2.0
-k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/httpstream/spdy,Apache-2.0
-k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/httpstream/wsstream,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/intstr,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/json,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/managedfields,Apache-2.0
@@ -952,10 +945,7 @@ k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/managedfields/internal,Apache-2
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/mergepatch,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/naming,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/net,Apache-2.0
-k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/portforward,Apache-2.0
-k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/proxy,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/rand,Apache-2.0
-k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/remotecommand,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/runtime,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/sets,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/strategicpatch,Apache-2.0
@@ -967,7 +957,6 @@ k8s.io/apimachinery,k8s.io/apimachinery/pkg/util/yaml,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/version,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/pkg/watch,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/third_party/forked/golang/json,Apache-2.0
-k8s.io/apimachinery,k8s.io/apimachinery/third_party/forked/golang/netutil,Apache-2.0
 k8s.io/apimachinery,k8s.io/apimachinery/third_party/forked/golang/reflect,Apache-2.0
 k8s.io/cli-runtime,k8s.io/cli-runtime/pkg/printers,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/applyconfigurations,Apache-2.0
@@ -1295,15 +1284,11 @@ k8s.io/client-go,k8s.io/client-go/tools/pager,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/tools/record,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/tools/record/util,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/tools/reference,Apache-2.0
-k8s.io/client-go,k8s.io/client-go/tools/remotecommand,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/transport,Apache-2.0
-k8s.io/client-go,k8s.io/client-go/transport/spdy,Apache-2.0
-k8s.io/client-go,k8s.io/client-go/transport/websocket,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/util/apply,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/util/cert,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/util/connrotation,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/util/consistencydetector,Apache-2.0
-k8s.io/client-go,k8s.io/client-go/util/exec,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/util/flowcontrol,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/util/homedir,Apache-2.0
 k8s.io/client-go,k8s.io/client-go/util/jsonpath,Apache-2.0
diff --git a/api/v1beta1/disruption_types.go b/api/v1beta1/disruption_types.go
index 248f53c24..ac7a6d342 100644
--- a/api/v1beta1/disruption_types.go
+++ b/api/v1beta1/disruption_types.go
@@ -76,6 +76,8 @@ type DisruptionSpec struct {
 	// +nullable
 	CPUPressure *CPUPressureSpec `json:"cpuPressure,omitempty"`
 	// +nullable
+	MemoryPressure *MemoryPressureSpec `json:"memoryPressure,omitempty"`
+	// +nullable
 	DiskPressure *DiskPressureSpec `json:"diskPressure,omitempty"`
 	// +nullable
 	DiskFailure *DiskFailureSpec `json:"diskFailure,omitempty"`
@@ -694,25 +696,25 @@ func (s DisruptionSpec) validateGlobalDisruptionScope(requireSelectors bool) (re
 	}
 
 	// Rule: At least one disruption kind must be applied
-	if s.CPUPressure == nil && s.DiskPressure == nil && s.DiskFailure == nil && s.Network == nil && s.GRPC == nil && s.DNS == nil && s.ContainerFailure == nil && s.NodeFailure == nil && s.PodReplacement == nil {
+	if s.CPUPressure == nil && s.MemoryPressure == nil && s.DiskPressure == nil && s.DiskFailure == nil && s.Network == nil && s.GRPC == nil && s.DNS == nil && s.ContainerFailure == nil && s.NodeFailure == nil && s.PodReplacement == nil {
 		retErr = multierror.Append(retErr, errors.New("at least one disruption kind must be specified, please read the docs to see your options"))
 	}
 
 	// Rule: ContainerFailure, NodeFailure, and PodReplacement disruptions are not compatible with other failure types
 	if s.ContainerFailure != nil {
-		if s.CPUPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.DNS != nil || s.NodeFailure != nil || s.PodReplacement != nil {
+		if s.CPUPressure != nil || s.MemoryPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.DNS != nil || s.NodeFailure != nil || s.PodReplacement != nil {
 			retErr = multierror.Append(retErr, errors.New("container failure disruptions are not compatible with other disruption kinds. The container failure will remove the impact of the other disruption types"))
 		}
 	}
 
 	if s.NodeFailure != nil {
-		if s.CPUPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.DNS != nil || s.ContainerFailure != nil || s.PodReplacement != nil {
+		if s.CPUPressure != nil || s.MemoryPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.DNS != nil || s.ContainerFailure != nil || s.PodReplacement != nil {
 			retErr = multierror.Append(retErr, errors.New("node failure disruptions are not compatible with other disruption kinds. The node failure will remove the impact of the other disruption types"))
 		}
 	}
 
 	if s.PodReplacement != nil {
-		if s.CPUPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.DNS != nil || s.ContainerFailure != nil || s.NodeFailure != nil {
+		if s.CPUPressure != nil || s.MemoryPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.DNS != nil || s.ContainerFailure != nil || s.NodeFailure != nil {
 			retErr = multierror.Append(retErr, errors.New("pod replacement disruptions are not compatible with other disruption kinds. The pod replacement will remove the impact of the other disruption types"))
 		}
 		// Rule: container failure not possible if disruption is node-level
@@ -724,6 +726,7 @@ func (s DisruptionSpec) validateGlobalDisruptionScope(requireSelectors bool) (re
 	// Rule: on init compatibility
 	if s.OnInit {
 		if s.CPUPressure != nil ||
+			s.MemoryPressure != nil ||
 			s.NodeFailure != nil ||
 			s.PodReplacement != nil ||
 			s.ContainerFailure != nil ||
@@ -747,6 +750,11 @@ func (s DisruptionSpec) validateGlobalDisruptionScope(requireSelectors bool) (re
 		retErr = multierror.Append(retErr, errors.New("disk pressure disruptions apply to all containers, specifying certain containers does not isolate the disruption"))
 	}
 
+	// Rule: No specificity of containers on a memory disruption
+	if len(s.Containers) != 0 && s.MemoryPressure != nil {
+		retErr = multierror.Append(retErr, errors.New("memory pressure disruptions apply to all containers, specifying certain containers does not isolate the disruption"))
+	}
+
 	// Rule: DisruptionTrigger
 	if s.Triggers != nil && !s.Triggers.IsZero() {
 		if !s.Triggers.Inject.IsZero() && !s.Triggers.CreatePods.IsZero() {
@@ -772,7 +780,7 @@ func (s DisruptionSpec) validateGlobalDisruptionScope(requireSelectors bool) (re
 	if s.Pulse != nil {
 		if s.Pulse.ActiveDuration.Duration() > 0 || s.Pulse.DormantDuration.Duration() > 0 {
 			if s.NodeFailure != nil || s.PodReplacement != nil || s.ContainerFailure != nil {
-				retErr = multierror.Append(retErr, errors.New("pulse is only compatible with network, cpu pressure, disk pressure, dns, and grpc disruptions"))
+				retErr = multierror.Append(retErr, errors.New("pulse is only compatible with network, cpu pressure, memory pressure, disk pressure, dns, and grpc disruptions"))
 			}
 		}
 
@@ -824,6 +832,8 @@ func (s DisruptionSpec) DisruptionKindPicker(kind chaostypes.DisruptionKindName)
 		disruptionKind = s.Network
 	case chaostypes.DisruptionKindCPUPressure:
 		disruptionKind = s.CPUPressure
+	case chaostypes.DisruptionKindMemoryPressure:
+		disruptionKind = s.MemoryPressure
 	case chaostypes.DisruptionKindDiskPressure:
 		disruptionKind = s.DiskPressure
 	case chaostypes.DisruptionKindGRPCDisruption:
@@ -888,6 +898,10 @@ func (s DisruptionSpec) DisruptionCount() int {
 		count++
 	}
 
+	if s.MemoryPressure != nil {
+		count++
+	}
+
 	if s.ContainerFailure != nil {
 		count++
 	}
@@ -1060,6 +1074,10 @@ func (s DisruptionSpec) Explain() []string {
 		explanation = append(explanation, s.CPUPressure.Explain()...)
 	}
 
+	if s.MemoryPressure != nil {
+		explanation = append(explanation, s.MemoryPressure.Explain()...)
+	}
+
 	if s.DiskPressure != nil {
 		explanation = append(explanation, s.DiskPressure.Explain()...)
 	}
diff --git a/api/v1beta1/memory_pressure.go b/api/v1beta1/memory_pressure.go
new file mode 100644
index 000000000..6cc6f7779
--- /dev/null
+++ b/api/v1beta1/memory_pressure.go
@@ -0,0 +1,78 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package v1beta1
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/go-multierror"
+)
+
+// MemoryPressureSpec represents a memory pressure disruption
+type MemoryPressureSpec struct {
+	// Target memory utilization as a percentage (e.g., "76%")
+	// +kubebuilder:validation:Required
+	TargetPercent string `json:"targetPercent" chaos_validate:"required"`
+	// Duration over which memory is gradually consumed (e.g., "10m")
+	// If empty, memory is consumed immediately
+	RampDuration DisruptionDuration `json:"rampDuration,omitempty"`
+}
+
+// Validate validates args for the given disruption
+func (s *MemoryPressureSpec) Validate() (retErr error) {
+	// Rule: targetPercent must be a valid percentage between 1 and 100
+	pct, err := ParseTargetPercent(s.TargetPercent)
+	if err != nil {
+		retErr = multierror.Append(retErr, fmt.Errorf("invalid targetPercent %q: %w", s.TargetPercent, err))
+	} else if pct < 1 || pct > 100 {
+		retErr = multierror.Append(retErr, fmt.Errorf("targetPercent must be between 1 and 100, got %d", pct))
+	}
+
+	// Rule: rampDuration must be non-negative
+	if s.RampDuration.Duration() < 0 {
+		retErr = multierror.Append(retErr, fmt.Errorf("rampDuration must be non-negative, got %s", s.RampDuration))
+	}
+
+	return retErr
+}
+
+// GenerateArgs generates injection or cleanup pod arguments for the given spec
+func (s *MemoryPressureSpec) GenerateArgs() []string {
+	args := []string{
+		"memory-pressure",
+		"--target-percent", s.TargetPercent,
+	}
+
+	if s.RampDuration.Duration() > 0 {
+		args = append(args, "--ramp-duration", s.RampDuration.Duration().String())
+	}
+
+	return args
+}
+
+func (s *MemoryPressureSpec) Explain() []string {
+	pct, _ := ParseTargetPercent(s.TargetPercent)
+
+	explanation := fmt.Sprintf("spec.memoryPressure will cause memory pressure on the target, by joining its cgroup and allocating memory to reach %d%% of the target's memory limit", pct)
+
+	if s.RampDuration.Duration() > 0 {
+		explanation += fmt.Sprintf(", ramping up over %s.", s.RampDuration.Duration())
+	} else {
+		explanation += " immediately."
+	}
+
+	return []string{"", explanation}
+}
+
+// ParseTargetPercent parses a percentage string like "76%" or "76" and returns the integer value
+func ParseTargetPercent(s string) (int, error) {
+	s = strings.TrimSpace(s)
+	s = strings.TrimSuffix(s, "%")
+
+	return strconv.Atoi(s)
+}
diff --git a/api/v1beta1/memory_pressure_test.go b/api/v1beta1/memory_pressure_test.go
new file mode 100644
index 000000000..8124e7ab1
--- /dev/null
+++ b/api/v1beta1/memory_pressure_test.go
@@ -0,0 +1,100 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package v1beta1_test
+
+import (
+	. "github.com/DataDog/chaos-controller/api/v1beta1"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("MemoryPressureSpec", func() {
+	Describe("Validate", func() {
+		It("succeeds with valid percentage", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "76%",
+			}
+			Expect(spec.Validate()).To(Succeed())
+		})
+
+		It("succeeds with percentage without suffix", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "50",
+			}
+			Expect(spec.Validate()).To(Succeed())
+		})
+
+		It("succeeds with ramp duration", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "76%",
+				RampDuration:  DisruptionDuration("10m"),
+			}
+			Expect(spec.Validate()).To(Succeed())
+		})
+
+		It("fails with zero percent", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "0%",
+			}
+			Expect(spec.Validate()).To(HaveOccurred())
+		})
+
+		It("fails with percent over 100", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "101%",
+			}
+			Expect(spec.Validate()).To(HaveOccurred())
+		})
+
+		It("fails with invalid percent string", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "abc",
+			}
+			Expect(spec.Validate()).To(HaveOccurred())
+		})
+	})
+
+	Describe("GenerateArgs", func() {
+		It("generates args without ramp duration", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "76%",
+			}
+			args := spec.GenerateArgs()
+			Expect(args).To(Equal([]string{"memory-pressure", "--target-percent", "76%"}))
+		})
+
+		It("generates args with ramp duration", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "50%",
+				RampDuration:  DisruptionDuration("10m0s"),
+			}
+			args := spec.GenerateArgs()
+			Expect(args).To(Equal([]string{"memory-pressure", "--target-percent", "50%", "--ramp-duration", "10m0s"}))
+		})
+	})
+
+	Describe("Explain", func() {
+		It("explains without ramp", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "76%",
+			}
+			explanation := spec.Explain()
+			Expect(explanation).To(HaveLen(2))
+			Expect(explanation[1]).To(ContainSubstring("76%"))
+			Expect(explanation[1]).To(ContainSubstring("immediately"))
+		})
+
+		It("explains with ramp", func() {
+			spec := &MemoryPressureSpec{
+				TargetPercent: "50%",
+				RampDuration:  DisruptionDuration("10m0s"),
+			}
+			explanation := spec.Explain()
+			Expect(explanation).To(HaveLen(2))
+			Expect(explanation[1]).To(ContainSubstring("ramping up"))
+		})
+	})
+})
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 79caab059..c9271bd20 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -636,6 +636,11 @@ func (in *DisruptionSpec) DeepCopyInto(out *DisruptionSpec) {
 		*out = new(CPUPressureSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.MemoryPressure != nil {
+		in, out := &in.MemoryPressure, &out.MemoryPressure
+		*out = new(MemoryPressureSpec)
+		**out = **in
+	}
 	if in.DiskPressure != nil {
 		in, out := &in.DiskPressure, &out.DiskPressure
 		*out = new(DiskPressureSpec)
@@ -836,6 +841,21 @@ func (in HTTPPaths) DeepCopy() HTTPPaths {
 	return *out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MemoryPressureSpec) DeepCopyInto(out *MemoryPressureSpec) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemoryPressureSpec.
+func (in *MemoryPressureSpec) DeepCopy() *MemoryPressureSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(MemoryPressureSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDisruptionCloudServiceSpec) DeepCopyInto(out *NetworkDisruptionCloudServiceSpec) {
 	*out = *in
diff --git a/chart/templates/generated/chaos.datadoghq.com_disruptioncrons.yaml b/chart/templates/generated/chaos.datadoghq.com_disruptioncrons.yaml
index 0dad2365b..14af5850d 100644
--- a/chart/templates/generated/chaos.datadoghq.com_disruptioncrons.yaml
+++ b/chart/templates/generated/chaos.datadoghq.com_disruptioncrons.yaml
@@ -309,6 +309,21 @@ spec:
                         After this many runs, the disruption will become idle (default: unlimited for continuous disruptions)
                       minimum: 1
                       type: integer
+                    memoryPressure:
+                      description: MemoryPressureSpec represents a memory pressure disruption
+                      nullable: true
+                      properties:
+                        rampDuration:
+                          description: |-
+                            Duration over which memory is gradually consumed (e.g., "10m")
+                            If empty, memory is consumed immediately
+                          type: string
+                        targetPercent:
+                          description: Target memory utilization as a percentage (e.g., "76%")
+                          type: string
+                      required:
+                        - targetPercent
+                      type: object
                     network:
                       description: NetworkDisruptionSpec represents a network disruption injection
                       nullable: true
diff --git a/chart/templates/generated/chaos.datadoghq.com_disruptionrollouts.yaml b/chart/templates/generated/chaos.datadoghq.com_disruptionrollouts.yaml
index c8bd85305..e9f636d1f 100644
--- a/chart/templates/generated/chaos.datadoghq.com_disruptionrollouts.yaml
+++ b/chart/templates/generated/chaos.datadoghq.com_disruptionrollouts.yaml
@@ -310,6 +310,21 @@ spec:
                         After this many runs, the disruption will become idle (default: unlimited for continuous disruptions)
                       minimum: 1
                       type: integer
+                    memoryPressure:
+                      description: MemoryPressureSpec represents a memory pressure disruption
+                      nullable: true
+                      properties:
+                        rampDuration:
+                          description: |-
+                            Duration over which memory is gradually consumed (e.g., "10m")
+                            If empty, memory is consumed immediately
+                          type: string
+                        targetPercent:
+                          description: Target memory utilization as a percentage (e.g., "76%")
+                          type: string
+                      required:
+                        - targetPercent
+                      type: object
                     network:
                       description: NetworkDisruptionSpec represents a network disruption injection
                       nullable: true
diff --git a/chart/templates/generated/chaos.datadoghq.com_disruptions.yaml b/chart/templates/generated/chaos.datadoghq.com_disruptions.yaml
index 2c6bf14f5..fa6b4be1e 100644
--- a/chart/templates/generated/chaos.datadoghq.com_disruptions.yaml
+++ b/chart/templates/generated/chaos.datadoghq.com_disruptions.yaml
@@ -300,6 +300,21 @@ spec:
                     After this many runs, the disruption will become idle (default: unlimited for continuous disruptions)
                   minimum: 1
                   type: integer
+                memoryPressure:
+                  description: MemoryPressureSpec represents a memory pressure disruption
+                  nullable: true
+                  properties:
+                    rampDuration:
+                      description: |-
+                        Duration over which memory is gradually consumed (e.g., "10m")
+                        If empty, memory is consumed immediately
+                      type: string
+                    targetPercent:
+                      description: Target memory utilization as a percentage (e.g., "76%")
+                      type: string
+                  required:
+                    - targetPercent
+                  type: object
                 network:
                   description: NetworkDisruptionSpec represents a network disruption injection
                   nullable: true
diff --git a/cli/injector/main.go b/cli/injector/main.go
index b2177c585..69d91f603 100644
--- a/cli/injector/main.go
+++ b/cli/injector/main.go
@@ -87,6 +87,8 @@ func init() {
 	rootCmd.AddCommand(containerFailureCmd)
 	rootCmd.AddCommand(cpuPressureCmd)
 	rootCmd.AddCommand(cpuPressureStressCmd)
+	rootCmd.AddCommand(memoryPressureCmd)
+	rootCmd.AddCommand(memoryPressureStressCmd)
 	rootCmd.AddCommand(diskFailureCmd)
 	rootCmd.AddCommand(diskPressureCmd)
 	rootCmd.AddCommand(grpcDisruptionCmd)
diff --git a/cli/injector/memory_pressure.go b/cli/injector/memory_pressure.go
new file mode 100644
index 000000000..25051ae9d
--- /dev/null
+++ b/cli/injector/memory_pressure.go
@@ -0,0 +1,48 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package main
+
+import (
+	"time"
+
+	"github.com/DataDog/chaos-controller/command"
+	"github.com/DataDog/chaos-controller/injector"
+	"github.com/DataDog/chaos-controller/process"
+	"github.com/spf13/cobra"
+)
+
+var memoryPressureCmd = &cobra.Command{
+	Use:   "memory-pressure",
+	Short: "Memory pressure subcommands",
+	Run:   injectAndWait,
+	PreRun: func(cmd *cobra.Command, args []string) {
+		targetPercent, _ := cmd.Flags().GetString("target-percent")
+		rampDuration, _ := cmd.Flags().GetDuration("ramp-duration")
+
+		cmdFactory := command.NewFactory(disruptionArgs.DryRun)
+		processManager := process.NewManager(disruptionArgs.DryRun)
+		injectorCmdFactory := injector.NewInjectorCmdFactory(log, processManager, cmdFactory)
+		memoryStressArgsBuilder := memoryStressArgsBuilder{}
+
+		for _, config := range configs {
+			injectors = append(
+				injectors,
+				injector.NewMemoryPressureInjector(
+					config,
+					targetPercent,
+					rampDuration,
+					injectorCmdFactory,
+					memoryStressArgsBuilder,
+				),
+			)
+		}
+	},
+}
+
+func init() {
+	memoryPressureCmd.Flags().String("target-percent", "", "target memory utilization percentage (e.g., '76%')")
+	memoryPressureCmd.Flags().Duration("ramp-duration", time.Duration(0), "duration to ramp up memory usage")
+}
diff --git a/cli/injector/memory_stress.go b/cli/injector/memory_stress.go
new file mode 100644
index 000000000..1c6f3584f
--- /dev/null
+++ b/cli/injector/memory_stress.go
@@ -0,0 +1,78 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package main
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/DataDog/chaos-controller/injector"
+	"github.com/DataDog/chaos-controller/o11y/tags"
+	"github.com/DataDog/chaos-controller/process"
+)
+
+const (
+	memoryTargetPercentFlagName = "target-percent"
+	memoryRampDurationFlagName  = "ramp-duration"
+	memoryStressCommandName     = "memory-stress"
+)
+
+var memoryPressureStressCmd = &cobra.Command{
+	Use:   memoryStressCommandName,
+	Short: "Memory stress subcommands",
+	Run:   injectAndWait,
+	PreRunE: func(cmd *cobra.Command, args []string) error {
+		if len(configs) != 1 {
+			return fmt.Errorf("%s expects a single target configuration, found %d", memoryStressCommandName, len(configs))
+		}
+
+		config := configs[0]
+
+		targetPercent, _ := cmd.Flags().GetInt(memoryTargetPercentFlagName)
+		rampDuration, _ := cmd.Flags().GetDuration(memoryRampDurationFlagName)
+
+		log.Infow("stressing memory allocated to target",
+			tags.TargetPercentKey, targetPercent,
+			tags.RampDurationKey, rampDuration,
+			tags.TargetNameKey, config.TargetName(),
+		)
+
+		processManager := process.NewManager(config.Disruption.DryRun)
+
+		injectors = append(
+			injectors,
+			injector.NewMemoryStressInjector(
+				config,
+				targetPercent,
+				rampDuration,
+				processManager,
+			))
+
+		return nil
+	},
+}
+
+func init() {
+	memoryPressureStressCmd.Flags().Int(memoryTargetPercentFlagName, 50, "target memory utilization percentage")
+	memoryPressureStressCmd.Flags().Duration(memoryRampDurationFlagName, time.Duration(0), "duration to ramp up memory usage")
+}
+
+type memoryStressArgsBuilder struct{}
+
+func (m memoryStressArgsBuilder) GenerateArgs(targetPercent int, rampDuration time.Duration) []string {
+	args := []string{
+		memoryStressCommandName,
+		fmt.Sprintf("--%s=%d", memoryTargetPercentFlagName, targetPercent),
+	}
+
+	if rampDuration > 0 {
+		args = append(args, fmt.Sprintf("--%s=%s", memoryRampDurationFlagName, rampDuration.String()))
+	}
+
+	return args
+}
diff --git a/controllers/cpu_pressure_test.go b/controllers/cpu_pressure_test.go
index 386408170..31ed16f78 100644
--- a/controllers/cpu_pressure_test.go
+++ b/controllers/cpu_pressure_test.go
@@ -6,22 +6,14 @@
 package controllers
 
 import (
-	"bytes"
-	"fmt"
-	"strings"
-
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/scheme"
-	"k8s.io/client-go/tools/remotecommand"
 
 	chaosv1beta1 "github.com/DataDog/chaos-controller/api/v1beta1"
 	chaostypes "github.com/DataDog/chaos-controller/types"
@@ -51,7 +43,6 @@ var _ = Describe("CPU Pressure", func() {
 	})
 
 	JustBeforeEach(func(ctx SpecContext) {
-		Skip("See CHAOSPLT-212: Data Race in test")
 		cpuStress, targetPod, _ = InjectPodsAndDisruption(ctx, cpuStress, true)
 	})
 
@@ -76,11 +67,24 @@ var _ = Describe("CPU Pressure", func() {
 			},
 		}
 
+		disruptionKey := types.NamespacedName{Namespace: cpuStress.Namespace, Name: cpuStress.Name}
+
 		Concurrently{
 			func(ctx SpecContext) {
-				Consistently(func(ctx SpecContext) bool {
-					return ExpectDisruptionStatus(ctx, cpuStress, chaostypes.DisruptionInjectionStatusInjected, chaostypes.DisruptionInjectionStatusPausedInjected, chaostypes.DisruptionInjectionStatusPreviouslyInjected)
-				}).WithContext(ctx).Within(calcDisruptionGoneTimeout(cpuStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(BeTrue())
+				Consistently(func(g Gomega, ctx SpecContext) {
+					var dis chaosv1beta1.Disruption
+					if err := k8sClient.Get(ctx, disruptionKey, &dis); apierrors.IsNotFound(err) {
+						return
+					} else {
+						g.Expect(err).ToNot(HaveOccurred())
+					}
+
+					g.Expect(dis.Status.InjectionStatus).To(BeElementOf(
+						chaostypes.DisruptionInjectionStatusInjected,
+						chaostypes.DisruptionInjectionStatusPausedInjected,
+						chaostypes.DisruptionInjectionStatusPreviouslyInjected,
+					))
+				}).WithContext(ctx).Within(calcDisruptionGoneTimeout(cpuStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(Succeed())
 			},
 			func(ctx SpecContext) {
 				GinkgoHelper()
@@ -95,26 +99,21 @@ var _ = Describe("CPU Pressure", func() {
 
 				// once it's done, we expect to eventually have stressers back before the end of the disruption
 				Eventually(func(g Gomega, ctx SpecContext) {
-					err := k8sClient.Get(ctx, types.NamespacedName{Namespace: cpuStress.Namespace, Name: cpuStress.Name}, &cpuStress)
+					var freshDisruption chaosv1beta1.Disruption
+
+					err := k8sClient.Get(ctx, disruptionKey, &freshDisruption)
 					if apierrors.IsNotFound(err) {
 						return
 					}
 					g.Expect(err).ToNot(HaveOccurred())
 
-					// get chaos pod associated to original disruption, the cpu-pressure
-					chaosPods, err := listChaosPods(ctx, cpuStress)
+					chaosPods, err := listChaosPods(ctx, freshDisruption)
 					g.Expect(err).ToNot(HaveOccurred())
 					g.Expect(chaosPods.Items).To(HaveLen(1))
 
-					AddReportEntry("Gonna exec into pod", chaosPods.Items[0].Name)
-
-					// count number of chaos-injector cpu-stress, there should be 2
-					stou, sterr, err := ExecuteRemoteCommand(ctx, &chaosPods.Items[0], "injector", `ps ax | grep "/usr/local/bin/chaos-injector cpu-stress" | grep -v grep | wc -l`)
-					g.Expect(err).ToNot(HaveOccurred(), "an unexpected error occured while executing remote command, details:", sterr)
-
-					AddReportEntry("Found cpu-stress process on injector:", stou)
-
-					g.Expect(stou).To(WithTransform(strings.TrimSpace, Equal("1")))
+					pod := chaosPods.Items[0]
+					AddReportEntry("Checking chaos pod is running after container restart", pod.Name)
+					g.Expect(allContainersAreRunning(ctx, pod)).To(BeTrue())
 				}).WithContext(ctx).Within(calcDisruptionGoneTimeout(cpuStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(Succeed())
 			},
 		}.DoAndWait(ctx)
@@ -123,40 +122,3 @@ var _ = Describe("CPU Pressure", func() {
 		Entry("by a SIGKILL", true),
 	)
 })
-
-func ExecuteRemoteCommand(ctx SpecContext, pod *v1.Pod, container, command string) (string, string, error) {
-	coreClient, err := kubernetes.NewForConfig(restConfig)
-	if err != nil {
-		return "", "", fmt.Errorf("unable to create kubernetes client: %w", err)
-	}
-
-	request := coreClient.CoreV1().RESTClient().
-		Post().
-		Namespace(pod.Namespace).
-		Resource("pods").
-		Name(pod.Name).
-		SubResource("exec").
-		VersionedParams(&v1.PodExecOptions{
-			Command:   []string{"/bin/sh", "-c", command},
-			Container: container,
-			Stdin:     false,
-			Stdout:    true,
-			Stderr:    true,
-			TTY:       true,
-		}, scheme.ParameterCodec)
-	exec, err := remotecommand.NewSPDYExecutor(restConfig, "POST", request.URL())
-	Expect(err).ToNot(HaveOccurred())
-
-	buf := &bytes.Buffer{}
-	errBuf := &bytes.Buffer{}
-
-	err = exec.StreamWithContext(ctx, remotecommand.StreamOptions{
-		Stdout: buf,
-		Stderr: errBuf,
-	})
-	if err != nil {
-		return "", "", fmt.Errorf("%w Failed executing command %s on %v/%v", err, command, pod.Namespace, pod.Name)
-	}
-
-	return buf.String(), errBuf.String(), nil
-}
diff --git a/controllers/memory_pressure_test.go b/controllers/memory_pressure_test.go
new file mode 100644
index 000000000..9471915ee
--- /dev/null
+++ b/controllers/memory_pressure_test.go
@@ -0,0 +1,279 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package controllers
+
+import (
+	"fmt"
+	"strings"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+
+	chaosv1beta1 "github.com/DataDog/chaos-controller/api/v1beta1"
+	chaostypes "github.com/DataDog/chaos-controller/types"
+)
+
+var _ = Describe("Memory Pressure", func() {
+	var (
+		memoryStress chaosv1beta1.Disruption
+		targetPod    corev1.Pod
+	)
+
+	BeforeEach(func() {
+		memoryStress = chaosv1beta1.Disruption{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace:   namespace,
+				Annotations: map[string]string{chaosv1beta1.SafemodeEnvironmentAnnotation: "lima"},
+			},
+			Spec: chaosv1beta1.DisruptionSpec{
+				Duration: "1m",
+				Count:    &intstr.IntOrString{Type: intstr.Int, IntVal: 1},
+				Unsafemode: &chaosv1beta1.UnsafemodeSpec{
+					DisableAll: true,
+				},
+				MemoryPressure: &chaosv1beta1.MemoryPressureSpec{
+					TargetPercent: "50%",
+				},
+			},
+		}
+	})
+
+	JustBeforeEach(func(ctx SpecContext) {
+		memoryStress, targetPod, _ = InjectPodsAndDisruption(ctx, memoryStress, true)
+	})
+
+	It("should inject memory pressure with correct chaos pod args", func(ctx SpecContext) {
+		ExpectDisruptionStatus(ctx, memoryStress, chaostypes.DisruptionInjectionStatusInjected)
+
+		By("Ensuring chaos pod is created and carries memory-pressure args")
+		Eventually(func(g Gomega, ctx SpecContext) {
+			chaosPods, err := listChaosPods(ctx, memoryStress)
+			g.Expect(err).ToNot(HaveOccurred())
+			g.Expect(chaosPods.Items).To(HaveLen(1))
+
+			args := strings.Join(chaosPods.Items[0].Spec.Containers[0].Args, " ")
+			g.Expect(args).To(ContainSubstring("memory-pressure"))
+			g.Expect(args).To(ContainSubstring("--target-percent"))
+		}).WithContext(ctx).Within(calcDisruptionGoneTimeout(memoryStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(Succeed())
+	})
+
+	Context("immediate allocation (no ramp)", func() {
+		BeforeEach(func() {
+			memoryStress.Spec.Duration = shortDisruptionDuration
+			memoryStress.Spec.MemoryPressure.TargetPercent = "30%"
+		})
+
+		It("should allocate memory immediately and expire naturally", func(ctx SpecContext) {
+			ExpectDisruptionStatus(ctx, memoryStress, chaostypes.DisruptionInjectionStatusInjected)
+
+			By("Ensuring chaos pod does not carry a ramp-duration argument")
+			Eventually(func(g Gomega, ctx SpecContext) {
+				chaosPods, err := listChaosPods(ctx, memoryStress)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(chaosPods.Items).To(HaveLen(1))
+
+				args := strings.Join(chaosPods.Items[0].Spec.Containers[0].Args, " ")
+				g.Expect(args).To(ContainSubstring("memory-pressure"))
+				g.Expect(args).ToNot(ContainSubstring("--ramp-duration"))
+			}).WithContext(ctx).Within(calcDisruptionGoneTimeout(memoryStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(Succeed())
+
+			Concurrently{
+				func(ctx SpecContext) {
+					By("Waiting for the disruption to expire naturally")
+					ExpectChaosPods(ctx, memoryStress, 0)
+				},
+				func(ctx SpecContext) {
+					By("Waiting for the disruption to reach PreviouslyInjected")
+					ExpectDisruptionStatus(ctx, memoryStress, chaostypes.DisruptionInjectionStatusPreviouslyInjected)
+				},
+			}.DoAndWait(ctx)
+		})
+	})
+
+	Context("with ramp duration", func() {
+		BeforeEach(func() {
+			memoryStress.Spec.MemoryPressure.RampDuration = chaosv1beta1.DisruptionDuration("30s")
+		})
+
+		It("should inject memory pressure with ramp-duration argument", func(ctx SpecContext) {
+			ExpectDisruptionStatus(ctx, memoryStress, chaostypes.DisruptionInjectionStatusInjected)
+
+			By("Ensuring chaos pod carries the ramp-duration argument")
+			Eventually(func(g Gomega, ctx SpecContext) {
+				chaosPods, err := listChaosPods(ctx, memoryStress)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(chaosPods.Items).To(HaveLen(1))
+
+				args := strings.Join(chaosPods.Items[0].Spec.Containers[0].Args, " ")
+				g.Expect(args).To(ContainSubstring("memory-pressure"))
+				g.Expect(args).To(ContainSubstring("--ramp-duration"))
+			}).WithContext(ctx).Within(calcDisruptionGoneTimeout(memoryStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(Succeed())
+		})
+	})
+
+	Context("combined with CPU pressure", func() {
+		BeforeEach(func() {
+			memoryStress.Spec.CPUPressure = &chaosv1beta1.CPUPressureSpec{}
+		})
+
+		It("should create chaos pods for both disruption kinds", func(ctx SpecContext) {
+			ExpectDisruptionStatus(ctx, memoryStress, chaostypes.DisruptionInjectionStatusInjected)
+
+			By("Ensuring that two chaos pods are created (one per disruption kind)")
+			ExpectChaosPods(ctx, memoryStress, 2)
+
+			By("Verifying chaos pods carry both memory-pressure and cpu-pressure args")
+			Concurrently{
+				func(ctx SpecContext) {
+					Eventually(expectChaosPodWithArgs(memoryStress, "memory-pressure")).
+						WithContext(ctx).
+						Within(calcDisruptionGoneTimeout(memoryStress)).
+						ProbeEvery(disruptionPotentialChangesEvery).
+						Should(Succeed())
+				},
+				func(ctx SpecContext) {
+					Eventually(expectChaosPodWithArgs(memoryStress, "cpu-pressure")).
+						WithContext(ctx).
+						Within(calcDisruptionGoneTimeout(memoryStress)).
+						ProbeEvery(disruptionPotentialChangesEvery).
+						Should(Succeed())
+				},
+			}.DoAndWait(ctx)
+		})
+	})
+
+	Context("pulse mode", func() {
+		BeforeEach(func() {
+			memoryStress.Spec.Duration = "2m"
+			memoryStress.Spec.Pulse = &chaosv1beta1.DisruptionPulse{
+				ActiveDuration:  chaosv1beta1.DisruptionDuration("15s"),
+				DormantDuration: chaosv1beta1.DisruptionDuration("10s"),
+			}
+		})
+
+		It("should inject with pulse arguments and cycle through active/dormant phases", func(ctx SpecContext) {
+			ExpectDisruptionStatus(ctx, memoryStress, chaostypes.DisruptionInjectionStatusInjected)
+
+			By("Ensuring chaos pod is created")
+			ExpectChaosPods(ctx, memoryStress, 1)
+
+			By("Verifying chaos pod has pulse arguments")
+			Eventually(func(g Gomega, ctx SpecContext) {
+				chaosPods, err := listChaosPods(ctx, memoryStress)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(chaosPods.Items).To(HaveLen(1))
+
+				args := strings.Join(chaosPods.Items[0].Spec.Containers[0].Args, " ")
+				g.Expect(args).To(ContainSubstring("memory-pressure"))
+				g.Expect(args).To(ContainSubstring("--pulse-active-duration"))
+				g.Expect(args).To(ContainSubstring("--pulse-dormant-duration"))
+			}).WithContext(ctx).Within(calcDisruptionGoneTimeout(memoryStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(Succeed())
+
+			By("Ensuring disruption stays healthy throughout pulse cycle")
+			ExpectDisruptionStatusUntilExpired(ctx, memoryStress, chaostypes.DisruptionInjectionStatusInjected)
+		})
+	})
+
+	DescribeTable("targeted container is stopped", func(ctx SpecContext, forced bool) {
+		ExpectDisruptionStatus(ctx, memoryStress, chaostypes.DisruptionInjectionStatusInjected)
+
+		stopTargetedContainer := chaosv1beta1.Disruption{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:        targetPod.Name + "-term",
+				Namespace:   namespace,
+				Annotations: map[string]string{chaosv1beta1.SafemodeEnvironmentAnnotation: "lima"},
+			},
+			Spec: chaosv1beta1.DisruptionSpec{
+				AllowDisruptedTargets: true,
+				StaticTargeting:       true,
+				Duration:              "15s",
+				Count:                 &intstr.IntOrString{Type: intstr.Int, IntVal: 1},
+				Containers:            []string{"ctn1"},
+				ContainerFailure: &chaosv1beta1.ContainerFailureSpec{
+					Forced: forced,
+				},
+			},
+		}
+
+		disruptionKey := types.NamespacedName{Namespace: memoryStress.Namespace, Name: memoryStress.Name}
+
+		Concurrently{
+			func(ctx SpecContext) {
+				Consistently(func(g Gomega, ctx SpecContext) {
+					var dis chaosv1beta1.Disruption
+					if err := k8sClient.Get(ctx, disruptionKey, &dis); apierrors.IsNotFound(err) {
+						return
+					} else {
+						g.Expect(err).ToNot(HaveOccurred())
+					}
+
+					g.Expect(dis.Status.InjectionStatus).To(BeElementOf(
+						chaostypes.DisruptionInjectionStatusInjected,
+						chaostypes.DisruptionInjectionStatusPausedInjected,
+						chaostypes.DisruptionInjectionStatusPreviouslyInjected,
+					))
+				}).WithContext(ctx).Within(calcDisruptionGoneTimeout(memoryStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(Succeed())
+			},
+			func(ctx SpecContext) {
+				GinkgoHelper()
+
+				CreateDisruption(ctx, stopTargetedContainer, targetPod)
+
+				ExpectDisruptionStatus(ctx, stopTargetedContainer, chaostypes.DisruptionInjectionStatusInjected)
+				ExpectDisruptionStatus(ctx, stopTargetedContainer, chaostypes.DisruptionInjectionStatusPreviouslyInjected)
+
+				Eventually(func(g Gomega, ctx SpecContext) {
+					var freshDisruption chaosv1beta1.Disruption
+
+					err := k8sClient.Get(ctx, disruptionKey, &freshDisruption)
+					if apierrors.IsNotFound(err) {
+						return
+					}
+					g.Expect(err).ToNot(HaveOccurred())
+
+					chaosPods, err := listChaosPods(ctx, freshDisruption)
+					g.Expect(err).ToNot(HaveOccurred())
+					g.Expect(chaosPods.Items).To(HaveLen(1))
+
+					pod := chaosPods.Items[0]
+					AddReportEntry("Checking chaos pod is running after container restart", pod.Name)
+					g.Expect(allContainersAreRunning(ctx, pod)).To(BeTrue())
+				}).WithContext(ctx).Within(calcDisruptionGoneTimeout(memoryStress)).ProbeEvery(disruptionPotentialChangesEvery).Should(Succeed())
+			},
+		}.DoAndWait(ctx)
+	},
+		Entry("by a SIGTERM", false),
+		Entry("by a SIGKILL", true),
+	)
+})
+
+// expectChaosPodWithArgs returns an Eventually-compatible function that verifies at least one
+// chaos pod's container args contain the given substring (e.g. "memory-pressure", "cpu-pressure").
+func expectChaosPodWithArgs(disruption chaosv1beta1.Disruption, argsSubstring string) func(ctx SpecContext) error {
+	return func(ctx SpecContext) error {
+		chaosPods, err := listChaosPods(ctx, disruption)
+		if err != nil {
+			return fmt.Errorf("listing chaos pods: %w", err)
+		}
+
+		for i := range chaosPods.Items {
+			args := strings.Join(chaosPods.Items[i].Spec.Containers[0].Args, " ")
+			if strings.Contains(args, argsSubstring) {
+				AddReportEntry(fmt.Sprintf("Found chaos pod %s with args containing %q", chaosPods.Items[i].Name, argsSubstring))
+
+				return nil
+			}
+		}
+
+		return fmt.Errorf("no chaos pod found with args containing %q", argsSubstring)
+	}
+}
diff --git a/docs/README.md b/docs/README.md
index 1ca4f4857..157cbe7ac 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -20,6 +20,7 @@ This folder contains the detailed documentation of most parts of the project.
   - [Container Failure](container_disruption.md)
   - [Node Failure](node_disruption.md)
   - [CPU Pressure](cpu_pressure.md)
+  - [Memory Pressure](memory_disruption.md)
   - [Disk Failure](disk_failure.md)
   - [Disk Pressure](disk_pressure.md)
   - [DNS Disruption](dns_disruption.md)
diff --git a/docs/disruption_catalogue.md b/docs/disruption_catalogue.md
new file mode 100644
index 000000000..547fed4c8
--- /dev/null
+++ b/docs/disruption_catalogue.md
@@ -0,0 +1,1223 @@
+# Chaos Controller — Disruption Catalogue
+
+> Reference documentation for all fault injection capabilities provided by [Datadog Chaos Controller](https://github.com/DataDog/chaos-controller).
+> This catalogue is designed for experiment planning and can be consumed by humans and AI agents alike.
+
+---
+
+## Quick Reference
+
+| Disruption                                | What It Does                                       | Level     | Reversible | Can Combine    |
+| ----------------------------------------- | -------------------------------------------------- | --------- | ---------- | -------------- |
+| [Network](#1-network-disruption)          | Packet loss, delay, corruption, bandwidth limiting | Pod, Node | Yes        | Yes            |
+| [DNS](#2-dns-disruption)                  | Fake DNS responses, NXDOMAIN, drops, SERVFAIL      | Pod       | Yes        | Yes            |
+| [gRPC](#3-grpc-disruption)                | Return gRPC errors or override responses           | Pod       | Yes        | Yes            |
+| [CPU Pressure](#4-cpu-pressure)            | Consume CPU cycles in target cgroup                | Pod, Node | Yes        | Yes            |
+| [Memory Pressure](#5-memory-pressure)      | Gradually consume memory in target cgroup          | Pod, Node | Yes        | Yes            |
+| [Disk Pressure](#6-disk-pressure)          | Throttle read/write I/O throughput                 | Pod, Node | Yes        | Yes            |
+| [Disk Failure](#7-disk-failure)            | Fail file open syscalls via eBPF                   | Pod, Node | Yes*       | Yes            |
+| [Container Failure](#8-container-failure)  | Kill container processes (SIGTERM/SIGKILL)         | Pod       | No         | No (exclusive) |
+| [Node Failure](#9-node-failure)            | Kernel panic or power-off a node                   | Node      | No         | No (exclusive) |
+| [Pod Replacement](#10-pod-replacement)     | Cordon node, delete pod and optionally PVCs        | Pod       | No         | No (exclusive) |
+
+\* Disk Failure injection is removed when the injector process exits.
+
+**Combination rule:** Network, DNS, gRPC, CPU Pressure, Memory Pressure, Disk Pressure, and Disk Failure can all be applied together in a single Disruption resource. Container Failure, Node Failure, and Pod Replacement are mutually exclusive with every other disruption type.
+
+---
+
+## Common Structure
+
+Every disruption is a Kubernetes custom resource of kind `Disruption` (API group `chaos.datadoghq.com/v1beta1`). The common envelope looks like this:
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: <disruption-name>
+  namespace: <target-namespace>
+spec:
+  level: pod          # "pod" or "node"
+  selector:           # label key-value pairs to match targets
+    <label>: <value>
+  count: 1            # integer or percentage (e.g. "50%")
+  duration: 1h        # auto-cleanup after this duration
+  # ... disruption-specific fields below
+```
+
+See [Targeting](#targeting) and [Advanced Features](#advanced-features) for the full set of cross-cutting options.
+
+---
+
+## 1. Network Disruption
+
+Applies Linux traffic control (`tc`) rules inside the target's network namespace to manipulate packets. Supports scoping traffic by host, Kubernetes service, cloud provider IP range, and HTTP method/path.
+
+### Fault Modes
+
+| Field            | Type | Range   | Description                                  |
+| ---------------- | ---- | ------- | -------------------------------------------- |
+| `drop`           | int  | 0–100   | Percentage of packets to drop                |
+| `delay`          | uint | 0–60000 | Latency added to packets (milliseconds)      |
+| `delayJitter`    | uint | 0–100   | Jitter as percentage of delay (default: 10%) |
+| `corrupt`        | int  | 0–100   | Percentage of packets to corrupt             |
+| `duplicate`      | int  | 0–100   | Percentage of packets to duplicate           |
+| `bandwidthLimit` | int  | ≥ 32    | Throughput cap in bytes/sec                  |
+
+At least one fault mode is required. Multiple can be combined in a single disruption.
+
+### Traffic Scoping
+
+Traffic scoping fields are all optional and combinable. When omitted, the disruption applies to all traffic.
+
+#### Hosts
+
+Target by IP address, CIDR block, or hostname.
+
+| Field         | Type   | Description                                             |
+| ------------- | ------ | ------------------------------------------------------- |
+| `host`        | string | IP, CIDR, or hostname                                   |
+| `port`        | int    | Port number (0–65535)                                   |
+| `protocol`    | string | `tcp`, `udp`, or omit for both                          |
+| `flow`        | string | `egress` (default), `ingress`                           |
+| `connState`   | string | `new`, `est`, or omit for all                           |
+| `dnsResolver` | string | `pod`, `node`, `pod-fallback-node`, `node-fallback-pod` |
+| `percentage`  | int    | 1–100, percentage of resolved IPs to disrupt            |
+
+#### Allowed Hosts
+
+Exclude specific hosts from disruption. Same fields as `hosts`.
+
+#### Kubernetes Services
+
+Target ClusterIP services in the same cluster.
+
+| Field        | Type   | Description                                       |
+| ------------ | ------ | ------------------------------------------------- |
+| `name`       | string | Service name (required)                           |
+| `namespace`  | string | Service namespace (required)                      |
+| `ports`      | list   | Optional port filter (by `name` and/or `port`)    |
+| `percentage` | int    | 1–100, percentage of service endpoints to disrupt |
+
+#### Cloud Provider Services
+
+Target IP ranges of cloud provider services.
+
+```yaml
+cloud:
+  aws:
+    - service: "<service-name>"     # e.g. "S3", "DYNAMODB"
+  gcp:
+    - service: "<service-name>"     # e.g. "Google"
+  datadog:
+    - service: "<service-name>"     # e.g. "synthetics"
+```
+
+Each entry supports optional `protocol`, `flow`, and `connState` fields.
+
+#### HTTP Filters
+
+Filter by HTTP method and/or request path (uses eBPF).
+
+| Field     | Type | Constraints                                                                  |
+| --------- | ---- | ---------------------------------------------------------------------------- |
+| `methods` | list | Up to 9 values: GET, POST, PUT, DELETE, PATCH, HEAD, CONNECT, OPTIONS, TRACE |
+| `paths`   | list | Up to 20 paths, each ≤ 90 chars, must start with `/`                         |
+
+### Constraints and Limitations
+
+- Maximum 2048 tc filters per disruption. Complex host/service/cloud configurations can exhaust this limit.
+- SSH (port 22), node IP, default gateway, cloud metadata (169.254.169.254), and ARP are automatically excluded. Disable with `disableDefaultAllowedHosts: true`.
+- Ingress flow only works for TCP and requires at least a port or host.
+- `bandwidthLimit` must be ≥ 32 bytes/sec when set.
+- All packets experience a small additional latency due to `prio` qdisc processing even if no delay is configured.
+- DNS resolution for hostname-based hosts is repeated on an interval, which can add latency to filter setup.
+- Percentage-based host selection uses consistent hashing (stable across pod restarts but not configurable).
+- Network interfaces must have a tx queue length > 0 (the injector temporarily sets it to 1000 if needed).
+- HTTP filtering requires eBPF and adds an extra layer to the tc tree, increasing processing overhead.
+- When using `services`, only ClusterIP-type services are supported. Services from other clusters cannot be resolved.
+
+### Examples
+
+**Drop 100% of outgoing packets:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-drop
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  network:
+    drop: 100
+```
+
+**Add 1 second latency with 5% jitter:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-delay
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  network:
+    delay: 1000
+    delayJitter: 5
+```
+
+**Limit bandwidth to 1 KB/s:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-bandwidth-limitation
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  network:
+    bandwidthLimit: 1024
+```
+
+**Corrupt 100% of outgoing packets:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-corrupt
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  network:
+    corrupt: 100
+```
+
+**Drop all ingress traffic on port 80:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-ingress
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-nginx
+  count: 1
+  network:
+    drop: 100
+    hosts:
+      - port: 80
+        flow: ingress
+```
+
+**Drop packets to a Kubernetes service:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-filter-service
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  network:
+    drop: 100
+    services:
+      - name: demo
+        namespace: chaos-demo
+        ports:
+          - name: regular-port
+            port: 8080
+          - port: 8081
+```
+
+**Drop packets to cloud provider services (AWS S3, GCP, Datadog):**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-cloud
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 100%
+  network:
+    drop: 100
+    cloud:
+      aws:
+        - service: "S3"
+          protocol: tcp
+          flow: ingress
+          connState: new
+      gcp:
+        - service: "Google"
+      datadog:
+        - service: "synthetics"
+```
+
+**Drop only HTTP GET requests to `/`:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-http-filter
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  network:
+    drop: 100
+    http:
+      methods:
+        - GET
+      paths:
+        - /
+```
+
+**Disrupt 50% of resolved IPs for a hostname:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: network-dns-resolver-control
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 100%
+  network:
+    drop: 100
+    hosts:
+      - host: www.example.com
+        port: 443
+        protocol: tcp
+        percentage: 50
+```
+
+---
+
+## 2. DNS Disruption
+
+Redirects DNS traffic via iptables to a custom DNS responder that serves fake records, errors, or drops queries. Non-disrupted hostnames are forwarded transparently to upstream DNS.
+
+### Configuration
+
+| Field      | Type   | Default    | Description                      |
+| ---------- | ------ | ---------- | -------------------------------- |
+| `port`     | int    | 53         | DNS port to intercept (1–65535)  |
+| `protocol` | string | `both`     | `udp`, `tcp`, or `both`          |
+| `records`  | list   | (required) | At least one DNS record override |
+
+#### Record Configuration
+
+| Field          | Type   | Description                                        |
+| -------------- | ------ | -------------------------------------------------- |
+| `hostname`     | string | Domain to intercept (subdomain matching supported) |
+| `record.type`  | string | `A`, `AAAA`, `CNAME`, `MX`, `TXT`, or `SRV`        |
+| `record.value` | string | See value formats below                            |
+| `record.ttl`   | uint32 | TTL in seconds (default: 0)                        |
+
+#### Value Formats by Record Type
+
+| Type     | Value Format                                            | Example                                       |
+| -------- | ------------------------------------------------------- | --------------------------------------------- |
+| A / AAAA | Comma-separated IPs (round-robin)                       | `"192.168.1.10,192.168.1.11"`                 |
+| A / AAAA | Failure mode keyword                                    | `NXDOMAIN`, `DROP`, `SERVFAIL`, `RANDOM`      |
+| CNAME    | Target hostname                                         | `"www.google.com"`                            |
+| MX       | `"priority hostname"` pairs, comma-separated            | `"10 mail1.example.com,20 mail2.example.com"` |
+| TXT      | Arbitrary text                                          | `"verification-token-12345"`                  |
+| SRV      | `"priority weight port target"` tuples, comma-separated | `"10 60 8080 server1.example.com"`            |
+
+#### Failure Modes
+
+| Keyword    | Effect                                   | Typical Use Case                         |
+| ---------- | ---------------------------------------- | ---------------------------------------- |
+| `NXDOMAIN` | Immediate "domain not found"             | Test missing-dependency handling         |
+| `SERVFAIL` | DNS server failure response              | Test DNS infrastructure failures         |
+| `DROP`     | Silent query drop (causes timeout)       | Test timeout/retry behavior              |
+| `RANDOM`   | Returns random IPs (RFC 5737 TEST-NET-1) | Test connection to unreachable addresses |
+
+### Constraints and Limitations
+
+- Pod-level only (not compatible with `level: node`).
+- No duplicate `hostname` + `type` combinations in the same disruption.
+- At least one record is required.
+- The DNS responder is global per injector pod — it cannot filter DNS queries by process. All DNS traffic from the pod is intercepted.
+- Uses non-standard ports (5353/5354) internally to avoid conflicts with existing DNS services.
+- The `RedirectTo` iptables rule must be set before `Intercept` internally; this is handled automatically but means partial injection states are possible during setup.
+- Subdomain matching means disrupting `example.com` also matches `api.example.com`. This can cause wider impact than intended.
+- The custom DNS responder must be able to reach upstream DNS servers to forward non-disrupted queries. Network disruptions applied simultaneously may interfere.
+
+### Examples
+
+**Return SERVFAIL and random IPs for different hosts:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: dns-failure-modes
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  duration: 15m
+  dns:
+    protocol: both
+    records:
+      - hostname: www.example.com
+        record:
+          type: A
+          value: SERVFAIL
+      - hostname: demo.chaos-demo.svc.cluster.local
+        record:
+          type: A
+          value: RANDOM
+          ttl: 300
+```
+
+**Redirect a hostname to specific IPs (round-robin):**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: dns-mixed-records
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  duration: 15m
+  dns:
+    port: 53
+    protocol: both
+    records:
+      - hostname: www.example.com
+        record:
+          type: A
+          value: "192.168.1.10,192.168.1.11,192.168.1.12"
+          ttl: 60
+```
+
+---
+
+## 3. gRPC Disruption
+
+Sends disruption configuration over gRPC to a chaos interceptor running inside the target application. The interceptor then returns specified error codes or overrides responses for matching endpoints.
+
+**Prerequisite:** The target application must integrate the chaos interceptor library and register it with its gRPC server. See [gRPC disruption instructions](grpc_disruption/instructions.md).
+
+### Configuration
+
+| Field       | Type | Description                          |
+| ----------- | ---- | ------------------------------------ |
+| `port`      | int  | gRPC server port (1–65535, required) |
+| `endpoints` | list | Endpoint alterations (required)      |
+
+#### Endpoint Alteration
+
+| Field          | Type   | Description                                                    |
+| -------------- | ------ | -------------------------------------------------------------- |
+| `endpoint`     | string | gRPC endpoint path, e.g. `/package.Service/Method` (required)  |
+| `error`        | string | gRPC error code to return (mutually exclusive with `override`) |
+| `override`     | string | Response payload to return (mutually exclusive with `error`)   |
+| `queryPercent` | int    | 0–100, percentage of queries to affect                         |
+
+#### Available gRPC Error Codes
+
+`OK`, `CANCELED`, `UNKNOWN`, `INVALID_ARGUMENT`, `DEADLINE_EXCEEDED`, `NOT_FOUND`, `ALREADY_EXISTS`, `PERMISSION_DENIED`, `RESOURCE_EXHAUSTED`, `FAILED_PRECONDITION`, `ABORTED`, `OUT_OF_RANGE`, `UNIMPLEMENTED`, `INTERNAL`, `UNAVAILABLE`, `DATA_LOSS`, `UNAUTHENTICATED`
+
+### Constraints and Limitations
+
+- Exactly one of `error` or `override` per alteration.
+- Sum of `queryPercent` for the same endpoint must not exceed 100%.
+- Each alteration must have at least 1% chance of occurring.
+- Pod-level only.
+- **Requires application changes:** The target gRPC server must integrate the `DisruptionListener` chaos interceptor library. Without it, injection returns `codes.Unimplemented` and silently fails.
+- Uses an insecure gRPC connection to the target (no TLS).
+- 5-second connection timeout — targets that are slow to respond may fail injection.
+- No streaming support. Only unary gRPC calls can be disrupted.
+- The `override` field currently only supports returning `emptypb.Empty` (`"{}"`).
+- Not re-injectable: cannot be reapplied to the same target without a full cleanup cycle.
+
+### Example
+
+**Return errors and overrides on gRPC endpoints:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: grpc
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: chaos-dogfood-server
+  count: 100%
+  grpc:
+    port: 50050
+    endpoints:
+      - endpoint: /chaosdogfood.ChaosDogfood/getCatalog
+        error: NOT_FOUND
+        queryPercent: 25
+      - endpoint: /chaosdogfood.ChaosDogfood/getCatalog
+        error: ALREADY_EXISTS
+        queryPercent: 50
+      - endpoint: /chaosdogfood.ChaosDogfood/getCatalog
+        override: "{}"
+      - endpoint: /chaosdogfood.ChaosDogfood/order
+        override: "{}"
+        queryPercent: 50
+```
+
+---
+
+## 4. CPU Pressure
+
+Joins the target container's cgroup and burns CPU using pinned goroutines (one per core). Each goroutine runs a tight busy-loop with an on/off duty cycle proportional to the requested pressure.
+
+### Configuration
+
+| Field   | Type          | Default | Description                                                               |
+| ------- | ------------- | ------- | ------------------------------------------------------------------------- |
+| `count` | int or string | `100%`  | Number of cores (integer) or percentage of allocated cores (e.g. `"50%"`) |
+
+When `count` is an integer, the injector stresses all allocated cores at `(count / allocated_cores) * 100%` intensity. When it is a percentage, that percentage is used directly.
+
+### Constraints and Limitations
+
+- Not compatible with `onInit` mode.
+- The injector process joins the target's cgroup and sets highest priority (nice -20), which means it competes with the target application for CPU. This consumes the injector pod's own CPU quota as well.
+- Cannot inject if stress goroutines are already running on the target (prevents double-injection; requires cleanup first).
+- Goroutines are pinned to specific CPU cores via `sched_setaffinity`. If the target's cpuset changes during injection, the stress distribution may become uneven.
+- Maximum CPU limit is 8192 cores.
+- At node level, the pressure affects all workloads on the node, not just the selected target.
+
+### Examples
+
+**Stress 100% of all allocated cores:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: cpu-pressure
+  namespace: chaos-demo
+spec:
+  duration: 5m
+  selector:
+    service: demo-curl
+  count: 1
+  cpuPressure: {}
+```
+
+**Stress 1 core's worth of CPU:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: cpu-pressure-count
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  cpuPressure:
+    count: 1
+```
+
+**Node-level CPU pressure:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: cpu-level-node
+  namespace: chaos-demo
+spec:
+  level: node
+  selector:
+    node.kubernetes.io/instance-type: k3s
+  count: 1
+  cpuPressure: {}
+```
+
+---
+
+## 5. Memory Pressure
+
+Joins the target container's cgroup and gradually allocates anonymous memory pages using `mmap(MAP_ANONYMOUS|MAP_POPULATE)` until the target memory utilization percentage is reached. This simulates gradual memory buildup that can trigger auto-shrink, auto-scaling, and resource reclamation logic — unlike Container Failure which only simulates an OOM kill.
+
+### Configuration
+
+| Field           | Type   | Default | Description                                                                    |
+| --------------- | ------ | ------- | ------------------------------------------------------------------------------ |
+| `targetPercent` | string | —       | Target memory utilization as a percentage of cgroup limit (e.g. `"76%"`, required) |
+| `rampDuration`  | string | `0`     | Duration over which memory is gradually consumed (e.g. `"10m"`)                |
+
+When `rampDuration` is omitted or `0`, memory is consumed immediately in a single allocation. When set, memory is allocated in incremental steps over the ramp period (1-second intervals).
+
+### How It Works
+
+1. The injector spawns a child process (`memory-stress`) inside the target's cgroup.
+2. The child reads the cgroup memory limit (`memory.limit_in_bytes` on v1, `memory.max` on v2) and current usage.
+3. It calculates the target bytes: `(limit * targetPercent / 100) - currentUsage`.
+4. Memory is allocated using `mmap` with `MAP_POPULATE` to ensure physical pages are committed immediately (no lazy allocation).
+5. On cleanup, all allocations are released via `munmap`.
+
+### Constraints and Limitations
+
+- Not compatible with `onInit` mode, Container Failure, Node Failure, or Pod Replacement.
+- Cannot target specific containers (applies to the pod's memory cgroup). Specifying `containers` is not allowed.
+- `targetPercent` must be between 1 and 100.
+- Requires the target cgroup to have a memory limit set. If the limit is `max` (unlimited), injection will fail.
+- The allocated memory appears as RSS of the injector process. If the target container has memory requests/limits, the injected memory counts against those limits and may trigger an OOM kill by the kernel.
+- If current memory usage already exceeds the target percentage, no additional memory is allocated.
+- Memory allocation uses `MAP_POPULATE` which forces immediate page fault resolution. On systems with memory pressure, this may cause the kernel OOM killer to activate sooner than expected.
+- At node level, the pressure affects the node's memory, impacting all workloads.
+
+### Examples
+
+**Consume 76% of memory with a 10-minute ramp:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: memory-pressure-gradual
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-app
+  count: 1
+  duration: 30m
+  memoryPressure:
+    targetPercent: "76%"
+    rampDuration: 10m
+```
+
+**Immediately consume 50% of memory:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: memory-pressure-immediate
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-app
+  count: 1
+  memoryPressure:
+    targetPercent: "50%"
+```
+
+**Combine with CPU pressure:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: resource-pressure
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-app
+  count: 1
+  duration: 15m
+  cpuPressure:
+    count: "50%"
+  memoryPressure:
+    targetPercent: "60%"
+    rampDuration: 5m
+```
+
+---
+
+## 6. Disk Pressure
+
+Throttles I/O throughput on the block device backing a given path using cgroup blkio (v1) or io (v2) controllers.
+
+### Configuration
+
+| Field                         | Type   | Description                                 |
+| ----------------------------- | ------ | ------------------------------------------- |
+| `path`                        | string | Mount point inside the container (required) |
+| `throttling.readBytesPerSec`  | int    | Read throughput limit in bytes/sec          |
+| `throttling.writeBytesPerSec` | int    | Write throughput limit in bytes/sec         |
+
+At least one of `readBytesPerSec` or `writeBytesPerSec` is required.
+
+### Constraints and Limitations
+
+- Affects the entire block device backing the path, not just the specified path. Other mount points on the same device are also throttled.
+- Cannot target specific containers (applies to all containers in the pod).
+- Not compatible with `onInit` mode.
+- **Cgroups v1 limitation:** Primarily affects direct I/O (O_DIRECT flag). Buffered I/O goes through the page cache and may not be throttled as expected. Cgroups v2 (`io.max`) provides more reliable throttling.
+- The minor device number is always set to 0, meaning the entire disk is targeted regardless of partitioning.
+- Path must exist and be mounted in the container's filesystem.
+
+### Examples
+
+**Throttle reads to 1 KB/s:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: disk-pressure-read
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  diskPressure:
+    path: /mnt/data
+    throttling:
+      readBytesPerSec: 1024
+```
+
+**Throttle writes to 1 KB/s:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: disk-pressure-write
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  diskPressure:
+    path: /mnt/data
+    throttling:
+      writeBytesPerSec: 1024
+```
+
+---
+
+## 7. Disk Failure
+
+Uses eBPF to intercept `openat` syscalls and return error codes, simulating file system failures.
+
+### Configuration
+
+| Field             | Type            | Default    | Description                                 |
+| ----------------- | --------------- | ---------- | ------------------------------------------- |
+| `paths`           | list of strings | (required) | File paths to fail (max 62 chars each)      |
+| `probability`     | string          | `"100%"`   | Probability of failure per syscall (1–100%) |
+| `openat.exitCode` | string          | `ENOENT`   | errno to return                             |
+
+#### Available Exit Codes
+
+`EACCES`, `EDQUOT`, `EEXIST`, `EFAULT`, `EFBIG`, `EINTR`, `EISDIR`, `ELOOP`, `EMFILE`, `ENAMETOOLONG`, `ENFILE`, `ENODEV`, `ENOENT`, `ENOMEM`, `ENOSPC`, `ENOTDIR`, `ENXIO`, `EOVERFLOW`, `EPERM`, `EROFS`, `ETXTBSY`, `EWOULDBLOCK`
+
+### Constraints and Limitations
+
+- Requires kernel with `CONFIG_BPF_KPROBE_OVERRIDE` enabled.
+- Path strings limited to 62 characters (eBPF map value size limitation).
+- Root path `/` is blocked by safemode unless `unsafeMode.allowRootDiskFailure: true`.
+- Not compatible with `onInit` mode.
+- Only intercepts the `openat` syscall. Other file-related syscalls (`open`, `openat2`, `read`, `write`, `stat`) are **not** intercepted. Applications using these syscalls directly will not experience failures.
+- No explicit cleanup mechanism — the eBPF program is removed when the injector process exits. If the injector crashes, the probe may persist until the kernel cleans it up.
+- Probability is evaluated per individual syscall invocation, so the actual failure rate may differ from the configured percentage depending on application access patterns.
+- Can affect system stability if applied broadly with high probability, as system processes may also trigger the intercepted paths.
+
+### Example
+
+**Fail file opens on two paths with ENOENT:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: disk-failure
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 1
+  diskFailure:
+    paths:
+      - /mnt/data/disk-read
+      - /mnt/data/disk-write
+    openat:
+      exitCode: ENOENT
+    probability: 100%
+```
+
+---
+
+## 8. Container Failure
+
+Sends a termination signal to container processes.
+
+### Configuration
+
+| Field    | Type | Default | Description                                                |
+| -------- | ---- | ------- | ---------------------------------------------------------- |
+| `forced` | bool | `false` | `false` = SIGTERM (graceful), `true` = SIGKILL (immediate) |
+
+### Constraints and Limitations
+
+- Pod-level only.
+- **Exclusive:** cannot be combined with any other disruption type.
+- Containers are continuously restarted for the disruption duration (per pod restart policy). If the restart policy is `Never`, the container stays dead.
+- SIGKILL (`forced: true`) bypasses all application cleanup handlers, graceful shutdown hooks, and signal traps. Data corruption is possible if the application has in-flight writes.
+- SIGTERM (`forced: false`) may be ignored by applications that do not handle it, resulting in no visible effect.
+- Not re-injectable: once the container is killed, the disruption cannot be reapplied to the same target without recreation.
+
+### Example
+
+**Gracefully terminate a specific container:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: container-failure-graceful
+  namespace: chaos-demo
+spec:
+  selector:
+    service: demo-curl
+  containers:
+    - curl
+  count: 1
+  containerFailure:
+    forced: false
+```
+
+---
+
+## 9. Node Failure
+
+Triggers a kernel panic or power-off by writing to `/proc/sysrq-trigger`. This is **irreversible** — the node becomes unavailable.
+
+### Configuration
+
+| Field      | Type | Default | Description                                          |
+| ---------- | ---- | ------- | ---------------------------------------------------- |
+| `shutdown` | bool | `false` | `false` = kernel panic, `true` = immediate power-off |
+
+### Constraints and Limitations
+
+- Requires `level: node` or targets nodes via pods.
+- **Exclusive:** cannot be combined with any other disruption type.
+- Affects ALL pods on the node — there is no way to scope the impact.
+- 31-second delay before trigger to allow log collection. This is not configurable.
+- **Irreversible and destructive.** The node becomes completely unavailable. Recovery depends on the cloud provider or infrastructure (auto-scaling groups, node auto-repair, etc.).
+- Kernel panic (`shutdown: false`) causes an immediate crash — no graceful shutdown of any workload.
+- Power-off (`shutdown: true`) may not work on all hardware or virtualization platforms. The node stays down and is not automatically restarted.
+- Requires sysrq to be enabled in the kernel (`/proc/sys/kernel/sysrq`). The injector enables it automatically, but security policies may block this.
+- Not re-injectable: the target is destroyed by the disruption.
+
+### Examples
+
+**Kernel panic on a node:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: node-failure
+  namespace: chaos-demo
+spec:
+  level: node
+  selector:
+    node.kubernetes.io/instance-type: k3s
+  count: 1
+  nodeFailure:
+    shutdown: false
+```
+
+**Power-off a node (no automatic restart):**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: node-failure-shutdown
+  namespace: chaos-demo
+spec:
+  level: node
+  selector:
+    node.kubernetes.io/instance-type: k3s
+  count: 1
+  nodeFailure:
+    shutdown: true
+```
+
+---
+
+## 10. Pod Replacement
+
+Simulates complete pod rescheduling: cordons the node, optionally deletes PVCs, deletes the pod, then uncordons.
+
+### Configuration
+
+| Field                | Type | Default | Description                             |
+| -------------------- | ---- | ------- | --------------------------------------- |
+| `deleteStorage`      | bool | `true`  | Delete PVCs associated with the pod     |
+| `forceDelete`        | bool | `false` | Force deletion with grace period 0      |
+| `gracePeriodSeconds` | int  | —       | Custom deletion grace period in seconds |
+
+### Constraints and Limitations
+
+- Pod-level only.
+- **Exclusive:** cannot be combined with any other disruption type.
+- **PVC deletion is permanent and cannot be undone.** All data on the deleted volumes is lost. Use `deleteStorage: false` if data must be preserved.
+- Pod recreation depends on the owning controller (Deployment, StatefulSet, etc.). Standalone pods without a controller will not be recreated.
+- Node cordoning prevents all new pod scheduling on the node during the disruption, which can affect unrelated workloads that need to reschedule.
+- The node is only uncordoned if it was cordoned by this specific injection. If the node was already cordoned, the injector will not uncordon it on cleanup.
+- Force deletion (`forceDelete: true`) sets grace period to 0, which can leave resources in inconsistent state (e.g., mounted volumes not properly detached).
+- Not re-injectable: the target pod is destroyed by the disruption.
+- Requires cluster-level permissions (pods, nodes, PVCs) which may not be available in all RBAC configurations.
+
+### Example
+
+**Replace a pod, delete its storage:**
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: pod-replacement
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-storage
+  count: 1
+  maxRuns: 1
+  podReplacement:
+    deleteStorage: true
+    forceDelete: false
+    gracePeriodSeconds: 30
+```
+
+---
+
+## Targeting
+
+All disruption types share these targeting options.
+
+### Label Selectors
+
+Simple key-value label matching:
+
+```yaml
+spec:
+  selector:
+    service: demo-curl
+    team: backend
+```
+
+### Advanced Selectors
+
+Label selectors with operators (`Exists`, `DoesNotExist`, `In`, `NotIn`):
+
+```yaml
+spec:
+  advancedSelector:
+    - key: app
+      operator: Exists
+    - key: env
+      operator: In
+      values:
+        - production
+        - staging
+```
+
+### Annotation Filters
+
+```yaml
+spec:
+  filter:
+    annotations:
+      aws-zone: us-east-1b
+```
+
+### Container Targeting
+
+Target specific containers within a pod (default: all containers):
+
+```yaml
+spec:
+  containers:
+    - my-app
+    - sidecar
+```
+
+### Count
+
+Fixed number or percentage of matching targets (percentage is rounded up, min 1%):
+
+```yaml
+spec:
+  count: 3       # exactly 3 targets
+  # or
+  count: 50%     # half of matching targets
+```
+
+### Level
+
+- `pod` — Targets pods. Disruption affects only the targeted pod.
+- `node` — Targets nodes. Selectors match node labels. Disruption affects everything on the node.
+
+```yaml
+spec:
+  level: node
+  selector:
+    node.kubernetes.io/instance-type: k3s
+```
+
+### Static Targeting
+
+Lock targets at creation time. No dynamic re-targeting as pods come and go:
+
+```yaml
+spec:
+  staticTargeting: true
+```
+
+### Allow Disrupted Targets
+
+Permit targeting pods that are already under a different active disruption:
+
+```yaml
+spec:
+  allowDisruptedTargets: true
+```
+
+---
+
+## Advanced Features
+
+### Duration
+
+Auto-cleanup after a time period (default: 1 hour, configurable in controller):
+
+```yaml
+spec:
+  duration: 30m    # supports: 45s, 15m30s, 4h
+```
+
+### Triggers (Delayed Injection)
+
+Delay chaos pod creation and/or injection start:
+
+```yaml
+spec:
+  triggers:
+    createPods:
+      offset: 1m                              # delay from disruption creation
+      # notBefore: "2024-01-15T10:00:00Z"     # or an absolute time (RFC 3339)
+    inject:
+      offset: 2m                              # delay from pod creation
+```
+
+Duration countdown starts after injection begins, not after disruption creation.
+
+### Pulse Mode
+
+Alternate between active and dormant states. Available for Network, DNS, gRPC, CPU Pressure, Memory Pressure, Disk Pressure. Not available for Container Failure, Node Failure, Pod Replacement.
+
+```yaml
+spec:
+  duration: 10m
+  pulse:
+    initialDelay: 1m       # optional, sleep before first active period
+    activeDuration: 60s    # must be > 500ms
+    dormantDuration: 20s   # must be > 500ms
+  network:
+    drop: 100
+```
+
+### Dry-Run Mode
+
+Create chaos pods and select targets but do not actually inject any disruption. Useful for validating targeting before a real experiment:
+
+```yaml
+spec:
+  dryRun: true
+  nodeFailure:
+    shutdown: false
+```
+
+### On-Init Mode
+
+Apply disruption during pod initialization (before the main container starts). Only works with Network and DNS disruptions at pod level. Requires the handler to be enabled and pods to carry the label `chaos.datadoghq.com/disrupt-on-init: "true"`:
+
+```yaml
+spec:
+  onInit: true
+  network:
+    drop: 100
+```
+
+### Max Runs
+
+Limit the number of times a disruption executes (useful for Pod Replacement):
+
+```yaml
+spec:
+  maxRuns: 1
+```
+
+---
+
+## Safety Mechanisms
+
+Safety nets are **enabled by default** and prevent accidental large-blast-radius experiments.
+
+### Default Protections
+
+| Safety Net          | What It Prevents                                    | Override Field                         |
+| ------------------- | --------------------------------------------------- | -------------------------------------- |
+| Namespace threshold | Disrupting > 80% of pods in a namespace             | `unsafeMode.disableCountTooLarge`      |
+| Cluster threshold   | Disrupting > 66% of nodes in the cluster            | `unsafeMode.disableCountTooLarge`      |
+| No host/port filter | Network disruption without a host or port specified | `unsafeMode.disableNeitherHostNorPort` |
+| Root disk failure   | Disk failure on path `/`                            | `unsafeMode.allowRootDiskFailure`      |
+| Controller node     | Node-level disruption on the controller's own node  | (always protected)                     |
+
+### Disabling Safety Nets
+
+```yaml
+spec:
+  unsafeMode:
+    disableAll: true            # disable everything
+    # or selectively:
+    disableCountTooLarge: true
+    disableNeitherHostNorPort: true
+    allowRootDiskFailure: true
+    config:
+      countTooLarge:
+        namespaceThreshold: 95  # raise namespace threshold to 95%
+        clusterThreshold: 90    # raise cluster threshold to 90%
+```
+
+### Environment Annotation
+
+Prevent accidental cross-environment disruptions by requiring a matching environment annotation:
+
+```yaml
+metadata:
+  annotations:
+    chaos.datadoghq.com/environment: "staging"
+```
+
+The annotation value must match the chaos controller's configured environment.
+
+---
+
+## Scheduling with DisruptionCron
+
+Run disruptions on a recurring schedule using cron syntax.
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: DisruptionCron
+metadata:
+  name: network-drop
+  namespace: chaos-demo
+spec:
+  schedule: "*/2 * * * *"         # every 2 minutes
+  paused: false                    # set to true to pause without deleting
+  delayedStartTolerance: 200s     # optional tolerance for schedule drift
+  targetResource:
+    kind: deployment               # "deployment" or "statefulset"
+    name: demo-curl
+  disruptionTemplate:
+    level: pod
+    count: 1
+    duration: 10s
+    network:
+      drop: 100
+```
+
+The `disruptionTemplate` accepts the same fields as a regular `Disruption.spec`.
+
+---
+
+## Progressive Rollout with DisruptionRollout
+
+Gradually apply disruptions to targets of a deployment.
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: DisruptionRollout
+metadata:
+  name: network-drop
+  namespace: chaos-demo
+spec:
+  targetResource:
+    kind: deployment
+    name: demo-curl
+  disruptionTemplate:
+    level: pod
+    count: 1
+    duration: 10s
+    network:
+      drop: 100
+```
+
+---
+
+## Reporting
+
+Attach reporting configuration to receive Slack notifications about disruption lifecycle events:
+
+```yaml
+spec:
+  reporting:
+    slackChannel: team-slack-channel      # channel name or Slack channel ID
+    purpose: |
+      *full network drop*: _aims to validate retry capabilities of demo-curl_.
+      Contact #team-test for more information.
+    minNotificationType: Info             # Info, Success, Warning, Error
+```
+
+Supported notification backends (configured at the controller level): Slack, Datadog Events, HTTP webhooks, console logging.
diff --git a/docs/memory_disruption.md b/docs/memory_disruption.md
new file mode 100644
index 000000000..1ad277c99
--- /dev/null
+++ b/docs/memory_disruption.md
@@ -0,0 +1,278 @@
+# Memory pressure
+
+The `memoryPressure` field generates memory load on the targeted pod by gradually allocating anonymous memory pages until a target utilization percentage is reached.
+
+> :warning: **Warning:** At node level, memory pressure affects the entire node. When the kernel runs out of available memory, the OOM killer will terminate processes to reclaim pages — this can violently kill any workload on the node, not just the targeted one. This may be the desired outcome (e.g. testing OOM resilience), but be aware that it can cause collateral damage to co-located pods. At pod level, the allocated memory counts against the container's cgroup limit, so the OOM killer scope is narrower but still destructive for the targeted container.
+
+## Usage
+
+### Spec fields
+
+| Field           | Type   | Default | Description                                                                        |
+| --------------- | ------ | ------- | ---------------------------------------------------------------------------------- |
+| `targetPercent` | string | —       | Target memory utilization percentage of the cgroup limit (e.g. `"76%"`, required)  |
+| `rampDuration`  | string | `0`     | Duration over which memory is gradually consumed (e.g. `"10m"`, Go duration format) |
+
+#### targetPercent
+
+A string representing the target memory utilization as a percentage of the container's cgroup memory limit. Can be specified with or without a `%` suffix (e.g. `"76%"` or `"76"`). Must be between 1 and 100.
+
+The injector calculates the actual bytes to allocate as: `(limit * targetPercent / 100) - currentUsage`. If current usage already exceeds the target, no additional memory is allocated.
+
+#### rampDuration
+
+A Go duration string (e.g. `"10m"`, `"30s"`, `"1h5m"`) specifying how long the ramp-up period should last. If omitted or `0`, all memory is allocated immediately in a single step.
+
+### Examples
+
+#### Gradual memory pressure (realistic memory leak)
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: memory-pressure-gradual
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-app
+  count: 1
+  duration: 30m
+  memoryPressure:
+    targetPercent: "76%"
+    rampDuration: 10m
+```
+
+#### Immediate memory pressure (sudden allocation spike)
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: memory-pressure-immediate
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-app
+  count: 1
+  duration: 15m
+  memoryPressure:
+    targetPercent: "50%"
+```
+
+#### Combined with CPU pressure (resource exhaustion)
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: resource-exhaustion
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-app
+  count: 1
+  duration: 15m
+  cpuPressure:
+    count: "50%"
+  memoryPressure:
+    targetPercent: "60%"
+    rampDuration: 5m
+```
+
+#### Pulsing memory pressure
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: memory-pressure-pulse
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-app
+  count: 1
+  duration: 30m
+  pulse:
+    activeDuration: 2m
+    dormantDuration: 1m
+  memoryPressure:
+    targetPercent: "80%"
+    rampDuration: 30s
+```
+
+#### Node-level memory pressure
+
+```yaml
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: memory-pressure-node
+  namespace: chaos-demo
+spec:
+  level: node
+  selector:
+    node.kubernetes.io/instance-type: k3s
+  count: 1
+  duration: 10m
+  memoryPressure:
+    targetPercent: "70%"
+    rampDuration: 5m
+```
+
+### Compatibility
+
+| Feature             | Compatible |
+| ------------------- | ---------- |
+| `level: pod`        | Yes        |
+| `level: node`       | Yes        |
+| `containers` scoping | No — applies to all containers |
+| `onInit`            | No         |
+| `pulse`             | Yes        |
+| `dryRun`            | Yes        |
+| Container Failure   | No (exclusive) |
+| Node Failure        | No (exclusive) |
+| Pod Replacement     | No (exclusive) |
+| Network             | Yes        |
+| DNS                 | Yes        |
+| gRPC                | Yes        |
+| CPU Pressure        | Yes        |
+| Disk Pressure       | Yes        |
+| Disk Failure        | Yes        |
+
+## How it works
+
+Containers achieve resource limitation (cpu, disk, memory) through cgroups. The memory cgroup controller tracks and limits memory usage of processes within a cgroup. Docker and containerd containers get their own memory cgroup with limits derived from Kubernetes resource requests and limits.
+
+> :open_book: More information on how memory cgroups work: [cgroup v1](https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt) | [cgroup v2](https://docs.kernel.org/admin-guide/cgroup-v2.html#memory-interface-files)
+
+The `/sys/fs/cgroup` directory of the host must be mounted in the injector pod at the `/mnt/cgroup` path for it to work.
+
+### Injection process
+
+When the injector pod starts:
+
+- It creates a dedicated process for each container in the targeted pod (same architecture as CPU pressure):
+  - The standard injector process (`/usr/local/bin/chaos-injector memory-pressure`) acts as an orchestrator
+  - It spawns one child process (`/usr/local/bin/chaos-injector memory-stress`) per container
+  - When a container restarts, the orchestrator can re-create the stress process
+- Each `memory-stress` child process is responsible for stressing memory of a SPECIFIC container:
+  1. It joins the target container's cgroup (`cgroup.procs`) so allocated memory counts against the container's memory limit
+  2. It reads the memory limit from the cgroup:
+     - cgroup v1: `memory.limit_in_bytes`
+     - cgroup v2: `memory.max`
+  3. It reads the current memory usage:
+     - cgroup v1: `memory.usage_in_bytes`
+     - cgroup v2: `memory.current`
+  4. It calculates the target allocation: `(limit * targetPercent / 100) - currentUsage`
+  5. If `rampDuration` is set, it divides the allocation into incremental steps (1-second intervals) spread over the ramp period
+  6. It allocates memory using `mmap(MAP_ANONYMOUS | MAP_PRIVATE | MAP_POPULATE)`:
+     - `MAP_ANONYMOUS`: allocates memory not backed by any file
+     - `MAP_PRIVATE`: pages are not shared with other processes
+     - `MAP_POPULATE`: forces the kernel to allocate physical pages immediately (no lazy allocation), ensuring the RSS increase is deterministic
+  7. On cleanup, all allocations are released via `munmap()`
+
+### Why mmap instead of malloc?
+
+Using `mmap` with `MAP_POPULATE` provides several advantages over `malloc` or Go's built-in memory allocator:
+
+- **Deterministic RSS**: `MAP_POPULATE` forces immediate physical page allocation, so the memory usage increase is visible immediately in cgroup accounting
+- **No GC interference**: Go's garbage collector cannot reclaim `mmap`-allocated pages since they are outside the Go heap
+- **Clean deallocation**: `munmap` immediately releases pages back to the kernel, unlike `free()` which may retain pages in the process's free list
+- **No fragmentation**: each allocation is a contiguous virtual memory region
+
+### Ramp duration
+
+When `rampDuration` is specified, memory is consumed gradually rather than all at once. This is important because:
+
+- It simulates realistic memory leak scenarios where memory usage increases over time
+- It gives auto-scaling and resource reclamation systems time to detect and react
+- It allows operators to observe the progression and abort if needed
+
+The ramp divides the total allocation into equal-sized chunks allocated at 1-second intervals. For example, with `targetPercent: "80%"` and `rampDuration: 10m`, the injector allocates 1/600th of the target amount every second over 10 minutes.
+
+## Manually confirming memory pressure
+
+In a memory disruption, the injector process is moved to the target memory cgroup but the injector container keeps its own PID namespace. Tools running inside the target container won't see the injector process, but the memory usage increase will be visible in cgroup accounting.
+
+### Checking from the target container
+
+```sh
+# Check cgroup memory usage (v1)
+cat /sys/fs/cgroup/memory/memory.usage_in_bytes
+
+# Check cgroup memory usage (v2)
+cat /sys/fs/cgroup/memory.current
+```
+
+### Checking from the node
+
+```sh
+# Find the target container's cgroup path
+crictl inspect <container-id> | grep cgroupsPath
+
+# Check memory usage (v1)
+cat /sys/fs/cgroup/memory/<cgroup-path>/memory.usage_in_bytes
+
+# Check memory limit (v1)
+cat /sys/fs/cgroup/memory/<cgroup-path>/memory.limit_in_bytes
+
+# Check memory usage (v2)
+cat /sys/fs/cgroup/<cgroup-path>/memory.current
+
+# Check memory limit (v2)
+cat /sys/fs/cgroup/<cgroup-path>/memory.max
+```
+
+### Checking via Kubernetes metrics
+
+```sh
+kubectl top pod <pod-name> -n <namespace>
+```
+
+The memory usage reported should increase according to the configured `targetPercent` and `rampDuration`.
+
+## Manual cleanup instructions
+
+:information_source: All those commands must be executed on the infected host (except for `kubectl`).
+
+Under normal circumstances, killing the injector process is sufficient to release all allocated memory — `munmap` is called during cleanup and, even if the process is killed abruptly, the kernel automatically reclaims all `mmap`-allocated pages when the process exits.
+
+- Identify the injector process PIDs
+
+```sh
+# ps ax | grep chaos-injector | grep memory
+1113879 ?        Ssl    0:00 /usr/local/bin/chaos-injector memory-pressure --target-percent 76 --ramp-duration 10m ...
+1113902 ?        Sl     0:00 /usr/local/bin/chaos-injector memory-stress --target-percent=76 --ramp-duration=10m0s ...
+```
+
+- Kill the orchestrator process (it will also stop the child stress process)
+
+```sh
+# kill 1113879
+```
+
+_You can SIGKILL the injector process if it is stuck but a standard kill is recommended._
+
+- Ensure the injector processes are gone
+
+```sh
+# ps ax | grep chaos-injector | grep memory
+1119071 pts/0    S+     0:00 grep chaos-injector
+```
+
+- Verify that memory usage has returned to normal
+
+```sh
+# Check cgroup memory usage has decreased (v1)
+cat /sys/fs/cgroup/memory/<cgroup-path>/memory.usage_in_bytes
+
+# Check cgroup memory usage has decreased (v2)
+cat /sys/fs/cgroup/<cgroup-path>/memory.current
+```
+
+Since the injector uses `mmap` for allocation, all memory is automatically returned to the kernel when the process exits. There is no persistent state to clean up (unlike disk pressure which modifies cgroup throttle files).
diff --git a/examples/complete.yaml b/examples/complete.yaml
index fbd58f51c..b51c3295d 100644
--- a/examples/complete.yaml
+++ b/examples/complete.yaml
@@ -103,6 +103,9 @@ spec:
     delayJitter: 5 # add X % (1-100) of delay as jitter to delay (+- X% ms to original delay), defaults to 10%
     bandwidthLimit: 10000 # bandwidth limit in bytes
   cpuPressure: {} # cpu load generator
+  memoryPressure: # memory load generator
+    targetPercent: "50%" # percentage of available memory to consume (e.g. "50%")
+    rampDuration: 10m # optional, duration over which to gradually reach targetPercent
   diskPressure: # disk pressure
     path: /mnt/data # mount point (in the pod) to apply throttle on
     throttling:
diff --git a/examples/memory_pressure.yaml b/examples/memory_pressure.yaml
new file mode 100644
index 000000000..b8ddc2099
--- /dev/null
+++ b/examples/memory_pressure.yaml
@@ -0,0 +1,19 @@
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2026 Datadog, Inc.
+
+apiVersion: chaos.datadoghq.com/v1beta1
+kind: Disruption
+metadata:
+  name: memory-pressure
+  namespace: chaos-demo
+spec:
+  level: pod
+  selector:
+    service: demo-curl
+  count: 100%
+  duration: 5m
+  memoryPressure:
+    targetPercent: "50%"
+    #rampDuration: 10m
diff --git a/go.mod b/go.mod
index b2fbbe065..3654a81b3 100644
--- a/go.mod
+++ b/go.mod
@@ -137,7 +137,6 @@ require (
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.1 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
@@ -149,7 +148,6 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runtime-spec v1.2.0 // indirect
diff --git a/go.sum b/go.sum
index 12f5c0848..8eede54fa 100644
--- a/go.sum
+++ b/go.sum
@@ -61,8 +61,6 @@ github.com/aquasecurity/libbpfgo v0.5.1-libbpf-1.2 h1:Y7QB6jUsMyr0Bd+rAj67X2/ezN
 github.com/aquasecurity/libbpfgo v0.5.1-libbpf-1.2/go.mod h1:0rEApF1YBHGuZ4C8OYI9q5oDBVpgqtRqYATePl9mCDk=
 github.com/aquasecurity/libbpfgo/helpers v0.4.5 h1:eCoLclL3yqv4N9jqGL3T/ckrLPms2r13C4V2xtU75yc=
 github.com/aquasecurity/libbpfgo/helpers v0.4.5/go.mod h1:j/TQLmsZpOIdF3CnJODzYngG4yu1YoDCoRMELxkQSSA=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0=
 github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -310,8 +308,6 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
-github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
 github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
 github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
@@ -336,8 +332,6 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/onsi/ginkgo/v2 v2.27.4 h1:fcEcQW/A++6aZAZQNUmNjvA9PSOzefMJBerHJ4t8v8Y=
 github.com/onsi/ginkgo/v2 v2.27.4/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/onsi/gomega v1.39.0 h1:y2ROC3hKFmQZJNFeGAMeHZKkjBL65mIZcvrLQBF9k6Q=
diff --git a/injector/memory_alloc_linux.go b/injector/memory_alloc_linux.go
new file mode 100644
index 000000000..18c35b587
--- /dev/null
+++ b/injector/memory_alloc_linux.go
@@ -0,0 +1,21 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+//go:build linux
+
+package injector
+
+import "syscall"
+
+// mmapAnonymous allocates anonymous memory pages using mmap with MAP_POPULATE
+// to ensure physical pages are allocated immediately
+func mmapAnonymous(size int) ([]byte, error) {
+	return syscall.Mmap(-1, 0, size, syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_ANONYMOUS|syscall.MAP_PRIVATE|syscall.MAP_POPULATE)
+}
+
+// munmapMemory releases memory previously allocated with mmapAnonymous
+func munmapMemory(data []byte) error {
+	return syscall.Munmap(data)
+}
diff --git a/injector/memory_alloc_other.go b/injector/memory_alloc_other.go
new file mode 100644
index 000000000..3f05d0fd0
--- /dev/null
+++ b/injector/memory_alloc_other.go
@@ -0,0 +1,21 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+//go:build !linux
+
+package injector
+
+import "fmt"
+
+// mmapAnonymous is a stub for non-Linux platforms
+// Memory pressure injection only works on Linux
+func mmapAnonymous(size int) ([]byte, error) {
+	return nil, fmt.Errorf("memory pressure injection is only supported on Linux")
+}
+
+// munmapMemory is a stub for non-Linux platforms
+func munmapMemory(_ []byte) error {
+	return nil
+}
diff --git a/injector/memory_pressure.go b/injector/memory_pressure.go
new file mode 100644
index 000000000..1ec434d92
--- /dev/null
+++ b/injector/memory_pressure.go
@@ -0,0 +1,111 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package injector
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/DataDog/chaos-controller/api/v1beta1"
+	"github.com/DataDog/chaos-controller/command"
+	"github.com/DataDog/chaos-controller/o11y/tags"
+	"github.com/DataDog/chaos-controller/types"
+)
+
+type MemoryStressArgsBuilder interface {
+	GenerateArgs(targetPercent int, rampDuration time.Duration) []string
+}
+
+type memoryPressureInjector struct {
+	config                  Config
+	spec                    *v1beta1.MemoryPressureSpec
+	injectorCmdFactory      InjectorCmdFactory
+	backgroundCmd           command.BackgroundCmd
+	cancel                  context.CancelFunc
+	memoryStressArgsBuilder MemoryStressArgsBuilder
+}
+
+// NewMemoryPressureInjector creates a memory pressure injector with the given config
+func NewMemoryPressureInjector(config Config, targetPercent string, rampDuration time.Duration, injectorCmdFactory InjectorCmdFactory, argsBuilder MemoryStressArgsBuilder) Injector {
+	return &memoryPressureInjector{
+		config: config,
+		spec: &v1beta1.MemoryPressureSpec{
+			TargetPercent: targetPercent,
+			RampDuration:  v1beta1.DisruptionDuration(rampDuration.String()),
+		},
+		injectorCmdFactory:      injectorCmdFactory,
+		memoryStressArgsBuilder: argsBuilder,
+	}
+}
+
+func (i *memoryPressureInjector) TargetName() string {
+	return i.config.TargetName()
+}
+
+func (i *memoryPressureInjector) GetDisruptionKind() types.DisruptionKindName {
+	return types.DisruptionKindMemoryPressure
+}
+
+func (i *memoryPressureInjector) Inject() error {
+	i.config.Log.Infow("creating process to stress target memory", tags.TargetPercentKey, i.spec.TargetPercent, tags.RampDurationKey, i.spec.RampDuration)
+
+	pct, err := v1beta1.ParseTargetPercent(i.spec.TargetPercent)
+	if err != nil {
+		return fmt.Errorf("unable to parse target percent %q: %w", i.spec.TargetPercent, err)
+	}
+
+	// clamp to valid range
+	if pct < 0 {
+		pct = 0
+	} else if pct > 100 {
+		pct = 100
+	}
+
+	rampDuration := i.spec.RampDuration.Duration()
+
+	var cmdErr error
+	if i.backgroundCmd, i.cancel, cmdErr = i.injectorCmdFactory.NewInjectorBackgroundCmd(
+		i.config.DisruptionDeadline,
+		i.config.Disruption,
+		i.config.TargetName(),
+		i.memoryStressArgsBuilder.GenerateArgs(pct, rampDuration),
+	); cmdErr != nil {
+		return fmt.Errorf("unable to create new process definition for injector: %w", cmdErr)
+	}
+
+	if err := i.backgroundCmd.Start(); err != nil {
+		defer i.cancel()
+
+		return fmt.Errorf("unable to start process for injector: %w", err)
+	}
+
+	i.backgroundCmd.KeepAlive()
+
+	i.config.Log.Infow("memory stress process started successfully", tags.TargetPercentKey, pct, tags.RampDurationKey, rampDuration)
+
+	return nil
+}
+
+func (i *memoryPressureInjector) UpdateConfig(config Config) {
+	i.config = config
+}
+
+func (i *memoryPressureInjector) Clean() error {
+	if i.backgroundCmd == nil {
+		return nil
+	}
+
+	defer i.cancel()
+
+	if err := i.backgroundCmd.Stop(); err != nil && !errors.Is(err, os.ErrProcessDone) {
+		return fmt.Errorf("unable to stop background process: %w", err)
+	}
+
+	return nil
+}
diff --git a/injector/memory_pressure_test.go b/injector/memory_pressure_test.go
new file mode 100644
index 000000000..17f6deedf
--- /dev/null
+++ b/injector/memory_pressure_test.go
@@ -0,0 +1,102 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package injector_test
+
+import (
+	"errors"
+	"time"
+
+	"github.com/DataDog/chaos-controller/cgroup"
+	"github.com/DataDog/chaos-controller/command"
+	"github.com/DataDog/chaos-controller/container"
+	. "github.com/DataDog/chaos-controller/injector"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/stretchr/testify/mock"
+)
+
+var _ = Describe("Memory pressure", func() {
+	var (
+		config     Config
+		cgroups    *cgroup.ManagerMock
+		ctr        *container.ContainerMock
+		factory    *InjectorCmdFactoryMock
+		args       *MemoryStressArgsBuilderMock
+		background *command.BackgroundCmdMock
+	)
+
+	const containerName = "my-container-name"
+
+	BeforeEach(func() {
+		cgroups = cgroup.NewManagerMock(GinkgoT())
+		ctr = container.NewContainerMock(GinkgoT())
+		args = NewMemoryStressArgsBuilderMock(GinkgoT())
+		background = command.NewBackgroundCmdMock(GinkgoT())
+		factory = NewInjectorCmdFactoryMock(GinkgoT())
+
+		config = Config{
+			Log:             log,
+			Cgroup:          cgroups,
+			TargetContainer: ctr,
+		}
+	})
+
+	When("Inject is called", func() {
+		It("succeeds with valid percentage", func() {
+			inj := NewMemoryPressureInjector(config, "76%", time.Duration(0), factory, args)
+
+			seenArgs := []string{"76"}
+
+			ctr.EXPECT().Name().Return(containerName).Once()
+			args.EXPECT().GenerateArgs(76, time.Duration(0)).Return(seenArgs).Once()
+
+			background.EXPECT().Start().Return(nil).Once()
+			background.EXPECT().KeepAlive().Once()
+
+			factory.EXPECT().NewInjectorBackgroundCmd(config.DisruptionDeadline, config.Disruption, containerName, seenArgs).Return(background, nothingToCancel, nil).Once()
+
+			Expect(inj.Inject()).To(Succeed())
+		})
+
+		It("fails with invalid percentage", func() {
+			inj := NewMemoryPressureInjector(config, "abc", time.Duration(0), factory, args)
+
+			Expect(inj.Inject()).Should(MatchError(ContainSubstring("unable to parse target percent")))
+		})
+
+		It("fails with background manager error", func() {
+			inj := NewMemoryPressureInjector(config, "50%", time.Duration(0), factory, args)
+
+			ctr.EXPECT().Name().Return("").Once()
+			args.EXPECT().GenerateArgs(50, time.Duration(0)).Return(nil).Once()
+			factory.EXPECT().NewInjectorBackgroundCmd(mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil, nil, errors.New("background manager error")).Once()
+
+			Expect(inj.Inject()).Should(MatchError("unable to create new process definition for injector: background manager error"))
+		})
+	})
+
+	When("Clean is called", func() {
+		It("succeeds if no background process", func() {
+			inj := NewMemoryPressureInjector(config, "", time.Duration(0), factory, args)
+			Expect(inj.Clean()).To(Succeed())
+		})
+
+		It("succeeds and calls stop after proper inject", func() {
+			background.EXPECT().Start().Return(nil).Once()
+			background.EXPECT().KeepAlive().Once()
+			background.EXPECT().Stop().Return(nil).Once()
+
+			inj := NewMemoryPressureInjector(config, "50%", time.Duration(0), factory, args)
+
+			ctr.EXPECT().Name().Return("").Once()
+			args.EXPECT().GenerateArgs(50, time.Duration(0)).Return(nil).Once()
+			factory.EXPECT().NewInjectorBackgroundCmd(mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(background, nothingToCancel, nil)
+
+			Expect(inj.Inject()).To(Succeed())
+			Expect(inj.Clean()).To(Succeed())
+		})
+	})
+})
diff --git a/injector/memory_stress.go b/injector/memory_stress.go
new file mode 100644
index 000000000..70f179c96
--- /dev/null
+++ b/injector/memory_stress.go
@@ -0,0 +1,265 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package injector
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/DataDog/chaos-controller/o11y/tags"
+	"github.com/DataDog/chaos-controller/process"
+	"github.com/DataDog/chaos-controller/types"
+)
+
+type memoryStressInjector struct {
+	config        *Config
+	process       process.Manager
+	targetPercent int
+	rampDuration  time.Duration
+	allocations   [][]byte
+	exitCh        chan struct{}
+	exitCompleted chan struct{}
+}
+
+// NewMemoryStressInjector creates a memory stress injector with the given config
+func NewMemoryStressInjector(config Config, targetPercent int, rampDuration time.Duration, process process.Manager) Injector {
+	return &memoryStressInjector{
+		config:        &config,
+		targetPercent: targetPercent,
+		rampDuration:  rampDuration,
+		process:       process,
+	}
+}
+
+func (m *memoryStressInjector) TargetName() string {
+	return m.config.TargetName()
+}
+
+func (*memoryStressInjector) GetDisruptionKind() types.DisruptionKindName {
+	return types.DisruptionKindMemoryStress
+}
+
+func (m *memoryStressInjector) UpdateConfig(config Config) {
+	m.config = &config
+}
+
+func (m *memoryStressInjector) Inject() error {
+	if len(m.allocations) > 0 {
+		return fmt.Errorf("injector contains %d existing allocations, all allocations should be cleaned before re-injecting", len(m.allocations))
+	}
+
+	stressPID := m.process.ProcessID()
+
+	m.config.Log.Infow("joining target cgroup for memory stress", tags.PidKey, stressPID)
+
+	if err := m.config.Cgroup.Join(stressPID); err != nil {
+		return fmt.Errorf("unable to join cgroup for process '%d': %w", stressPID, err)
+	}
+
+	// read memory limit from cgroup
+	memoryLimit, err := m.readMemoryLimit()
+	if err != nil {
+		return fmt.Errorf("unable to read memory limit: %w", err)
+	}
+
+	// read current memory usage from cgroup
+	currentUsage, err := m.readMemoryUsage()
+	if err != nil {
+		return fmt.Errorf("unable to read memory usage: %w", err)
+	}
+
+	targetBytes := (memoryLimit * int64(m.targetPercent) / 100) - currentUsage
+	if targetBytes <= 0 {
+		m.config.Log.Infow("current memory usage already exceeds target, nothing to allocate",
+			tags.MemoryLimitKey, memoryLimit, tags.CurrentUsageKey, currentUsage, tags.TargetPercentKey, m.targetPercent)
+
+		return nil
+	}
+
+	m.config.Log.Infow("starting memory stress",
+		tags.MemoryLimitKey, memoryLimit, tags.CurrentUsageKey, currentUsage,
+		tags.TargetBytesKey, targetBytes, tags.TargetPercentKey, m.targetPercent, tags.RampDurationKey, m.rampDuration)
+
+	m.exitCh = make(chan struct{}, 1)
+	m.exitCompleted = make(chan struct{}, 1)
+
+	stressReady := make(chan struct{}, 1)
+
+	go m.stress(targetBytes, stressReady)
+
+	<-stressReady
+
+	return nil
+}
+
+func (m *memoryStressInjector) stress(targetBytes int64, ready chan<- struct{}) {
+	defer func() {
+		m.exitCompleted <- struct{}{}
+	}()
+
+	if m.config.Disruption.DryRun {
+		m.config.Log.Debug("memory stress dry run mode activated, skipping allocation, just waiting...")
+
+		ready <- struct{}{}
+
+		<-m.exitCh
+
+		return
+	}
+
+	// determine allocation strategy
+	var steps int
+
+	var stepDelay time.Duration
+
+	if m.rampDuration > 0 {
+		// allocate in 1-second intervals over the ramp duration
+		steps = int(m.rampDuration.Seconds())
+		if steps < 1 {
+			steps = 1
+		}
+
+		stepDelay = m.rampDuration / time.Duration(steps)
+	} else {
+		steps = 1
+		stepDelay = 0
+	}
+
+	chunkSize := int(targetBytes / int64(steps))
+	if chunkSize <= 0 {
+		chunkSize = int(targetBytes)
+		steps = 1
+	}
+
+	m.config.Log.Infow("memory allocation plan", tags.StepsKey, steps, tags.ChunkSizeKey, chunkSize, tags.StepDelayKey, stepDelay)
+
+	ready <- struct{}{}
+
+	for i := 0; i < steps; i++ {
+		select {
+		case <-m.exitCh:
+			m.config.Log.Infow("exit signal received during ramp, stopping allocation", tags.CompletedStepsKey, i, tags.TotalStepsKey, steps)
+			return
+		default:
+		}
+
+		// for the last step, allocate the remainder
+		allocSize := chunkSize
+		if i == steps-1 {
+			allocSize = int(targetBytes) - (chunkSize * i)
+		}
+
+		if allocSize <= 0 {
+			break
+		}
+
+		data, err := mmapAnonymous(allocSize)
+		if err != nil {
+			m.config.Log.Warnw("mmap allocation failed, stopping ramp", tags.ErrorKey, err, tags.StepKey, i, tags.AllocSizeKey, allocSize)
+			break
+		}
+
+		m.allocations = append(m.allocations, data)
+
+		if stepDelay > 0 && i < steps-1 {
+			select {
+			case <-m.exitCh:
+				m.config.Log.Infow("exit signal received during ramp delay", tags.CompletedStepsKey, i+1, tags.TotalStepsKey, steps)
+				return
+			case <-time.After(stepDelay):
+			}
+		}
+	}
+
+	m.config.Log.Infow("memory allocation complete, waiting for exit signal", tags.AllocationsKey, len(m.allocations))
+
+	<-m.exitCh
+}
+
+func (m *memoryStressInjector) Clean() error {
+	m.config.Log.Info("cleaning memory stress")
+
+	if m.exitCh != nil {
+		m.exitCh <- struct{}{}
+
+		<-m.exitCompleted
+
+		close(m.exitCh)
+		m.exitCh = nil
+
+		close(m.exitCompleted)
+		m.exitCompleted = nil
+	}
+
+	m.config.Log.Infow("releasing memory allocations", tags.AllocationsKey, len(m.allocations))
+
+	for _, alloc := range m.allocations {
+		if err := munmapMemory(alloc); err != nil {
+			m.config.Log.Warnw("failed to munmap allocation", tags.ErrorKey, err)
+		}
+	}
+
+	m.allocations = nil
+
+	m.config.Log.Info("memory stress cleaned")
+
+	return nil
+}
+
+func (m *memoryStressInjector) readMemoryLimit() (int64, error) {
+	if m.config.Cgroup.IsCgroupV2() {
+		content, err := m.config.Cgroup.Read("", "memory.max")
+		if err != nil {
+			return 0, fmt.Errorf("unable to read memory.max: %w", err)
+		}
+
+		if strings.TrimSpace(content) == "max" {
+			// no limit set, use total system memory as fallback
+			return 0, fmt.Errorf("memory limit is 'max' (unlimited), cannot determine target bytes")
+		}
+
+		return strconv.ParseInt(strings.TrimSpace(content), 10, 64)
+	}
+
+	content, err := m.config.Cgroup.Read("memory", "memory.limit_in_bytes")
+	if err != nil {
+		return 0, fmt.Errorf("unable to read memory.limit_in_bytes: %w", err)
+	}
+
+	limit, err := strconv.ParseInt(strings.TrimSpace(content), 10, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	// cgroupv1 reports PAGE_ALIGN(math.MaxInt64) = 9223372036854771712 when no memory limit is set.
+	// Use a 4 PiB threshold to detect this sentinel: no real workload has that much RAM.
+	const cgroupV1UnlimitedThreshold = int64(4 * 1024 * 1024 * 1024 * 1024 * 1024) // 4 PiB
+	if limit >= cgroupV1UnlimitedThreshold {
+		return 0, fmt.Errorf("memory limit is unlimited (memory.limit_in_bytes=%d), cannot determine target bytes", limit)
+	}
+
+	return limit, nil
+}
+
+func (m *memoryStressInjector) readMemoryUsage() (int64, error) {
+	if m.config.Cgroup.IsCgroupV2() {
+		content, err := m.config.Cgroup.Read("", "memory.current")
+		if err != nil {
+			return 0, fmt.Errorf("unable to read memory.current: %w", err)
+		}
+
+		return strconv.ParseInt(strings.TrimSpace(content), 10, 64)
+	}
+
+	content, err := m.config.Cgroup.Read("memory", "memory.usage_in_bytes")
+	if err != nil {
+		return 0, fmt.Errorf("unable to read memory.usage_in_bytes: %w", err)
+	}
+
+	return strconv.ParseInt(strings.TrimSpace(content), 10, 64)
+}
diff --git a/injector/memory_stress_args_builder_mock.go b/injector/memory_stress_args_builder_mock.go
new file mode 100644
index 000000000..3adbfc440
--- /dev/null
+++ b/injector/memory_stress_args_builder_mock.go
@@ -0,0 +1,90 @@
+// Code generated by mockery. DO NOT EDIT.
+
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package injector
+
+import (
+	time "time"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MemoryStressArgsBuilderMock is an autogenerated mock type for the MemoryStressArgsBuilder type
+type MemoryStressArgsBuilderMock struct {
+	mock.Mock
+}
+
+type MemoryStressArgsBuilderMock_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MemoryStressArgsBuilderMock) EXPECT() *MemoryStressArgsBuilderMock_Expecter {
+	return &MemoryStressArgsBuilderMock_Expecter{mock: &_m.Mock}
+}
+
+// GenerateArgs provides a mock function with given fields: targetPercent, rampDuration
+func (_m *MemoryStressArgsBuilderMock) GenerateArgs(targetPercent int, rampDuration time.Duration) []string {
+	ret := _m.Called(targetPercent, rampDuration)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GenerateArgs")
+	}
+
+	var r0 []string
+	if rf, ok := ret.Get(0).(func(int, time.Duration) []string); ok {
+		r0 = rf(targetPercent, rampDuration)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]string)
+		}
+	}
+
+	return r0
+}
+
+// MemoryStressArgsBuilderMock_GenerateArgs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GenerateArgs'
+type MemoryStressArgsBuilderMock_GenerateArgs_Call struct {
+	*mock.Call
+}
+
+// GenerateArgs is a helper method to define mock.On call
+//   - targetPercent int
+//   - rampDuration time.Duration
+func (_e *MemoryStressArgsBuilderMock_Expecter) GenerateArgs(targetPercent interface{}, rampDuration interface{}) *MemoryStressArgsBuilderMock_GenerateArgs_Call {
+	return &MemoryStressArgsBuilderMock_GenerateArgs_Call{Call: _e.mock.On("GenerateArgs", targetPercent, rampDuration)}
+}
+
+func (_c *MemoryStressArgsBuilderMock_GenerateArgs_Call) Run(run func(targetPercent int, rampDuration time.Duration)) *MemoryStressArgsBuilderMock_GenerateArgs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(int), args[1].(time.Duration))
+	})
+	return _c
+}
+
+func (_c *MemoryStressArgsBuilderMock_GenerateArgs_Call) Return(_a0 []string) *MemoryStressArgsBuilderMock_GenerateArgs_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MemoryStressArgsBuilderMock_GenerateArgs_Call) RunAndReturn(run func(int, time.Duration) []string) *MemoryStressArgsBuilderMock_GenerateArgs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMemoryStressArgsBuilderMock creates a new instance of MemoryStressArgsBuilderMock. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMemoryStressArgsBuilderMock(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MemoryStressArgsBuilderMock {
+	mock := &MemoryStressArgsBuilderMock{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
diff --git a/injector/memory_stress_test.go b/injector/memory_stress_test.go
new file mode 100644
index 000000000..57f32b342
--- /dev/null
+++ b/injector/memory_stress_test.go
@@ -0,0 +1,135 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package injector_test
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/DataDog/chaos-controller/cgroup"
+	. "github.com/DataDog/chaos-controller/injector"
+	"github.com/DataDog/chaos-controller/process"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Memory stress", func() {
+	var (
+		config  Config
+		inj     Injector
+		cgroups *cgroup.ManagerMock
+		manager *process.ManagerMock
+	)
+
+	const processID = 42
+
+	BeforeEach(func() {
+		cgroups = cgroup.NewManagerMock(GinkgoT())
+		manager = process.NewManagerMock(GinkgoT())
+
+		config = Config{
+			Log:    log,
+			Cgroup: cgroups,
+		}
+	})
+
+	JustBeforeEach(func() {
+		inj = NewMemoryStressInjector(config, 80, time.Duration(0), manager)
+	})
+
+	Describe("Inject", func() {
+		Context("when cgroup Join fails", func() {
+			BeforeEach(func() {
+				cgroups.EXPECT().Join(processID).Return(fmt.Errorf("join error")).Once()
+				manager.EXPECT().ProcessID().Return(processID).Once()
+			})
+
+			It("returns an error", func() {
+				Expect(inj.Inject()).To(MatchError("unable to join cgroup for process '42': join error"))
+			})
+		})
+
+		Describe("cgroupv2", func() {
+			BeforeEach(func() {
+				cgroups.EXPECT().Join(processID).Return(nil).Once()
+				manager.EXPECT().ProcessID().Return(processID).Once()
+				cgroups.EXPECT().IsCgroupV2().Return(true)
+			})
+
+			Context("when memory.max read fails", func() {
+				BeforeEach(func() {
+					cgroups.EXPECT().Read("", "memory.max").Return("", fmt.Errorf("read error")).Once()
+				})
+
+				It("returns an error", func() {
+					Expect(inj.Inject()).To(MatchError(ContainSubstring("unable to read memory limit")))
+				})
+			})
+
+			Context("when memory.max is 'max' (unlimited)", func() {
+				BeforeEach(func() {
+					cgroups.EXPECT().Read("", "memory.max").Return("max", nil).Once()
+				})
+
+				It("returns an error containing 'unlimited'", func() {
+					Expect(inj.Inject()).To(MatchError(ContainSubstring("unlimited")))
+				})
+			})
+		})
+
+		Describe("cgroupv1", func() {
+			BeforeEach(func() {
+				cgroups.EXPECT().Join(processID).Return(nil).Once()
+				manager.EXPECT().ProcessID().Return(processID).Once()
+				cgroups.EXPECT().IsCgroupV2().Return(false)
+			})
+
+			Context("when memory.limit_in_bytes read fails", func() {
+				BeforeEach(func() {
+					cgroups.EXPECT().Read("memory", "memory.limit_in_bytes").Return("", fmt.Errorf("read error")).Once()
+				})
+
+				It("returns an error", func() {
+					Expect(inj.Inject()).To(MatchError(ContainSubstring("unable to read memory limit")))
+				})
+			})
+
+			Context("when memory.limit_in_bytes is the unlimited sentinel (9223372036854771712)", func() {
+				BeforeEach(func() {
+					cgroups.EXPECT().Read("memory", "memory.limit_in_bytes").Return("9223372036854771712", nil).Once()
+				})
+
+				It("returns an error containing 'unlimited'", func() {
+					Expect(inj.Inject()).To(MatchError(ContainSubstring("unlimited")))
+				})
+			})
+
+			Context("when memory.limit_in_bytes is set to a real limit", func() {
+				const memLimit = "536870912" // 512 MiB
+				const memUsage = "104857600" // 100 MiB
+
+				BeforeEach(func() {
+					cgroups.EXPECT().Read("memory", "memory.limit_in_bytes").Return(memLimit, nil).Once()
+					cgroups.EXPECT().IsCgroupV2().Return(false).Maybe()
+					cgroups.EXPECT().Read("memory", "memory.usage_in_bytes").Return(memUsage, nil).Once()
+				})
+
+				It("succeeds and starts allocating memory", func() {
+					Expect(inj.Inject()).To(Succeed())
+
+					// clean up background goroutine
+					Expect(inj.Clean()).To(Succeed())
+				})
+			})
+		})
+	})
+
+	Describe("Clean", func() {
+		It("succeeds when no injection has occurred", func() {
+			Expect(inj.Clean()).To(Succeed())
+		})
+	})
+})
diff --git a/o11y/tags/tags.go b/o11y/tags/tags.go
index f57caef77..d3437733c 100644
--- a/o11y/tags/tags.go
+++ b/o11y/tags/tags.go
@@ -62,6 +62,8 @@ const (
 	TargetDisruptedByKindsKey = "target_disrupted_by_kinds"
 	TargetLevelKey            = "target_level"
 	TargetsKey                = "targets"
+	TargetBytesKey            = "target_bytes"
+	TargetPercentKey          = "target_percent"
 
 	// Target selection
 	EstimatedEligibleTargetsCountKey = "estimated_eligible_targets_count"
@@ -189,6 +191,19 @@ const (
 	SysrqTriggerPathKey = "sysrq_trigger_path"
 	ThreadIDKey         = "thread_id"
 
+	// Memory pressure
+	AllocationsKey    = "allocations"
+	AllocSizeKey      = "alloc_size"
+	ChunkSizeKey      = "chunk_size"
+	CompletedStepsKey = "completed_steps"
+	CurrentUsageKey   = "current_usage"
+	MemoryLimitKey    = "memory_limit"
+	RampDurationKey   = "ramp_duration"
+	StepDelayKey      = "step_delay"
+	StepKey           = "step"
+	StepsKey          = "steps"
+	TotalStepsKey     = "total_steps"
+
 	// Network and connectivity
 	AddressKey             = "address"
 	BandwidthLimitKey      = "bandwidth_limit"
diff --git a/safemode/safemode.go b/safemode/safemode.go
index c79a9ecd7..90787d2c2 100644
--- a/safemode/safemode.go
+++ b/safemode/safemode.go
@@ -58,6 +58,12 @@ func AddAllSafemodeObjects(disruption v1beta1.Disruption, k8sClient client.Clien
 		safemodeList = append(safemodeList, &safemodeCPU)
 	}
 
+	if disruption.Spec.MemoryPressure != nil {
+		safemodeMemory := Memory{}
+		safemodeMemory.Init(disruption, k8sClient)
+		safemodeList = append(safemodeList, &safemodeMemory)
+	}
+
 	if disruption.Spec.GRPC != nil {
 		safemodeGRPC := GRPC{}
 		safemodeGRPC.Init(disruption, k8sClient)
diff --git a/safemode/safemode_memory.go b/safemode/safemode_memory.go
new file mode 100644
index 000000000..6f53a50d6
--- /dev/null
+++ b/safemode/safemode_memory.go
@@ -0,0 +1,22 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026 Datadog, Inc.
+
+package safemode
+
+import (
+	"github.com/DataDog/chaos-controller/api/v1beta1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type Memory struct {
+	dis    v1beta1.Disruption
+	client client.Client
+}
+
+// Init Refer to safemode.Safemode interface for documentation
+func (sm *Memory) Init(disruption v1beta1.Disruption, client client.Client) {
+	sm.dis = disruption
+	sm.client = client
+}
diff --git a/types/types.go b/types/types.go
index cc6ab45b3..06d1be103 100644
--- a/types/types.go
+++ b/types/types.go
@@ -81,6 +81,10 @@ const (
 	DisruptionKindGRPCDisruption = "grpc-disruption"
 	// DisruptionKindPodReplacement is a pod replacement disruption
 	DisruptionKindPodReplacement = "pod-replacement"
+	// DisruptionKindMemoryPressure is a memory pressure disruption
+	DisruptionKindMemoryPressure = "memory-pressure"
+	// DisruptionKindMemoryStress is a memory pressure sub-disruption that stress a single container
+	DisruptionKindMemoryStress = "memory-pressure-stress"
 	// DisruptionKindDNSDisruption is a DNS disruption
 	DisruptionKindDNSDisruption = "dns-disruption"
 
@@ -155,6 +159,7 @@ var DisruptionKindNames = []DisruptionKindName{
 	DisruptionKindNodeFailure,
 	DisruptionKindContainerFailure,
 	DisruptionKindCPUPressure,
+	DisruptionKindMemoryPressure,
 	DisruptionKindDiskPressure,
 	DisruptionKindDiskFailure,
 	DisruptionKindGRPCDisruption,
diff --git a/vendor/github.com/moby/spdystream/CONTRIBUTING.md b/vendor/github.com/moby/spdystream/CONTRIBUTING.md
deleted file mode 100644
index d4eddcc53..000000000
--- a/vendor/github.com/moby/spdystream/CONTRIBUTING.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Contributing to SpdyStream
-
-Want to hack on spdystream? Awesome! Here are instructions to get you
-started.
-
-SpdyStream is a part of the [Docker](https://docker.io) project, and follows
-the same rules and principles. If you're already familiar with the way
-Docker does things, you'll feel right at home.
-
-Otherwise, go read
-[Docker's contributions guidelines](https://github.com/dotcloud/docker/blob/master/CONTRIBUTING.md).
-
-Happy hacking!
diff --git a/vendor/github.com/moby/spdystream/LICENSE b/vendor/github.com/moby/spdystream/LICENSE
deleted file mode 100644
index d64569567..000000000
--- a/vendor/github.com/moby/spdystream/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
diff --git a/vendor/github.com/moby/spdystream/MAINTAINERS b/vendor/github.com/moby/spdystream/MAINTAINERS
deleted file mode 100644
index 26e5ec828..000000000
--- a/vendor/github.com/moby/spdystream/MAINTAINERS
+++ /dev/null
@@ -1,40 +0,0 @@
-# Spdystream maintainers file
-#
-# This file describes who runs the moby/spdystream project and how.
-# This is a living document - if you see something out of date or missing, speak up!
-#
-# It is structured to be consumable by both humans and programs.
-# To extract its contents programmatically, use any TOML-compliant parser.
-#
-# This file is compiled into the MAINTAINERS file in docker/opensource.
-#
-[Org]
-	[Org."Core maintainers"]
-		people = [
-			"adisky",
-			"dims",
-			"dmcgowan",
-		]
-
-[people]
-
-# A reference list of all people associated with the project.
-# All other sections should refer to people by their canonical key
-# in the people section.
-
-	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
-
-	[people.adisky]
-	Name = "Aditi Sharma"
-	Email = "adi.sky17@gmail.com"
-	GitHub = "adisky"
-
-	[people.dims]
-	Name = "Davanum Srinivas"
-	Email = "davanum@gmail.com"
-	GitHub = "dims"
-
-	[people.dmcgowan]
-	Name = "Derek McGowan"
-	Email = "derek@mcg.dev"
-	GitHub = "dmcgowan"
diff --git a/vendor/github.com/moby/spdystream/NOTICE b/vendor/github.com/moby/spdystream/NOTICE
deleted file mode 100644
index b9b11c9ab..000000000
--- a/vendor/github.com/moby/spdystream/NOTICE
+++ /dev/null
@@ -1,5 +0,0 @@
-SpdyStream
-Copyright 2014-2021 Docker Inc.
-
-This product includes software developed at
-Docker Inc. (https://www.docker.com/).
diff --git a/vendor/github.com/moby/spdystream/README.md b/vendor/github.com/moby/spdystream/README.md
deleted file mode 100644
index b84e98343..000000000
--- a/vendor/github.com/moby/spdystream/README.md
+++ /dev/null
@@ -1,77 +0,0 @@
-# SpdyStream
-
-A multiplexed stream library using spdy
-
-## Usage
-
-Client example (connecting to mirroring server without auth)
-
-```go
-package main
-
-import (
-	"fmt"
-	"github.com/moby/spdystream"
-	"net"
-	"net/http"
-)
-
-func main() {
-	conn, err := net.Dial("tcp", "localhost:8080")
-	if err != nil {
-		panic(err)
-	}
-	spdyConn, err := spdystream.NewConnection(conn, false)
-	if err != nil {
-		panic(err)
-	}
-	go spdyConn.Serve(spdystream.NoOpStreamHandler)
-	stream, err := spdyConn.CreateStream(http.Header{}, nil, false)
-	if err != nil {
-		panic(err)
-	}
-
-	stream.Wait()
-
-	fmt.Fprint(stream, "Writing to stream")
-
-	buf := make([]byte, 25)
-	stream.Read(buf)
-	fmt.Println(string(buf))
-
-	stream.Close()
-}
-```
-
-Server example (mirroring server without auth)
-
-```go
-package main
-
-import (
-	"github.com/moby/spdystream"
-	"net"
-)
-
-func main() {
-	listener, err := net.Listen("tcp", "localhost:8080")
-	if err != nil {
-		panic(err)
-	}
-	for {
-		conn, err := listener.Accept()
-		if err != nil {
-			panic(err)
-		}
-		spdyConn, err := spdystream.NewConnection(conn, true)
-		if err != nil {
-			panic(err)
-		}
-		go spdyConn.Serve(spdystream.MirrorStreamHandler)
-	}
-}
-```
-
-## Copyright and license
-
-Copyright 2013-2021 Docker, inc. Released under the [Apache 2.0 license](LICENSE).
diff --git a/vendor/github.com/moby/spdystream/connection.go b/vendor/github.com/moby/spdystream/connection.go
deleted file mode 100644
index 1394d0ad4..000000000
--- a/vendor/github.com/moby/spdystream/connection.go
+++ /dev/null
@@ -1,991 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package spdystream
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"sync"
-	"time"
-
-	"github.com/moby/spdystream/spdy"
-)
-
-var (
-	ErrInvalidStreamId   = errors.New("Invalid stream id")
-	ErrTimeout           = errors.New("Timeout occurred")
-	ErrReset             = errors.New("Stream reset")
-	ErrWriteClosedStream = errors.New("Write on closed stream")
-)
-
-const (
-	FRAME_WORKERS = 5
-	QUEUE_SIZE    = 50
-)
-
-type StreamHandler func(stream *Stream)
-
-type AuthHandler func(header http.Header, slot uint8, parent uint32) bool
-
-type idleAwareFramer struct {
-	f              *spdy.Framer
-	conn           *Connection
-	writeLock      sync.Mutex
-	resetChan      chan struct{}
-	setTimeoutLock sync.Mutex
-	setTimeoutChan chan time.Duration
-	timeout        time.Duration
-}
-
-func newIdleAwareFramer(framer *spdy.Framer) *idleAwareFramer {
-	iaf := &idleAwareFramer{
-		f:         framer,
-		resetChan: make(chan struct{}, 2),
-		// setTimeoutChan needs to be buffered to avoid deadlocks when calling setIdleTimeout at about
-		// the same time the connection is being closed
-		setTimeoutChan: make(chan time.Duration, 1),
-	}
-	return iaf
-}
-
-func (i *idleAwareFramer) monitor() {
-	var (
-		timer          *time.Timer
-		expired        <-chan time.Time
-		resetChan      = i.resetChan
-		setTimeoutChan = i.setTimeoutChan
-	)
-Loop:
-	for {
-		select {
-		case timeout := <-i.setTimeoutChan:
-			i.timeout = timeout
-			if timeout == 0 {
-				if timer != nil {
-					timer.Stop()
-				}
-			} else {
-				if timer == nil {
-					timer = time.NewTimer(timeout)
-					expired = timer.C
-				} else {
-					timer.Reset(timeout)
-				}
-			}
-		case <-resetChan:
-			if timer != nil && i.timeout > 0 {
-				timer.Reset(i.timeout)
-			}
-		case <-expired:
-			i.conn.streamCond.L.Lock()
-			streams := i.conn.streams
-			i.conn.streams = make(map[spdy.StreamId]*Stream)
-			i.conn.streamCond.Broadcast()
-			i.conn.streamCond.L.Unlock()
-			go func() {
-				for _, stream := range streams {
-					stream.resetStream()
-				}
-				i.conn.Close()
-			}()
-		case <-i.conn.closeChan:
-			if timer != nil {
-				timer.Stop()
-			}
-
-			// Start a goroutine to drain resetChan. This is needed because we've seen
-			// some unit tests with large numbers of goroutines get into a situation
-			// where resetChan fills up, at least 1 call to Write() is still trying to
-			// send to resetChan, the connection gets closed, and this case statement
-			// attempts to grab the write lock that Write() already has, causing a
-			// deadlock.
-			//
-			// See https://github.com/moby/spdystream/issues/49 for more details.
-			go func() {
-				for range resetChan {
-				}
-			}()
-
-			go func() {
-				for range setTimeoutChan {
-				}
-			}()
-
-			i.writeLock.Lock()
-			close(resetChan)
-			i.resetChan = nil
-			i.writeLock.Unlock()
-
-			i.setTimeoutLock.Lock()
-			close(i.setTimeoutChan)
-			i.setTimeoutChan = nil
-			i.setTimeoutLock.Unlock()
-
-			break Loop
-		}
-	}
-
-	// Drain resetChan
-	for range resetChan {
-	}
-}
-
-func (i *idleAwareFramer) WriteFrame(frame spdy.Frame) error {
-	i.writeLock.Lock()
-	defer i.writeLock.Unlock()
-	if i.resetChan == nil {
-		return io.EOF
-	}
-	err := i.f.WriteFrame(frame)
-	if err != nil {
-		return err
-	}
-
-	i.resetChan <- struct{}{}
-
-	return nil
-}
-
-func (i *idleAwareFramer) ReadFrame() (spdy.Frame, error) {
-	frame, err := i.f.ReadFrame()
-	if err != nil {
-		return nil, err
-	}
-
-	// resetChan should never be closed since it is only closed
-	// when the connection has closed its closeChan. This closure
-	// only occurs after all Reads have finished
-	// TODO (dmcgowan): refactor relationship into connection
-	i.resetChan <- struct{}{}
-
-	return frame, nil
-}
-
-func (i *idleAwareFramer) setIdleTimeout(timeout time.Duration) {
-	i.setTimeoutLock.Lock()
-	defer i.setTimeoutLock.Unlock()
-
-	if i.setTimeoutChan == nil {
-		return
-	}
-
-	i.setTimeoutChan <- timeout
-}
-
-type Connection struct {
-	conn   net.Conn
-	framer *idleAwareFramer
-
-	closeChan      chan bool
-	goneAway       bool
-	lastStreamChan chan<- *Stream
-	goAwayTimeout  time.Duration
-	closeTimeout   time.Duration
-
-	streamLock *sync.RWMutex
-	streamCond *sync.Cond
-	streams    map[spdy.StreamId]*Stream
-
-	nextIdLock       sync.Mutex
-	receiveIdLock    sync.Mutex
-	nextStreamId     spdy.StreamId
-	receivedStreamId spdy.StreamId
-
-	// pingLock protects pingChans and pingId
-	pingLock  sync.Mutex
-	pingId    uint32
-	pingChans map[uint32]chan error
-
-	shutdownLock sync.Mutex
-	shutdownChan chan error
-	hasShutdown  bool
-
-	// for testing https://github.com/moby/spdystream/pull/56
-	dataFrameHandler func(*spdy.DataFrame) error
-}
-
-// NewConnection creates a new spdy connection from an existing
-// network connection.
-func NewConnection(conn net.Conn, server bool) (*Connection, error) {
-	framer, framerErr := spdy.NewFramer(conn, conn)
-	if framerErr != nil {
-		return nil, framerErr
-	}
-	idleAwareFramer := newIdleAwareFramer(framer)
-	var sid spdy.StreamId
-	var rid spdy.StreamId
-	var pid uint32
-	if server {
-		sid = 2
-		rid = 1
-		pid = 2
-	} else {
-		sid = 1
-		rid = 2
-		pid = 1
-	}
-
-	streamLock := new(sync.RWMutex)
-	streamCond := sync.NewCond(streamLock)
-
-	session := &Connection{
-		conn:   conn,
-		framer: idleAwareFramer,
-
-		closeChan:     make(chan bool),
-		goAwayTimeout: time.Duration(0),
-		closeTimeout:  time.Duration(0),
-
-		streamLock:       streamLock,
-		streamCond:       streamCond,
-		streams:          make(map[spdy.StreamId]*Stream),
-		nextStreamId:     sid,
-		receivedStreamId: rid,
-
-		pingId:    pid,
-		pingChans: make(map[uint32]chan error),
-
-		shutdownChan: make(chan error),
-	}
-	session.dataFrameHandler = session.handleDataFrame
-	idleAwareFramer.conn = session
-	go idleAwareFramer.monitor()
-
-	return session, nil
-}
-
-// Ping sends a ping frame across the connection and
-// returns the response time
-func (s *Connection) Ping() (time.Duration, error) {
-	pid := s.pingId
-	s.pingLock.Lock()
-	if s.pingId > 0x7ffffffe {
-		s.pingId = s.pingId - 0x7ffffffe
-	} else {
-		s.pingId = s.pingId + 2
-	}
-	pingChan := make(chan error)
-	s.pingChans[pid] = pingChan
-	s.pingLock.Unlock()
-	defer func() {
-		s.pingLock.Lock()
-		delete(s.pingChans, pid)
-		s.pingLock.Unlock()
-	}()
-
-	frame := &spdy.PingFrame{Id: pid}
-	startTime := time.Now()
-	writeErr := s.framer.WriteFrame(frame)
-	if writeErr != nil {
-		return time.Duration(0), writeErr
-	}
-	select {
-	case <-s.closeChan:
-		return time.Duration(0), errors.New("connection closed")
-	case err, ok := <-pingChan:
-		if ok && err != nil {
-			return time.Duration(0), err
-		}
-		break
-	}
-	return time.Since(startTime), nil
-}
-
-// Serve handles frames sent from the server, including reply frames
-// which are needed to fully initiate connections.  Both clients and servers
-// should call Serve in a separate goroutine before creating streams.
-func (s *Connection) Serve(newHandler StreamHandler) {
-	// use a WaitGroup to wait for all frames to be drained after receiving
-	// go-away.
-	var wg sync.WaitGroup
-
-	// Parition queues to ensure stream frames are handled
-	// by the same worker, ensuring order is maintained
-	frameQueues := make([]*PriorityFrameQueue, FRAME_WORKERS)
-	for i := 0; i < FRAME_WORKERS; i++ {
-		frameQueues[i] = NewPriorityFrameQueue(QUEUE_SIZE)
-
-		// Ensure frame queue is drained when connection is closed
-		go func(frameQueue *PriorityFrameQueue) {
-			<-s.closeChan
-			frameQueue.Drain()
-		}(frameQueues[i])
-
-		wg.Add(1)
-		go func(frameQueue *PriorityFrameQueue) {
-			// let the WaitGroup know this worker is done
-			defer wg.Done()
-
-			s.frameHandler(frameQueue, newHandler)
-		}(frameQueues[i])
-	}
-
-	var (
-		partitionRoundRobin int
-		goAwayFrame         *spdy.GoAwayFrame
-	)
-Loop:
-	for {
-		readFrame, err := s.framer.ReadFrame()
-		if err != nil {
-			if err != io.EOF {
-				debugMessage("frame read error: %s", err)
-			} else {
-				debugMessage("(%p) EOF received", s)
-			}
-			break
-		}
-		var priority uint8
-		var partition int
-		switch frame := readFrame.(type) {
-		case *spdy.SynStreamFrame:
-			if s.checkStreamFrame(frame) {
-				priority = frame.Priority
-				partition = int(frame.StreamId % FRAME_WORKERS)
-				debugMessage("(%p) Add stream frame: %d ", s, frame.StreamId)
-				s.addStreamFrame(frame)
-			} else {
-				debugMessage("(%p) Rejected stream frame: %d ", s, frame.StreamId)
-				continue
-			}
-		case *spdy.SynReplyFrame:
-			priority = s.getStreamPriority(frame.StreamId)
-			partition = int(frame.StreamId % FRAME_WORKERS)
-		case *spdy.DataFrame:
-			priority = s.getStreamPriority(frame.StreamId)
-			partition = int(frame.StreamId % FRAME_WORKERS)
-		case *spdy.RstStreamFrame:
-			priority = s.getStreamPriority(frame.StreamId)
-			partition = int(frame.StreamId % FRAME_WORKERS)
-		case *spdy.HeadersFrame:
-			priority = s.getStreamPriority(frame.StreamId)
-			partition = int(frame.StreamId % FRAME_WORKERS)
-		case *spdy.PingFrame:
-			priority = 0
-			partition = partitionRoundRobin
-			partitionRoundRobin = (partitionRoundRobin + 1) % FRAME_WORKERS
-		case *spdy.GoAwayFrame:
-			// hold on to the go away frame and exit the loop
-			goAwayFrame = frame
-			break Loop
-		default:
-			priority = 7
-			partition = partitionRoundRobin
-			partitionRoundRobin = (partitionRoundRobin + 1) % FRAME_WORKERS
-		}
-		frameQueues[partition].Push(readFrame, priority)
-	}
-	close(s.closeChan)
-
-	// wait for all frame handler workers to indicate they've drained their queues
-	// before handling the go away frame
-	wg.Wait()
-
-	if goAwayFrame != nil {
-		s.handleGoAwayFrame(goAwayFrame)
-	}
-
-	// now it's safe to close remote channels and empty s.streams
-	s.streamCond.L.Lock()
-	// notify streams that they're now closed, which will
-	// unblock any stream Read() calls
-	for _, stream := range s.streams {
-		stream.closeRemoteChannels()
-	}
-	s.streams = make(map[spdy.StreamId]*Stream)
-	s.streamCond.Broadcast()
-	s.streamCond.L.Unlock()
-}
-
-func (s *Connection) frameHandler(frameQueue *PriorityFrameQueue, newHandler StreamHandler) {
-	for {
-		popFrame := frameQueue.Pop()
-		if popFrame == nil {
-			return
-		}
-
-		var frameErr error
-		switch frame := popFrame.(type) {
-		case *spdy.SynStreamFrame:
-			frameErr = s.handleStreamFrame(frame, newHandler)
-		case *spdy.SynReplyFrame:
-			frameErr = s.handleReplyFrame(frame)
-		case *spdy.DataFrame:
-			frameErr = s.dataFrameHandler(frame)
-		case *spdy.RstStreamFrame:
-			frameErr = s.handleResetFrame(frame)
-		case *spdy.HeadersFrame:
-			frameErr = s.handleHeaderFrame(frame)
-		case *spdy.PingFrame:
-			frameErr = s.handlePingFrame(frame)
-		case *spdy.GoAwayFrame:
-			frameErr = s.handleGoAwayFrame(frame)
-		default:
-			frameErr = fmt.Errorf("unhandled frame type: %T", frame)
-		}
-
-		if frameErr != nil {
-			debugMessage("frame handling error: %s", frameErr)
-		}
-	}
-}
-
-func (s *Connection) getStreamPriority(streamId spdy.StreamId) uint8 {
-	stream, streamOk := s.getStream(streamId)
-	if !streamOk {
-		return 7
-	}
-	return stream.priority
-}
-
-func (s *Connection) addStreamFrame(frame *spdy.SynStreamFrame) {
-	var parent *Stream
-	if frame.AssociatedToStreamId != spdy.StreamId(0) {
-		parent, _ = s.getStream(frame.AssociatedToStreamId)
-	}
-
-	stream := &Stream{
-		streamId:   frame.StreamId,
-		parent:     parent,
-		conn:       s,
-		startChan:  make(chan error),
-		headers:    frame.Headers,
-		finished:   (frame.CFHeader.Flags & spdy.ControlFlagUnidirectional) != 0x00,
-		replyCond:  sync.NewCond(new(sync.Mutex)),
-		dataChan:   make(chan []byte),
-		headerChan: make(chan http.Header),
-		closeChan:  make(chan bool),
-		priority:   frame.Priority,
-	}
-	if frame.CFHeader.Flags&spdy.ControlFlagFin != 0x00 {
-		stream.closeRemoteChannels()
-	}
-
-	s.addStream(stream)
-}
-
-// checkStreamFrame checks to see if a stream frame is allowed.
-// If the stream is invalid, then a reset frame with protocol error
-// will be returned.
-func (s *Connection) checkStreamFrame(frame *spdy.SynStreamFrame) bool {
-	s.receiveIdLock.Lock()
-	defer s.receiveIdLock.Unlock()
-	if s.goneAway {
-		return false
-	}
-	validationErr := s.validateStreamId(frame.StreamId)
-	if validationErr != nil {
-		go func() {
-			resetErr := s.sendResetFrame(spdy.ProtocolError, frame.StreamId)
-			if resetErr != nil {
-				debugMessage("reset error: %s", resetErr)
-			}
-		}()
-		return false
-	}
-	return true
-}
-
-func (s *Connection) handleStreamFrame(frame *spdy.SynStreamFrame, newHandler StreamHandler) error {
-	stream, ok := s.getStream(frame.StreamId)
-	if !ok {
-		return fmt.Errorf("Missing stream: %d", frame.StreamId)
-	}
-
-	newHandler(stream)
-
-	return nil
-}
-
-func (s *Connection) handleReplyFrame(frame *spdy.SynReplyFrame) error {
-	debugMessage("(%p) Reply frame received for %d", s, frame.StreamId)
-	stream, streamOk := s.getStream(frame.StreamId)
-	if !streamOk {
-		debugMessage("Reply frame gone away for %d", frame.StreamId)
-		// Stream has already gone away
-		return nil
-	}
-	if stream.replied {
-		// Stream has already received reply
-		return nil
-	}
-	stream.replied = true
-
-	// TODO Check for error
-	if (frame.CFHeader.Flags & spdy.ControlFlagFin) != 0x00 {
-		s.remoteStreamFinish(stream)
-	}
-
-	close(stream.startChan)
-
-	return nil
-}
-
-func (s *Connection) handleResetFrame(frame *spdy.RstStreamFrame) error {
-	stream, streamOk := s.getStream(frame.StreamId)
-	if !streamOk {
-		// Stream has already been removed
-		return nil
-	}
-	s.removeStream(stream)
-	stream.closeRemoteChannels()
-
-	if !stream.replied {
-		stream.replied = true
-		stream.startChan <- ErrReset
-		close(stream.startChan)
-	}
-
-	stream.finishLock.Lock()
-	stream.finished = true
-	stream.finishLock.Unlock()
-
-	return nil
-}
-
-func (s *Connection) handleHeaderFrame(frame *spdy.HeadersFrame) error {
-	stream, streamOk := s.getStream(frame.StreamId)
-	if !streamOk {
-		// Stream has already gone away
-		return nil
-	}
-	if !stream.replied {
-		// No reply received...Protocol error?
-		return nil
-	}
-
-	// TODO limit headers while not blocking (use buffered chan or goroutine?)
-	select {
-	case <-stream.closeChan:
-		return nil
-	case stream.headerChan <- frame.Headers:
-	}
-
-	if (frame.CFHeader.Flags & spdy.ControlFlagFin) != 0x00 {
-		s.remoteStreamFinish(stream)
-	}
-
-	return nil
-}
-
-func (s *Connection) handleDataFrame(frame *spdy.DataFrame) error {
-	debugMessage("(%p) Data frame received for %d", s, frame.StreamId)
-	stream, streamOk := s.getStream(frame.StreamId)
-	if !streamOk {
-		debugMessage("(%p) Data frame gone away for %d", s, frame.StreamId)
-		// Stream has already gone away
-		return nil
-	}
-	if !stream.replied {
-		debugMessage("(%p) Data frame not replied %d", s, frame.StreamId)
-		// No reply received...Protocol error?
-		return nil
-	}
-
-	debugMessage("(%p) (%d) Data frame handling", stream, stream.streamId)
-	if len(frame.Data) > 0 {
-		stream.dataLock.RLock()
-		select {
-		case <-stream.closeChan:
-			debugMessage("(%p) (%d) Data frame not sent (stream shut down)", stream, stream.streamId)
-		case stream.dataChan <- frame.Data:
-			debugMessage("(%p) (%d) Data frame sent", stream, stream.streamId)
-		}
-		stream.dataLock.RUnlock()
-	}
-	if (frame.Flags & spdy.DataFlagFin) != 0x00 {
-		s.remoteStreamFinish(stream)
-	}
-	return nil
-}
-
-func (s *Connection) handlePingFrame(frame *spdy.PingFrame) error {
-	s.pingLock.Lock()
-	pingId := s.pingId
-	pingChan, pingOk := s.pingChans[frame.Id]
-	s.pingLock.Unlock()
-
-	if pingId&0x01 != frame.Id&0x01 {
-		return s.framer.WriteFrame(frame)
-	}
-	if pingOk {
-		close(pingChan)
-	}
-	return nil
-}
-
-func (s *Connection) handleGoAwayFrame(frame *spdy.GoAwayFrame) error {
-	debugMessage("(%p) Go away received", s)
-	s.receiveIdLock.Lock()
-	if s.goneAway {
-		s.receiveIdLock.Unlock()
-		return nil
-	}
-	s.goneAway = true
-	s.receiveIdLock.Unlock()
-
-	if s.lastStreamChan != nil {
-		stream, _ := s.getStream(frame.LastGoodStreamId)
-		go func() {
-			s.lastStreamChan <- stream
-		}()
-	}
-
-	// Do not block frame handler waiting for closure
-	go s.shutdown(s.goAwayTimeout)
-
-	return nil
-}
-
-func (s *Connection) remoteStreamFinish(stream *Stream) {
-	stream.closeRemoteChannels()
-
-	stream.finishLock.Lock()
-	if stream.finished {
-		// Stream is fully closed, cleanup
-		s.removeStream(stream)
-	}
-	stream.finishLock.Unlock()
-}
-
-// CreateStream creates a new spdy stream using the parameters for
-// creating the stream frame.  The stream frame will be sent upon
-// calling this function, however this function does not wait for
-// the reply frame.  If waiting for the reply is desired, use
-// the stream Wait or WaitTimeout function on the stream returned
-// by this function.
-func (s *Connection) CreateStream(headers http.Header, parent *Stream, fin bool) (*Stream, error) {
-	// MUST synchronize stream creation (all the way to writing the frame)
-	// as stream IDs **MUST** increase monotonically.
-	s.nextIdLock.Lock()
-	defer s.nextIdLock.Unlock()
-
-	streamId := s.getNextStreamId()
-	if streamId == 0 {
-		return nil, fmt.Errorf("Unable to get new stream id")
-	}
-
-	stream := &Stream{
-		streamId:   streamId,
-		parent:     parent,
-		conn:       s,
-		startChan:  make(chan error),
-		headers:    headers,
-		dataChan:   make(chan []byte),
-		headerChan: make(chan http.Header),
-		closeChan:  make(chan bool),
-	}
-
-	debugMessage("(%p) (%p) Create stream", s, stream)
-
-	s.addStream(stream)
-
-	return stream, s.sendStream(stream, fin)
-}
-
-func (s *Connection) shutdown(closeTimeout time.Duration) {
-	// TODO Ensure this isn't called multiple times
-	s.shutdownLock.Lock()
-	if s.hasShutdown {
-		s.shutdownLock.Unlock()
-		return
-	}
-	s.hasShutdown = true
-	s.shutdownLock.Unlock()
-
-	var timeout <-chan time.Time
-	if closeTimeout > time.Duration(0) {
-		timer := time.NewTimer(closeTimeout)
-		defer timer.Stop()
-		timeout = timer.C
-	}
-	streamsClosed := make(chan bool)
-
-	go func() {
-		s.streamCond.L.Lock()
-		for len(s.streams) > 0 {
-			debugMessage("Streams opened: %d, %#v", len(s.streams), s.streams)
-			s.streamCond.Wait()
-		}
-		s.streamCond.L.Unlock()
-		close(streamsClosed)
-	}()
-
-	var err error
-	select {
-	case <-streamsClosed:
-		// No active streams, close should be safe
-		err = s.conn.Close()
-	case <-timeout:
-		// Force ungraceful close
-		err = s.conn.Close()
-		// Wait for cleanup to clear active streams
-		<-streamsClosed
-	}
-
-	if err != nil {
-		// default to 1 second
-		duration := time.Second
-		// if a closeTimeout was given, use that, clipped to 1s-10m
-		if closeTimeout > time.Second {
-			duration = closeTimeout
-		}
-		if duration > 10*time.Minute {
-			duration = 10 * time.Minute
-		}
-		timer := time.NewTimer(duration)
-		defer timer.Stop()
-		select {
-		case s.shutdownChan <- err:
-			// error was handled
-		case <-timer.C:
-			debugMessage("Unhandled close error after %s: %s", duration, err)
-		}
-	}
-	close(s.shutdownChan)
-}
-
-// Closes spdy connection by sending GoAway frame and initiating shutdown
-func (s *Connection) Close() error {
-	s.receiveIdLock.Lock()
-	if s.goneAway {
-		s.receiveIdLock.Unlock()
-		return nil
-	}
-	s.goneAway = true
-	s.receiveIdLock.Unlock()
-
-	var lastStreamId spdy.StreamId
-	if s.receivedStreamId > 2 {
-		lastStreamId = s.receivedStreamId - 2
-	}
-
-	goAwayFrame := &spdy.GoAwayFrame{
-		LastGoodStreamId: lastStreamId,
-		Status:           spdy.GoAwayOK,
-	}
-
-	err := s.framer.WriteFrame(goAwayFrame)
-	go s.shutdown(s.closeTimeout)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// CloseWait closes the connection and waits for shutdown
-// to finish.  Note the underlying network Connection
-// is not closed until the end of shutdown.
-func (s *Connection) CloseWait() error {
-	closeErr := s.Close()
-	if closeErr != nil {
-		return closeErr
-	}
-	shutdownErr, ok := <-s.shutdownChan
-	if ok {
-		return shutdownErr
-	}
-	return nil
-}
-
-// Wait waits for the connection to finish shutdown or for
-// the wait timeout duration to expire.  This needs to be
-// called either after Close has been called or the GOAWAYFRAME
-// has been received.  If the wait timeout is 0, this function
-// will block until shutdown finishes.  If wait is never called
-// and a shutdown error occurs, that error will be logged as an
-// unhandled error.
-func (s *Connection) Wait(waitTimeout time.Duration) error {
-	var timeout <-chan time.Time
-	if waitTimeout > time.Duration(0) {
-		timer := time.NewTimer(waitTimeout)
-		defer timer.Stop()
-		timeout = timer.C
-	}
-
-	select {
-	case err, ok := <-s.shutdownChan:
-		if ok {
-			return err
-		}
-	case <-timeout:
-		return ErrTimeout
-	}
-	return nil
-}
-
-// NotifyClose registers a channel to be called when the remote
-// peer inidicates connection closure.  The last stream to be
-// received by the remote will be sent on the channel.  The notify
-// timeout will determine the duration between go away received
-// and the connection being closed.
-func (s *Connection) NotifyClose(c chan<- *Stream, timeout time.Duration) {
-	s.goAwayTimeout = timeout
-	s.lastStreamChan = c
-}
-
-// SetCloseTimeout sets the amount of time close will wait for
-// streams to finish before terminating the underlying network
-// connection.  Setting the timeout to 0 will cause close to
-// wait forever, which is the default.
-func (s *Connection) SetCloseTimeout(timeout time.Duration) {
-	s.closeTimeout = timeout
-}
-
-// SetIdleTimeout sets the amount of time the connection may sit idle before
-// it is forcefully terminated.
-func (s *Connection) SetIdleTimeout(timeout time.Duration) {
-	s.framer.setIdleTimeout(timeout)
-}
-
-func (s *Connection) sendHeaders(headers http.Header, stream *Stream, fin bool) error {
-	var flags spdy.ControlFlags
-	if fin {
-		flags = spdy.ControlFlagFin
-	}
-
-	headerFrame := &spdy.HeadersFrame{
-		StreamId: stream.streamId,
-		Headers:  headers,
-		CFHeader: spdy.ControlFrameHeader{Flags: flags},
-	}
-
-	return s.framer.WriteFrame(headerFrame)
-}
-
-func (s *Connection) sendReply(headers http.Header, stream *Stream, fin bool) error {
-	var flags spdy.ControlFlags
-	if fin {
-		flags = spdy.ControlFlagFin
-	}
-
-	replyFrame := &spdy.SynReplyFrame{
-		StreamId: stream.streamId,
-		Headers:  headers,
-		CFHeader: spdy.ControlFrameHeader{Flags: flags},
-	}
-
-	return s.framer.WriteFrame(replyFrame)
-}
-
-func (s *Connection) sendResetFrame(status spdy.RstStreamStatus, streamId spdy.StreamId) error {
-	resetFrame := &spdy.RstStreamFrame{
-		StreamId: streamId,
-		Status:   status,
-	}
-
-	return s.framer.WriteFrame(resetFrame)
-}
-
-func (s *Connection) sendReset(status spdy.RstStreamStatus, stream *Stream) error {
-	return s.sendResetFrame(status, stream.streamId)
-}
-
-func (s *Connection) sendStream(stream *Stream, fin bool) error {
-	var flags spdy.ControlFlags
-	if fin {
-		flags = spdy.ControlFlagFin
-		stream.finished = true
-	}
-
-	var parentId spdy.StreamId
-	if stream.parent != nil {
-		parentId = stream.parent.streamId
-	}
-
-	streamFrame := &spdy.SynStreamFrame{
-		StreamId:             spdy.StreamId(stream.streamId),
-		AssociatedToStreamId: spdy.StreamId(parentId),
-		Headers:              stream.headers,
-		CFHeader:             spdy.ControlFrameHeader{Flags: flags},
-	}
-
-	return s.framer.WriteFrame(streamFrame)
-}
-
-// getNextStreamId returns the next sequential id
-// every call should produce a unique value or an error
-func (s *Connection) getNextStreamId() spdy.StreamId {
-	sid := s.nextStreamId
-	if sid > 0x7fffffff {
-		return 0
-	}
-	s.nextStreamId = s.nextStreamId + 2
-	return sid
-}
-
-// PeekNextStreamId returns the next sequential id and keeps the next id untouched
-func (s *Connection) PeekNextStreamId() spdy.StreamId {
-	sid := s.nextStreamId
-	return sid
-}
-
-func (s *Connection) validateStreamId(rid spdy.StreamId) error {
-	if rid > 0x7fffffff || rid < s.receivedStreamId {
-		return ErrInvalidStreamId
-	}
-	s.receivedStreamId = rid + 2
-	return nil
-}
-
-func (s *Connection) addStream(stream *Stream) {
-	s.streamCond.L.Lock()
-	s.streams[stream.streamId] = stream
-	debugMessage("(%p) (%p) Stream added, broadcasting: %d", s, stream, stream.streamId)
-	s.streamCond.Broadcast()
-	s.streamCond.L.Unlock()
-}
-
-func (s *Connection) removeStream(stream *Stream) {
-	s.streamCond.L.Lock()
-	delete(s.streams, stream.streamId)
-	debugMessage("(%p) (%p) Stream removed, broadcasting: %d", s, stream, stream.streamId)
-	s.streamCond.Broadcast()
-	s.streamCond.L.Unlock()
-}
-
-func (s *Connection) getStream(streamId spdy.StreamId) (stream *Stream, ok bool) {
-	s.streamLock.RLock()
-	stream, ok = s.streams[streamId]
-	s.streamLock.RUnlock()
-	return
-}
-
-// FindStream looks up the given stream id and either waits for the
-// stream to be found or returns nil if the stream id is no longer
-// valid.
-func (s *Connection) FindStream(streamId uint32) *Stream {
-	var stream *Stream
-	var ok bool
-	s.streamCond.L.Lock()
-	stream, ok = s.streams[spdy.StreamId(streamId)]
-	debugMessage("(%p) Found stream %d? %t", s, spdy.StreamId(streamId), ok)
-	for !ok && streamId >= uint32(s.receivedStreamId) {
-		s.streamCond.Wait()
-		stream, ok = s.streams[spdy.StreamId(streamId)]
-	}
-	s.streamCond.L.Unlock()
-	return stream
-}
-
-func (s *Connection) CloseChan() <-chan bool {
-	return s.closeChan
-}
diff --git a/vendor/github.com/moby/spdystream/handlers.go b/vendor/github.com/moby/spdystream/handlers.go
deleted file mode 100644
index d68f61f81..000000000
--- a/vendor/github.com/moby/spdystream/handlers.go
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package spdystream
-
-import (
-	"io"
-	"net/http"
-)
-
-// MirrorStreamHandler mirrors all streams.
-func MirrorStreamHandler(stream *Stream) {
-	replyErr := stream.SendReply(http.Header{}, false)
-	if replyErr != nil {
-		return
-	}
-
-	go func() {
-		io.Copy(stream, stream)
-		stream.Close()
-	}()
-	go func() {
-		for {
-			header, receiveErr := stream.ReceiveHeader()
-			if receiveErr != nil {
-				return
-			}
-			sendErr := stream.SendHeader(header, false)
-			if sendErr != nil {
-				return
-			}
-		}
-	}()
-}
-
-// NoopStreamHandler does nothing when stream connects.
-func NoOpStreamHandler(stream *Stream) {
-	stream.SendReply(http.Header{}, false)
-}
diff --git a/vendor/github.com/moby/spdystream/priority.go b/vendor/github.com/moby/spdystream/priority.go
deleted file mode 100644
index d8eb3516c..000000000
--- a/vendor/github.com/moby/spdystream/priority.go
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package spdystream
-
-import (
-	"container/heap"
-	"sync"
-
-	"github.com/moby/spdystream/spdy"
-)
-
-type prioritizedFrame struct {
-	frame    spdy.Frame
-	priority uint8
-	insertId uint64
-}
-
-type frameQueue []*prioritizedFrame
-
-func (fq frameQueue) Len() int {
-	return len(fq)
-}
-
-func (fq frameQueue) Less(i, j int) bool {
-	if fq[i].priority == fq[j].priority {
-		return fq[i].insertId < fq[j].insertId
-	}
-	return fq[i].priority < fq[j].priority
-}
-
-func (fq frameQueue) Swap(i, j int) {
-	fq[i], fq[j] = fq[j], fq[i]
-}
-
-func (fq *frameQueue) Push(x interface{}) {
-	*fq = append(*fq, x.(*prioritizedFrame))
-}
-
-func (fq *frameQueue) Pop() interface{} {
-	old := *fq
-	n := len(old)
-	*fq = old[0 : n-1]
-	return old[n-1]
-}
-
-type PriorityFrameQueue struct {
-	queue        *frameQueue
-	c            *sync.Cond
-	size         int
-	nextInsertId uint64
-	drain        bool
-}
-
-func NewPriorityFrameQueue(size int) *PriorityFrameQueue {
-	queue := make(frameQueue, 0, size)
-	heap.Init(&queue)
-
-	return &PriorityFrameQueue{
-		queue: &queue,
-		size:  size,
-		c:     sync.NewCond(&sync.Mutex{}),
-	}
-}
-
-func (q *PriorityFrameQueue) Push(frame spdy.Frame, priority uint8) {
-	q.c.L.Lock()
-	defer q.c.L.Unlock()
-	for q.queue.Len() >= q.size {
-		q.c.Wait()
-	}
-	pFrame := &prioritizedFrame{
-		frame:    frame,
-		priority: priority,
-		insertId: q.nextInsertId,
-	}
-	q.nextInsertId = q.nextInsertId + 1
-	heap.Push(q.queue, pFrame)
-	q.c.Signal()
-}
-
-func (q *PriorityFrameQueue) Pop() spdy.Frame {
-	q.c.L.Lock()
-	defer q.c.L.Unlock()
-	for q.queue.Len() == 0 {
-		if q.drain {
-			return nil
-		}
-		q.c.Wait()
-	}
-	frame := heap.Pop(q.queue).(*prioritizedFrame).frame
-	q.c.Signal()
-	return frame
-}
-
-func (q *PriorityFrameQueue) Drain() {
-	q.c.L.Lock()
-	defer q.c.L.Unlock()
-	q.drain = true
-	q.c.Broadcast()
-}
diff --git a/vendor/github.com/moby/spdystream/spdy/dictionary.go b/vendor/github.com/moby/spdystream/spdy/dictionary.go
deleted file mode 100644
index 392232f17..000000000
--- a/vendor/github.com/moby/spdystream/spdy/dictionary.go
+++ /dev/null
@@ -1,203 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package spdy
-
-// headerDictionary is the dictionary sent to the zlib compressor/decompressor.
-var headerDictionary = []byte{
-	0x00, 0x00, 0x00, 0x07, 0x6f, 0x70, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x00, 0x00, 0x00, 0x04, 0x68,
-	0x65, 0x61, 0x64, 0x00, 0x00, 0x00, 0x04, 0x70,
-	0x6f, 0x73, 0x74, 0x00, 0x00, 0x00, 0x03, 0x70,
-	0x75, 0x74, 0x00, 0x00, 0x00, 0x06, 0x64, 0x65,
-	0x6c, 0x65, 0x74, 0x65, 0x00, 0x00, 0x00, 0x05,
-	0x74, 0x72, 0x61, 0x63, 0x65, 0x00, 0x00, 0x00,
-	0x06, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x00,
-	0x00, 0x00, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x70,
-	0x74, 0x2d, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65,
-	0x74, 0x00, 0x00, 0x00, 0x0f, 0x61, 0x63, 0x63,
-	0x65, 0x70, 0x74, 0x2d, 0x65, 0x6e, 0x63, 0x6f,
-	0x64, 0x69, 0x6e, 0x67, 0x00, 0x00, 0x00, 0x0f,
-	0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x6c,
-	0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x00,
-	0x00, 0x00, 0x0d, 0x61, 0x63, 0x63, 0x65, 0x70,
-	0x74, 0x2d, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x73,
-	0x00, 0x00, 0x00, 0x03, 0x61, 0x67, 0x65, 0x00,
-	0x00, 0x00, 0x05, 0x61, 0x6c, 0x6c, 0x6f, 0x77,
-	0x00, 0x00, 0x00, 0x0d, 0x61, 0x75, 0x74, 0x68,
-	0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x00, 0x00, 0x00, 0x0d, 0x63, 0x61, 0x63,
-	0x68, 0x65, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72,
-	0x6f, 0x6c, 0x00, 0x00, 0x00, 0x0a, 0x63, 0x6f,
-	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
-	0x00, 0x00, 0x00, 0x0c, 0x63, 0x6f, 0x6e, 0x74,
-	0x65, 0x6e, 0x74, 0x2d, 0x62, 0x61, 0x73, 0x65,
-	0x00, 0x00, 0x00, 0x10, 0x63, 0x6f, 0x6e, 0x74,
-	0x65, 0x6e, 0x74, 0x2d, 0x65, 0x6e, 0x63, 0x6f,
-	0x64, 0x69, 0x6e, 0x67, 0x00, 0x00, 0x00, 0x10,
-	0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d,
-	0x6c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65,
-	0x00, 0x00, 0x00, 0x0e, 0x63, 0x6f, 0x6e, 0x74,
-	0x65, 0x6e, 0x74, 0x2d, 0x6c, 0x65, 0x6e, 0x67,
-	0x74, 0x68, 0x00, 0x00, 0x00, 0x10, 0x63, 0x6f,
-	0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x6c, 0x6f,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00,
-	0x00, 0x0b, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e,
-	0x74, 0x2d, 0x6d, 0x64, 0x35, 0x00, 0x00, 0x00,
-	0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
-	0x2d, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x00, 0x00,
-	0x00, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e,
-	0x74, 0x2d, 0x74, 0x79, 0x70, 0x65, 0x00, 0x00,
-	0x00, 0x04, 0x64, 0x61, 0x74, 0x65, 0x00, 0x00,
-	0x00, 0x04, 0x65, 0x74, 0x61, 0x67, 0x00, 0x00,
-	0x00, 0x06, 0x65, 0x78, 0x70, 0x65, 0x63, 0x74,
-	0x00, 0x00, 0x00, 0x07, 0x65, 0x78, 0x70, 0x69,
-	0x72, 0x65, 0x73, 0x00, 0x00, 0x00, 0x04, 0x66,
-	0x72, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x04, 0x68,
-	0x6f, 0x73, 0x74, 0x00, 0x00, 0x00, 0x08, 0x69,
-	0x66, 0x2d, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x00,
-	0x00, 0x00, 0x11, 0x69, 0x66, 0x2d, 0x6d, 0x6f,
-	0x64, 0x69, 0x66, 0x69, 0x65, 0x64, 0x2d, 0x73,
-	0x69, 0x6e, 0x63, 0x65, 0x00, 0x00, 0x00, 0x0d,
-	0x69, 0x66, 0x2d, 0x6e, 0x6f, 0x6e, 0x65, 0x2d,
-	0x6d, 0x61, 0x74, 0x63, 0x68, 0x00, 0x00, 0x00,
-	0x08, 0x69, 0x66, 0x2d, 0x72, 0x61, 0x6e, 0x67,
-	0x65, 0x00, 0x00, 0x00, 0x13, 0x69, 0x66, 0x2d,
-	0x75, 0x6e, 0x6d, 0x6f, 0x64, 0x69, 0x66, 0x69,
-	0x65, 0x64, 0x2d, 0x73, 0x69, 0x6e, 0x63, 0x65,
-	0x00, 0x00, 0x00, 0x0d, 0x6c, 0x61, 0x73, 0x74,
-	0x2d, 0x6d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65,
-	0x64, 0x00, 0x00, 0x00, 0x08, 0x6c, 0x6f, 0x63,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00,
-	0x0c, 0x6d, 0x61, 0x78, 0x2d, 0x66, 0x6f, 0x72,
-	0x77, 0x61, 0x72, 0x64, 0x73, 0x00, 0x00, 0x00,
-	0x06, 0x70, 0x72, 0x61, 0x67, 0x6d, 0x61, 0x00,
-	0x00, 0x00, 0x12, 0x70, 0x72, 0x6f, 0x78, 0x79,
-	0x2d, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74,
-	0x69, 0x63, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00,
-	0x13, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2d, 0x61,
-	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x05,
-	0x72, 0x61, 0x6e, 0x67, 0x65, 0x00, 0x00, 0x00,
-	0x07, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x72,
-	0x00, 0x00, 0x00, 0x0b, 0x72, 0x65, 0x74, 0x72,
-	0x79, 0x2d, 0x61, 0x66, 0x74, 0x65, 0x72, 0x00,
-	0x00, 0x00, 0x06, 0x73, 0x65, 0x72, 0x76, 0x65,
-	0x72, 0x00, 0x00, 0x00, 0x02, 0x74, 0x65, 0x00,
-	0x00, 0x00, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c,
-	0x65, 0x72, 0x00, 0x00, 0x00, 0x11, 0x74, 0x72,
-	0x61, 0x6e, 0x73, 0x66, 0x65, 0x72, 0x2d, 0x65,
-	0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x00,
-	0x00, 0x00, 0x07, 0x75, 0x70, 0x67, 0x72, 0x61,
-	0x64, 0x65, 0x00, 0x00, 0x00, 0x0a, 0x75, 0x73,
-	0x65, 0x72, 0x2d, 0x61, 0x67, 0x65, 0x6e, 0x74,
-	0x00, 0x00, 0x00, 0x04, 0x76, 0x61, 0x72, 0x79,
-	0x00, 0x00, 0x00, 0x03, 0x76, 0x69, 0x61, 0x00,
-	0x00, 0x00, 0x07, 0x77, 0x61, 0x72, 0x6e, 0x69,
-	0x6e, 0x67, 0x00, 0x00, 0x00, 0x10, 0x77, 0x77,
-	0x77, 0x2d, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e,
-	0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x00, 0x00,
-	0x00, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64,
-	0x00, 0x00, 0x00, 0x03, 0x67, 0x65, 0x74, 0x00,
-	0x00, 0x00, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75,
-	0x73, 0x00, 0x00, 0x00, 0x06, 0x32, 0x30, 0x30,
-	0x20, 0x4f, 0x4b, 0x00, 0x00, 0x00, 0x07, 0x76,
-	0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x00, 0x00,
-	0x00, 0x08, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31,
-	0x2e, 0x31, 0x00, 0x00, 0x00, 0x03, 0x75, 0x72,
-	0x6c, 0x00, 0x00, 0x00, 0x06, 0x70, 0x75, 0x62,
-	0x6c, 0x69, 0x63, 0x00, 0x00, 0x00, 0x0a, 0x73,
-	0x65, 0x74, 0x2d, 0x63, 0x6f, 0x6f, 0x6b, 0x69,
-	0x65, 0x00, 0x00, 0x00, 0x0a, 0x6b, 0x65, 0x65,
-	0x70, 0x2d, 0x61, 0x6c, 0x69, 0x76, 0x65, 0x00,
-	0x00, 0x00, 0x06, 0x6f, 0x72, 0x69, 0x67, 0x69,
-	0x6e, 0x31, 0x30, 0x30, 0x31, 0x30, 0x31, 0x32,
-	0x30, 0x31, 0x32, 0x30, 0x32, 0x32, 0x30, 0x35,
-	0x32, 0x30, 0x36, 0x33, 0x30, 0x30, 0x33, 0x30,
-	0x32, 0x33, 0x30, 0x33, 0x33, 0x30, 0x34, 0x33,
-	0x30, 0x35, 0x33, 0x30, 0x36, 0x33, 0x30, 0x37,
-	0x34, 0x30, 0x32, 0x34, 0x30, 0x35, 0x34, 0x30,
-	0x36, 0x34, 0x30, 0x37, 0x34, 0x30, 0x38, 0x34,
-	0x30, 0x39, 0x34, 0x31, 0x30, 0x34, 0x31, 0x31,
-	0x34, 0x31, 0x32, 0x34, 0x31, 0x33, 0x34, 0x31,
-	0x34, 0x34, 0x31, 0x35, 0x34, 0x31, 0x36, 0x34,
-	0x31, 0x37, 0x35, 0x30, 0x32, 0x35, 0x30, 0x34,
-	0x35, 0x30, 0x35, 0x32, 0x30, 0x33, 0x20, 0x4e,
-	0x6f, 0x6e, 0x2d, 0x41, 0x75, 0x74, 0x68, 0x6f,
-	0x72, 0x69, 0x74, 0x61, 0x74, 0x69, 0x76, 0x65,
-	0x20, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x32, 0x30, 0x34, 0x20,
-	0x4e, 0x6f, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x65,
-	0x6e, 0x74, 0x33, 0x30, 0x31, 0x20, 0x4d, 0x6f,
-	0x76, 0x65, 0x64, 0x20, 0x50, 0x65, 0x72, 0x6d,
-	0x61, 0x6e, 0x65, 0x6e, 0x74, 0x6c, 0x79, 0x34,
-	0x30, 0x30, 0x20, 0x42, 0x61, 0x64, 0x20, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x34, 0x30,
-	0x31, 0x20, 0x55, 0x6e, 0x61, 0x75, 0x74, 0x68,
-	0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x34, 0x30,
-	0x33, 0x20, 0x46, 0x6f, 0x72, 0x62, 0x69, 0x64,
-	0x64, 0x65, 0x6e, 0x34, 0x30, 0x34, 0x20, 0x4e,
-	0x6f, 0x74, 0x20, 0x46, 0x6f, 0x75, 0x6e, 0x64,
-	0x35, 0x30, 0x30, 0x20, 0x49, 0x6e, 0x74, 0x65,
-	0x72, 0x6e, 0x61, 0x6c, 0x20, 0x53, 0x65, 0x72,
-	0x76, 0x65, 0x72, 0x20, 0x45, 0x72, 0x72, 0x6f,
-	0x72, 0x35, 0x30, 0x31, 0x20, 0x4e, 0x6f, 0x74,
-	0x20, 0x49, 0x6d, 0x70, 0x6c, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x65, 0x64, 0x35, 0x30, 0x33, 0x20,
-	0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20,
-	0x55, 0x6e, 0x61, 0x76, 0x61, 0x69, 0x6c, 0x61,
-	0x62, 0x6c, 0x65, 0x4a, 0x61, 0x6e, 0x20, 0x46,
-	0x65, 0x62, 0x20, 0x4d, 0x61, 0x72, 0x20, 0x41,
-	0x70, 0x72, 0x20, 0x4d, 0x61, 0x79, 0x20, 0x4a,
-	0x75, 0x6e, 0x20, 0x4a, 0x75, 0x6c, 0x20, 0x41,
-	0x75, 0x67, 0x20, 0x53, 0x65, 0x70, 0x74, 0x20,
-	0x4f, 0x63, 0x74, 0x20, 0x4e, 0x6f, 0x76, 0x20,
-	0x44, 0x65, 0x63, 0x20, 0x30, 0x30, 0x3a, 0x30,
-	0x30, 0x3a, 0x30, 0x30, 0x20, 0x4d, 0x6f, 0x6e,
-	0x2c, 0x20, 0x54, 0x75, 0x65, 0x2c, 0x20, 0x57,
-	0x65, 0x64, 0x2c, 0x20, 0x54, 0x68, 0x75, 0x2c,
-	0x20, 0x46, 0x72, 0x69, 0x2c, 0x20, 0x53, 0x61,
-	0x74, 0x2c, 0x20, 0x53, 0x75, 0x6e, 0x2c, 0x20,
-	0x47, 0x4d, 0x54, 0x63, 0x68, 0x75, 0x6e, 0x6b,
-	0x65, 0x64, 0x2c, 0x74, 0x65, 0x78, 0x74, 0x2f,
-	0x68, 0x74, 0x6d, 0x6c, 0x2c, 0x69, 0x6d, 0x61,
-	0x67, 0x65, 0x2f, 0x70, 0x6e, 0x67, 0x2c, 0x69,
-	0x6d, 0x61, 0x67, 0x65, 0x2f, 0x6a, 0x70, 0x67,
-	0x2c, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x2f, 0x67,
-	0x69, 0x66, 0x2c, 0x61, 0x70, 0x70, 0x6c, 0x69,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x78,
-	0x6d, 0x6c, 0x2c, 0x61, 0x70, 0x70, 0x6c, 0x69,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x78,
-	0x68, 0x74, 0x6d, 0x6c, 0x2b, 0x78, 0x6d, 0x6c,
-	0x2c, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x70, 0x6c,
-	0x61, 0x69, 0x6e, 0x2c, 0x74, 0x65, 0x78, 0x74,
-	0x2f, 0x6a, 0x61, 0x76, 0x61, 0x73, 0x63, 0x72,
-	0x69, 0x70, 0x74, 0x2c, 0x70, 0x75, 0x62, 0x6c,
-	0x69, 0x63, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74,
-	0x65, 0x6d, 0x61, 0x78, 0x2d, 0x61, 0x67, 0x65,
-	0x3d, 0x67, 0x7a, 0x69, 0x70, 0x2c, 0x64, 0x65,
-	0x66, 0x6c, 0x61, 0x74, 0x65, 0x2c, 0x73, 0x64,
-	0x63, 0x68, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65,
-	0x74, 0x3d, 0x75, 0x74, 0x66, 0x2d, 0x38, 0x63,
-	0x68, 0x61, 0x72, 0x73, 0x65, 0x74, 0x3d, 0x69,
-	0x73, 0x6f, 0x2d, 0x38, 0x38, 0x35, 0x39, 0x2d,
-	0x31, 0x2c, 0x75, 0x74, 0x66, 0x2d, 0x2c, 0x2a,
-	0x2c, 0x65, 0x6e, 0x71, 0x3d, 0x30, 0x2e,
-}
diff --git a/vendor/github.com/moby/spdystream/spdy/read.go b/vendor/github.com/moby/spdystream/spdy/read.go
deleted file mode 100644
index 75ea045b8..000000000
--- a/vendor/github.com/moby/spdystream/spdy/read.go
+++ /dev/null
@@ -1,364 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package spdy
-
-import (
-	"compress/zlib"
-	"encoding/binary"
-	"io"
-	"net/http"
-	"strings"
-)
-
-func (frame *SynStreamFrame) read(h ControlFrameHeader, f *Framer) error {
-	return f.readSynStreamFrame(h, frame)
-}
-
-func (frame *SynReplyFrame) read(h ControlFrameHeader, f *Framer) error {
-	return f.readSynReplyFrame(h, frame)
-}
-
-func (frame *RstStreamFrame) read(h ControlFrameHeader, f *Framer) error {
-	frame.CFHeader = h
-	if err := binary.Read(f.r, binary.BigEndian, &frame.StreamId); err != nil {
-		return err
-	}
-	if err := binary.Read(f.r, binary.BigEndian, &frame.Status); err != nil {
-		return err
-	}
-	if frame.Status == 0 {
-		return &Error{InvalidControlFrame, frame.StreamId}
-	}
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	return nil
-}
-
-func (frame *SettingsFrame) read(h ControlFrameHeader, f *Framer) error {
-	frame.CFHeader = h
-	var numSettings uint32
-	if err := binary.Read(f.r, binary.BigEndian, &numSettings); err != nil {
-		return err
-	}
-	frame.FlagIdValues = make([]SettingsFlagIdValue, numSettings)
-	for i := uint32(0); i < numSettings; i++ {
-		if err := binary.Read(f.r, binary.BigEndian, &frame.FlagIdValues[i].Id); err != nil {
-			return err
-		}
-		frame.FlagIdValues[i].Flag = SettingsFlag((frame.FlagIdValues[i].Id & 0xff000000) >> 24)
-		frame.FlagIdValues[i].Id &= 0xffffff
-		if err := binary.Read(f.r, binary.BigEndian, &frame.FlagIdValues[i].Value); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (frame *PingFrame) read(h ControlFrameHeader, f *Framer) error {
-	frame.CFHeader = h
-	if err := binary.Read(f.r, binary.BigEndian, &frame.Id); err != nil {
-		return err
-	}
-	if frame.Id == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	if frame.CFHeader.Flags != 0 {
-		return &Error{InvalidControlFrame, StreamId(frame.Id)}
-	}
-	return nil
-}
-
-func (frame *GoAwayFrame) read(h ControlFrameHeader, f *Framer) error {
-	frame.CFHeader = h
-	if err := binary.Read(f.r, binary.BigEndian, &frame.LastGoodStreamId); err != nil {
-		return err
-	}
-	if frame.CFHeader.Flags != 0 {
-		return &Error{InvalidControlFrame, frame.LastGoodStreamId}
-	}
-	if frame.CFHeader.length != 8 {
-		return &Error{InvalidControlFrame, frame.LastGoodStreamId}
-	}
-	if err := binary.Read(f.r, binary.BigEndian, &frame.Status); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (frame *HeadersFrame) read(h ControlFrameHeader, f *Framer) error {
-	return f.readHeadersFrame(h, frame)
-}
-
-func (frame *WindowUpdateFrame) read(h ControlFrameHeader, f *Framer) error {
-	frame.CFHeader = h
-	if err := binary.Read(f.r, binary.BigEndian, &frame.StreamId); err != nil {
-		return err
-	}
-	if frame.CFHeader.Flags != 0 {
-		return &Error{InvalidControlFrame, frame.StreamId}
-	}
-	if frame.CFHeader.length != 8 {
-		return &Error{InvalidControlFrame, frame.StreamId}
-	}
-	if err := binary.Read(f.r, binary.BigEndian, &frame.DeltaWindowSize); err != nil {
-		return err
-	}
-	return nil
-}
-
-func newControlFrame(frameType ControlFrameType) (controlFrame, error) {
-	ctor, ok := cframeCtor[frameType]
-	if !ok {
-		return nil, &Error{Err: InvalidControlFrame}
-	}
-	return ctor(), nil
-}
-
-var cframeCtor = map[ControlFrameType]func() controlFrame{
-	TypeSynStream:    func() controlFrame { return new(SynStreamFrame) },
-	TypeSynReply:     func() controlFrame { return new(SynReplyFrame) },
-	TypeRstStream:    func() controlFrame { return new(RstStreamFrame) },
-	TypeSettings:     func() controlFrame { return new(SettingsFrame) },
-	TypePing:         func() controlFrame { return new(PingFrame) },
-	TypeGoAway:       func() controlFrame { return new(GoAwayFrame) },
-	TypeHeaders:      func() controlFrame { return new(HeadersFrame) },
-	TypeWindowUpdate: func() controlFrame { return new(WindowUpdateFrame) },
-}
-
-func (f *Framer) uncorkHeaderDecompressor(payloadSize int64) error {
-	if f.headerDecompressor != nil {
-		f.headerReader.N = payloadSize
-		return nil
-	}
-	f.headerReader = io.LimitedReader{R: f.r, N: payloadSize}
-	decompressor, err := zlib.NewReaderDict(&f.headerReader, []byte(headerDictionary))
-	if err != nil {
-		return err
-	}
-	f.headerDecompressor = decompressor
-	return nil
-}
-
-// ReadFrame reads SPDY encoded data and returns a decompressed Frame.
-func (f *Framer) ReadFrame() (Frame, error) {
-	var firstWord uint32
-	if err := binary.Read(f.r, binary.BigEndian, &firstWord); err != nil {
-		return nil, err
-	}
-	if firstWord&0x80000000 != 0 {
-		frameType := ControlFrameType(firstWord & 0xffff)
-		version := uint16(firstWord >> 16 & 0x7fff)
-		return f.parseControlFrame(version, frameType)
-	}
-	return f.parseDataFrame(StreamId(firstWord & 0x7fffffff))
-}
-
-func (f *Framer) parseControlFrame(version uint16, frameType ControlFrameType) (Frame, error) {
-	var length uint32
-	if err := binary.Read(f.r, binary.BigEndian, &length); err != nil {
-		return nil, err
-	}
-	flags := ControlFlags((length & 0xff000000) >> 24)
-	length &= 0xffffff
-	header := ControlFrameHeader{version, frameType, flags, length}
-	cframe, err := newControlFrame(frameType)
-	if err != nil {
-		return nil, err
-	}
-	if err = cframe.read(header, f); err != nil {
-		return nil, err
-	}
-	return cframe, nil
-}
-
-func parseHeaderValueBlock(r io.Reader, streamId StreamId) (http.Header, error) {
-	var numHeaders uint32
-	if err := binary.Read(r, binary.BigEndian, &numHeaders); err != nil {
-		return nil, err
-	}
-	var e error
-	h := make(http.Header, int(numHeaders))
-	for i := 0; i < int(numHeaders); i++ {
-		var length uint32
-		if err := binary.Read(r, binary.BigEndian, &length); err != nil {
-			return nil, err
-		}
-		nameBytes := make([]byte, length)
-		if _, err := io.ReadFull(r, nameBytes); err != nil {
-			return nil, err
-		}
-		name := string(nameBytes)
-		if name != strings.ToLower(name) {
-			e = &Error{UnlowercasedHeaderName, streamId}
-			name = strings.ToLower(name)
-		}
-		if h[name] != nil {
-			e = &Error{DuplicateHeaders, streamId}
-		}
-		if err := binary.Read(r, binary.BigEndian, &length); err != nil {
-			return nil, err
-		}
-		value := make([]byte, length)
-		if _, err := io.ReadFull(r, value); err != nil {
-			return nil, err
-		}
-		valueList := strings.Split(string(value), headerValueSeparator)
-		for _, v := range valueList {
-			h.Add(name, v)
-		}
-	}
-	if e != nil {
-		return h, e
-	}
-	return h, nil
-}
-
-func (f *Framer) readSynStreamFrame(h ControlFrameHeader, frame *SynStreamFrame) error {
-	frame.CFHeader = h
-	var err error
-	if err = binary.Read(f.r, binary.BigEndian, &frame.StreamId); err != nil {
-		return err
-	}
-	if err = binary.Read(f.r, binary.BigEndian, &frame.AssociatedToStreamId); err != nil {
-		return err
-	}
-	if err = binary.Read(f.r, binary.BigEndian, &frame.Priority); err != nil {
-		return err
-	}
-	frame.Priority >>= 5
-	if err = binary.Read(f.r, binary.BigEndian, &frame.Slot); err != nil {
-		return err
-	}
-	reader := f.r
-	if !f.headerCompressionDisabled {
-		err := f.uncorkHeaderDecompressor(int64(h.length - 10))
-		if err != nil {
-			return err
-		}
-		reader = f.headerDecompressor
-	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
-	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
-		err = &Error{WrongCompressedPayloadSize, 0}
-	}
-	if err != nil {
-		return err
-	}
-	for h := range frame.Headers {
-		if invalidReqHeaders[h] {
-			return &Error{InvalidHeaderPresent, frame.StreamId}
-		}
-	}
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	return nil
-}
-
-func (f *Framer) readSynReplyFrame(h ControlFrameHeader, frame *SynReplyFrame) error {
-	frame.CFHeader = h
-	var err error
-	if err = binary.Read(f.r, binary.BigEndian, &frame.StreamId); err != nil {
-		return err
-	}
-	reader := f.r
-	if !f.headerCompressionDisabled {
-		err := f.uncorkHeaderDecompressor(int64(h.length - 4))
-		if err != nil {
-			return err
-		}
-		reader = f.headerDecompressor
-	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
-	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
-		err = &Error{WrongCompressedPayloadSize, 0}
-	}
-	if err != nil {
-		return err
-	}
-	for h := range frame.Headers {
-		if invalidRespHeaders[h] {
-			return &Error{InvalidHeaderPresent, frame.StreamId}
-		}
-	}
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	return nil
-}
-
-func (f *Framer) readHeadersFrame(h ControlFrameHeader, frame *HeadersFrame) error {
-	frame.CFHeader = h
-	var err error
-	if err = binary.Read(f.r, binary.BigEndian, &frame.StreamId); err != nil {
-		return err
-	}
-	reader := f.r
-	if !f.headerCompressionDisabled {
-		err := f.uncorkHeaderDecompressor(int64(h.length - 4))
-		if err != nil {
-			return err
-		}
-		reader = f.headerDecompressor
-	}
-	frame.Headers, err = parseHeaderValueBlock(reader, frame.StreamId)
-	if !f.headerCompressionDisabled && (err == io.EOF && f.headerReader.N == 0 || f.headerReader.N != 0) {
-		err = &Error{WrongCompressedPayloadSize, 0}
-	}
-	if err != nil {
-		return err
-	}
-	var invalidHeaders map[string]bool
-	if frame.StreamId%2 == 0 {
-		invalidHeaders = invalidReqHeaders
-	} else {
-		invalidHeaders = invalidRespHeaders
-	}
-	for h := range frame.Headers {
-		if invalidHeaders[h] {
-			return &Error{InvalidHeaderPresent, frame.StreamId}
-		}
-	}
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	return nil
-}
-
-func (f *Framer) parseDataFrame(streamId StreamId) (*DataFrame, error) {
-	var length uint32
-	if err := binary.Read(f.r, binary.BigEndian, &length); err != nil {
-		return nil, err
-	}
-	var frame DataFrame
-	frame.StreamId = streamId
-	frame.Flags = DataFlags(length >> 24)
-	length &= 0xffffff
-	frame.Data = make([]byte, length)
-	if _, err := io.ReadFull(f.r, frame.Data); err != nil {
-		return nil, err
-	}
-	if frame.StreamId == 0 {
-		return nil, &Error{ZeroStreamId, 0}
-	}
-	return &frame, nil
-}
diff --git a/vendor/github.com/moby/spdystream/spdy/types.go b/vendor/github.com/moby/spdystream/spdy/types.go
deleted file mode 100644
index a254a43ab..000000000
--- a/vendor/github.com/moby/spdystream/spdy/types.go
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package spdy implements the SPDY protocol (currently SPDY/3), described in
-// http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3.
-package spdy
-
-import (
-	"bytes"
-	"compress/zlib"
-	"io"
-	"net/http"
-)
-
-// Version is the protocol version number that this package implements.
-const Version = 3
-
-// ControlFrameType stores the type field in a control frame header.
-type ControlFrameType uint16
-
-const (
-	TypeSynStream    ControlFrameType = 0x0001
-	TypeSynReply     ControlFrameType = 0x0002
-	TypeRstStream    ControlFrameType = 0x0003
-	TypeSettings     ControlFrameType = 0x0004
-	TypePing         ControlFrameType = 0x0006
-	TypeGoAway       ControlFrameType = 0x0007
-	TypeHeaders      ControlFrameType = 0x0008
-	TypeWindowUpdate ControlFrameType = 0x0009
-)
-
-// ControlFlags are the flags that can be set on a control frame.
-type ControlFlags uint8
-
-const (
-	ControlFlagFin                   ControlFlags = 0x01
-	ControlFlagUnidirectional        ControlFlags = 0x02
-	ControlFlagSettingsClearSettings ControlFlags = 0x01
-)
-
-// DataFlags are the flags that can be set on a data frame.
-type DataFlags uint8
-
-const (
-	DataFlagFin DataFlags = 0x01
-)
-
-// MaxDataLength is the maximum number of bytes that can be stored in one frame.
-const MaxDataLength = 1<<24 - 1
-
-// headerValueSepator separates multiple header values.
-const headerValueSeparator = "\x00"
-
-// Frame is a single SPDY frame in its unpacked in-memory representation. Use
-// Framer to read and write it.
-type Frame interface {
-	write(f *Framer) error
-}
-
-// ControlFrameHeader contains all the fields in a control frame header,
-// in its unpacked in-memory representation.
-type ControlFrameHeader struct {
-	// Note, high bit is the "Control" bit.
-	version   uint16 // spdy version number
-	frameType ControlFrameType
-	Flags     ControlFlags
-	length    uint32 // length of data field
-}
-
-type controlFrame interface {
-	Frame
-	read(h ControlFrameHeader, f *Framer) error
-}
-
-// StreamId represents a 31-bit value identifying the stream.
-type StreamId uint32
-
-// SynStreamFrame is the unpacked, in-memory representation of a SYN_STREAM
-// frame.
-type SynStreamFrame struct {
-	CFHeader             ControlFrameHeader
-	StreamId             StreamId
-	AssociatedToStreamId StreamId // stream id for a stream which this stream is associated to
-	Priority             uint8    // priority of this frame (3-bit)
-	Slot                 uint8    // index in the server's credential vector of the client certificate
-	Headers              http.Header
-}
-
-// SynReplyFrame is the unpacked, in-memory representation of a SYN_REPLY frame.
-type SynReplyFrame struct {
-	CFHeader ControlFrameHeader
-	StreamId StreamId
-	Headers  http.Header
-}
-
-// RstStreamStatus represents the status that led to a RST_STREAM.
-type RstStreamStatus uint32
-
-const (
-	ProtocolError RstStreamStatus = iota + 1
-	InvalidStream
-	RefusedStream
-	UnsupportedVersion
-	Cancel
-	InternalError
-	FlowControlError
-	StreamInUse
-	StreamAlreadyClosed
-	InvalidCredentials
-	FrameTooLarge
-)
-
-// RstStreamFrame is the unpacked, in-memory representation of a RST_STREAM
-// frame.
-type RstStreamFrame struct {
-	CFHeader ControlFrameHeader
-	StreamId StreamId
-	Status   RstStreamStatus
-}
-
-// SettingsFlag represents a flag in a SETTINGS frame.
-type SettingsFlag uint8
-
-const (
-	FlagSettingsPersistValue SettingsFlag = 0x1
-	FlagSettingsPersisted    SettingsFlag = 0x2
-)
-
-// SettingsFlag represents the id of an id/value pair in a SETTINGS frame.
-type SettingsId uint32
-
-const (
-	SettingsUploadBandwidth SettingsId = iota + 1
-	SettingsDownloadBandwidth
-	SettingsRoundTripTime
-	SettingsMaxConcurrentStreams
-	SettingsCurrentCwnd
-	SettingsDownloadRetransRate
-	SettingsInitialWindowSize
-	SettingsClientCretificateVectorSize
-)
-
-// SettingsFlagIdValue is the unpacked, in-memory representation of the
-// combined flag/id/value for a setting in a SETTINGS frame.
-type SettingsFlagIdValue struct {
-	Flag  SettingsFlag
-	Id    SettingsId
-	Value uint32
-}
-
-// SettingsFrame is the unpacked, in-memory representation of a SPDY
-// SETTINGS frame.
-type SettingsFrame struct {
-	CFHeader     ControlFrameHeader
-	FlagIdValues []SettingsFlagIdValue
-}
-
-// PingFrame is the unpacked, in-memory representation of a PING frame.
-type PingFrame struct {
-	CFHeader ControlFrameHeader
-	Id       uint32 // unique id for this ping, from server is even, from client is odd.
-}
-
-// GoAwayStatus represents the status in a GoAwayFrame.
-type GoAwayStatus uint32
-
-const (
-	GoAwayOK GoAwayStatus = iota
-	GoAwayProtocolError
-	GoAwayInternalError
-)
-
-// GoAwayFrame is the unpacked, in-memory representation of a GOAWAY frame.
-type GoAwayFrame struct {
-	CFHeader         ControlFrameHeader
-	LastGoodStreamId StreamId // last stream id which was accepted by sender
-	Status           GoAwayStatus
-}
-
-// HeadersFrame is the unpacked, in-memory representation of a HEADERS frame.
-type HeadersFrame struct {
-	CFHeader ControlFrameHeader
-	StreamId StreamId
-	Headers  http.Header
-}
-
-// WindowUpdateFrame is the unpacked, in-memory representation of a
-// WINDOW_UPDATE frame.
-type WindowUpdateFrame struct {
-	CFHeader        ControlFrameHeader
-	StreamId        StreamId
-	DeltaWindowSize uint32 // additional number of bytes to existing window size
-}
-
-// TODO: Implement credential frame and related methods.
-
-// DataFrame is the unpacked, in-memory representation of a DATA frame.
-type DataFrame struct {
-	// Note, high bit is the "Control" bit. Should be 0 for data frames.
-	StreamId StreamId
-	Flags    DataFlags
-	Data     []byte // payload data of this frame
-}
-
-// A SPDY specific error.
-type ErrorCode string
-
-const (
-	UnlowercasedHeaderName     ErrorCode = "header was not lowercased"
-	DuplicateHeaders           ErrorCode = "multiple headers with same name"
-	WrongCompressedPayloadSize ErrorCode = "compressed payload size was incorrect"
-	UnknownFrameType           ErrorCode = "unknown frame type"
-	InvalidControlFrame        ErrorCode = "invalid control frame"
-	InvalidDataFrame           ErrorCode = "invalid data frame"
-	InvalidHeaderPresent       ErrorCode = "frame contained invalid header"
-	ZeroStreamId               ErrorCode = "stream id zero is disallowed"
-)
-
-// Error contains both the type of error and additional values. StreamId is 0
-// if Error is not associated with a stream.
-type Error struct {
-	Err      ErrorCode
-	StreamId StreamId
-}
-
-func (e *Error) Error() string {
-	return string(e.Err)
-}
-
-var invalidReqHeaders = map[string]bool{
-	"Connection":        true,
-	"Host":              true,
-	"Keep-Alive":        true,
-	"Proxy-Connection":  true,
-	"Transfer-Encoding": true,
-}
-
-var invalidRespHeaders = map[string]bool{
-	"Connection":        true,
-	"Keep-Alive":        true,
-	"Proxy-Connection":  true,
-	"Transfer-Encoding": true,
-}
-
-// Framer handles serializing/deserializing SPDY frames, including compressing/
-// decompressing payloads.
-type Framer struct {
-	headerCompressionDisabled bool
-	w                         io.Writer
-	headerBuf                 *bytes.Buffer
-	headerCompressor          *zlib.Writer
-	r                         io.Reader
-	headerReader              io.LimitedReader
-	headerDecompressor        io.ReadCloser
-}
-
-// NewFramer allocates a new Framer for a given SPDY connection, represented by
-// a io.Writer and io.Reader. Note that Framer will read and write individual fields
-// from/to the Reader and Writer, so the caller should pass in an appropriately
-// buffered implementation to optimize performance.
-func NewFramer(w io.Writer, r io.Reader) (*Framer, error) {
-	compressBuf := new(bytes.Buffer)
-	compressor, err := zlib.NewWriterLevelDict(compressBuf, zlib.BestCompression, []byte(headerDictionary))
-	if err != nil {
-		return nil, err
-	}
-	framer := &Framer{
-		w:                w,
-		headerBuf:        compressBuf,
-		headerCompressor: compressor,
-		r:                r,
-	}
-	return framer, nil
-}
diff --git a/vendor/github.com/moby/spdystream/spdy/write.go b/vendor/github.com/moby/spdystream/spdy/write.go
deleted file mode 100644
index ab6d91f3b..000000000
--- a/vendor/github.com/moby/spdystream/spdy/write.go
+++ /dev/null
@@ -1,334 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package spdy
-
-import (
-	"encoding/binary"
-	"io"
-	"net/http"
-	"strings"
-)
-
-func (frame *SynStreamFrame) write(f *Framer) error {
-	return f.writeSynStreamFrame(frame)
-}
-
-func (frame *SynReplyFrame) write(f *Framer) error {
-	return f.writeSynReplyFrame(frame)
-}
-
-func (frame *RstStreamFrame) write(f *Framer) (err error) {
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	frame.CFHeader.version = Version
-	frame.CFHeader.frameType = TypeRstStream
-	frame.CFHeader.Flags = 0
-	frame.CFHeader.length = 8
-
-	// Serialize frame to Writer.
-	if err = writeControlFrameHeader(f.w, frame.CFHeader); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.StreamId); err != nil {
-		return
-	}
-	if frame.Status == 0 {
-		return &Error{InvalidControlFrame, frame.StreamId}
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.Status); err != nil {
-		return
-	}
-	return
-}
-
-func (frame *SettingsFrame) write(f *Framer) (err error) {
-	frame.CFHeader.version = Version
-	frame.CFHeader.frameType = TypeSettings
-	frame.CFHeader.length = uint32(len(frame.FlagIdValues)*8 + 4)
-
-	// Serialize frame to Writer.
-	if err = writeControlFrameHeader(f.w, frame.CFHeader); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, uint32(len(frame.FlagIdValues))); err != nil {
-		return
-	}
-	for _, flagIdValue := range frame.FlagIdValues {
-		flagId := uint32(flagIdValue.Flag)<<24 | uint32(flagIdValue.Id)
-		if err = binary.Write(f.w, binary.BigEndian, flagId); err != nil {
-			return
-		}
-		if err = binary.Write(f.w, binary.BigEndian, flagIdValue.Value); err != nil {
-			return
-		}
-	}
-	return
-}
-
-func (frame *PingFrame) write(f *Framer) (err error) {
-	if frame.Id == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	frame.CFHeader.version = Version
-	frame.CFHeader.frameType = TypePing
-	frame.CFHeader.Flags = 0
-	frame.CFHeader.length = 4
-
-	// Serialize frame to Writer.
-	if err = writeControlFrameHeader(f.w, frame.CFHeader); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.Id); err != nil {
-		return
-	}
-	return
-}
-
-func (frame *GoAwayFrame) write(f *Framer) (err error) {
-	frame.CFHeader.version = Version
-	frame.CFHeader.frameType = TypeGoAway
-	frame.CFHeader.Flags = 0
-	frame.CFHeader.length = 8
-
-	// Serialize frame to Writer.
-	if err = writeControlFrameHeader(f.w, frame.CFHeader); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.LastGoodStreamId); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.Status); err != nil {
-		return
-	}
-	return nil
-}
-
-func (frame *HeadersFrame) write(f *Framer) error {
-	return f.writeHeadersFrame(frame)
-}
-
-func (frame *WindowUpdateFrame) write(f *Framer) (err error) {
-	frame.CFHeader.version = Version
-	frame.CFHeader.frameType = TypeWindowUpdate
-	frame.CFHeader.Flags = 0
-	frame.CFHeader.length = 8
-
-	// Serialize frame to Writer.
-	if err = writeControlFrameHeader(f.w, frame.CFHeader); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.StreamId); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.DeltaWindowSize); err != nil {
-		return
-	}
-	return nil
-}
-
-func (frame *DataFrame) write(f *Framer) error {
-	return f.writeDataFrame(frame)
-}
-
-// WriteFrame writes a frame.
-func (f *Framer) WriteFrame(frame Frame) error {
-	return frame.write(f)
-}
-
-func writeControlFrameHeader(w io.Writer, h ControlFrameHeader) error {
-	if err := binary.Write(w, binary.BigEndian, 0x8000|h.version); err != nil {
-		return err
-	}
-	if err := binary.Write(w, binary.BigEndian, h.frameType); err != nil {
-		return err
-	}
-	flagsAndLength := uint32(h.Flags)<<24 | h.length
-	if err := binary.Write(w, binary.BigEndian, flagsAndLength); err != nil {
-		return err
-	}
-	return nil
-}
-
-func writeHeaderValueBlock(w io.Writer, h http.Header) (n int, err error) {
-	n = 0
-	if err = binary.Write(w, binary.BigEndian, uint32(len(h))); err != nil {
-		return
-	}
-	n += 2
-	for name, values := range h {
-		if err = binary.Write(w, binary.BigEndian, uint32(len(name))); err != nil {
-			return
-		}
-		n += 2
-		name = strings.ToLower(name)
-		if _, err = io.WriteString(w, name); err != nil {
-			return
-		}
-		n += len(name)
-		v := strings.Join(values, headerValueSeparator)
-		if err = binary.Write(w, binary.BigEndian, uint32(len(v))); err != nil {
-			return
-		}
-		n += 2
-		if _, err = io.WriteString(w, v); err != nil {
-			return
-		}
-		n += len(v)
-	}
-	return
-}
-
-func (f *Framer) writeSynStreamFrame(frame *SynStreamFrame) (err error) {
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	// Marshal the headers.
-	var writer io.Writer = f.headerBuf
-	if !f.headerCompressionDisabled {
-		writer = f.headerCompressor
-	}
-	if _, err = writeHeaderValueBlock(writer, frame.Headers); err != nil {
-		return
-	}
-	if !f.headerCompressionDisabled {
-		f.headerCompressor.Flush()
-	}
-
-	// Set ControlFrameHeader.
-	frame.CFHeader.version = Version
-	frame.CFHeader.frameType = TypeSynStream
-	frame.CFHeader.length = uint32(len(f.headerBuf.Bytes()) + 10)
-
-	// Serialize frame to Writer.
-	if err = writeControlFrameHeader(f.w, frame.CFHeader); err != nil {
-		return err
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.StreamId); err != nil {
-		return err
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.AssociatedToStreamId); err != nil {
-		return err
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.Priority<<5); err != nil {
-		return err
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.Slot); err != nil {
-		return err
-	}
-	if _, err = f.w.Write(f.headerBuf.Bytes()); err != nil {
-		return err
-	}
-	f.headerBuf.Reset()
-	return nil
-}
-
-func (f *Framer) writeSynReplyFrame(frame *SynReplyFrame) (err error) {
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	// Marshal the headers.
-	var writer io.Writer = f.headerBuf
-	if !f.headerCompressionDisabled {
-		writer = f.headerCompressor
-	}
-	if _, err = writeHeaderValueBlock(writer, frame.Headers); err != nil {
-		return
-	}
-	if !f.headerCompressionDisabled {
-		f.headerCompressor.Flush()
-	}
-
-	// Set ControlFrameHeader.
-	frame.CFHeader.version = Version
-	frame.CFHeader.frameType = TypeSynReply
-	frame.CFHeader.length = uint32(len(f.headerBuf.Bytes()) + 4)
-
-	// Serialize frame to Writer.
-	if err = writeControlFrameHeader(f.w, frame.CFHeader); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.StreamId); err != nil {
-		return
-	}
-	if _, err = f.w.Write(f.headerBuf.Bytes()); err != nil {
-		return
-	}
-	f.headerBuf.Reset()
-	return
-}
-
-func (f *Framer) writeHeadersFrame(frame *HeadersFrame) (err error) {
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	// Marshal the headers.
-	var writer io.Writer = f.headerBuf
-	if !f.headerCompressionDisabled {
-		writer = f.headerCompressor
-	}
-	if _, err = writeHeaderValueBlock(writer, frame.Headers); err != nil {
-		return
-	}
-	if !f.headerCompressionDisabled {
-		f.headerCompressor.Flush()
-	}
-
-	// Set ControlFrameHeader.
-	frame.CFHeader.version = Version
-	frame.CFHeader.frameType = TypeHeaders
-	frame.CFHeader.length = uint32(len(f.headerBuf.Bytes()) + 4)
-
-	// Serialize frame to Writer.
-	if err = writeControlFrameHeader(f.w, frame.CFHeader); err != nil {
-		return
-	}
-	if err = binary.Write(f.w, binary.BigEndian, frame.StreamId); err != nil {
-		return
-	}
-	if _, err = f.w.Write(f.headerBuf.Bytes()); err != nil {
-		return
-	}
-	f.headerBuf.Reset()
-	return
-}
-
-func (f *Framer) writeDataFrame(frame *DataFrame) (err error) {
-	if frame.StreamId == 0 {
-		return &Error{ZeroStreamId, 0}
-	}
-	if frame.StreamId&0x80000000 != 0 || len(frame.Data) > MaxDataLength {
-		return &Error{InvalidDataFrame, frame.StreamId}
-	}
-
-	// Serialize frame to Writer.
-	if err = binary.Write(f.w, binary.BigEndian, frame.StreamId); err != nil {
-		return
-	}
-	flagsAndLength := uint32(frame.Flags)<<24 | uint32(len(frame.Data))
-	if err = binary.Write(f.w, binary.BigEndian, flagsAndLength); err != nil {
-		return
-	}
-	if _, err = f.w.Write(frame.Data); err != nil {
-		return
-	}
-	return nil
-}
diff --git a/vendor/github.com/moby/spdystream/stream.go b/vendor/github.com/moby/spdystream/stream.go
deleted file mode 100644
index 171c1e9e3..000000000
--- a/vendor/github.com/moby/spdystream/stream.go
+++ /dev/null
@@ -1,345 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package spdystream
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"sync"
-	"time"
-
-	"github.com/moby/spdystream/spdy"
-)
-
-var (
-	ErrUnreadPartialData = errors.New("unread partial data")
-)
-
-type Stream struct {
-	streamId  spdy.StreamId
-	parent    *Stream
-	conn      *Connection
-	startChan chan error
-
-	dataLock sync.RWMutex
-	dataChan chan []byte
-	unread   []byte
-
-	priority   uint8
-	headers    http.Header
-	headerChan chan http.Header
-	finishLock sync.Mutex
-	finished   bool
-	replyCond  *sync.Cond
-	replied    bool
-	closeLock  sync.Mutex
-	closeChan  chan bool
-}
-
-// WriteData writes data to stream, sending a dataframe per call
-func (s *Stream) WriteData(data []byte, fin bool) error {
-	s.waitWriteReply()
-	var flags spdy.DataFlags
-
-	if fin {
-		flags = spdy.DataFlagFin
-		s.finishLock.Lock()
-		if s.finished {
-			s.finishLock.Unlock()
-			return ErrWriteClosedStream
-		}
-		s.finished = true
-		s.finishLock.Unlock()
-	}
-
-	dataFrame := &spdy.DataFrame{
-		StreamId: s.streamId,
-		Flags:    flags,
-		Data:     data,
-	}
-
-	debugMessage("(%p) (%d) Writing data frame", s, s.streamId)
-	return s.conn.framer.WriteFrame(dataFrame)
-}
-
-// Write writes bytes to a stream, calling write data for each call.
-func (s *Stream) Write(data []byte) (n int, err error) {
-	err = s.WriteData(data, false)
-	if err == nil {
-		n = len(data)
-	}
-	return
-}
-
-// Read reads bytes from a stream, a single read will never get more
-// than what is sent on a single data frame, but a multiple calls to
-// read may get data from the same data frame.
-func (s *Stream) Read(p []byte) (n int, err error) {
-	if s.unread == nil {
-		select {
-		case <-s.closeChan:
-			return 0, io.EOF
-		case read, ok := <-s.dataChan:
-			if !ok {
-				return 0, io.EOF
-			}
-			s.unread = read
-		}
-	}
-	n = copy(p, s.unread)
-	if n < len(s.unread) {
-		s.unread = s.unread[n:]
-	} else {
-		s.unread = nil
-	}
-	return
-}
-
-// ReadData reads an entire data frame and returns the byte array
-// from the data frame.  If there is unread data from the result
-// of a Read call, this function will return an ErrUnreadPartialData.
-func (s *Stream) ReadData() ([]byte, error) {
-	debugMessage("(%p) Reading data from %d", s, s.streamId)
-	if s.unread != nil {
-		return nil, ErrUnreadPartialData
-	}
-	select {
-	case <-s.closeChan:
-		return nil, io.EOF
-	case read, ok := <-s.dataChan:
-		if !ok {
-			return nil, io.EOF
-		}
-		return read, nil
-	}
-}
-
-func (s *Stream) waitWriteReply() {
-	if s.replyCond != nil {
-		s.replyCond.L.Lock()
-		for !s.replied {
-			s.replyCond.Wait()
-		}
-		s.replyCond.L.Unlock()
-	}
-}
-
-// Wait waits for the stream to receive a reply.
-func (s *Stream) Wait() error {
-	return s.WaitTimeout(time.Duration(0))
-}
-
-// WaitTimeout waits for the stream to receive a reply or for timeout.
-// When the timeout is reached, ErrTimeout will be returned.
-func (s *Stream) WaitTimeout(timeout time.Duration) error {
-	var timeoutChan <-chan time.Time
-	if timeout > time.Duration(0) {
-		timeoutChan = time.After(timeout)
-	}
-
-	select {
-	case err := <-s.startChan:
-		if err != nil {
-			return err
-		}
-		break
-	case <-timeoutChan:
-		return ErrTimeout
-	}
-	return nil
-}
-
-// Close closes the stream by sending an empty data frame with the
-// finish flag set, indicating this side is finished with the stream.
-func (s *Stream) Close() error {
-	select {
-	case <-s.closeChan:
-		// Stream is now fully closed
-		s.conn.removeStream(s)
-	default:
-		break
-	}
-	return s.WriteData([]byte{}, true)
-}
-
-// Reset sends a reset frame, putting the stream into the fully closed state.
-func (s *Stream) Reset() error {
-	s.conn.removeStream(s)
-	return s.resetStream()
-}
-
-func (s *Stream) resetStream() error {
-	// Always call closeRemoteChannels, even if s.finished is already true.
-	// This makes it so that stream.Close() followed by stream.Reset() allows
-	// stream.Read() to unblock.
-	s.closeRemoteChannels()
-
-	s.finishLock.Lock()
-	if s.finished {
-		s.finishLock.Unlock()
-		return nil
-	}
-	s.finished = true
-	s.finishLock.Unlock()
-
-	resetFrame := &spdy.RstStreamFrame{
-		StreamId: s.streamId,
-		Status:   spdy.Cancel,
-	}
-	return s.conn.framer.WriteFrame(resetFrame)
-}
-
-// CreateSubStream creates a stream using the current as the parent
-func (s *Stream) CreateSubStream(headers http.Header, fin bool) (*Stream, error) {
-	return s.conn.CreateStream(headers, s, fin)
-}
-
-// SetPriority sets the stream priority, does not affect the
-// remote priority of this stream after Open has been called.
-// Valid values are 0 through 7, 0 being the highest priority
-// and 7 the lowest.
-func (s *Stream) SetPriority(priority uint8) {
-	s.priority = priority
-}
-
-// SendHeader sends a header frame across the stream
-func (s *Stream) SendHeader(headers http.Header, fin bool) error {
-	return s.conn.sendHeaders(headers, s, fin)
-}
-
-// SendReply sends a reply on a stream, only valid to be called once
-// when handling a new stream
-func (s *Stream) SendReply(headers http.Header, fin bool) error {
-	if s.replyCond == nil {
-		return errors.New("cannot reply on initiated stream")
-	}
-	s.replyCond.L.Lock()
-	defer s.replyCond.L.Unlock()
-	if s.replied {
-		return nil
-	}
-
-	err := s.conn.sendReply(headers, s, fin)
-	if err != nil {
-		return err
-	}
-
-	s.replied = true
-	s.replyCond.Broadcast()
-	return nil
-}
-
-// Refuse sends a reset frame with the status refuse, only
-// valid to be called once when handling a new stream.  This
-// may be used to indicate that a stream is not allowed
-// when http status codes are not being used.
-func (s *Stream) Refuse() error {
-	if s.replied {
-		return nil
-	}
-	s.replied = true
-	return s.conn.sendReset(spdy.RefusedStream, s)
-}
-
-// Cancel sends a reset frame with the status canceled. This
-// can be used at any time by the creator of the Stream to
-// indicate the stream is no longer needed.
-func (s *Stream) Cancel() error {
-	return s.conn.sendReset(spdy.Cancel, s)
-}
-
-// ReceiveHeader receives a header sent on the other side
-// of the stream.  This function will block until a header
-// is received or stream is closed.
-func (s *Stream) ReceiveHeader() (http.Header, error) {
-	select {
-	case <-s.closeChan:
-		break
-	case header, ok := <-s.headerChan:
-		if !ok {
-			return nil, fmt.Errorf("header chan closed")
-		}
-		return header, nil
-	}
-	return nil, fmt.Errorf("stream closed")
-}
-
-// Parent returns the parent stream
-func (s *Stream) Parent() *Stream {
-	return s.parent
-}
-
-// Headers returns the headers used to create the stream
-func (s *Stream) Headers() http.Header {
-	return s.headers
-}
-
-// String returns the string version of stream using the
-// streamId to uniquely identify the stream
-func (s *Stream) String() string {
-	return fmt.Sprintf("stream:%d", s.streamId)
-}
-
-// Identifier returns a 32 bit identifier for the stream
-func (s *Stream) Identifier() uint32 {
-	return uint32(s.streamId)
-}
-
-// IsFinished returns whether the stream has finished
-// sending data
-func (s *Stream) IsFinished() bool {
-	s.finishLock.Lock()
-	defer s.finishLock.Unlock()
-	return s.finished
-}
-
-// Implement net.Conn interface
-
-func (s *Stream) LocalAddr() net.Addr {
-	return s.conn.conn.LocalAddr()
-}
-
-func (s *Stream) RemoteAddr() net.Addr {
-	return s.conn.conn.RemoteAddr()
-}
-
-// TODO set per stream values instead of connection-wide
-
-func (s *Stream) SetDeadline(t time.Time) error {
-	return s.conn.conn.SetDeadline(t)
-}
-
-func (s *Stream) SetReadDeadline(t time.Time) error {
-	return s.conn.conn.SetReadDeadline(t)
-}
-
-func (s *Stream) SetWriteDeadline(t time.Time) error {
-	return s.conn.conn.SetWriteDeadline(t)
-}
-
-func (s *Stream) closeRemoteChannels() {
-	s.closeLock.Lock()
-	defer s.closeLock.Unlock()
-	select {
-	case <-s.closeChan:
-	default:
-		close(s.closeChan)
-	}
-}
diff --git a/vendor/github.com/moby/spdystream/utils.go b/vendor/github.com/moby/spdystream/utils.go
deleted file mode 100644
index e9f7fffd6..000000000
--- a/vendor/github.com/moby/spdystream/utils.go
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
-   Copyright 2014-2021 Docker Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package spdystream
-
-import (
-	"log"
-	"os"
-)
-
-var (
-	DEBUG = os.Getenv("DEBUG")
-)
-
-func debugMessage(fmt string, args ...interface{}) {
-	if DEBUG != "" {
-		log.Printf(fmt, args...)
-	}
-}
diff --git a/vendor/github.com/mxk/go-flowrate/LICENSE b/vendor/github.com/mxk/go-flowrate/LICENSE
deleted file mode 100644
index e9f9f628b..000000000
--- a/vendor/github.com/mxk/go-flowrate/LICENSE
+++ /dev/null
@@ -1,29 +0,0 @@
-Copyright (c) 2014 The Go-FlowRate Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
-
- * Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the
-   distribution.
-
- * Neither the name of the go-flowrate project nor the names of its
-   contributors may be used to endorse or promote products derived
-   from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/mxk/go-flowrate/flowrate/flowrate.go b/vendor/github.com/mxk/go-flowrate/flowrate/flowrate.go
deleted file mode 100644
index 1b727721e..000000000
--- a/vendor/github.com/mxk/go-flowrate/flowrate/flowrate.go
+++ /dev/null
@@ -1,267 +0,0 @@
-//
-// Written by Maxim Khitrov (November 2012)
-//
-
-// Package flowrate provides the tools for monitoring and limiting the flow rate
-// of an arbitrary data stream.
-package flowrate
-
-import (
-	"math"
-	"sync"
-	"time"
-)
-
-// Monitor monitors and limits the transfer rate of a data stream.
-type Monitor struct {
-	mu      sync.Mutex    // Mutex guarding access to all internal fields
-	active  bool          // Flag indicating an active transfer
-	start   time.Duration // Transfer start time (clock() value)
-	bytes   int64         // Total number of bytes transferred
-	samples int64         // Total number of samples taken
-
-	rSample float64 // Most recent transfer rate sample (bytes per second)
-	rEMA    float64 // Exponential moving average of rSample
-	rPeak   float64 // Peak transfer rate (max of all rSamples)
-	rWindow float64 // rEMA window (seconds)
-
-	sBytes int64         // Number of bytes transferred since sLast
-	sLast  time.Duration // Most recent sample time (stop time when inactive)
-	sRate  time.Duration // Sampling rate
-
-	tBytes int64         // Number of bytes expected in the current transfer
-	tLast  time.Duration // Time of the most recent transfer of at least 1 byte
-}
-
-// New creates a new flow control monitor. Instantaneous transfer rate is
-// measured and updated for each sampleRate interval. windowSize determines the
-// weight of each sample in the exponential moving average (EMA) calculation.
-// The exact formulas are:
-//
-// 	sampleTime = currentTime - prevSampleTime
-// 	sampleRate = byteCount / sampleTime
-// 	weight     = 1 - exp(-sampleTime/windowSize)
-// 	newRate    = weight*sampleRate + (1-weight)*oldRate
-//
-// The default values for sampleRate and windowSize (if <= 0) are 100ms and 1s,
-// respectively.
-func New(sampleRate, windowSize time.Duration) *Monitor {
-	if sampleRate = clockRound(sampleRate); sampleRate <= 0 {
-		sampleRate = 5 * clockRate
-	}
-	if windowSize <= 0 {
-		windowSize = 1 * time.Second
-	}
-	now := clock()
-	return &Monitor{
-		active:  true,
-		start:   now,
-		rWindow: windowSize.Seconds(),
-		sLast:   now,
-		sRate:   sampleRate,
-		tLast:   now,
-	}
-}
-
-// Update records the transfer of n bytes and returns n. It should be called
-// after each Read/Write operation, even if n is 0.
-func (m *Monitor) Update(n int) int {
-	m.mu.Lock()
-	m.update(n)
-	m.mu.Unlock()
-	return n
-}
-
-// IO is a convenience method intended to wrap io.Reader and io.Writer method
-// execution. It calls m.Update(n) and then returns (n, err) unmodified.
-func (m *Monitor) IO(n int, err error) (int, error) {
-	return m.Update(n), err
-}
-
-// Done marks the transfer as finished and prevents any further updates or
-// limiting. Instantaneous and current transfer rates drop to 0. Update, IO, and
-// Limit methods become NOOPs. It returns the total number of bytes transferred.
-func (m *Monitor) Done() int64 {
-	m.mu.Lock()
-	if now := m.update(0); m.sBytes > 0 {
-		m.reset(now)
-	}
-	m.active = false
-	m.tLast = 0
-	n := m.bytes
-	m.mu.Unlock()
-	return n
-}
-
-// timeRemLimit is the maximum Status.TimeRem value.
-const timeRemLimit = 999*time.Hour + 59*time.Minute + 59*time.Second
-
-// Status represents the current Monitor status. All transfer rates are in bytes
-// per second rounded to the nearest byte.
-type Status struct {
-	Active   bool          // Flag indicating an active transfer
-	Start    time.Time     // Transfer start time
-	Duration time.Duration // Time period covered by the statistics
-	Idle     time.Duration // Time since the last transfer of at least 1 byte
-	Bytes    int64         // Total number of bytes transferred
-	Samples  int64         // Total number of samples taken
-	InstRate int64         // Instantaneous transfer rate
-	CurRate  int64         // Current transfer rate (EMA of InstRate)
-	AvgRate  int64         // Average transfer rate (Bytes / Duration)
-	PeakRate int64         // Maximum instantaneous transfer rate
-	BytesRem int64         // Number of bytes remaining in the transfer
-	TimeRem  time.Duration // Estimated time to completion
-	Progress Percent       // Overall transfer progress
-}
-
-// Status returns current transfer status information. The returned value
-// becomes static after a call to Done.
-func (m *Monitor) Status() Status {
-	m.mu.Lock()
-	now := m.update(0)
-	s := Status{
-		Active:   m.active,
-		Start:    clockToTime(m.start),
-		Duration: m.sLast - m.start,
-		Idle:     now - m.tLast,
-		Bytes:    m.bytes,
-		Samples:  m.samples,
-		PeakRate: round(m.rPeak),
-		BytesRem: m.tBytes - m.bytes,
-		Progress: percentOf(float64(m.bytes), float64(m.tBytes)),
-	}
-	if s.BytesRem < 0 {
-		s.BytesRem = 0
-	}
-	if s.Duration > 0 {
-		rAvg := float64(s.Bytes) / s.Duration.Seconds()
-		s.AvgRate = round(rAvg)
-		if s.Active {
-			s.InstRate = round(m.rSample)
-			s.CurRate = round(m.rEMA)
-			if s.BytesRem > 0 {
-				if tRate := 0.8*m.rEMA + 0.2*rAvg; tRate > 0 {
-					ns := float64(s.BytesRem) / tRate * 1e9
-					if ns > float64(timeRemLimit) {
-						ns = float64(timeRemLimit)
-					}
-					s.TimeRem = clockRound(time.Duration(ns))
-				}
-			}
-		}
-	}
-	m.mu.Unlock()
-	return s
-}
-
-// Limit restricts the instantaneous (per-sample) data flow to rate bytes per
-// second. It returns the maximum number of bytes (0 <= n <= want) that may be
-// transferred immediately without exceeding the limit. If block == true, the
-// call blocks until n > 0. want is returned unmodified if want < 1, rate < 1,
-// or the transfer is inactive (after a call to Done).
-//
-// At least one byte is always allowed to be transferred in any given sampling
-// period. Thus, if the sampling rate is 100ms, the lowest achievable flow rate
-// is 10 bytes per second.
-//
-// For usage examples, see the implementation of Reader and Writer in io.go.
-func (m *Monitor) Limit(want int, rate int64, block bool) (n int) {
-	if want < 1 || rate < 1 {
-		return want
-	}
-	m.mu.Lock()
-
-	// Determine the maximum number of bytes that can be sent in one sample
-	limit := round(float64(rate) * m.sRate.Seconds())
-	if limit <= 0 {
-		limit = 1
-	}
-
-	// If block == true, wait until m.sBytes < limit
-	if now := m.update(0); block {
-		for m.sBytes >= limit && m.active {
-			now = m.waitNextSample(now)
-		}
-	}
-
-	// Make limit <= want (unlimited if the transfer is no longer active)
-	if limit -= m.sBytes; limit > int64(want) || !m.active {
-		limit = int64(want)
-	}
-	m.mu.Unlock()
-
-	if limit < 0 {
-		limit = 0
-	}
-	return int(limit)
-}
-
-// SetTransferSize specifies the total size of the data transfer, which allows
-// the Monitor to calculate the overall progress and time to completion.
-func (m *Monitor) SetTransferSize(bytes int64) {
-	if bytes < 0 {
-		bytes = 0
-	}
-	m.mu.Lock()
-	m.tBytes = bytes
-	m.mu.Unlock()
-}
-
-// update accumulates the transferred byte count for the current sample until
-// clock() - m.sLast >= m.sRate. The monitor status is updated once the current
-// sample is done.
-func (m *Monitor) update(n int) (now time.Duration) {
-	if !m.active {
-		return
-	}
-	if now = clock(); n > 0 {
-		m.tLast = now
-	}
-	m.sBytes += int64(n)
-	if sTime := now - m.sLast; sTime >= m.sRate {
-		t := sTime.Seconds()
-		if m.rSample = float64(m.sBytes) / t; m.rSample > m.rPeak {
-			m.rPeak = m.rSample
-		}
-
-		// Exponential moving average using a method similar to *nix load
-		// average calculation. Longer sampling periods carry greater weight.
-		if m.samples > 0 {
-			w := math.Exp(-t / m.rWindow)
-			m.rEMA = m.rSample + w*(m.rEMA-m.rSample)
-		} else {
-			m.rEMA = m.rSample
-		}
-		m.reset(now)
-	}
-	return
-}
-
-// reset clears the current sample state in preparation for the next sample.
-func (m *Monitor) reset(sampleTime time.Duration) {
-	m.bytes += m.sBytes
-	m.samples++
-	m.sBytes = 0
-	m.sLast = sampleTime
-}
-
-// waitNextSample sleeps for the remainder of the current sample. The lock is
-// released and reacquired during the actual sleep period, so it's possible for
-// the transfer to be inactive when this method returns.
-func (m *Monitor) waitNextSample(now time.Duration) time.Duration {
-	const minWait = 5 * time.Millisecond
-	current := m.sLast
-
-	// sleep until the last sample time changes (ideally, just one iteration)
-	for m.sLast == current && m.active {
-		d := current + m.sRate - now
-		m.mu.Unlock()
-		if d < minWait {
-			d = minWait
-		}
-		time.Sleep(d)
-		m.mu.Lock()
-		now = m.update(0)
-	}
-	return now
-}
diff --git a/vendor/github.com/mxk/go-flowrate/flowrate/io.go b/vendor/github.com/mxk/go-flowrate/flowrate/io.go
deleted file mode 100644
index fbe090972..000000000
--- a/vendor/github.com/mxk/go-flowrate/flowrate/io.go
+++ /dev/null
@@ -1,133 +0,0 @@
-//
-// Written by Maxim Khitrov (November 2012)
-//
-
-package flowrate
-
-import (
-	"errors"
-	"io"
-)
-
-// ErrLimit is returned by the Writer when a non-blocking write is short due to
-// the transfer rate limit.
-var ErrLimit = errors.New("flowrate: flow rate limit exceeded")
-
-// Limiter is implemented by the Reader and Writer to provide a consistent
-// interface for monitoring and controlling data transfer.
-type Limiter interface {
-	Done() int64
-	Status() Status
-	SetTransferSize(bytes int64)
-	SetLimit(new int64) (old int64)
-	SetBlocking(new bool) (old bool)
-}
-
-// Reader implements io.ReadCloser with a restriction on the rate of data
-// transfer.
-type Reader struct {
-	io.Reader // Data source
-	*Monitor  // Flow control monitor
-
-	limit int64 // Rate limit in bytes per second (unlimited when <= 0)
-	block bool  // What to do when no new bytes can be read due to the limit
-}
-
-// NewReader restricts all Read operations on r to limit bytes per second.
-func NewReader(r io.Reader, limit int64) *Reader {
-	return &Reader{r, New(0, 0), limit, true}
-}
-
-// Read reads up to len(p) bytes into p without exceeding the current transfer
-// rate limit. It returns (0, nil) immediately if r is non-blocking and no new
-// bytes can be read at this time.
-func (r *Reader) Read(p []byte) (n int, err error) {
-	p = p[:r.Limit(len(p), r.limit, r.block)]
-	if len(p) > 0 {
-		n, err = r.IO(r.Reader.Read(p))
-	}
-	return
-}
-
-// SetLimit changes the transfer rate limit to new bytes per second and returns
-// the previous setting.
-func (r *Reader) SetLimit(new int64) (old int64) {
-	old, r.limit = r.limit, new
-	return
-}
-
-// SetBlocking changes the blocking behavior and returns the previous setting. A
-// Read call on a non-blocking reader returns immediately if no additional bytes
-// may be read at this time due to the rate limit.
-func (r *Reader) SetBlocking(new bool) (old bool) {
-	old, r.block = r.block, new
-	return
-}
-
-// Close closes the underlying reader if it implements the io.Closer interface.
-func (r *Reader) Close() error {
-	defer r.Done()
-	if c, ok := r.Reader.(io.Closer); ok {
-		return c.Close()
-	}
-	return nil
-}
-
-// Writer implements io.WriteCloser with a restriction on the rate of data
-// transfer.
-type Writer struct {
-	io.Writer // Data destination
-	*Monitor  // Flow control monitor
-
-	limit int64 // Rate limit in bytes per second (unlimited when <= 0)
-	block bool  // What to do when no new bytes can be written due to the limit
-}
-
-// NewWriter restricts all Write operations on w to limit bytes per second. The
-// transfer rate and the default blocking behavior (true) can be changed
-// directly on the returned *Writer.
-func NewWriter(w io.Writer, limit int64) *Writer {
-	return &Writer{w, New(0, 0), limit, true}
-}
-
-// Write writes len(p) bytes from p to the underlying data stream without
-// exceeding the current transfer rate limit. It returns (n, ErrLimit) if w is
-// non-blocking and no additional bytes can be written at this time.
-func (w *Writer) Write(p []byte) (n int, err error) {
-	var c int
-	for len(p) > 0 && err == nil {
-		s := p[:w.Limit(len(p), w.limit, w.block)]
-		if len(s) > 0 {
-			c, err = w.IO(w.Writer.Write(s))
-		} else {
-			return n, ErrLimit
-		}
-		p = p[c:]
-		n += c
-	}
-	return
-}
-
-// SetLimit changes the transfer rate limit to new bytes per second and returns
-// the previous setting.
-func (w *Writer) SetLimit(new int64) (old int64) {
-	old, w.limit = w.limit, new
-	return
-}
-
-// SetBlocking changes the blocking behavior and returns the previous setting. A
-// Write call on a non-blocking writer returns as soon as no additional bytes
-// may be written at this time due to the rate limit.
-func (w *Writer) SetBlocking(new bool) (old bool) {
-	old, w.block = w.block, new
-	return
-}
-
-// Close closes the underlying writer if it implements the io.Closer interface.
-func (w *Writer) Close() error {
-	defer w.Done()
-	if c, ok := w.Writer.(io.Closer); ok {
-		return c.Close()
-	}
-	return nil
-}
diff --git a/vendor/github.com/mxk/go-flowrate/flowrate/util.go b/vendor/github.com/mxk/go-flowrate/flowrate/util.go
deleted file mode 100644
index 4caac583f..000000000
--- a/vendor/github.com/mxk/go-flowrate/flowrate/util.go
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// Written by Maxim Khitrov (November 2012)
-//
-
-package flowrate
-
-import (
-	"math"
-	"strconv"
-	"time"
-)
-
-// clockRate is the resolution and precision of clock().
-const clockRate = 20 * time.Millisecond
-
-// czero is the process start time rounded down to the nearest clockRate
-// increment.
-var czero = time.Duration(time.Now().UnixNano()) / clockRate * clockRate
-
-// clock returns a low resolution timestamp relative to the process start time.
-func clock() time.Duration {
-	return time.Duration(time.Now().UnixNano())/clockRate*clockRate - czero
-}
-
-// clockToTime converts a clock() timestamp to an absolute time.Time value.
-func clockToTime(c time.Duration) time.Time {
-	return time.Unix(0, int64(czero+c))
-}
-
-// clockRound returns d rounded to the nearest clockRate increment.
-func clockRound(d time.Duration) time.Duration {
-	return (d + clockRate>>1) / clockRate * clockRate
-}
-
-// round returns x rounded to the nearest int64 (non-negative values only).
-func round(x float64) int64 {
-	if _, frac := math.Modf(x); frac >= 0.5 {
-		return int64(math.Ceil(x))
-	}
-	return int64(math.Floor(x))
-}
-
-// Percent represents a percentage in increments of 1/1000th of a percent.
-type Percent uint32
-
-// percentOf calculates what percent of the total is x.
-func percentOf(x, total float64) Percent {
-	if x < 0 || total <= 0 {
-		return 0
-	} else if p := round(x / total * 1e5); p <= math.MaxUint32 {
-		return Percent(p)
-	}
-	return Percent(math.MaxUint32)
-}
-
-func (p Percent) Float() float64 {
-	return float64(p) * 1e-3
-}
-
-func (p Percent) String() string {
-	var buf [12]byte
-	b := strconv.AppendUint(buf[:0], uint64(p)/1000, 10)
-	n := len(b)
-	b = strconv.AppendUint(b, 1000+uint64(p)%1000, 10)
-	b[n] = '.'
-	return string(append(b, '%'))
-}
diff --git a/vendor/golang.org/x/net/websocket/client.go b/vendor/golang.org/x/net/websocket/client.go
deleted file mode 100644
index 1e64157f3..000000000
--- a/vendor/golang.org/x/net/websocket/client.go
+++ /dev/null
@@ -1,139 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package websocket
-
-import (
-	"bufio"
-	"context"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"time"
-)
-
-// DialError is an error that occurs while dialling a websocket server.
-type DialError struct {
-	*Config
-	Err error
-}
-
-func (e *DialError) Error() string {
-	return "websocket.Dial " + e.Config.Location.String() + ": " + e.Err.Error()
-}
-
-// NewConfig creates a new WebSocket config for client connection.
-func NewConfig(server, origin string) (config *Config, err error) {
-	config = new(Config)
-	config.Version = ProtocolVersionHybi13
-	config.Location, err = url.ParseRequestURI(server)
-	if err != nil {
-		return
-	}
-	config.Origin, err = url.ParseRequestURI(origin)
-	if err != nil {
-		return
-	}
-	config.Header = http.Header(make(map[string][]string))
-	return
-}
-
-// NewClient creates a new WebSocket client connection over rwc.
-func NewClient(config *Config, rwc io.ReadWriteCloser) (ws *Conn, err error) {
-	br := bufio.NewReader(rwc)
-	bw := bufio.NewWriter(rwc)
-	err = hybiClientHandshake(config, br, bw)
-	if err != nil {
-		return
-	}
-	buf := bufio.NewReadWriter(br, bw)
-	ws = newHybiClientConn(config, buf, rwc)
-	return
-}
-
-// Dial opens a new client connection to a WebSocket.
-func Dial(url_, protocol, origin string) (ws *Conn, err error) {
-	config, err := NewConfig(url_, origin)
-	if err != nil {
-		return nil, err
-	}
-	if protocol != "" {
-		config.Protocol = []string{protocol}
-	}
-	return DialConfig(config)
-}
-
-var portMap = map[string]string{
-	"ws":  "80",
-	"wss": "443",
-}
-
-func parseAuthority(location *url.URL) string {
-	if _, ok := portMap[location.Scheme]; ok {
-		if _, _, err := net.SplitHostPort(location.Host); err != nil {
-			return net.JoinHostPort(location.Host, portMap[location.Scheme])
-		}
-	}
-	return location.Host
-}
-
-// DialConfig opens a new client connection to a WebSocket with a config.
-func DialConfig(config *Config) (ws *Conn, err error) {
-	return config.DialContext(context.Background())
-}
-
-// DialContext opens a new client connection to a WebSocket, with context support for timeouts/cancellation.
-func (config *Config) DialContext(ctx context.Context) (*Conn, error) {
-	if config.Location == nil {
-		return nil, &DialError{config, ErrBadWebSocketLocation}
-	}
-	if config.Origin == nil {
-		return nil, &DialError{config, ErrBadWebSocketOrigin}
-	}
-
-	dialer := config.Dialer
-	if dialer == nil {
-		dialer = &net.Dialer{}
-	}
-
-	client, err := dialWithDialer(ctx, dialer, config)
-	if err != nil {
-		return nil, &DialError{config, err}
-	}
-
-	// Cleanup the connection if we fail to create the websocket successfully
-	success := false
-	defer func() {
-		if !success {
-			_ = client.Close()
-		}
-	}()
-
-	var ws *Conn
-	var wsErr error
-	doneConnecting := make(chan struct{})
-	go func() {
-		defer close(doneConnecting)
-		ws, err = NewClient(config, client)
-		if err != nil {
-			wsErr = &DialError{config, err}
-		}
-	}()
-
-	// The websocket.NewClient() function can block indefinitely, make sure that we
-	// respect the deadlines specified by the context.
-	select {
-	case <-ctx.Done():
-		// Force the pending operations to fail, terminating the pending connection attempt
-		_ = client.SetDeadline(time.Now())
-		<-doneConnecting // Wait for the goroutine that tries to establish the connection to finish
-		return nil, &DialError{config, ctx.Err()}
-	case <-doneConnecting:
-		if wsErr == nil {
-			success = true // Disarm the deferred connection cleanup
-		}
-		return ws, wsErr
-	}
-}
diff --git a/vendor/golang.org/x/net/websocket/dial.go b/vendor/golang.org/x/net/websocket/dial.go
deleted file mode 100644
index 8a2d83c47..000000000
--- a/vendor/golang.org/x/net/websocket/dial.go
+++ /dev/null
@@ -1,29 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package websocket
-
-import (
-	"context"
-	"crypto/tls"
-	"net"
-)
-
-func dialWithDialer(ctx context.Context, dialer *net.Dialer, config *Config) (conn net.Conn, err error) {
-	switch config.Location.Scheme {
-	case "ws":
-		conn, err = dialer.DialContext(ctx, "tcp", parseAuthority(config.Location))
-
-	case "wss":
-		tlsDialer := &tls.Dialer{
-			NetDialer: dialer,
-			Config:    config.TlsConfig,
-		}
-
-		conn, err = tlsDialer.DialContext(ctx, "tcp", parseAuthority(config.Location))
-	default:
-		err = ErrBadScheme
-	}
-	return
-}
diff --git a/vendor/golang.org/x/net/websocket/hybi.go b/vendor/golang.org/x/net/websocket/hybi.go
deleted file mode 100644
index dda743466..000000000
--- a/vendor/golang.org/x/net/websocket/hybi.go
+++ /dev/null
@@ -1,582 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package websocket
-
-// This file implements a protocol of hybi draft.
-// http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-17
-
-import (
-	"bufio"
-	"bytes"
-	"crypto/rand"
-	"crypto/sha1"
-	"encoding/base64"
-	"encoding/binary"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"strings"
-)
-
-const (
-	websocketGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
-
-	closeStatusNormal            = 1000
-	closeStatusGoingAway         = 1001
-	closeStatusProtocolError     = 1002
-	closeStatusUnsupportedData   = 1003
-	closeStatusFrameTooLarge     = 1004
-	closeStatusNoStatusRcvd      = 1005
-	closeStatusAbnormalClosure   = 1006
-	closeStatusBadMessageData    = 1007
-	closeStatusPolicyViolation   = 1008
-	closeStatusTooBigData        = 1009
-	closeStatusExtensionMismatch = 1010
-
-	maxControlFramePayloadLength = 125
-)
-
-var (
-	ErrBadMaskingKey         = &ProtocolError{"bad masking key"}
-	ErrBadPongMessage        = &ProtocolError{"bad pong message"}
-	ErrBadClosingStatus      = &ProtocolError{"bad closing status"}
-	ErrUnsupportedExtensions = &ProtocolError{"unsupported extensions"}
-	ErrNotImplemented        = &ProtocolError{"not implemented"}
-
-	handshakeHeader = map[string]bool{
-		"Host":                   true,
-		"Upgrade":                true,
-		"Connection":             true,
-		"Sec-Websocket-Key":      true,
-		"Sec-Websocket-Origin":   true,
-		"Sec-Websocket-Version":  true,
-		"Sec-Websocket-Protocol": true,
-		"Sec-Websocket-Accept":   true,
-	}
-)
-
-// A hybiFrameHeader is a frame header as defined in hybi draft.
-type hybiFrameHeader struct {
-	Fin        bool
-	Rsv        [3]bool
-	OpCode     byte
-	Length     int64
-	MaskingKey []byte
-
-	data *bytes.Buffer
-}
-
-// A hybiFrameReader is a reader for hybi frame.
-type hybiFrameReader struct {
-	reader io.Reader
-
-	header hybiFrameHeader
-	pos    int64
-	length int
-}
-
-func (frame *hybiFrameReader) Read(msg []byte) (n int, err error) {
-	n, err = frame.reader.Read(msg)
-	if frame.header.MaskingKey != nil {
-		for i := 0; i < n; i++ {
-			msg[i] = msg[i] ^ frame.header.MaskingKey[frame.pos%4]
-			frame.pos++
-		}
-	}
-	return n, err
-}
-
-func (frame *hybiFrameReader) PayloadType() byte { return frame.header.OpCode }
-
-func (frame *hybiFrameReader) HeaderReader() io.Reader {
-	if frame.header.data == nil {
-		return nil
-	}
-	if frame.header.data.Len() == 0 {
-		return nil
-	}
-	return frame.header.data
-}
-
-func (frame *hybiFrameReader) TrailerReader() io.Reader { return nil }
-
-func (frame *hybiFrameReader) Len() (n int) { return frame.length }
-
-// A hybiFrameReaderFactory creates new frame reader based on its frame type.
-type hybiFrameReaderFactory struct {
-	*bufio.Reader
-}
-
-// NewFrameReader reads a frame header from the connection, and creates new reader for the frame.
-// See Section 5.2 Base Framing protocol for detail.
-// http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-17#section-5.2
-func (buf hybiFrameReaderFactory) NewFrameReader() (frame frameReader, err error) {
-	hybiFrame := new(hybiFrameReader)
-	frame = hybiFrame
-	var header []byte
-	var b byte
-	// First byte. FIN/RSV1/RSV2/RSV3/OpCode(4bits)
-	b, err = buf.ReadByte()
-	if err != nil {
-		return
-	}
-	header = append(header, b)
-	hybiFrame.header.Fin = ((header[0] >> 7) & 1) != 0
-	for i := 0; i < 3; i++ {
-		j := uint(6 - i)
-		hybiFrame.header.Rsv[i] = ((header[0] >> j) & 1) != 0
-	}
-	hybiFrame.header.OpCode = header[0] & 0x0f
-
-	// Second byte. Mask/Payload len(7bits)
-	b, err = buf.ReadByte()
-	if err != nil {
-		return
-	}
-	header = append(header, b)
-	mask := (b & 0x80) != 0
-	b &= 0x7f
-	lengthFields := 0
-	switch {
-	case b <= 125: // Payload length 7bits.
-		hybiFrame.header.Length = int64(b)
-	case b == 126: // Payload length 7+16bits
-		lengthFields = 2
-	case b == 127: // Payload length 7+64bits
-		lengthFields = 8
-	}
-	for i := 0; i < lengthFields; i++ {
-		b, err = buf.ReadByte()
-		if err != nil {
-			return
-		}
-		if lengthFields == 8 && i == 0 { // MSB must be zero when 7+64 bits
-			b &= 0x7f
-		}
-		header = append(header, b)
-		hybiFrame.header.Length = hybiFrame.header.Length*256 + int64(b)
-	}
-	if mask {
-		// Masking key. 4 bytes.
-		for i := 0; i < 4; i++ {
-			b, err = buf.ReadByte()
-			if err != nil {
-				return
-			}
-			header = append(header, b)
-			hybiFrame.header.MaskingKey = append(hybiFrame.header.MaskingKey, b)
-		}
-	}
-	hybiFrame.reader = io.LimitReader(buf.Reader, hybiFrame.header.Length)
-	hybiFrame.header.data = bytes.NewBuffer(header)
-	hybiFrame.length = len(header) + int(hybiFrame.header.Length)
-	return
-}
-
-// A HybiFrameWriter is a writer for hybi frame.
-type hybiFrameWriter struct {
-	writer *bufio.Writer
-
-	header *hybiFrameHeader
-}
-
-func (frame *hybiFrameWriter) Write(msg []byte) (n int, err error) {
-	var header []byte
-	var b byte
-	if frame.header.Fin {
-		b |= 0x80
-	}
-	for i := 0; i < 3; i++ {
-		if frame.header.Rsv[i] {
-			j := uint(6 - i)
-			b |= 1 << j
-		}
-	}
-	b |= frame.header.OpCode
-	header = append(header, b)
-	if frame.header.MaskingKey != nil {
-		b = 0x80
-	} else {
-		b = 0
-	}
-	lengthFields := 0
-	length := len(msg)
-	switch {
-	case length <= 125:
-		b |= byte(length)
-	case length < 65536:
-		b |= 126
-		lengthFields = 2
-	default:
-		b |= 127
-		lengthFields = 8
-	}
-	header = append(header, b)
-	for i := 0; i < lengthFields; i++ {
-		j := uint((lengthFields - i - 1) * 8)
-		b = byte((length >> j) & 0xff)
-		header = append(header, b)
-	}
-	if frame.header.MaskingKey != nil {
-		if len(frame.header.MaskingKey) != 4 {
-			return 0, ErrBadMaskingKey
-		}
-		header = append(header, frame.header.MaskingKey...)
-		frame.writer.Write(header)
-		data := make([]byte, length)
-		for i := range data {
-			data[i] = msg[i] ^ frame.header.MaskingKey[i%4]
-		}
-		frame.writer.Write(data)
-		err = frame.writer.Flush()
-		return length, err
-	}
-	frame.writer.Write(header)
-	frame.writer.Write(msg)
-	err = frame.writer.Flush()
-	return length, err
-}
-
-func (frame *hybiFrameWriter) Close() error { return nil }
-
-type hybiFrameWriterFactory struct {
-	*bufio.Writer
-	needMaskingKey bool
-}
-
-func (buf hybiFrameWriterFactory) NewFrameWriter(payloadType byte) (frame frameWriter, err error) {
-	frameHeader := &hybiFrameHeader{Fin: true, OpCode: payloadType}
-	if buf.needMaskingKey {
-		frameHeader.MaskingKey, err = generateMaskingKey()
-		if err != nil {
-			return nil, err
-		}
-	}
-	return &hybiFrameWriter{writer: buf.Writer, header: frameHeader}, nil
-}
-
-type hybiFrameHandler struct {
-	conn        *Conn
-	payloadType byte
-}
-
-func (handler *hybiFrameHandler) HandleFrame(frame frameReader) (frameReader, error) {
-	if handler.conn.IsServerConn() {
-		// The client MUST mask all frames sent to the server.
-		if frame.(*hybiFrameReader).header.MaskingKey == nil {
-			handler.WriteClose(closeStatusProtocolError)
-			return nil, io.EOF
-		}
-	} else {
-		// The server MUST NOT mask all frames.
-		if frame.(*hybiFrameReader).header.MaskingKey != nil {
-			handler.WriteClose(closeStatusProtocolError)
-			return nil, io.EOF
-		}
-	}
-	if header := frame.HeaderReader(); header != nil {
-		io.Copy(io.Discard, header)
-	}
-	switch frame.PayloadType() {
-	case ContinuationFrame:
-		frame.(*hybiFrameReader).header.OpCode = handler.payloadType
-	case TextFrame, BinaryFrame:
-		handler.payloadType = frame.PayloadType()
-	case CloseFrame:
-		return nil, io.EOF
-	case PingFrame, PongFrame:
-		b := make([]byte, maxControlFramePayloadLength)
-		n, err := io.ReadFull(frame, b)
-		if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
-			return nil, err
-		}
-		io.Copy(io.Discard, frame)
-		if frame.PayloadType() == PingFrame {
-			if _, err := handler.WritePong(b[:n]); err != nil {
-				return nil, err
-			}
-		}
-		return nil, nil
-	}
-	return frame, nil
-}
-
-func (handler *hybiFrameHandler) WriteClose(status int) (err error) {
-	handler.conn.wio.Lock()
-	defer handler.conn.wio.Unlock()
-	w, err := handler.conn.frameWriterFactory.NewFrameWriter(CloseFrame)
-	if err != nil {
-		return err
-	}
-	msg := make([]byte, 2)
-	binary.BigEndian.PutUint16(msg, uint16(status))
-	_, err = w.Write(msg)
-	w.Close()
-	return err
-}
-
-func (handler *hybiFrameHandler) WritePong(msg []byte) (n int, err error) {
-	handler.conn.wio.Lock()
-	defer handler.conn.wio.Unlock()
-	w, err := handler.conn.frameWriterFactory.NewFrameWriter(PongFrame)
-	if err != nil {
-		return 0, err
-	}
-	n, err = w.Write(msg)
-	w.Close()
-	return n, err
-}
-
-// newHybiConn creates a new WebSocket connection speaking hybi draft protocol.
-func newHybiConn(config *Config, buf *bufio.ReadWriter, rwc io.ReadWriteCloser, request *http.Request) *Conn {
-	if buf == nil {
-		br := bufio.NewReader(rwc)
-		bw := bufio.NewWriter(rwc)
-		buf = bufio.NewReadWriter(br, bw)
-	}
-	ws := &Conn{config: config, request: request, buf: buf, rwc: rwc,
-		frameReaderFactory: hybiFrameReaderFactory{buf.Reader},
-		frameWriterFactory: hybiFrameWriterFactory{
-			buf.Writer, request == nil},
-		PayloadType:        TextFrame,
-		defaultCloseStatus: closeStatusNormal}
-	ws.frameHandler = &hybiFrameHandler{conn: ws}
-	return ws
-}
-
-// generateMaskingKey generates a masking key for a frame.
-func generateMaskingKey() (maskingKey []byte, err error) {
-	maskingKey = make([]byte, 4)
-	if _, err = io.ReadFull(rand.Reader, maskingKey); err != nil {
-		return
-	}
-	return
-}
-
-// generateNonce generates a nonce consisting of a randomly selected 16-byte
-// value that has been base64-encoded.
-func generateNonce() (nonce []byte) {
-	key := make([]byte, 16)
-	if _, err := io.ReadFull(rand.Reader, key); err != nil {
-		panic(err)
-	}
-	nonce = make([]byte, 24)
-	base64.StdEncoding.Encode(nonce, key)
-	return
-}
-
-// removeZone removes IPv6 zone identifier from host.
-// E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
-func removeZone(host string) string {
-	if !strings.HasPrefix(host, "[") {
-		return host
-	}
-	i := strings.LastIndex(host, "]")
-	if i < 0 {
-		return host
-	}
-	j := strings.LastIndex(host[:i], "%")
-	if j < 0 {
-		return host
-	}
-	return host[:j] + host[i:]
-}
-
-// getNonceAccept computes the base64-encoded SHA-1 of the concatenation of
-// the nonce ("Sec-WebSocket-Key" value) with the websocket GUID string.
-func getNonceAccept(nonce []byte) (expected []byte, err error) {
-	h := sha1.New()
-	if _, err = h.Write(nonce); err != nil {
-		return
-	}
-	if _, err = h.Write([]byte(websocketGUID)); err != nil {
-		return
-	}
-	expected = make([]byte, 28)
-	base64.StdEncoding.Encode(expected, h.Sum(nil))
-	return
-}
-
-// Client handshake described in draft-ietf-hybi-thewebsocket-protocol-17
-func hybiClientHandshake(config *Config, br *bufio.Reader, bw *bufio.Writer) (err error) {
-	bw.WriteString("GET " + config.Location.RequestURI() + " HTTP/1.1\r\n")
-
-	// According to RFC 6874, an HTTP client, proxy, or other
-	// intermediary must remove any IPv6 zone identifier attached
-	// to an outgoing URI.
-	bw.WriteString("Host: " + removeZone(config.Location.Host) + "\r\n")
-	bw.WriteString("Upgrade: websocket\r\n")
-	bw.WriteString("Connection: Upgrade\r\n")
-	nonce := generateNonce()
-	if config.handshakeData != nil {
-		nonce = []byte(config.handshakeData["key"])
-	}
-	bw.WriteString("Sec-WebSocket-Key: " + string(nonce) + "\r\n")
-	bw.WriteString("Origin: " + strings.ToLower(config.Origin.String()) + "\r\n")
-
-	if config.Version != ProtocolVersionHybi13 {
-		return ErrBadProtocolVersion
-	}
-
-	bw.WriteString("Sec-WebSocket-Version: " + fmt.Sprintf("%d", config.Version) + "\r\n")
-	if len(config.Protocol) > 0 {
-		bw.WriteString("Sec-WebSocket-Protocol: " + strings.Join(config.Protocol, ", ") + "\r\n")
-	}
-	// TODO(ukai): send Sec-WebSocket-Extensions.
-	err = config.Header.WriteSubset(bw, handshakeHeader)
-	if err != nil {
-		return err
-	}
-
-	bw.WriteString("\r\n")
-	if err = bw.Flush(); err != nil {
-		return err
-	}
-
-	resp, err := http.ReadResponse(br, &http.Request{Method: "GET"})
-	if err != nil {
-		return err
-	}
-	if resp.StatusCode != 101 {
-		return ErrBadStatus
-	}
-	if strings.ToLower(resp.Header.Get("Upgrade")) != "websocket" ||
-		strings.ToLower(resp.Header.Get("Connection")) != "upgrade" {
-		return ErrBadUpgrade
-	}
-	expectedAccept, err := getNonceAccept(nonce)
-	if err != nil {
-		return err
-	}
-	if resp.Header.Get("Sec-WebSocket-Accept") != string(expectedAccept) {
-		return ErrChallengeResponse
-	}
-	if resp.Header.Get("Sec-WebSocket-Extensions") != "" {
-		return ErrUnsupportedExtensions
-	}
-	offeredProtocol := resp.Header.Get("Sec-WebSocket-Protocol")
-	if offeredProtocol != "" {
-		protocolMatched := false
-		for i := 0; i < len(config.Protocol); i++ {
-			if config.Protocol[i] == offeredProtocol {
-				protocolMatched = true
-				break
-			}
-		}
-		if !protocolMatched {
-			return ErrBadWebSocketProtocol
-		}
-		config.Protocol = []string{offeredProtocol}
-	}
-
-	return nil
-}
-
-// newHybiClientConn creates a client WebSocket connection after handshake.
-func newHybiClientConn(config *Config, buf *bufio.ReadWriter, rwc io.ReadWriteCloser) *Conn {
-	return newHybiConn(config, buf, rwc, nil)
-}
-
-// A HybiServerHandshaker performs a server handshake using hybi draft protocol.
-type hybiServerHandshaker struct {
-	*Config
-	accept []byte
-}
-
-func (c *hybiServerHandshaker) ReadHandshake(buf *bufio.Reader, req *http.Request) (code int, err error) {
-	c.Version = ProtocolVersionHybi13
-	if req.Method != "GET" {
-		return http.StatusMethodNotAllowed, ErrBadRequestMethod
-	}
-	// HTTP version can be safely ignored.
-
-	if strings.ToLower(req.Header.Get("Upgrade")) != "websocket" ||
-		!strings.Contains(strings.ToLower(req.Header.Get("Connection")), "upgrade") {
-		return http.StatusBadRequest, ErrNotWebSocket
-	}
-
-	key := req.Header.Get("Sec-Websocket-Key")
-	if key == "" {
-		return http.StatusBadRequest, ErrChallengeResponse
-	}
-	version := req.Header.Get("Sec-Websocket-Version")
-	switch version {
-	case "13":
-		c.Version = ProtocolVersionHybi13
-	default:
-		return http.StatusBadRequest, ErrBadWebSocketVersion
-	}
-	var scheme string
-	if req.TLS != nil {
-		scheme = "wss"
-	} else {
-		scheme = "ws"
-	}
-	c.Location, err = url.ParseRequestURI(scheme + "://" + req.Host + req.URL.RequestURI())
-	if err != nil {
-		return http.StatusBadRequest, err
-	}
-	protocol := strings.TrimSpace(req.Header.Get("Sec-Websocket-Protocol"))
-	if protocol != "" {
-		protocols := strings.Split(protocol, ",")
-		for i := 0; i < len(protocols); i++ {
-			c.Protocol = append(c.Protocol, strings.TrimSpace(protocols[i]))
-		}
-	}
-	c.accept, err = getNonceAccept([]byte(key))
-	if err != nil {
-		return http.StatusInternalServerError, err
-	}
-	return http.StatusSwitchingProtocols, nil
-}
-
-// Origin parses the Origin header in req.
-// If the Origin header is not set, it returns nil and nil.
-func Origin(config *Config, req *http.Request) (*url.URL, error) {
-	var origin string
-	switch config.Version {
-	case ProtocolVersionHybi13:
-		origin = req.Header.Get("Origin")
-	}
-	if origin == "" {
-		return nil, nil
-	}
-	return url.ParseRequestURI(origin)
-}
-
-func (c *hybiServerHandshaker) AcceptHandshake(buf *bufio.Writer) (err error) {
-	if len(c.Protocol) > 0 {
-		if len(c.Protocol) != 1 {
-			// You need choose a Protocol in Handshake func in Server.
-			return ErrBadWebSocketProtocol
-		}
-	}
-	buf.WriteString("HTTP/1.1 101 Switching Protocols\r\n")
-	buf.WriteString("Upgrade: websocket\r\n")
-	buf.WriteString("Connection: Upgrade\r\n")
-	buf.WriteString("Sec-WebSocket-Accept: " + string(c.accept) + "\r\n")
-	if len(c.Protocol) > 0 {
-		buf.WriteString("Sec-WebSocket-Protocol: " + c.Protocol[0] + "\r\n")
-	}
-	// TODO(ukai): send Sec-WebSocket-Extensions.
-	if c.Header != nil {
-		err := c.Header.WriteSubset(buf, handshakeHeader)
-		if err != nil {
-			return err
-		}
-	}
-	buf.WriteString("\r\n")
-	return buf.Flush()
-}
-
-func (c *hybiServerHandshaker) NewServerConn(buf *bufio.ReadWriter, rwc io.ReadWriteCloser, request *http.Request) *Conn {
-	return newHybiServerConn(c.Config, buf, rwc, request)
-}
-
-// newHybiServerConn returns a new WebSocket connection speaking hybi draft protocol.
-func newHybiServerConn(config *Config, buf *bufio.ReadWriter, rwc io.ReadWriteCloser, request *http.Request) *Conn {
-	return newHybiConn(config, buf, rwc, request)
-}
diff --git a/vendor/golang.org/x/net/websocket/server.go b/vendor/golang.org/x/net/websocket/server.go
deleted file mode 100644
index 0895dea19..000000000
--- a/vendor/golang.org/x/net/websocket/server.go
+++ /dev/null
@@ -1,113 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package websocket
-
-import (
-	"bufio"
-	"fmt"
-	"io"
-	"net/http"
-)
-
-func newServerConn(rwc io.ReadWriteCloser, buf *bufio.ReadWriter, req *http.Request, config *Config, handshake func(*Config, *http.Request) error) (conn *Conn, err error) {
-	var hs serverHandshaker = &hybiServerHandshaker{Config: config}
-	code, err := hs.ReadHandshake(buf.Reader, req)
-	if err == ErrBadWebSocketVersion {
-		fmt.Fprintf(buf, "HTTP/1.1 %03d %s\r\n", code, http.StatusText(code))
-		fmt.Fprintf(buf, "Sec-WebSocket-Version: %s\r\n", SupportedProtocolVersion)
-		buf.WriteString("\r\n")
-		buf.WriteString(err.Error())
-		buf.Flush()
-		return
-	}
-	if err != nil {
-		fmt.Fprintf(buf, "HTTP/1.1 %03d %s\r\n", code, http.StatusText(code))
-		buf.WriteString("\r\n")
-		buf.WriteString(err.Error())
-		buf.Flush()
-		return
-	}
-	if handshake != nil {
-		err = handshake(config, req)
-		if err != nil {
-			code = http.StatusForbidden
-			fmt.Fprintf(buf, "HTTP/1.1 %03d %s\r\n", code, http.StatusText(code))
-			buf.WriteString("\r\n")
-			buf.Flush()
-			return
-		}
-	}
-	err = hs.AcceptHandshake(buf.Writer)
-	if err != nil {
-		code = http.StatusBadRequest
-		fmt.Fprintf(buf, "HTTP/1.1 %03d %s\r\n", code, http.StatusText(code))
-		buf.WriteString("\r\n")
-		buf.Flush()
-		return
-	}
-	conn = hs.NewServerConn(buf, rwc, req)
-	return
-}
-
-// Server represents a server of a WebSocket.
-type Server struct {
-	// Config is a WebSocket configuration for new WebSocket connection.
-	Config
-
-	// Handshake is an optional function in WebSocket handshake.
-	// For example, you can check, or don't check Origin header.
-	// Another example, you can select config.Protocol.
-	Handshake func(*Config, *http.Request) error
-
-	// Handler handles a WebSocket connection.
-	Handler
-}
-
-// ServeHTTP implements the http.Handler interface for a WebSocket
-func (s Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	s.serveWebSocket(w, req)
-}
-
-func (s Server) serveWebSocket(w http.ResponseWriter, req *http.Request) {
-	rwc, buf, err := w.(http.Hijacker).Hijack()
-	if err != nil {
-		panic("Hijack failed: " + err.Error())
-	}
-	// The server should abort the WebSocket connection if it finds
-	// the client did not send a handshake that matches with protocol
-	// specification.
-	defer rwc.Close()
-	conn, err := newServerConn(rwc, buf, req, &s.Config, s.Handshake)
-	if err != nil {
-		return
-	}
-	if conn == nil {
-		panic("unexpected nil conn")
-	}
-	s.Handler(conn)
-}
-
-// Handler is a simple interface to a WebSocket browser client.
-// It checks if Origin header is valid URL by default.
-// You might want to verify websocket.Conn.Config().Origin in the func.
-// If you use Server instead of Handler, you could call websocket.Origin and
-// check the origin in your Handshake func. So, if you want to accept
-// non-browser clients, which do not send an Origin header, set a
-// Server.Handshake that does not check the origin.
-type Handler func(*Conn)
-
-func checkOrigin(config *Config, req *http.Request) (err error) {
-	config.Origin, err = Origin(config, req)
-	if err == nil && config.Origin == nil {
-		return fmt.Errorf("null origin")
-	}
-	return err
-}
-
-// ServeHTTP implements the http.Handler interface for a WebSocket
-func (h Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	s := Server{Handler: h, Handshake: checkOrigin}
-	s.serveWebSocket(w, req)
-}
diff --git a/vendor/golang.org/x/net/websocket/websocket.go b/vendor/golang.org/x/net/websocket/websocket.go
deleted file mode 100644
index 3448d2039..000000000
--- a/vendor/golang.org/x/net/websocket/websocket.go
+++ /dev/null
@@ -1,449 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package websocket implements a client and server for the WebSocket protocol
-// as specified in RFC 6455.
-//
-// This package currently lacks some features found in an alternative
-// and more actively maintained WebSocket packages:
-//
-//   - [github.com/gorilla/websocket]
-//   - [github.com/coder/websocket]
-package websocket // import "golang.org/x/net/websocket"
-
-import (
-	"bufio"
-	"crypto/tls"
-	"encoding/json"
-	"errors"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"sync"
-	"time"
-)
-
-const (
-	ProtocolVersionHybi13    = 13
-	ProtocolVersionHybi      = ProtocolVersionHybi13
-	SupportedProtocolVersion = "13"
-
-	ContinuationFrame = 0
-	TextFrame         = 1
-	BinaryFrame       = 2
-	CloseFrame        = 8
-	PingFrame         = 9
-	PongFrame         = 10
-	UnknownFrame      = 255
-
-	DefaultMaxPayloadBytes = 32 << 20 // 32MB
-)
-
-// ProtocolError represents WebSocket protocol errors.
-type ProtocolError struct {
-	ErrorString string
-}
-
-func (err *ProtocolError) Error() string { return err.ErrorString }
-
-var (
-	ErrBadProtocolVersion   = &ProtocolError{"bad protocol version"}
-	ErrBadScheme            = &ProtocolError{"bad scheme"}
-	ErrBadStatus            = &ProtocolError{"bad status"}
-	ErrBadUpgrade           = &ProtocolError{"missing or bad upgrade"}
-	ErrBadWebSocketOrigin   = &ProtocolError{"missing or bad WebSocket-Origin"}
-	ErrBadWebSocketLocation = &ProtocolError{"missing or bad WebSocket-Location"}
-	ErrBadWebSocketProtocol = &ProtocolError{"missing or bad WebSocket-Protocol"}
-	ErrBadWebSocketVersion  = &ProtocolError{"missing or bad WebSocket Version"}
-	ErrChallengeResponse    = &ProtocolError{"mismatch challenge/response"}
-	ErrBadFrame             = &ProtocolError{"bad frame"}
-	ErrBadFrameBoundary     = &ProtocolError{"not on frame boundary"}
-	ErrNotWebSocket         = &ProtocolError{"not websocket protocol"}
-	ErrBadRequestMethod     = &ProtocolError{"bad method"}
-	ErrNotSupported         = &ProtocolError{"not supported"}
-)
-
-// ErrFrameTooLarge is returned by Codec's Receive method if payload size
-// exceeds limit set by Conn.MaxPayloadBytes
-var ErrFrameTooLarge = errors.New("websocket: frame payload size exceeds limit")
-
-// Addr is an implementation of net.Addr for WebSocket.
-type Addr struct {
-	*url.URL
-}
-
-// Network returns the network type for a WebSocket, "websocket".
-func (addr *Addr) Network() string { return "websocket" }
-
-// Config is a WebSocket configuration
-type Config struct {
-	// A WebSocket server address.
-	Location *url.URL
-
-	// A Websocket client origin.
-	Origin *url.URL
-
-	// WebSocket subprotocols.
-	Protocol []string
-
-	// WebSocket protocol version.
-	Version int
-
-	// TLS config for secure WebSocket (wss).
-	TlsConfig *tls.Config
-
-	// Additional header fields to be sent in WebSocket opening handshake.
-	Header http.Header
-
-	// Dialer used when opening websocket connections.
-	Dialer *net.Dialer
-
-	handshakeData map[string]string
-}
-
-// serverHandshaker is an interface to handle WebSocket server side handshake.
-type serverHandshaker interface {
-	// ReadHandshake reads handshake request message from client.
-	// Returns http response code and error if any.
-	ReadHandshake(buf *bufio.Reader, req *http.Request) (code int, err error)
-
-	// AcceptHandshake accepts the client handshake request and sends
-	// handshake response back to client.
-	AcceptHandshake(buf *bufio.Writer) (err error)
-
-	// NewServerConn creates a new WebSocket connection.
-	NewServerConn(buf *bufio.ReadWriter, rwc io.ReadWriteCloser, request *http.Request) (conn *Conn)
-}
-
-// frameReader is an interface to read a WebSocket frame.
-type frameReader interface {
-	// Reader is to read payload of the frame.
-	io.Reader
-
-	// PayloadType returns payload type.
-	PayloadType() byte
-
-	// HeaderReader returns a reader to read header of the frame.
-	HeaderReader() io.Reader
-
-	// TrailerReader returns a reader to read trailer of the frame.
-	// If it returns nil, there is no trailer in the frame.
-	TrailerReader() io.Reader
-
-	// Len returns total length of the frame, including header and trailer.
-	Len() int
-}
-
-// frameReaderFactory is an interface to creates new frame reader.
-type frameReaderFactory interface {
-	NewFrameReader() (r frameReader, err error)
-}
-
-// frameWriter is an interface to write a WebSocket frame.
-type frameWriter interface {
-	// Writer is to write payload of the frame.
-	io.WriteCloser
-}
-
-// frameWriterFactory is an interface to create new frame writer.
-type frameWriterFactory interface {
-	NewFrameWriter(payloadType byte) (w frameWriter, err error)
-}
-
-type frameHandler interface {
-	HandleFrame(frame frameReader) (r frameReader, err error)
-	WriteClose(status int) (err error)
-}
-
-// Conn represents a WebSocket connection.
-//
-// Multiple goroutines may invoke methods on a Conn simultaneously.
-type Conn struct {
-	config  *Config
-	request *http.Request
-
-	buf *bufio.ReadWriter
-	rwc io.ReadWriteCloser
-
-	rio sync.Mutex
-	frameReaderFactory
-	frameReader
-
-	wio sync.Mutex
-	frameWriterFactory
-
-	frameHandler
-	PayloadType        byte
-	defaultCloseStatus int
-
-	// MaxPayloadBytes limits the size of frame payload received over Conn
-	// by Codec's Receive method. If zero, DefaultMaxPayloadBytes is used.
-	MaxPayloadBytes int
-}
-
-// Read implements the io.Reader interface:
-// it reads data of a frame from the WebSocket connection.
-// if msg is not large enough for the frame data, it fills the msg and next Read
-// will read the rest of the frame data.
-// it reads Text frame or Binary frame.
-func (ws *Conn) Read(msg []byte) (n int, err error) {
-	ws.rio.Lock()
-	defer ws.rio.Unlock()
-again:
-	if ws.frameReader == nil {
-		frame, err := ws.frameReaderFactory.NewFrameReader()
-		if err != nil {
-			return 0, err
-		}
-		ws.frameReader, err = ws.frameHandler.HandleFrame(frame)
-		if err != nil {
-			return 0, err
-		}
-		if ws.frameReader == nil {
-			goto again
-		}
-	}
-	n, err = ws.frameReader.Read(msg)
-	if err == io.EOF {
-		if trailer := ws.frameReader.TrailerReader(); trailer != nil {
-			io.Copy(io.Discard, trailer)
-		}
-		ws.frameReader = nil
-		goto again
-	}
-	return n, err
-}
-
-// Write implements the io.Writer interface:
-// it writes data as a frame to the WebSocket connection.
-func (ws *Conn) Write(msg []byte) (n int, err error) {
-	ws.wio.Lock()
-	defer ws.wio.Unlock()
-	w, err := ws.frameWriterFactory.NewFrameWriter(ws.PayloadType)
-	if err != nil {
-		return 0, err
-	}
-	n, err = w.Write(msg)
-	w.Close()
-	return n, err
-}
-
-// Close implements the io.Closer interface.
-func (ws *Conn) Close() error {
-	err := ws.frameHandler.WriteClose(ws.defaultCloseStatus)
-	err1 := ws.rwc.Close()
-	if err != nil {
-		return err
-	}
-	return err1
-}
-
-// IsClientConn reports whether ws is a client-side connection.
-func (ws *Conn) IsClientConn() bool { return ws.request == nil }
-
-// IsServerConn reports whether ws is a server-side connection.
-func (ws *Conn) IsServerConn() bool { return ws.request != nil }
-
-// LocalAddr returns the WebSocket Origin for the connection for client, or
-// the WebSocket location for server.
-func (ws *Conn) LocalAddr() net.Addr {
-	if ws.IsClientConn() {
-		return &Addr{ws.config.Origin}
-	}
-	return &Addr{ws.config.Location}
-}
-
-// RemoteAddr returns the WebSocket location for the connection for client, or
-// the Websocket Origin for server.
-func (ws *Conn) RemoteAddr() net.Addr {
-	if ws.IsClientConn() {
-		return &Addr{ws.config.Location}
-	}
-	return &Addr{ws.config.Origin}
-}
-
-var errSetDeadline = errors.New("websocket: cannot set deadline: not using a net.Conn")
-
-// SetDeadline sets the connection's network read & write deadlines.
-func (ws *Conn) SetDeadline(t time.Time) error {
-	if conn, ok := ws.rwc.(net.Conn); ok {
-		return conn.SetDeadline(t)
-	}
-	return errSetDeadline
-}
-
-// SetReadDeadline sets the connection's network read deadline.
-func (ws *Conn) SetReadDeadline(t time.Time) error {
-	if conn, ok := ws.rwc.(net.Conn); ok {
-		return conn.SetReadDeadline(t)
-	}
-	return errSetDeadline
-}
-
-// SetWriteDeadline sets the connection's network write deadline.
-func (ws *Conn) SetWriteDeadline(t time.Time) error {
-	if conn, ok := ws.rwc.(net.Conn); ok {
-		return conn.SetWriteDeadline(t)
-	}
-	return errSetDeadline
-}
-
-// Config returns the WebSocket config.
-func (ws *Conn) Config() *Config { return ws.config }
-
-// Request returns the http request upgraded to the WebSocket.
-// It is nil for client side.
-func (ws *Conn) Request() *http.Request { return ws.request }
-
-// Codec represents a symmetric pair of functions that implement a codec.
-type Codec struct {
-	Marshal   func(v interface{}) (data []byte, payloadType byte, err error)
-	Unmarshal func(data []byte, payloadType byte, v interface{}) (err error)
-}
-
-// Send sends v marshaled by cd.Marshal as single frame to ws.
-func (cd Codec) Send(ws *Conn, v interface{}) (err error) {
-	data, payloadType, err := cd.Marshal(v)
-	if err != nil {
-		return err
-	}
-	ws.wio.Lock()
-	defer ws.wio.Unlock()
-	w, err := ws.frameWriterFactory.NewFrameWriter(payloadType)
-	if err != nil {
-		return err
-	}
-	_, err = w.Write(data)
-	w.Close()
-	return err
-}
-
-// Receive receives single frame from ws, unmarshaled by cd.Unmarshal and stores
-// in v. The whole frame payload is read to an in-memory buffer; max size of
-// payload is defined by ws.MaxPayloadBytes. If frame payload size exceeds
-// limit, ErrFrameTooLarge is returned; in this case frame is not read off wire
-// completely. The next call to Receive would read and discard leftover data of
-// previous oversized frame before processing next frame.
-func (cd Codec) Receive(ws *Conn, v interface{}) (err error) {
-	ws.rio.Lock()
-	defer ws.rio.Unlock()
-	if ws.frameReader != nil {
-		_, err = io.Copy(io.Discard, ws.frameReader)
-		if err != nil {
-			return err
-		}
-		ws.frameReader = nil
-	}
-again:
-	frame, err := ws.frameReaderFactory.NewFrameReader()
-	if err != nil {
-		return err
-	}
-	frame, err = ws.frameHandler.HandleFrame(frame)
-	if err != nil {
-		return err
-	}
-	if frame == nil {
-		goto again
-	}
-	maxPayloadBytes := ws.MaxPayloadBytes
-	if maxPayloadBytes == 0 {
-		maxPayloadBytes = DefaultMaxPayloadBytes
-	}
-	if hf, ok := frame.(*hybiFrameReader); ok && hf.header.Length > int64(maxPayloadBytes) {
-		// payload size exceeds limit, no need to call Unmarshal
-		//
-		// set frameReader to current oversized frame so that
-		// the next call to this function can drain leftover
-		// data before processing the next frame
-		ws.frameReader = frame
-		return ErrFrameTooLarge
-	}
-	payloadType := frame.PayloadType()
-	data, err := io.ReadAll(frame)
-	if err != nil {
-		return err
-	}
-	return cd.Unmarshal(data, payloadType, v)
-}
-
-func marshal(v interface{}) (msg []byte, payloadType byte, err error) {
-	switch data := v.(type) {
-	case string:
-		return []byte(data), TextFrame, nil
-	case []byte:
-		return data, BinaryFrame, nil
-	}
-	return nil, UnknownFrame, ErrNotSupported
-}
-
-func unmarshal(msg []byte, payloadType byte, v interface{}) (err error) {
-	switch data := v.(type) {
-	case *string:
-		*data = string(msg)
-		return nil
-	case *[]byte:
-		*data = msg
-		return nil
-	}
-	return ErrNotSupported
-}
-
-/*
-Message is a codec to send/receive text/binary data in a frame on WebSocket connection.
-To send/receive text frame, use string type.
-To send/receive binary frame, use []byte type.
-
-Trivial usage:
-
-	import "websocket"
-
-	// receive text frame
-	var message string
-	websocket.Message.Receive(ws, &message)
-
-	// send text frame
-	message = "hello"
-	websocket.Message.Send(ws, message)
-
-	// receive binary frame
-	var data []byte
-	websocket.Message.Receive(ws, &data)
-
-	// send binary frame
-	data = []byte{0, 1, 2}
-	websocket.Message.Send(ws, data)
-*/
-var Message = Codec{marshal, unmarshal}
-
-func jsonMarshal(v interface{}) (msg []byte, payloadType byte, err error) {
-	msg, err = json.Marshal(v)
-	return msg, TextFrame, err
-}
-
-func jsonUnmarshal(msg []byte, payloadType byte, v interface{}) (err error) {
-	return json.Unmarshal(msg, v)
-}
-
-/*
-JSON is a codec to send/receive JSON data in a frame from a WebSocket connection.
-
-Trivial usage:
-
-	import "websocket"
-
-	type T struct {
-		Msg string
-		Count int
-	}
-
-	// receive JSON type T
-	var data T
-	websocket.JSON.Receive(ws, &data)
-
-	// send JSON type T
-	websocket.JSON.Send(ws, data)
-*/
-var JSON = Codec{jsonMarshal, jsonUnmarshal}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/httpstream/doc.go b/vendor/k8s.io/apimachinery/pkg/util/httpstream/doc.go
deleted file mode 100644
index 1da83f14b..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/httpstream/doc.go
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package httpstream adds multiplexed streaming support to HTTP requests and
-// responses via connection upgrades.
-package httpstream
diff --git a/vendor/k8s.io/apimachinery/pkg/util/httpstream/httpstream.go b/vendor/k8s.io/apimachinery/pkg/util/httpstream/httpstream.go
deleted file mode 100644
index 8054b9867..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/httpstream/httpstream.go
+++ /dev/null
@@ -1,189 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package httpstream
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-	"time"
-)
-
-const (
-	HeaderConnection               = "Connection"
-	HeaderUpgrade                  = "Upgrade"
-	HeaderProtocolVersion          = "X-Stream-Protocol-Version"
-	HeaderAcceptedProtocolVersions = "X-Accepted-Stream-Protocol-Versions"
-)
-
-// NewStreamHandler defines a function that is called when a new Stream is
-// received. If no error is returned, the Stream is accepted; otherwise,
-// the stream is rejected. After the reply frame has been sent, replySent is closed.
-type NewStreamHandler func(stream Stream, replySent <-chan struct{}) error
-
-// NoOpNewStreamHandler is a stream handler that accepts a new stream and
-// performs no other logic.
-func NoOpNewStreamHandler(stream Stream, replySent <-chan struct{}) error { return nil }
-
-// Dialer knows how to open a streaming connection to a server.
-type Dialer interface {
-
-	// Dial opens a streaming connection to a server using one of the protocols
-	// specified (in order of most preferred to least preferred).
-	Dial(protocols ...string) (Connection, string, error)
-}
-
-// UpgradeRoundTripper is a type of http.RoundTripper that is able to upgrade
-// HTTP requests to support multiplexed bidirectional streams. After RoundTrip()
-// is invoked, if the upgrade is successful, clients may retrieve the upgraded
-// connection by calling UpgradeRoundTripper.Connection().
-type UpgradeRoundTripper interface {
-	http.RoundTripper
-	// NewConnection validates the response and creates a new Connection.
-	NewConnection(resp *http.Response) (Connection, error)
-}
-
-// ResponseUpgrader knows how to upgrade HTTP requests and responses to
-// add streaming support to them.
-type ResponseUpgrader interface {
-	// UpgradeResponse upgrades an HTTP response to one that supports multiplexed
-	// streams. newStreamHandler will be called asynchronously whenever the
-	// other end of the upgraded connection creates a new stream.
-	UpgradeResponse(w http.ResponseWriter, req *http.Request, newStreamHandler NewStreamHandler) Connection
-}
-
-// Connection represents an upgraded HTTP connection.
-type Connection interface {
-	// CreateStream creates a new Stream with the supplied headers.
-	CreateStream(headers http.Header) (Stream, error)
-	// Close resets all streams and closes the connection.
-	Close() error
-	// CloseChan returns a channel that is closed when the underlying connection is closed.
-	CloseChan() <-chan bool
-	// SetIdleTimeout sets the amount of time the connection may remain idle before
-	// it is automatically closed.
-	SetIdleTimeout(timeout time.Duration)
-	// RemoveStreams can be used to remove a set of streams from the Connection.
-	RemoveStreams(streams ...Stream)
-}
-
-// Stream represents a bidirectional communications channel that is part of an
-// upgraded connection.
-type Stream interface {
-	io.ReadWriteCloser
-	// Reset closes both directions of the stream, indicating that neither client
-	// or server can use it any more.
-	Reset() error
-	// Headers returns the headers used to create the stream.
-	Headers() http.Header
-	// Identifier returns the stream's ID.
-	Identifier() uint32
-}
-
-// UpgradeFailureError encapsulates the cause for why the streaming
-// upgrade request failed. Implements error interface.
-type UpgradeFailureError struct {
-	Cause error
-}
-
-func (u *UpgradeFailureError) Error() string {
-	return fmt.Sprintf("unable to upgrade streaming request: %s", u.Cause)
-}
-
-// IsUpgradeFailure returns true if the passed error is (or wrapped error contains)
-// the UpgradeFailureError.
-func IsUpgradeFailure(err error) bool {
-	if err == nil {
-		return false
-	}
-	var upgradeErr *UpgradeFailureError
-	return errors.As(err, &upgradeErr)
-}
-
-// isHTTPSProxyError returns true if error is Gorilla/Websockets HTTPS Proxy dial error;
-// false otherwise (see https://github.com/kubernetes/kubernetes/issues/126134).
-func IsHTTPSProxyError(err error) bool {
-	if err == nil {
-		return false
-	}
-	return strings.Contains(err.Error(), "proxy: unknown scheme: https")
-}
-
-// IsUpgradeRequest returns true if the given request is a connection upgrade request
-func IsUpgradeRequest(req *http.Request) bool {
-	for _, h := range req.Header[http.CanonicalHeaderKey(HeaderConnection)] {
-		if strings.Contains(strings.ToLower(h), strings.ToLower(HeaderUpgrade)) {
-			return true
-		}
-	}
-	return false
-}
-
-func negotiateProtocol(clientProtocols, serverProtocols []string) string {
-	for i := range clientProtocols {
-		for j := range serverProtocols {
-			if clientProtocols[i] == serverProtocols[j] {
-				return clientProtocols[i]
-			}
-		}
-	}
-	return ""
-}
-
-func commaSeparatedHeaderValues(header []string) []string {
-	var parsedClientProtocols []string
-	for i := range header {
-		for _, clientProtocol := range strings.Split(header[i], ",") {
-			if proto := strings.Trim(clientProtocol, " "); len(proto) > 0 {
-				parsedClientProtocols = append(parsedClientProtocols, proto)
-			}
-		}
-	}
-	return parsedClientProtocols
-}
-
-// Handshake performs a subprotocol negotiation. If the client did request a
-// subprotocol, Handshake will select the first common value found in
-// serverProtocols. If a match is found, Handshake adds a response header
-// indicating the chosen subprotocol. If no match is found, HTTP forbidden is
-// returned, along with a response header containing the list of protocols the
-// server can accept.
-func Handshake(req *http.Request, w http.ResponseWriter, serverProtocols []string) (string, error) {
-	clientProtocols := commaSeparatedHeaderValues(req.Header[http.CanonicalHeaderKey(HeaderProtocolVersion)])
-	if len(clientProtocols) == 0 {
-		return "", fmt.Errorf("unable to upgrade: %s is required", HeaderProtocolVersion)
-	}
-
-	if len(serverProtocols) == 0 {
-		panic(fmt.Errorf("unable to upgrade: serverProtocols is required"))
-	}
-
-	negotiatedProtocol := negotiateProtocol(clientProtocols, serverProtocols)
-	if len(negotiatedProtocol) == 0 {
-		for i := range serverProtocols {
-			w.Header().Add(HeaderAcceptedProtocolVersions, serverProtocols[i])
-		}
-		err := fmt.Errorf("unable to upgrade: unable to negotiate protocol: client supports %v, server accepts %v", clientProtocols, serverProtocols)
-		http.Error(w, err.Error(), http.StatusForbidden)
-		return "", err
-	}
-
-	w.Header().Add(HeaderProtocolVersion, negotiatedProtocol)
-	return negotiatedProtocol, nil
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/connection.go b/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/connection.go
deleted file mode 100644
index d4ceab84f..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/connection.go
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package spdy
-
-import (
-	"net"
-	"net/http"
-	"sync"
-	"time"
-
-	"github.com/moby/spdystream"
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	"k8s.io/klog/v2"
-)
-
-// connection maintains state about a spdystream.Connection and its associated
-// streams.
-type connection struct {
-	conn             *spdystream.Connection
-	streams          map[uint32]httpstream.Stream
-	streamLock       sync.Mutex
-	newStreamHandler httpstream.NewStreamHandler
-	ping             func() (time.Duration, error)
-}
-
-// NewClientConnection creates a new SPDY client connection.
-func NewClientConnection(conn net.Conn) (httpstream.Connection, error) {
-	return NewClientConnectionWithPings(conn, 0)
-}
-
-// NewClientConnectionWithPings creates a new SPDY client connection.
-//
-// If pingPeriod is non-zero, a background goroutine will send periodic Ping
-// frames to the server. Use this to keep idle connections through certain load
-// balancers alive longer.
-func NewClientConnectionWithPings(conn net.Conn, pingPeriod time.Duration) (httpstream.Connection, error) {
-	spdyConn, err := spdystream.NewConnection(conn, false)
-	if err != nil {
-		defer conn.Close()
-		return nil, err
-	}
-
-	return newConnection(spdyConn, httpstream.NoOpNewStreamHandler, pingPeriod, spdyConn.Ping), nil
-}
-
-// NewServerConnection creates a new SPDY server connection. newStreamHandler
-// will be invoked when the server receives a newly created stream from the
-// client.
-func NewServerConnection(conn net.Conn, newStreamHandler httpstream.NewStreamHandler) (httpstream.Connection, error) {
-	return NewServerConnectionWithPings(conn, newStreamHandler, 0)
-}
-
-// NewServerConnectionWithPings creates a new SPDY server connection.
-// newStreamHandler will be invoked when the server receives a newly created
-// stream from the client.
-//
-// If pingPeriod is non-zero, a background goroutine will send periodic Ping
-// frames to the server. Use this to keep idle connections through certain load
-// balancers alive longer.
-func NewServerConnectionWithPings(conn net.Conn, newStreamHandler httpstream.NewStreamHandler, pingPeriod time.Duration) (httpstream.Connection, error) {
-	spdyConn, err := spdystream.NewConnection(conn, true)
-	if err != nil {
-		defer conn.Close()
-		return nil, err
-	}
-
-	return newConnection(spdyConn, newStreamHandler, pingPeriod, spdyConn.Ping), nil
-}
-
-// newConnection returns a new connection wrapping conn. newStreamHandler
-// will be invoked when the server receives a newly created stream from the
-// client.
-func newConnection(conn *spdystream.Connection, newStreamHandler httpstream.NewStreamHandler, pingPeriod time.Duration, pingFn func() (time.Duration, error)) httpstream.Connection {
-	c := &connection{
-		conn:             conn,
-		newStreamHandler: newStreamHandler,
-		ping:             pingFn,
-		streams:          make(map[uint32]httpstream.Stream),
-	}
-	go conn.Serve(c.newSpdyStream)
-	if pingPeriod > 0 && pingFn != nil {
-		go c.sendPings(pingPeriod)
-	}
-	return c
-}
-
-// createStreamResponseTimeout indicates how long to wait for the other side to
-// acknowledge the new stream before timing out.
-const createStreamResponseTimeout = 30 * time.Second
-
-// Close first sends a reset for all of the connection's streams, and then
-// closes the underlying spdystream.Connection.
-func (c *connection) Close() error {
-	c.streamLock.Lock()
-	for _, s := range c.streams {
-		// calling Reset instead of Close ensures that all streams are fully torn down
-		s.Reset()
-	}
-	c.streams = make(map[uint32]httpstream.Stream, 0)
-	c.streamLock.Unlock()
-
-	// now that all streams are fully torn down, it's safe to call close on the underlying connection,
-	// which should be able to terminate immediately at this point, instead of waiting for any
-	// remaining graceful stream termination.
-	return c.conn.Close()
-}
-
-// RemoveStreams can be used to removes a set of streams from the Connection.
-func (c *connection) RemoveStreams(streams ...httpstream.Stream) {
-	c.streamLock.Lock()
-	for _, stream := range streams {
-		// It may be possible that the provided stream is nil if timed out.
-		if stream != nil {
-			delete(c.streams, stream.Identifier())
-		}
-	}
-	c.streamLock.Unlock()
-}
-
-// CreateStream creates a new stream with the specified headers and registers
-// it with the connection.
-func (c *connection) CreateStream(headers http.Header) (httpstream.Stream, error) {
-	stream, err := c.conn.CreateStream(headers, nil, false)
-	if err != nil {
-		return nil, err
-	}
-	if err = stream.WaitTimeout(createStreamResponseTimeout); err != nil {
-		return nil, err
-	}
-
-	c.registerStream(stream)
-	return stream, nil
-}
-
-// registerStream adds the stream s to the connection's list of streams that
-// it owns.
-func (c *connection) registerStream(s httpstream.Stream) {
-	c.streamLock.Lock()
-	c.streams[s.Identifier()] = s
-	c.streamLock.Unlock()
-}
-
-// CloseChan returns a channel that, when closed, indicates that the underlying
-// spdystream.Connection has been closed.
-func (c *connection) CloseChan() <-chan bool {
-	return c.conn.CloseChan()
-}
-
-// newSpdyStream is the internal new stream handler used by spdystream.Connection.Serve.
-// It calls connection's newStreamHandler, giving it the opportunity to accept or reject
-// the stream. If newStreamHandler returns an error, the stream is rejected. If not, the
-// stream is accepted and registered with the connection.
-func (c *connection) newSpdyStream(stream *spdystream.Stream) {
-	replySent := make(chan struct{})
-	err := c.newStreamHandler(stream, replySent)
-	rejectStream := (err != nil)
-	if rejectStream {
-		klog.Warningf("Stream rejected: %v", err)
-		stream.Reset()
-		return
-	}
-
-	c.registerStream(stream)
-	stream.SendReply(http.Header{}, rejectStream)
-	close(replySent)
-}
-
-// SetIdleTimeout sets the amount of time the connection may remain idle before
-// it is automatically closed.
-func (c *connection) SetIdleTimeout(timeout time.Duration) {
-	c.conn.SetIdleTimeout(timeout)
-}
-
-func (c *connection) sendPings(period time.Duration) {
-	t := time.NewTicker(period)
-	defer t.Stop()
-	for {
-		select {
-		case <-c.conn.CloseChan():
-			return
-		case <-t.C:
-		}
-		if _, err := c.ping(); err != nil {
-			klog.V(3).Infof("SPDY Ping failed: %v", err)
-			// Continue, in case this is a transient failure.
-			// c.conn.CloseChan above will tell us when the connection is
-			// actually closed.
-		}
-	}
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go b/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go
deleted file mode 100644
index ed131d112..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go
+++ /dev/null
@@ -1,399 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package spdy
-
-import (
-	"bufio"
-	"context"
-	"crypto/tls"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"strings"
-	"time"
-
-	"golang.org/x/net/proxy"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/serializer"
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	utilnet "k8s.io/apimachinery/pkg/util/net"
-	apiproxy "k8s.io/apimachinery/pkg/util/proxy"
-	"k8s.io/apimachinery/third_party/forked/golang/netutil"
-)
-
-// SpdyRoundTripper knows how to upgrade an HTTP request to one that supports
-// multiplexed streams. After RoundTrip() is invoked, Conn will be set
-// and usable. SpdyRoundTripper implements the UpgradeRoundTripper interface.
-type SpdyRoundTripper struct {
-	//tlsConfig holds the TLS configuration settings to use when connecting
-	//to the remote server.
-	tlsConfig *tls.Config
-
-	/* TODO according to http://golang.org/pkg/net/http/#RoundTripper, a RoundTripper
-	   must be safe for use by multiple concurrent goroutines. If this is absolutely
-	   necessary, we could keep a map from http.Request to net.Conn. In practice,
-	   a client will create an http.Client, set the transport to a new insteace of
-	   SpdyRoundTripper, and use it a single time, so this hopefully won't be an issue.
-	*/
-	// conn is the underlying network connection to the remote server.
-	conn net.Conn
-
-	// Dialer is the dialer used to connect.  Used if non-nil.
-	Dialer *net.Dialer
-
-	// proxier knows which proxy to use given a request, defaults to http.ProxyFromEnvironment
-	// Used primarily for mocking the proxy discovery in tests.
-	proxier func(req *http.Request) (*url.URL, error)
-
-	// pingPeriod is a period for sending Ping frames over established
-	// connections.
-	pingPeriod time.Duration
-
-	// upgradeTransport is an optional substitute for dialing if present. This field is
-	// mutually exclusive with the "tlsConfig", "Dialer", and "proxier".
-	upgradeTransport http.RoundTripper
-}
-
-var _ utilnet.TLSClientConfigHolder = &SpdyRoundTripper{}
-var _ httpstream.UpgradeRoundTripper = &SpdyRoundTripper{}
-var _ utilnet.Dialer = &SpdyRoundTripper{}
-
-// NewRoundTripper creates a new SpdyRoundTripper that will use the specified
-// tlsConfig.
-func NewRoundTripper(tlsConfig *tls.Config) (*SpdyRoundTripper, error) {
-	return NewRoundTripperWithConfig(RoundTripperConfig{
-		TLS:              tlsConfig,
-		UpgradeTransport: nil,
-	})
-}
-
-// NewRoundTripperWithProxy creates a new SpdyRoundTripper that will use the
-// specified tlsConfig and proxy func.
-func NewRoundTripperWithProxy(tlsConfig *tls.Config, proxier func(*http.Request) (*url.URL, error)) (*SpdyRoundTripper, error) {
-	return NewRoundTripperWithConfig(RoundTripperConfig{
-		TLS:              tlsConfig,
-		Proxier:          proxier,
-		UpgradeTransport: nil,
-	})
-}
-
-// NewRoundTripperWithConfig creates a new SpdyRoundTripper with the specified
-// configuration. Returns an error if the SpdyRoundTripper is misconfigured.
-func NewRoundTripperWithConfig(cfg RoundTripperConfig) (*SpdyRoundTripper, error) {
-	// Process UpgradeTransport, which is mutually exclusive to TLSConfig and Proxier.
-	if cfg.UpgradeTransport != nil {
-		if cfg.TLS != nil || cfg.Proxier != nil {
-			return nil, fmt.Errorf("SpdyRoundTripper: UpgradeTransport is mutually exclusive to TLSConfig or Proxier")
-		}
-		tlsConfig, err := utilnet.TLSClientConfig(cfg.UpgradeTransport)
-		if err != nil {
-			return nil, fmt.Errorf("SpdyRoundTripper: Unable to retrieve TLSConfig from  UpgradeTransport: %v", err)
-		}
-		cfg.TLS = tlsConfig
-	}
-	if cfg.Proxier == nil {
-		cfg.Proxier = utilnet.NewProxierWithNoProxyCIDR(http.ProxyFromEnvironment)
-	}
-	return &SpdyRoundTripper{
-		tlsConfig:        cfg.TLS,
-		proxier:          cfg.Proxier,
-		pingPeriod:       cfg.PingPeriod,
-		upgradeTransport: cfg.UpgradeTransport,
-	}, nil
-}
-
-// RoundTripperConfig is a set of options for an SpdyRoundTripper.
-type RoundTripperConfig struct {
-	// TLS configuration used by the round tripper if UpgradeTransport not present.
-	TLS *tls.Config
-	// Proxier is a proxy function invoked on each request. Optional.
-	Proxier func(*http.Request) (*url.URL, error)
-	// PingPeriod is a period for sending SPDY Pings on the connection.
-	// Optional.
-	PingPeriod time.Duration
-	// UpgradeTransport is a subtitute transport used for dialing. If set,
-	// this field will be used instead of "TLS" and "Proxier" for connection creation.
-	// Optional.
-	UpgradeTransport http.RoundTripper
-}
-
-// TLSClientConfig implements pkg/util/net.TLSClientConfigHolder for proper TLS checking during
-// proxying with a spdy roundtripper.
-func (s *SpdyRoundTripper) TLSClientConfig() *tls.Config {
-	return s.tlsConfig
-}
-
-// Dial implements k8s.io/apimachinery/pkg/util/net.Dialer.
-func (s *SpdyRoundTripper) Dial(req *http.Request) (net.Conn, error) {
-	var conn net.Conn
-	var err error
-	if s.upgradeTransport != nil {
-		conn, err = apiproxy.DialURL(req.Context(), req.URL, s.upgradeTransport)
-	} else {
-		conn, err = s.dial(req)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	if err := req.Write(conn); err != nil {
-		conn.Close()
-		return nil, err
-	}
-
-	return conn, nil
-}
-
-// dial dials the host specified by req, using TLS if appropriate, optionally
-// using a proxy server if one is configured via environment variables.
-func (s *SpdyRoundTripper) dial(req *http.Request) (net.Conn, error) {
-	proxyURL, err := s.proxier(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if proxyURL == nil {
-		return s.dialWithoutProxy(req.Context(), req.URL)
-	}
-
-	switch proxyURL.Scheme {
-	case "socks5":
-		return s.dialWithSocks5Proxy(req, proxyURL)
-	case "https", "http", "":
-		return s.dialWithHttpProxy(req, proxyURL)
-	}
-
-	return nil, fmt.Errorf("proxy URL scheme not supported: %s", proxyURL.Scheme)
-}
-
-// dialWithHttpProxy dials the host specified by url through an http or an https proxy.
-func (s *SpdyRoundTripper) dialWithHttpProxy(req *http.Request, proxyURL *url.URL) (net.Conn, error) {
-	// ensure we use a canonical host with proxyReq
-	targetHost := netutil.CanonicalAddr(req.URL)
-
-	// proxying logic adapted from http://blog.h6t.eu/post/74098062923/golang-websocket-with-http-proxy-support
-	proxyReq := http.Request{
-		Method: http.MethodConnect,
-		URL:    &url.URL{},
-		Host:   targetHost,
-	}
-
-	proxyReq = *proxyReq.WithContext(req.Context())
-
-	if pa := s.proxyAuth(proxyURL); pa != "" {
-		proxyReq.Header = http.Header{}
-		proxyReq.Header.Set("Proxy-Authorization", pa)
-	}
-
-	proxyDialConn, err := s.dialWithoutProxy(proxyReq.Context(), proxyURL)
-	if err != nil {
-		return nil, err
-	}
-
-	//nolint:staticcheck // SA1019 ignore deprecated httputil.NewProxyClientConn
-	proxyClientConn := httputil.NewProxyClientConn(proxyDialConn, nil)
-	response, err := proxyClientConn.Do(&proxyReq)
-	//nolint:staticcheck // SA1019 ignore deprecated httputil.ErrPersistEOF: it might be
-	// returned from the invocation of proxyClientConn.Do
-	if err != nil && err != httputil.ErrPersistEOF {
-		return nil, err
-	}
-	if response != nil && response.StatusCode >= 300 || response.StatusCode < 200 {
-		return nil, fmt.Errorf("CONNECT request to %s returned response: %s", proxyURL.Redacted(), response.Status)
-	}
-
-	rwc, _ := proxyClientConn.Hijack()
-
-	if req.URL.Scheme == "https" {
-		return s.tlsConn(proxyReq.Context(), rwc, targetHost)
-	}
-	return rwc, nil
-}
-
-// dialWithSocks5Proxy dials the host specified by url through a socks5 proxy.
-func (s *SpdyRoundTripper) dialWithSocks5Proxy(req *http.Request, proxyURL *url.URL) (net.Conn, error) {
-	// ensure we use a canonical host with proxyReq
-	targetHost := netutil.CanonicalAddr(req.URL)
-	proxyDialAddr := netutil.CanonicalAddr(proxyURL)
-
-	var auth *proxy.Auth
-	if proxyURL.User != nil {
-		pass, _ := proxyURL.User.Password()
-		auth = &proxy.Auth{
-			User:     proxyURL.User.Username(),
-			Password: pass,
-		}
-	}
-
-	dialer := s.Dialer
-	if dialer == nil {
-		dialer = &net.Dialer{
-			Timeout: 30 * time.Second,
-		}
-	}
-
-	proxyDialer, err := proxy.SOCKS5("tcp", proxyDialAddr, auth, dialer)
-	if err != nil {
-		return nil, err
-	}
-
-	// According to the implementation of proxy.SOCKS5, the type assertion will always succeed
-	contextDialer, ok := proxyDialer.(proxy.ContextDialer)
-	if !ok {
-		return nil, errors.New("SOCKS5 Dialer must implement ContextDialer")
-	}
-
-	proxyDialConn, err := contextDialer.DialContext(req.Context(), "tcp", targetHost)
-	if err != nil {
-		return nil, err
-	}
-
-	if req.URL.Scheme == "https" {
-		return s.tlsConn(req.Context(), proxyDialConn, targetHost)
-	}
-	return proxyDialConn, nil
-}
-
-// tlsConn returns a TLS client side connection using rwc as the underlying transport.
-func (s *SpdyRoundTripper) tlsConn(ctx context.Context, rwc net.Conn, targetHost string) (net.Conn, error) {
-
-	host, _, err := net.SplitHostPort(targetHost)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConfig := s.tlsConfig
-	switch {
-	case tlsConfig == nil:
-		tlsConfig = &tls.Config{ServerName: host}
-	case len(tlsConfig.ServerName) == 0:
-		tlsConfig = tlsConfig.Clone()
-		tlsConfig.ServerName = host
-	}
-
-	tlsConn := tls.Client(rwc, tlsConfig)
-
-	if err := tlsConn.HandshakeContext(ctx); err != nil {
-		tlsConn.Close()
-		return nil, err
-	}
-
-	return tlsConn, nil
-}
-
-// dialWithoutProxy dials the host specified by url, using TLS if appropriate.
-func (s *SpdyRoundTripper) dialWithoutProxy(ctx context.Context, url *url.URL) (net.Conn, error) {
-	dialAddr := netutil.CanonicalAddr(url)
-	dialer := s.Dialer
-	if dialer == nil {
-		dialer = &net.Dialer{}
-	}
-
-	if url.Scheme == "http" {
-		return dialer.DialContext(ctx, "tcp", dialAddr)
-	}
-
-	tlsDialer := tls.Dialer{
-		NetDialer: dialer,
-		Config:    s.tlsConfig,
-	}
-	return tlsDialer.DialContext(ctx, "tcp", dialAddr)
-}
-
-// proxyAuth returns, for a given proxy URL, the value to be used for the Proxy-Authorization header
-func (s *SpdyRoundTripper) proxyAuth(proxyURL *url.URL) string {
-	if proxyURL == nil || proxyURL.User == nil {
-		return ""
-	}
-	username := proxyURL.User.Username()
-	password, _ := proxyURL.User.Password()
-	auth := username + ":" + password
-	return "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
-}
-
-// RoundTrip executes the Request and upgrades it. After a successful upgrade,
-// clients may call SpdyRoundTripper.Connection() to retrieve the upgraded
-// connection.
-func (s *SpdyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	req = utilnet.CloneRequest(req)
-	req.Header.Add(httpstream.HeaderConnection, httpstream.HeaderUpgrade)
-	req.Header.Add(httpstream.HeaderUpgrade, HeaderSpdy31)
-
-	conn, err := s.Dial(req)
-	if err != nil {
-		return nil, err
-	}
-
-	responseReader := bufio.NewReader(conn)
-
-	resp, err := http.ReadResponse(responseReader, nil)
-	if err != nil {
-		conn.Close()
-		return nil, err
-	}
-
-	s.conn = conn
-
-	return resp, nil
-}
-
-// NewConnection validates the upgrade response, creating and returning a new
-// httpstream.Connection if there were no errors.
-func (s *SpdyRoundTripper) NewConnection(resp *http.Response) (httpstream.Connection, error) {
-	connectionHeader := strings.ToLower(resp.Header.Get(httpstream.HeaderConnection))
-	upgradeHeader := strings.ToLower(resp.Header.Get(httpstream.HeaderUpgrade))
-	if (resp.StatusCode != http.StatusSwitchingProtocols) || !strings.Contains(connectionHeader, strings.ToLower(httpstream.HeaderUpgrade)) || !strings.Contains(upgradeHeader, strings.ToLower(HeaderSpdy31)) {
-		defer resp.Body.Close()
-		responseError := ""
-		responseErrorBytes, err := io.ReadAll(resp.Body)
-		if err != nil {
-			responseError = "unable to read error from server response"
-		} else {
-			// TODO: I don't belong here, I should be abstracted from this class
-			if obj, _, err := statusCodecs.UniversalDecoder().Decode(responseErrorBytes, nil, &metav1.Status{}); err == nil {
-				if status, ok := obj.(*metav1.Status); ok {
-					return nil, &apierrors.StatusError{ErrStatus: *status}
-				}
-			}
-			responseError = string(responseErrorBytes)
-			responseError = strings.TrimSpace(responseError)
-		}
-
-		return nil, fmt.Errorf("unable to upgrade connection: %s", responseError)
-	}
-
-	return NewClientConnectionWithPings(s.conn, s.pingPeriod)
-}
-
-// statusScheme is private scheme for the decoding here until someone fixes the TODO in NewConnection
-var statusScheme = runtime.NewScheme()
-
-// ParameterCodec knows about query parameters used with the meta v1 API spec.
-var statusCodecs = serializer.NewCodecFactory(statusScheme)
-
-func init() {
-	statusScheme.AddUnversionedTypes(metav1.SchemeGroupVersion,
-		&metav1.Status{},
-	)
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/upgrade.go b/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/upgrade.go
deleted file mode 100644
index d30ae2fa3..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy/upgrade.go
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package spdy
-
-import (
-	"bufio"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"strings"
-	"sync/atomic"
-	"time"
-
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	"k8s.io/apimachinery/pkg/util/runtime"
-)
-
-const HeaderSpdy31 = "SPDY/3.1"
-
-// responseUpgrader knows how to upgrade HTTP responses. It
-// implements the httpstream.ResponseUpgrader interface.
-type responseUpgrader struct {
-	pingPeriod time.Duration
-}
-
-// connWrapper is used to wrap a hijacked connection and its bufio.Reader. All
-// calls will be handled directly by the underlying net.Conn with the exception
-// of Read and Close calls, which will consider data in the bufio.Reader. This
-// ensures that data already inside the used bufio.Reader instance is also
-// read.
-type connWrapper struct {
-	net.Conn
-	closed    int32
-	bufReader *bufio.Reader
-}
-
-func (w *connWrapper) Read(b []byte) (n int, err error) {
-	if atomic.LoadInt32(&w.closed) == 1 {
-		return 0, io.EOF
-	}
-	return w.bufReader.Read(b)
-}
-
-func (w *connWrapper) Close() error {
-	err := w.Conn.Close()
-	atomic.StoreInt32(&w.closed, 1)
-	return err
-}
-
-// NewResponseUpgrader returns a new httpstream.ResponseUpgrader that is
-// capable of upgrading HTTP responses using SPDY/3.1 via the
-// spdystream package.
-func NewResponseUpgrader() httpstream.ResponseUpgrader {
-	return NewResponseUpgraderWithPings(0)
-}
-
-// NewResponseUpgraderWithPings returns a new httpstream.ResponseUpgrader that
-// is capable of upgrading HTTP responses using SPDY/3.1 via the spdystream
-// package.
-//
-// If pingPeriod is non-zero, for each incoming connection a background
-// goroutine will send periodic Ping frames to the server. Use this to keep
-// idle connections through certain load balancers alive longer.
-func NewResponseUpgraderWithPings(pingPeriod time.Duration) httpstream.ResponseUpgrader {
-	return responseUpgrader{pingPeriod: pingPeriod}
-}
-
-// UpgradeResponse upgrades an HTTP response to one that supports multiplexed
-// streams. newStreamHandler will be called synchronously whenever the
-// other end of the upgraded connection creates a new stream.
-func (u responseUpgrader) UpgradeResponse(w http.ResponseWriter, req *http.Request, newStreamHandler httpstream.NewStreamHandler) httpstream.Connection {
-	connectionHeader := strings.ToLower(req.Header.Get(httpstream.HeaderConnection))
-	upgradeHeader := strings.ToLower(req.Header.Get(httpstream.HeaderUpgrade))
-	if !strings.Contains(connectionHeader, strings.ToLower(httpstream.HeaderUpgrade)) || !strings.Contains(upgradeHeader, strings.ToLower(HeaderSpdy31)) {
-		errorMsg := fmt.Sprintf("unable to upgrade: missing upgrade headers in request: %#v", req.Header)
-		http.Error(w, errorMsg, http.StatusBadRequest)
-		return nil
-	}
-
-	hijacker, ok := w.(http.Hijacker)
-	if !ok {
-		errorMsg := "unable to upgrade: unable to hijack response"
-		http.Error(w, errorMsg, http.StatusInternalServerError)
-		return nil
-	}
-
-	w.Header().Add(httpstream.HeaderConnection, httpstream.HeaderUpgrade)
-	w.Header().Add(httpstream.HeaderUpgrade, HeaderSpdy31)
-	w.WriteHeader(http.StatusSwitchingProtocols)
-
-	conn, bufrw, err := hijacker.Hijack()
-	if err != nil {
-		runtime.HandleError(fmt.Errorf("unable to upgrade: error hijacking response: %v", err))
-		return nil
-	}
-
-	connWithBuf := &connWrapper{Conn: conn, bufReader: bufrw.Reader}
-	spdyConn, err := NewServerConnectionWithPings(connWithBuf, newStreamHandler, u.pingPeriod)
-	if err != nil {
-		runtime.HandleError(fmt.Errorf("unable to upgrade: error creating SPDY server connection: %v", err))
-		return nil
-	}
-
-	return spdyConn
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/conn.go b/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/conn.go
deleted file mode 100644
index 2e477fee2..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/conn.go
+++ /dev/null
@@ -1,452 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package wsstream
-
-import (
-	"encoding/base64"
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-	"time"
-
-	"golang.org/x/net/websocket"
-
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	"k8s.io/apimachinery/pkg/util/portforward"
-	"k8s.io/apimachinery/pkg/util/remotecommand"
-	"k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/klog/v2"
-)
-
-const WebSocketProtocolHeader = "Sec-Websocket-Protocol"
-
-// The Websocket subprotocol "channel.k8s.io" prepends each binary message with a byte indicating
-// the channel number (zero indexed) the message was sent on. Messages in both directions should
-// prefix their messages with this channel byte. When used for remote execution, the channel numbers
-// are by convention defined to match the POSIX file-descriptors assigned to STDIN, STDOUT, and STDERR
-// (0, 1, and 2). No other conversion is performed on the raw subprotocol - writes are sent as they
-// are received by the server.
-//
-// Example client session:
-//
-//	CONNECT http://server.com with subprotocol "channel.k8s.io"
-//	WRITE []byte{0, 102, 111, 111, 10} # send "foo\n" on channel 0 (STDIN)
-//	READ  []byte{1, 10}                # receive "\n" on channel 1 (STDOUT)
-//	CLOSE
-const ChannelWebSocketProtocol = "channel.k8s.io"
-
-// The Websocket subprotocol "base64.channel.k8s.io" base64 encodes each message with a character
-// indicating the channel number (zero indexed) the message was sent on. Messages in both directions
-// should prefix their messages with this channel char. When used for remote execution, the channel
-// numbers are by convention defined to match the POSIX file-descriptors assigned to STDIN, STDOUT,
-// and STDERR ('0', '1', and '2'). The data received on the server is base64 decoded (and must be
-// be valid) and data written by the server to the client is base64 encoded.
-//
-// Example client session:
-//
-//	CONNECT http://server.com with subprotocol "base64.channel.k8s.io"
-//	WRITE []byte{48, 90, 109, 57, 118, 67, 103, 111, 61} # send "foo\n" (base64: "Zm9vCgo=") on channel '0' (STDIN)
-//	READ  []byte{49, 67, 103, 61, 61} # receive "\n" (base64: "Cg==") on channel '1' (STDOUT)
-//	CLOSE
-const Base64ChannelWebSocketProtocol = "base64.channel.k8s.io"
-
-type codecType int
-
-const (
-	rawCodec codecType = iota
-	base64Codec
-)
-
-type ChannelType int
-
-const (
-	IgnoreChannel ChannelType = iota
-	ReadChannel
-	WriteChannel
-	ReadWriteChannel
-)
-
-// IsWebSocketRequest returns true if the incoming request contains connection upgrade headers
-// for WebSockets.
-func IsWebSocketRequest(req *http.Request) bool {
-	if !strings.EqualFold(req.Header.Get("Upgrade"), "websocket") {
-		return false
-	}
-	return httpstream.IsUpgradeRequest(req)
-}
-
-// IsWebSocketRequestWithStreamCloseProtocol returns true if the request contains headers
-// identifying that it is requesting a websocket upgrade with a remotecommand protocol
-// version that supports the "CLOSE" signal; false otherwise.
-func IsWebSocketRequestWithStreamCloseProtocol(req *http.Request) bool {
-	if !IsWebSocketRequest(req) {
-		return false
-	}
-	requestedProtocols := strings.TrimSpace(req.Header.Get(WebSocketProtocolHeader))
-	for _, requestedProtocol := range strings.Split(requestedProtocols, ",") {
-		if protocolSupportsStreamClose(strings.TrimSpace(requestedProtocol)) {
-			return true
-		}
-	}
-
-	return false
-}
-
-// IsWebSocketRequestWithTunnelingProtocol returns true if the request contains headers
-// identifying that it is requesting a websocket upgrade with a tunneling protocol;
-// false otherwise.
-func IsWebSocketRequestWithTunnelingProtocol(req *http.Request) bool {
-	if !IsWebSocketRequest(req) {
-		return false
-	}
-	requestedProtocols := strings.TrimSpace(req.Header.Get(WebSocketProtocolHeader))
-	for _, requestedProtocol := range strings.Split(requestedProtocols, ",") {
-		if protocolSupportsWebsocketTunneling(strings.TrimSpace(requestedProtocol)) {
-			return true
-		}
-	}
-
-	return false
-}
-
-// IgnoreReceives reads from a WebSocket until it is closed, then returns. If timeout is set, the
-// read and write deadlines are pushed every time a new message is received.
-func IgnoreReceives(ws *websocket.Conn, timeout time.Duration) {
-	defer runtime.HandleCrash()
-	var data []byte
-	for {
-		resetTimeout(ws, timeout)
-		if err := websocket.Message.Receive(ws, &data); err != nil {
-			return
-		}
-	}
-}
-
-// handshake ensures the provided user protocol matches one of the allowed protocols. It returns
-// no error if no protocol is specified.
-func handshake(config *websocket.Config, req *http.Request, allowed []string) error {
-	protocols := config.Protocol
-	if len(protocols) == 0 {
-		protocols = []string{""}
-	}
-
-	for _, protocol := range protocols {
-		for _, allow := range allowed {
-			if allow == protocol {
-				config.Protocol = []string{protocol}
-				return nil
-			}
-		}
-	}
-
-	return fmt.Errorf("requested protocol(s) are not supported: %v; supports %v", config.Protocol, allowed)
-}
-
-// ChannelProtocolConfig describes a websocket subprotocol with channels.
-type ChannelProtocolConfig struct {
-	Binary   bool
-	Channels []ChannelType
-}
-
-// NewDefaultChannelProtocols returns a channel protocol map with the
-// subprotocols "", "channel.k8s.io", "base64.channel.k8s.io" and the given
-// channels.
-func NewDefaultChannelProtocols(channels []ChannelType) map[string]ChannelProtocolConfig {
-	return map[string]ChannelProtocolConfig{
-		"":                             {Binary: true, Channels: channels},
-		ChannelWebSocketProtocol:       {Binary: true, Channels: channels},
-		Base64ChannelWebSocketProtocol: {Binary: false, Channels: channels},
-	}
-}
-
-// Conn supports sending multiple binary channels over a websocket connection.
-type Conn struct {
-	protocols        map[string]ChannelProtocolConfig
-	selectedProtocol string
-	channels         []*websocketChannel
-	codec            codecType
-	ready            chan struct{}
-	ws               *websocket.Conn
-	timeout          time.Duration
-}
-
-// NewConn creates a WebSocket connection that supports a set of channels. Channels begin each
-// web socket message with a single byte indicating the channel number (0-N). 255 is reserved for
-// future use. The channel types for each channel are passed as an array, supporting the different
-// duplex modes. Read and Write refer to whether the channel can be used as a Reader or Writer.
-//
-// The protocols parameter maps subprotocol names to ChannelProtocols. The empty string subprotocol
-// name is used if websocket.Config.Protocol is empty.
-func NewConn(protocols map[string]ChannelProtocolConfig) *Conn {
-	return &Conn{
-		ready:     make(chan struct{}),
-		protocols: protocols,
-	}
-}
-
-// SetIdleTimeout sets the interval for both reads and writes before timeout. If not specified,
-// there is no timeout on the connection.
-func (conn *Conn) SetIdleTimeout(duration time.Duration) {
-	conn.timeout = duration
-}
-
-// SetWriteDeadline sets a timeout on writing to the websocket connection. The
-// passed "duration" identifies how far into the future the write must complete
-// by before the timeout fires.
-func (conn *Conn) SetWriteDeadline(duration time.Duration) {
-	conn.ws.SetWriteDeadline(time.Now().Add(duration)) //nolint:errcheck
-}
-
-// Open the connection and create channels for reading and writing. It returns
-// the selected subprotocol, a slice of channels and an error.
-func (conn *Conn) Open(w http.ResponseWriter, req *http.Request) (string, []io.ReadWriteCloser, error) {
-	// serveHTTPComplete is channel that is closed/selected when "websocket#ServeHTTP" finishes.
-	serveHTTPComplete := make(chan struct{})
-	// Ensure panic in spawned goroutine is propagated into the parent goroutine.
-	panicChan := make(chan any, 1)
-	go func() {
-		// If websocket server returns, propagate panic if necessary. Otherwise,
-		// signal HTTPServe finished by closing "serveHTTPComplete".
-		defer func() {
-			if p := recover(); p != nil {
-				panicChan <- p
-			} else {
-				close(serveHTTPComplete)
-			}
-		}()
-		websocket.Server{Handshake: conn.handshake, Handler: conn.handle}.ServeHTTP(w, req)
-	}()
-
-	// In normal circumstances, "websocket.Server#ServeHTTP" calls "initialize" which closes
-	// "conn.ready" and then blocks until serving is complete.
-	select {
-	case <-conn.ready:
-		klog.V(8).Infof("websocket server initialized--serving")
-	case <-serveHTTPComplete:
-		// websocket server returned before completing initialization; cleanup and return error.
-		conn.closeNonThreadSafe() //nolint:errcheck
-		return "", nil, fmt.Errorf("websocket server finished before becoming ready")
-	case p := <-panicChan:
-		panic(p)
-	}
-
-	rwc := make([]io.ReadWriteCloser, len(conn.channels))
-	for i := range conn.channels {
-		rwc[i] = conn.channels[i]
-	}
-	return conn.selectedProtocol, rwc, nil
-}
-
-func (conn *Conn) initialize(ws *websocket.Conn) {
-	negotiated := ws.Config().Protocol
-	conn.selectedProtocol = negotiated[0]
-	p := conn.protocols[conn.selectedProtocol]
-	if p.Binary {
-		conn.codec = rawCodec
-	} else {
-		conn.codec = base64Codec
-	}
-	conn.ws = ws
-	conn.channels = make([]*websocketChannel, len(p.Channels))
-	for i, t := range p.Channels {
-		switch t {
-		case ReadChannel:
-			conn.channels[i] = newWebsocketChannel(conn, byte(i), true, false)
-		case WriteChannel:
-			conn.channels[i] = newWebsocketChannel(conn, byte(i), false, true)
-		case ReadWriteChannel:
-			conn.channels[i] = newWebsocketChannel(conn, byte(i), true, true)
-		case IgnoreChannel:
-			conn.channels[i] = newWebsocketChannel(conn, byte(i), false, false)
-		}
-	}
-
-	close(conn.ready)
-}
-
-func (conn *Conn) handshake(config *websocket.Config, req *http.Request) error {
-	supportedProtocols := make([]string, 0, len(conn.protocols))
-	for p := range conn.protocols {
-		supportedProtocols = append(supportedProtocols, p)
-	}
-	return handshake(config, req, supportedProtocols)
-}
-
-func (conn *Conn) resetTimeout() {
-	if conn.timeout > 0 {
-		conn.ws.SetDeadline(time.Now().Add(conn.timeout))
-	}
-}
-
-// closeNonThreadSafe cleans up by closing streams and the websocket
-// connection *without* waiting for the "ready" channel.
-func (conn *Conn) closeNonThreadSafe() error {
-	for _, s := range conn.channels {
-		s.Close()
-	}
-	var err error
-	if conn.ws != nil {
-		err = conn.ws.Close()
-	}
-	return err
-}
-
-// Close is only valid after Open has been called
-func (conn *Conn) Close() error {
-	<-conn.ready
-	return conn.closeNonThreadSafe()
-}
-
-// protocolSupportsStreamClose returns true if the passed protocol
-// supports the stream close signal (currently only V5 remotecommand);
-// false otherwise.
-func protocolSupportsStreamClose(protocol string) bool {
-	return protocol == remotecommand.StreamProtocolV5Name
-}
-
-// protocolSupportsWebsocketTunneling returns true if the passed protocol
-// is a tunneled Kubernetes spdy protocol; false otherwise.
-func protocolSupportsWebsocketTunneling(protocol string) bool {
-	return strings.HasPrefix(protocol, portforward.WebsocketsSPDYTunnelingPrefix) && strings.HasSuffix(protocol, portforward.KubernetesSuffix)
-}
-
-// handle implements a websocket handler.
-func (conn *Conn) handle(ws *websocket.Conn) {
-	conn.initialize(ws)
-	defer conn.Close()
-	supportsStreamClose := protocolSupportsStreamClose(conn.selectedProtocol)
-
-	for {
-		conn.resetTimeout()
-		var data []byte
-		if err := websocket.Message.Receive(ws, &data); err != nil {
-			if err != io.EOF {
-				klog.Errorf("Error on socket receive: %v", err)
-			}
-			break
-		}
-		if len(data) == 0 {
-			continue
-		}
-		if supportsStreamClose && data[0] == remotecommand.StreamClose {
-			if len(data) != 2 {
-				klog.Errorf("Single channel byte should follow stream close signal. Got %d bytes", len(data)-1)
-				break
-			} else {
-				channel := data[1]
-				if int(channel) >= len(conn.channels) {
-					klog.Errorf("Close is targeted for a channel %d that is not valid, possible protocol error", channel)
-					break
-				}
-				klog.V(4).Infof("Received half-close signal from client; close %d stream", channel)
-				conn.channels[channel].Close() // After first Close, other closes are noop.
-			}
-			continue
-		}
-		channel := data[0]
-		if conn.codec == base64Codec {
-			channel = channel - '0'
-		}
-		data = data[1:]
-		if int(channel) >= len(conn.channels) {
-			klog.V(6).Infof("Frame is targeted for a reader %d that is not valid, possible protocol error", channel)
-			continue
-		}
-		if _, err := conn.channels[channel].DataFromSocket(data); err != nil {
-			klog.Errorf("Unable to write frame (%d bytes) to %d: %v", len(data), channel, err)
-			continue
-		}
-	}
-}
-
-// write multiplexes the specified channel onto the websocket
-func (conn *Conn) write(num byte, data []byte) (int, error) {
-	conn.resetTimeout()
-	switch conn.codec {
-	case rawCodec:
-		frame := make([]byte, len(data)+1)
-		frame[0] = num
-		copy(frame[1:], data)
-		if err := websocket.Message.Send(conn.ws, frame); err != nil {
-			return 0, err
-		}
-	case base64Codec:
-		frame := string('0'+num) + base64.StdEncoding.EncodeToString(data)
-		if err := websocket.Message.Send(conn.ws, frame); err != nil {
-			return 0, err
-		}
-	}
-	return len(data), nil
-}
-
-// websocketChannel represents a channel in a connection
-type websocketChannel struct {
-	conn *Conn
-	num  byte
-	r    io.Reader
-	w    io.WriteCloser
-
-	read, write bool
-}
-
-// newWebsocketChannel creates a pipe for writing to a websocket. Do not write to this pipe
-// prior to the connection being opened. It may be no, half, or full duplex depending on
-// read and write.
-func newWebsocketChannel(conn *Conn, num byte, read, write bool) *websocketChannel {
-	r, w := io.Pipe()
-	return &websocketChannel{conn, num, r, w, read, write}
-}
-
-func (p *websocketChannel) Write(data []byte) (int, error) {
-	if !p.write {
-		return len(data), nil
-	}
-	return p.conn.write(p.num, data)
-}
-
-// DataFromSocket is invoked by the connection receiver to move data from the connection
-// into a specific channel.
-func (p *websocketChannel) DataFromSocket(data []byte) (int, error) {
-	if !p.read {
-		return len(data), nil
-	}
-
-	switch p.conn.codec {
-	case rawCodec:
-		return p.w.Write(data)
-	case base64Codec:
-		dst := make([]byte, len(data))
-		n, err := base64.StdEncoding.Decode(dst, data)
-		if err != nil {
-			return 0, err
-		}
-		return p.w.Write(dst[:n])
-	}
-	return 0, nil
-}
-
-func (p *websocketChannel) Read(data []byte) (int, error) {
-	if !p.read {
-		return 0, io.EOF
-	}
-	return p.r.Read(data)
-}
-
-func (p *websocketChannel) Close() error {
-	return p.w.Close()
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/doc.go b/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/doc.go
deleted file mode 100644
index a57e8df60..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/doc.go
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package wsstream contains utilities for streaming content over WebSockets.
-// The Conn type allows callers to multiplex multiple read/write channels over
-// a single websocket.
-//
-// "channel.k8s.io"
-//
-// The Websocket RemoteCommand subprotocol "channel.k8s.io" prepends each binary message with a
-// byte indicating the channel number (zero indexed) the message was sent on. Messages in both
-// directions should prefix their messages with this channel byte. Used for remote execution,
-// the channel numbers are by convention defined to match the POSIX file-descriptors assigned
-// to STDIN, STDOUT, and STDERR (0, 1, and 2). No other conversion is performed on the raw
-// subprotocol - writes are sent as they are received by the server.
-//
-// Example client session:
-//
-//	CONNECT http://server.com with subprotocol "channel.k8s.io"
-//	WRITE []byte{0, 102, 111, 111, 10} # send "foo\n" on channel 0 (STDIN)
-//	READ  []byte{1, 10}                # receive "\n" on channel 1 (STDOUT)
-//	CLOSE
-//
-// "v2.channel.k8s.io"
-//
-// The second Websocket subprotocol version "v2.channel.k8s.io" is the same as version 1,
-// but it is the first "versioned" subprotocol.
-//
-// "v3.channel.k8s.io"
-//
-// The third version of the Websocket RemoteCommand subprotocol adds another channel
-// for terminal resizing events. This channel is prepended with the byte '3', and it
-// transmits two window sizes (encoding TerminalSize struct) with integers in the range
-// (0,65536].
-//
-// "v4.channel.k8s.io"
-//
-// The fourth version of the Websocket RemoteCommand subprotocol adds a channel for
-// errors. This channel returns structured errors containing process exit codes. The
-// error is "apierrors.StatusError{}".
-//
-// "v5.channel.k8s.io"
-//
-// The fifth version of the Websocket RemoteCommand subprotocol adds a CLOSE signal,
-// which is sent as the first byte of the message. The second byte is the channel
-// id. This CLOSE signal is handled by the websocket server by closing the stream,
-// allowing the other streams to complete transmission if necessary, and gracefully
-// shutdown the connection.
-//
-// Example client session:
-//
-//	CONNECT http://server.com with subprotocol "v5.channel.k8s.io"
-//	WRITE []byte{0, 102, 111, 111, 10} # send "foo\n" on channel 0 (STDIN)
-//	WRITE []byte{255, 0}               # send CLOSE signal (STDIN)
-//	CLOSE
-package wsstream
diff --git a/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/stream.go b/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/stream.go
deleted file mode 100644
index ba7e6a519..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/httpstream/wsstream/stream.go
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package wsstream
-
-import (
-	"encoding/base64"
-	"io"
-	"net/http"
-	"sync"
-	"time"
-
-	"golang.org/x/net/websocket"
-
-	"k8s.io/apimachinery/pkg/util/runtime"
-)
-
-// The WebSocket subprotocol "binary.k8s.io" will only send messages to the
-// client and ignore messages sent to the server. The received messages are
-// the exact bytes written to the stream. Zero byte messages are possible.
-const binaryWebSocketProtocol = "binary.k8s.io"
-
-// The WebSocket subprotocol "base64.binary.k8s.io" will only send messages to the
-// client and ignore messages sent to the server. The received messages are
-// a base64 version of the bytes written to the stream. Zero byte messages are
-// possible.
-const base64BinaryWebSocketProtocol = "base64.binary.k8s.io"
-
-// ReaderProtocolConfig describes a websocket subprotocol with one stream.
-type ReaderProtocolConfig struct {
-	Binary bool
-}
-
-// NewDefaultReaderProtocols returns a stream protocol map with the
-// subprotocols "", "channel.k8s.io", "base64.channel.k8s.io".
-func NewDefaultReaderProtocols() map[string]ReaderProtocolConfig {
-	return map[string]ReaderProtocolConfig{
-		"":                            {Binary: true},
-		binaryWebSocketProtocol:       {Binary: true},
-		base64BinaryWebSocketProtocol: {Binary: false},
-	}
-}
-
-// Reader supports returning an arbitrary byte stream over a websocket channel.
-type Reader struct {
-	err              chan error
-	r                io.Reader
-	ping             bool
-	timeout          time.Duration
-	protocols        map[string]ReaderProtocolConfig
-	selectedProtocol string
-
-	handleCrash func(additionalHandlers ...func(interface{})) // overridable for testing
-}
-
-// NewReader creates a WebSocket pipe that will copy the contents of r to a provided
-// WebSocket connection. If ping is true, a zero length message will be sent to the client
-// before the stream begins reading.
-//
-// The protocols parameter maps subprotocol names to StreamProtocols. The empty string
-// subprotocol name is used if websocket.Config.Protocol is empty.
-func NewReader(r io.Reader, ping bool, protocols map[string]ReaderProtocolConfig) *Reader {
-	return &Reader{
-		r:           r,
-		err:         make(chan error),
-		ping:        ping,
-		protocols:   protocols,
-		handleCrash: runtime.HandleCrash,
-	}
-}
-
-// SetIdleTimeout sets the interval for both reads and writes before timeout. If not specified,
-// there is no timeout on the reader.
-func (r *Reader) SetIdleTimeout(duration time.Duration) {
-	r.timeout = duration
-}
-
-func (r *Reader) handshake(config *websocket.Config, req *http.Request) error {
-	supportedProtocols := make([]string, 0, len(r.protocols))
-	for p := range r.protocols {
-		supportedProtocols = append(supportedProtocols, p)
-	}
-	return handshake(config, req, supportedProtocols)
-}
-
-// Copy the reader to the response. The created WebSocket is closed after this
-// method completes.
-func (r *Reader) Copy(w http.ResponseWriter, req *http.Request) error {
-	go func() {
-		defer r.handleCrash()
-		websocket.Server{Handshake: r.handshake, Handler: r.handle}.ServeHTTP(w, req)
-	}()
-	return <-r.err
-}
-
-// handle implements a WebSocket handler.
-func (r *Reader) handle(ws *websocket.Conn) {
-	// Close the connection when the client requests it, or when we finish streaming, whichever happens first
-	closeConnOnce := &sync.Once{}
-	closeConn := func() {
-		closeConnOnce.Do(func() {
-			ws.Close()
-		})
-	}
-
-	negotiated := ws.Config().Protocol
-	r.selectedProtocol = negotiated[0]
-	defer close(r.err)
-	defer closeConn()
-
-	go func() {
-		defer runtime.HandleCrash()
-		// This blocks until the connection is closed.
-		// Client should not send anything.
-		IgnoreReceives(ws, r.timeout)
-		// Once the client closes, we should also close
-		closeConn()
-	}()
-
-	r.err <- messageCopy(ws, r.r, !r.protocols[r.selectedProtocol].Binary, r.ping, r.timeout)
-}
-
-func resetTimeout(ws *websocket.Conn, timeout time.Duration) {
-	if timeout > 0 {
-		ws.SetDeadline(time.Now().Add(timeout))
-	}
-}
-
-func messageCopy(ws *websocket.Conn, r io.Reader, base64Encode, ping bool, timeout time.Duration) error {
-	buf := make([]byte, 2048)
-	if ping {
-		resetTimeout(ws, timeout)
-		if base64Encode {
-			if err := websocket.Message.Send(ws, ""); err != nil {
-				return err
-			}
-		} else {
-			if err := websocket.Message.Send(ws, []byte{}); err != nil {
-				return err
-			}
-		}
-	}
-	for {
-		resetTimeout(ws, timeout)
-		n, err := r.Read(buf)
-		if err != nil {
-			if err == io.EOF {
-				return nil
-			}
-			return err
-		}
-		if n > 0 {
-			if base64Encode {
-				if err := websocket.Message.Send(ws, base64.StdEncoding.EncodeToString(buf[:n])); err != nil {
-					return err
-				}
-			} else {
-				if err := websocket.Message.Send(ws, buf[:n]); err != nil {
-					return err
-				}
-			}
-		}
-	}
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/portforward/constants.go b/vendor/k8s.io/apimachinery/pkg/util/portforward/constants.go
deleted file mode 100644
index 685328815..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/portforward/constants.go
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package portforward
-
-const (
-	PortForwardV1Name                    = "portforward.k8s.io"
-	WebsocketsSPDYTunnelingPrefix        = "SPDY/3.1+"
-	KubernetesSuffix                     = ".k8s.io"
-	WebsocketsSPDYTunnelingPortForwardV1 = WebsocketsSPDYTunnelingPrefix + PortForwardV1Name
-)
diff --git a/vendor/k8s.io/apimachinery/pkg/util/proxy/dial.go b/vendor/k8s.io/apimachinery/pkg/util/proxy/dial.go
deleted file mode 100644
index e5196d1ee..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/proxy/dial.go
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package proxy
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"net"
-	"net/http"
-	"net/url"
-
-	utilnet "k8s.io/apimachinery/pkg/util/net"
-	"k8s.io/apimachinery/third_party/forked/golang/netutil"
-	"k8s.io/klog/v2"
-)
-
-// DialURL will dial the specified URL using the underlying dialer held by the passed
-// RoundTripper. The primary use of this method is to support proxying upgradable connections.
-// For this reason this method will prefer to negotiate http/1.1 if the URL scheme is https.
-// If you wish to ensure ALPN negotiates http2 then set NextProto=[]string{"http2"} in the
-// TLSConfig of the http.Transport
-func DialURL(ctx context.Context, url *url.URL, transport http.RoundTripper) (net.Conn, error) {
-	dialAddr := netutil.CanonicalAddr(url)
-
-	dialer, err := utilnet.DialerFor(transport)
-	if err != nil {
-		klog.V(5).Infof("Unable to unwrap transport %T to get dialer: %v", transport, err)
-	}
-
-	switch url.Scheme {
-	case "http":
-		if dialer != nil {
-			return dialer(ctx, "tcp", dialAddr)
-		}
-		var d net.Dialer
-		return d.DialContext(ctx, "tcp", dialAddr)
-	case "https":
-		// Get the tls config from the transport if we recognize it
-		tlsConfig, err := utilnet.TLSClientConfig(transport)
-		if err != nil {
-			klog.V(5).Infof("Unable to unwrap transport %T to get at TLS config: %v", transport, err)
-		}
-
-		if dialer != nil {
-			// We have a dialer; use it to open the connection, then
-			// create a tls client using the connection.
-			netConn, err := dialer(ctx, "tcp", dialAddr)
-			if err != nil {
-				return nil, err
-			}
-			if tlsConfig == nil {
-				// tls.Client requires non-nil config
-				klog.Warning("using custom dialer with no TLSClientConfig. Defaulting to InsecureSkipVerify")
-				// tls.Handshake() requires ServerName or InsecureSkipVerify
-				tlsConfig = &tls.Config{
-					InsecureSkipVerify: true,
-				}
-			} else if len(tlsConfig.ServerName) == 0 && !tlsConfig.InsecureSkipVerify {
-				// tls.HandshakeContext() requires ServerName or InsecureSkipVerify
-				// infer the ServerName from the hostname we're connecting to.
-				inferredHost := dialAddr
-				if host, _, err := net.SplitHostPort(dialAddr); err == nil {
-					inferredHost = host
-				}
-				// Make a copy to avoid polluting the provided config
-				tlsConfigCopy := tlsConfig.Clone()
-				tlsConfigCopy.ServerName = inferredHost
-				tlsConfig = tlsConfigCopy
-			}
-
-			// Since this method is primarily used within a "Connection: Upgrade" call we assume the caller is
-			// going to write HTTP/1.1 request to the wire. http2 should not be allowed in the TLSConfig.NextProtos,
-			// so we explicitly set that here. We only do this check if the TLSConfig support http/1.1.
-			if supportsHTTP11(tlsConfig.NextProtos) {
-				tlsConfig = tlsConfig.Clone()
-				tlsConfig.NextProtos = []string{"http/1.1"}
-			}
-
-			tlsConn := tls.Client(netConn, tlsConfig)
-			if err := tlsConn.HandshakeContext(ctx); err != nil {
-				netConn.Close()
-				return nil, err
-			}
-			return tlsConn, nil
-		} else {
-			// Dial.
-			tlsDialer := tls.Dialer{
-				Config: tlsConfig,
-			}
-			return tlsDialer.DialContext(ctx, "tcp", dialAddr)
-		}
-	default:
-		return nil, fmt.Errorf("unknown scheme: %s", url.Scheme)
-	}
-}
-
-func supportsHTTP11(nextProtos []string) bool {
-	if len(nextProtos) == 0 {
-		return true
-	}
-	for _, proto := range nextProtos {
-		if proto == "http/1.1" {
-			return true
-		}
-	}
-	return false
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/proxy/doc.go b/vendor/k8s.io/apimachinery/pkg/util/proxy/doc.go
deleted file mode 100644
index ea710f6b1..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/proxy/doc.go
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package proxy provides transport and upgrade support for proxies.
-package proxy
diff --git a/vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go b/vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go
deleted file mode 100644
index 5a2dd6e14..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package proxy
-
-import (
-	"bytes"
-	"compress/flate"
-	"compress/gzip"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"path"
-	"strings"
-
-	"golang.org/x/net/html"
-	"golang.org/x/net/html/atom"
-	"k8s.io/klog/v2"
-
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/util/net"
-	"k8s.io/apimachinery/pkg/util/sets"
-)
-
-// atomsToAttrs states which attributes of which tags require URL substitution.
-// Sources: http://www.w3.org/TR/REC-html40/index/attributes.html
-//
-//	http://www.w3.org/html/wg/drafts/html/master/index.html#attributes-1
-var atomsToAttrs = map[atom.Atom]sets.String{
-	atom.A:          sets.NewString("href"),
-	atom.Applet:     sets.NewString("codebase"),
-	atom.Area:       sets.NewString("href"),
-	atom.Audio:      sets.NewString("src"),
-	atom.Base:       sets.NewString("href"),
-	atom.Blockquote: sets.NewString("cite"),
-	atom.Body:       sets.NewString("background"),
-	atom.Button:     sets.NewString("formaction"),
-	atom.Command:    sets.NewString("icon"),
-	atom.Del:        sets.NewString("cite"),
-	atom.Embed:      sets.NewString("src"),
-	atom.Form:       sets.NewString("action"),
-	atom.Frame:      sets.NewString("longdesc", "src"),
-	atom.Head:       sets.NewString("profile"),
-	atom.Html:       sets.NewString("manifest"),
-	atom.Iframe:     sets.NewString("longdesc", "src"),
-	atom.Img:        sets.NewString("longdesc", "src", "usemap"),
-	atom.Input:      sets.NewString("src", "usemap", "formaction"),
-	atom.Ins:        sets.NewString("cite"),
-	atom.Link:       sets.NewString("href"),
-	atom.Object:     sets.NewString("classid", "codebase", "data", "usemap"),
-	atom.Q:          sets.NewString("cite"),
-	atom.Script:     sets.NewString("src"),
-	atom.Source:     sets.NewString("src"),
-	atom.Video:      sets.NewString("poster", "src"),
-
-	// TODO: css URLs hidden in style elements.
-}
-
-// Transport is a transport for text/html content that replaces URLs in html
-// content with the prefix of the proxy server
-type Transport struct {
-	Scheme      string
-	Host        string
-	PathPrepend string
-
-	http.RoundTripper
-}
-
-// RoundTrip implements the http.RoundTripper interface
-func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
-	// Add reverse proxy headers.
-	forwardedURI := path.Join(t.PathPrepend, req.URL.EscapedPath())
-	if strings.HasSuffix(req.URL.Path, "/") {
-		forwardedURI = forwardedURI + "/"
-	}
-	req.Header.Set("X-Forwarded-Uri", forwardedURI)
-	if len(t.Host) > 0 {
-		req.Header.Set("X-Forwarded-Host", t.Host)
-	}
-	if len(t.Scheme) > 0 {
-		req.Header.Set("X-Forwarded-Proto", t.Scheme)
-	}
-
-	rt := t.RoundTripper
-	if rt == nil {
-		rt = http.DefaultTransport
-	}
-	resp, err := rt.RoundTrip(req)
-
-	if err != nil {
-		return nil, errors.NewServiceUnavailable(fmt.Sprintf("error trying to reach service: %v", err))
-	}
-
-	if redirect := resp.Header.Get("Location"); redirect != "" {
-		targetURL, err := url.Parse(redirect)
-		if err != nil {
-			return nil, errors.NewInternalError(fmt.Errorf("error trying to parse Location header: %v", err))
-		}
-		resp.Header.Set("Location", t.rewriteURL(targetURL, req.URL, req.Host))
-		return resp, nil
-	}
-
-	cType := resp.Header.Get("Content-Type")
-	cType = strings.TrimSpace(strings.SplitN(cType, ";", 2)[0])
-	if cType != "text/html" {
-		// Do nothing, simply pass through
-		return resp, nil
-	}
-
-	return t.rewriteResponse(req, resp)
-}
-
-var _ = net.RoundTripperWrapper(&Transport{})
-
-func (rt *Transport) WrappedRoundTripper() http.RoundTripper {
-	return rt.RoundTripper
-}
-
-// rewriteURL rewrites a single URL to go through the proxy, if the URL refers
-// to the same host as sourceURL, which is the page on which the target URL
-// occurred, or if the URL matches the sourceRequestHost.
-func (t *Transport) rewriteURL(url *url.URL, sourceURL *url.URL, sourceRequestHost string) string {
-	// Example:
-	//      When API server processes a proxy request to a service (e.g. /api/v1/namespace/foo/service/bar/proxy/),
-	//      the sourceURL.Host (i.e. req.URL.Host) is the endpoint IP address of the service. The
-	//      sourceRequestHost (i.e. req.Host) is the Host header that specifies the host on which the
-	//      URL is sought, which can be different from sourceURL.Host. For example, if user sends the
-	//      request through "kubectl proxy" locally (i.e. localhost:8001/api/v1/namespace/foo/service/bar/proxy/),
-	//      sourceRequestHost is "localhost:8001".
-	//
-	//      If the service's response URL contains non-empty host, and url.Host is equal to either sourceURL.Host
-	//      or sourceRequestHost, we should not consider the returned URL to be a completely different host.
-	//      It's the API server's responsibility to rewrite a same-host-and-absolute-path URL and append the
-	//      necessary URL prefix (i.e. /api/v1/namespace/foo/service/bar/proxy/).
-	isDifferentHost := url.Host != "" && url.Host != sourceURL.Host && url.Host != sourceRequestHost
-	isRelative := !strings.HasPrefix(url.Path, "/")
-	if isDifferentHost || isRelative {
-		return url.String()
-	}
-
-	// Do not rewrite scheme and host if the Transport has empty scheme and host
-	// when targetURL already contains the sourceRequestHost
-	if !(url.Host == sourceRequestHost && t.Scheme == "" && t.Host == "") {
-		url.Scheme = t.Scheme
-		url.Host = t.Host
-	}
-
-	origPath := url.Path
-	// Do not rewrite URL if the sourceURL already contains the necessary prefix.
-	if strings.HasPrefix(url.Path, t.PathPrepend) {
-		return url.String()
-	}
-	url.Path = path.Join(t.PathPrepend, url.Path)
-	if strings.HasSuffix(origPath, "/") {
-		// Add back the trailing slash, which was stripped by path.Join().
-		url.Path += "/"
-	}
-
-	return url.String()
-}
-
-// rewriteHTML scans the HTML for tags with url-valued attributes, and updates
-// those values with the urlRewriter function. The updated HTML is output to the
-// writer.
-func rewriteHTML(reader io.Reader, writer io.Writer, urlRewriter func(*url.URL) string) error {
-	// Note: This assumes the content is UTF-8.
-	tokenizer := html.NewTokenizer(reader)
-
-	var err error
-	for err == nil {
-		tokenType := tokenizer.Next()
-		switch tokenType {
-		case html.ErrorToken:
-			err = tokenizer.Err()
-		case html.StartTagToken, html.SelfClosingTagToken:
-			token := tokenizer.Token()
-			if urlAttrs, ok := atomsToAttrs[token.DataAtom]; ok {
-				for i, attr := range token.Attr {
-					if urlAttrs.Has(attr.Key) {
-						url, err := url.Parse(attr.Val)
-						if err != nil {
-							// Do not rewrite the URL if it isn't valid.  It is intended not
-							// to error here to prevent the inability to understand the
-							// content of the body to cause a fatal error.
-							continue
-						}
-						token.Attr[i].Val = urlRewriter(url)
-					}
-				}
-			}
-			_, err = writer.Write([]byte(token.String()))
-		default:
-			_, err = writer.Write(tokenizer.Raw())
-		}
-	}
-	if err != io.EOF {
-		return err
-	}
-	return nil
-}
-
-// rewriteResponse modifies an HTML response by updating absolute links referring
-// to the original host to instead refer to the proxy transport.
-func (t *Transport) rewriteResponse(req *http.Request, resp *http.Response) (*http.Response, error) {
-	origBody := resp.Body
-	defer origBody.Close()
-
-	newContent := &bytes.Buffer{}
-	var reader io.Reader = origBody
-	var writer io.Writer = newContent
-	encoding := resp.Header.Get("Content-Encoding")
-	switch encoding {
-	case "gzip":
-		var err error
-		reader, err = gzip.NewReader(reader)
-		if err != nil {
-			return nil, fmt.Errorf("errorf making gzip reader: %v", err)
-		}
-		gzw := gzip.NewWriter(writer)
-		defer gzw.Close()
-		writer = gzw
-	case "deflate":
-		var err error
-		reader = flate.NewReader(reader)
-		flw, err := flate.NewWriter(writer, flate.BestCompression)
-		if err != nil {
-			return nil, fmt.Errorf("errorf making flate writer: %v", err)
-		}
-		defer func() {
-			flw.Close()
-			flw.Flush()
-		}()
-		writer = flw
-	case "":
-		// This is fine
-	default:
-		// Some encoding we don't understand-- don't try to parse this
-		klog.Errorf("Proxy encountered encoding %v for text/html; can't understand this so not fixing links.", encoding)
-		return resp, nil
-	}
-
-	urlRewriter := func(targetUrl *url.URL) string {
-		return t.rewriteURL(targetUrl, req.URL, req.Host)
-	}
-	err := rewriteHTML(reader, writer, urlRewriter)
-	if err != nil {
-		klog.Errorf("Failed to rewrite URLs: %v", err)
-		return resp, err
-	}
-
-	resp.Body = io.NopCloser(newContent)
-	// Update header node with new content-length
-	// TODO: Remove any hash/signature headers here?
-	resp.Header.Del("Content-Length")
-	resp.ContentLength = int64(newContent.Len())
-
-	return resp, err
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/vendor/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
deleted file mode 100644
index 8c30a366d..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
+++ /dev/null
@@ -1,558 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package proxy
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io"
-	"log"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"os"
-	"strings"
-	"time"
-
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	utilnet "k8s.io/apimachinery/pkg/util/net"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-
-	"github.com/mxk/go-flowrate/flowrate"
-
-	"k8s.io/klog/v2"
-)
-
-// UpgradeRequestRoundTripper provides an additional method to decorate a request
-// with any authentication or other protocol level information prior to performing
-// an upgrade on the server. Any response will be handled by the intercepting
-// proxy.
-type UpgradeRequestRoundTripper interface {
-	http.RoundTripper
-	// WrapRequest takes a valid HTTP request and returns a suitably altered version
-	// of request with any HTTP level values required to complete the request half of
-	// an upgrade on the server. It does not get a chance to see the response and
-	// should bypass any request side logic that expects to see the response.
-	WrapRequest(*http.Request) (*http.Request, error)
-}
-
-// UpgradeAwareHandler is a handler for proxy requests that may require an upgrade
-type UpgradeAwareHandler struct {
-	// UpgradeRequired will reject non-upgrade connections if true.
-	UpgradeRequired bool
-	// Location is the location of the upstream proxy. It is used as the location to Dial on the upstream server
-	// for upgrade requests unless UseRequestLocationOnUpgrade is true.
-	Location *url.URL
-	// AppendLocationPath determines if the original path of the Location should be appended to the upstream proxy request path
-	AppendLocationPath bool
-	// Transport provides an optional round tripper to use to proxy. If nil, the default proxy transport is used
-	Transport http.RoundTripper
-	// UpgradeTransport, if specified, will be used as the backend transport when upgrade requests are provided.
-	// This allows clients to disable HTTP/2.
-	UpgradeTransport UpgradeRequestRoundTripper
-	// WrapTransport indicates whether the provided Transport should be wrapped with default proxy transport behavior (URL rewriting, X-Forwarded-* header setting)
-	WrapTransport bool
-	// UseRequestLocation will use the incoming request URL when talking to the backend server.
-	UseRequestLocation bool
-	// UseLocationHost overrides the HTTP host header in requests to the backend server to use the Host from Location.
-	// This will override the req.Host field of a request, while UseRequestLocation will override the req.URL field
-	// of a request. The req.URL.Host specifies the server to connect to, while the req.Host field
-	// specifies the Host header value to send in the HTTP request. If this is false, the incoming req.Host header will
-	// just be forwarded to the backend server.
-	UseLocationHost bool
-	// FlushInterval controls how often the standard HTTP proxy will flush content from the upstream.
-	FlushInterval time.Duration
-	// MaxBytesPerSec controls the maximum rate for an upstream connection. No rate is imposed if the value is zero.
-	MaxBytesPerSec int64
-	// Responder is passed errors that occur while setting up proxying.
-	Responder ErrorResponder
-	// Reject to forward redirect response
-	RejectForwardingRedirects bool
-}
-
-const defaultFlushInterval = 200 * time.Millisecond
-
-// ErrorResponder abstracts error reporting to the proxy handler to remove the need to hardcode a particular
-// error format.
-type ErrorResponder interface {
-	Error(w http.ResponseWriter, req *http.Request, err error)
-}
-
-// SimpleErrorResponder is the legacy implementation of ErrorResponder for callers that only
-// service a single request/response per proxy.
-type SimpleErrorResponder interface {
-	Error(err error)
-}
-
-func NewErrorResponder(r SimpleErrorResponder) ErrorResponder {
-	return simpleResponder{r}
-}
-
-type simpleResponder struct {
-	responder SimpleErrorResponder
-}
-
-func (r simpleResponder) Error(w http.ResponseWriter, req *http.Request, err error) {
-	r.responder.Error(err)
-}
-
-// upgradeRequestRoundTripper implements proxy.UpgradeRequestRoundTripper.
-type upgradeRequestRoundTripper struct {
-	http.RoundTripper
-	upgrader http.RoundTripper
-}
-
-var (
-	_ UpgradeRequestRoundTripper  = &upgradeRequestRoundTripper{}
-	_ utilnet.RoundTripperWrapper = &upgradeRequestRoundTripper{}
-)
-
-// WrappedRoundTripper returns the round tripper that a caller would use.
-func (rt *upgradeRequestRoundTripper) WrappedRoundTripper() http.RoundTripper {
-	return rt.RoundTripper
-}
-
-// WriteToRequest calls the nested upgrader and then copies the returned request
-// fields onto the passed request.
-func (rt *upgradeRequestRoundTripper) WrapRequest(req *http.Request) (*http.Request, error) {
-	resp, err := rt.upgrader.RoundTrip(req)
-	if err != nil {
-		return nil, err
-	}
-	return resp.Request, nil
-}
-
-// onewayRoundTripper captures the provided request - which is assumed to have
-// been modified by other round trippers - and then returns a fake response.
-type onewayRoundTripper struct{}
-
-// RoundTrip returns a simple 200 OK response that captures the provided request.
-func (onewayRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	return &http.Response{
-		Status:     "200 OK",
-		StatusCode: http.StatusOK,
-		Body:       io.NopCloser(&bytes.Buffer{}),
-		Request:    req,
-	}, nil
-}
-
-// MirrorRequest is a round tripper that can be called to get back the calling request as
-// the core round tripper in a chain.
-var MirrorRequest http.RoundTripper = onewayRoundTripper{}
-
-// NewUpgradeRequestRoundTripper takes two round trippers - one for the underlying TCP connection, and
-// one that is able to write headers to an HTTP request. The request rt is used to set the request headers
-// and that is written to the underlying connection rt.
-func NewUpgradeRequestRoundTripper(connection, request http.RoundTripper) UpgradeRequestRoundTripper {
-	return &upgradeRequestRoundTripper{
-		RoundTripper: connection,
-		upgrader:     request,
-	}
-}
-
-// normalizeLocation returns the result of parsing the full URL, with scheme set to http if missing
-func normalizeLocation(location *url.URL) *url.URL {
-	normalized, _ := url.Parse(location.String())
-	if len(normalized.Scheme) == 0 {
-		normalized.Scheme = "http"
-	}
-	return normalized
-}
-
-// NewUpgradeAwareHandler creates a new proxy handler with a default flush interval. Responder is required for returning
-// errors to the caller.
-func NewUpgradeAwareHandler(location *url.URL, transport http.RoundTripper, wrapTransport, upgradeRequired bool, responder ErrorResponder) *UpgradeAwareHandler {
-	return &UpgradeAwareHandler{
-		Location:        normalizeLocation(location),
-		Transport:       transport,
-		WrapTransport:   wrapTransport,
-		UpgradeRequired: upgradeRequired,
-		FlushInterval:   defaultFlushInterval,
-		Responder:       responder,
-	}
-}
-
-func proxyRedirectsforRootPath(path string, w http.ResponseWriter, req *http.Request) bool {
-	redirect := false
-	method := req.Method
-
-	// From pkg/genericapiserver/endpoints/handlers/proxy.go#ServeHTTP:
-	// Redirect requests with an empty path to a location that ends with a '/'
-	// This is essentially a hack for https://issue.k8s.io/4958.
-	// Note: Keep this code after tryUpgrade to not break that flow.
-	if len(path) == 0 && (method == http.MethodGet || method == http.MethodHead) {
-		var queryPart string
-		if len(req.URL.RawQuery) > 0 {
-			queryPart = "?" + req.URL.RawQuery
-		}
-		w.Header().Set("Location", req.URL.Path+"/"+queryPart)
-		w.WriteHeader(http.StatusMovedPermanently)
-		redirect = true
-	}
-	return redirect
-}
-
-// ServeHTTP handles the proxy request
-func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	if h.tryUpgrade(w, req) {
-		return
-	}
-	if h.UpgradeRequired {
-		h.Responder.Error(w, req, errors.NewBadRequest("Upgrade request required"))
-		return
-	}
-
-	loc := *h.Location
-	loc.RawQuery = req.URL.RawQuery
-
-	// If original request URL ended in '/', append a '/' at the end of the
-	// of the proxy URL
-	if !strings.HasSuffix(loc.Path, "/") && strings.HasSuffix(req.URL.Path, "/") {
-		loc.Path += "/"
-	}
-
-	proxyRedirect := proxyRedirectsforRootPath(loc.Path, w, req)
-	if proxyRedirect {
-		return
-	}
-
-	if h.Transport == nil || h.WrapTransport {
-		h.Transport = h.defaultProxyTransport(req.URL, h.Transport)
-	}
-
-	// WithContext creates a shallow clone of the request with the same context.
-	newReq := req.WithContext(req.Context())
-	newReq.Header = utilnet.CloneHeader(req.Header)
-	if !h.UseRequestLocation {
-		newReq.URL = &loc
-	}
-	if h.UseLocationHost {
-		// exchanging req.Host with the backend location is necessary for backends that act on the HTTP host header (e.g. API gateways),
-		// because req.Host has preference over req.URL.Host in filling this header field
-		newReq.Host = h.Location.Host
-	}
-
-	// create the target location to use for the reverse proxy
-	reverseProxyLocation := &url.URL{Scheme: h.Location.Scheme, Host: h.Location.Host}
-	if h.AppendLocationPath {
-		reverseProxyLocation.Path = h.Location.Path
-	}
-
-	proxy := httputil.NewSingleHostReverseProxy(reverseProxyLocation)
-	proxy.Transport = h.Transport
-	proxy.FlushInterval = h.FlushInterval
-	proxy.ErrorLog = log.New(noSuppressPanicError{}, "", log.LstdFlags)
-	if h.RejectForwardingRedirects {
-		oldModifyResponse := proxy.ModifyResponse
-		proxy.ModifyResponse = func(response *http.Response) error {
-			code := response.StatusCode
-			if code >= 300 && code <= 399 && len(response.Header.Get("Location")) > 0 {
-				// close the original response
-				response.Body.Close()
-				msg := "the backend attempted to redirect this request, which is not permitted"
-				// replace the response
-				*response = http.Response{
-					StatusCode:    http.StatusBadGateway,
-					Status:        fmt.Sprintf("%d %s", response.StatusCode, http.StatusText(response.StatusCode)),
-					Body:          io.NopCloser(strings.NewReader(msg)),
-					ContentLength: int64(len(msg)),
-				}
-			} else {
-				if oldModifyResponse != nil {
-					if err := oldModifyResponse(response); err != nil {
-						return err
-					}
-				}
-			}
-			return nil
-		}
-	}
-	if h.Responder != nil {
-		// if an optional error interceptor/responder was provided wire it
-		// the custom responder might be used for providing a unified error reporting
-		// or supporting retry mechanisms by not sending non-fatal errors to the clients
-		proxy.ErrorHandler = h.Responder.Error
-	}
-	proxy.ServeHTTP(w, newReq)
-}
-
-type noSuppressPanicError struct{}
-
-func (noSuppressPanicError) Write(p []byte) (n int, err error) {
-	// skip "suppressing panic for copyResponse error in test; copy error" error message
-	// that ends up in CI tests on each kube-apiserver termination as noise and
-	// everybody thinks this is fatal.
-	if strings.Contains(string(p), "suppressing panic") {
-		return len(p), nil
-	}
-	return os.Stderr.Write(p)
-}
-
-// tryUpgrade returns true if the request was handled.
-func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Request) bool {
-	if !httpstream.IsUpgradeRequest(req) {
-		klog.V(6).Infof("Request was not an upgrade")
-		return false
-	}
-
-	var (
-		backendConn net.Conn
-		rawResponse []byte
-		err         error
-	)
-
-	location := *h.Location
-	if h.UseRequestLocation {
-		location = *req.URL
-		location.Scheme = h.Location.Scheme
-		location.Host = h.Location.Host
-		if h.AppendLocationPath {
-			location.Path = singleJoiningSlash(h.Location.Path, location.Path)
-		}
-	}
-
-	clone := utilnet.CloneRequest(req)
-	// Only append X-Forwarded-For in the upgrade path, since httputil.NewSingleHostReverseProxy
-	// handles this in the non-upgrade path.
-	utilnet.AppendForwardedForHeader(clone)
-	klog.V(6).Infof("Connecting to backend proxy (direct dial) %s\n  Headers: %v", &location, clone.Header)
-	if h.UseLocationHost {
-		clone.Host = h.Location.Host
-	}
-	clone.URL = &location
-	klog.V(6).Infof("UpgradeAwareProxy: dialing for SPDY upgrade with headers: %v", clone.Header)
-	backendConn, err = h.DialForUpgrade(clone)
-	if err != nil {
-		klog.V(6).Infof("Proxy connection error: %v", err)
-		h.Responder.Error(w, req, err)
-		return true
-	}
-	defer backendConn.Close()
-
-	// determine the http response code from the backend by reading from rawResponse+backendConn
-	backendHTTPResponse, headerBytes, err := getResponse(io.MultiReader(bytes.NewReader(rawResponse), backendConn))
-	if err != nil {
-		klog.V(6).Infof("Proxy connection error: %v", err)
-		h.Responder.Error(w, req, err)
-		return true
-	}
-	if len(headerBytes) > len(rawResponse) {
-		// we read beyond the bytes stored in rawResponse, update rawResponse to the full set of bytes read from the backend
-		rawResponse = headerBytes
-	}
-
-	// If the backend did not upgrade the request, return an error to the client. If the response was
-	// an error, the error is forwarded directly after the connection is hijacked. Otherwise, just
-	// return a generic error here.
-	if backendHTTPResponse.StatusCode != http.StatusSwitchingProtocols && backendHTTPResponse.StatusCode < 400 {
-		err := fmt.Errorf("invalid upgrade response: status code %d", backendHTTPResponse.StatusCode)
-		klog.Errorf("Proxy upgrade error: %v", err)
-		h.Responder.Error(w, req, err)
-		return true
-	}
-
-	// Once the connection is hijacked, the ErrorResponder will no longer work, so
-	// hijacking should be the last step in the upgrade.
-	requestHijacker, ok := w.(http.Hijacker)
-	if !ok {
-		klog.Errorf("Unable to hijack response writer: %T", w)
-		h.Responder.Error(w, req, fmt.Errorf("request connection cannot be hijacked: %T", w))
-		return true
-	}
-	requestHijackedConn, _, err := requestHijacker.Hijack()
-	if err != nil {
-		klog.Errorf("Unable to hijack response: %v", err)
-		h.Responder.Error(w, req, fmt.Errorf("error hijacking connection: %v", err))
-		return true
-	}
-	defer requestHijackedConn.Close()
-
-	if backendHTTPResponse.StatusCode != http.StatusSwitchingProtocols {
-		// If the backend did not upgrade the request, echo the response from the backend to the client and return, closing the connection.
-		klog.V(6).Infof("Proxy upgrade error, status code %d", backendHTTPResponse.StatusCode)
-		// set read/write deadlines
-		deadline := time.Now().Add(10 * time.Second)
-		backendConn.SetReadDeadline(deadline)
-		requestHijackedConn.SetWriteDeadline(deadline)
-		// write the response to the client
-		err := backendHTTPResponse.Write(requestHijackedConn)
-		if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
-			klog.Errorf("Error proxying data from backend to client: %v", err)
-		}
-		// Indicate we handled the request
-		return true
-	}
-
-	// Forward raw response bytes back to client.
-	if len(rawResponse) > 0 {
-		klog.V(6).Infof("Writing %d bytes to hijacked connection", len(rawResponse))
-		if _, err = requestHijackedConn.Write(rawResponse); err != nil {
-			utilruntime.HandleError(fmt.Errorf("Error proxying response from backend to client: %v", err))
-		}
-	}
-
-	// Proxy the connection. This is bidirectional, so we need a goroutine
-	// to copy in each direction. Once one side of the connection exits, we
-	// exit the function which performs cleanup and in the process closes
-	// the other half of the connection in the defer.
-	writerComplete := make(chan struct{})
-	readerComplete := make(chan struct{})
-
-	go func() {
-		var writer io.WriteCloser
-		if h.MaxBytesPerSec > 0 {
-			writer = flowrate.NewWriter(backendConn, h.MaxBytesPerSec)
-		} else {
-			writer = backendConn
-		}
-		_, err := io.Copy(writer, requestHijackedConn)
-		if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
-			klog.Errorf("Error proxying data from client to backend: %v", err)
-		}
-		close(writerComplete)
-	}()
-
-	go func() {
-		var reader io.ReadCloser
-		if h.MaxBytesPerSec > 0 {
-			reader = flowrate.NewReader(backendConn, h.MaxBytesPerSec)
-		} else {
-			reader = backendConn
-		}
-		_, err := io.Copy(requestHijackedConn, reader)
-		if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
-			klog.Errorf("Error proxying data from backend to client: %v", err)
-		}
-		close(readerComplete)
-	}()
-
-	// Wait for one half the connection to exit. Once it does the defer will
-	// clean up the other half of the connection.
-	select {
-	case <-writerComplete:
-	case <-readerComplete:
-	}
-	klog.V(6).Infof("Disconnecting from backend proxy %s\n  Headers: %v", &location, clone.Header)
-
-	return true
-}
-
-// FIXME: Taken from net/http/httputil/reverseproxy.go as singleJoiningSlash is not exported to be re-used.
-// See-also: https://github.com/golang/go/issues/44290
-func singleJoiningSlash(a, b string) string {
-	aslash := strings.HasSuffix(a, "/")
-	bslash := strings.HasPrefix(b, "/")
-	switch {
-	case aslash && bslash:
-		return a + b[1:]
-	case !aslash && !bslash:
-		return a + "/" + b
-	}
-	return a + b
-}
-
-func (h *UpgradeAwareHandler) DialForUpgrade(req *http.Request) (net.Conn, error) {
-	if h.UpgradeTransport == nil {
-		return dial(req, h.Transport)
-	}
-	updatedReq, err := h.UpgradeTransport.WrapRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	return dial(updatedReq, h.UpgradeTransport)
-}
-
-// getResponseCode reads a http response from the given reader, returns the response,
-// the bytes read from the reader, and any error encountered
-func getResponse(r io.Reader) (*http.Response, []byte, error) {
-	rawResponse := bytes.NewBuffer(make([]byte, 0, 256))
-	// Save the bytes read while reading the response headers into the rawResponse buffer
-	resp, err := http.ReadResponse(bufio.NewReader(io.TeeReader(r, rawResponse)), nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	// return the http response and the raw bytes consumed from the reader in the process
-	return resp, rawResponse.Bytes(), nil
-}
-
-// dial dials the backend at req.URL and writes req to it.
-func dial(req *http.Request, transport http.RoundTripper) (net.Conn, error) {
-	conn, err := DialURL(req.Context(), req.URL, transport)
-	if err != nil {
-		return nil, fmt.Errorf("error dialing backend: %v", err)
-	}
-
-	if err = req.Write(conn); err != nil {
-		conn.Close()
-		return nil, fmt.Errorf("error sending request: %v", err)
-	}
-
-	return conn, err
-}
-
-func (h *UpgradeAwareHandler) defaultProxyTransport(url *url.URL, internalTransport http.RoundTripper) http.RoundTripper {
-	scheme := url.Scheme
-	host := url.Host
-	suffix := h.Location.Path
-	if strings.HasSuffix(url.Path, "/") && !strings.HasSuffix(suffix, "/") {
-		suffix += "/"
-	}
-	pathPrepend := strings.TrimSuffix(url.Path, suffix)
-	rewritingTransport := &Transport{
-		Scheme:       scheme,
-		Host:         host,
-		PathPrepend:  pathPrepend,
-		RoundTripper: internalTransport,
-	}
-	return &corsRemovingTransport{
-		RoundTripper: rewritingTransport,
-	}
-}
-
-// corsRemovingTransport is a wrapper for an internal transport. It removes CORS headers
-// from the internal response.
-// Implements pkg/util/net.RoundTripperWrapper
-type corsRemovingTransport struct {
-	http.RoundTripper
-}
-
-var _ = utilnet.RoundTripperWrapper(&corsRemovingTransport{})
-
-func (rt *corsRemovingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	resp, err := rt.RoundTripper.RoundTrip(req)
-	if err != nil {
-		return nil, err
-	}
-	removeCORSHeaders(resp)
-	return resp, nil
-}
-
-func (rt *corsRemovingTransport) WrappedRoundTripper() http.RoundTripper {
-	return rt.RoundTripper
-}
-
-// removeCORSHeaders strip CORS headers sent from the backend
-// This should be called on all responses before returning
-func removeCORSHeaders(resp *http.Response) {
-	resp.Header.Del("Access-Control-Allow-Credentials")
-	resp.Header.Del("Access-Control-Allow-Headers")
-	resp.Header.Del("Access-Control-Allow-Methods")
-	resp.Header.Del("Access-Control-Allow-Origin")
-}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/remotecommand/constants.go b/vendor/k8s.io/apimachinery/pkg/util/remotecommand/constants.go
deleted file mode 100644
index ba153ee24..000000000
--- a/vendor/k8s.io/apimachinery/pkg/util/remotecommand/constants.go
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"time"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-const (
-	DefaultStreamCreationTimeout = 30 * time.Second
-
-	// The SPDY subprotocol "channel.k8s.io" is used for remote command
-	// attachment/execution. This represents the initial unversioned subprotocol,
-	// which has the known bugs https://issues.k8s.io/13394 and
-	// https://issues.k8s.io/13395.
-	StreamProtocolV1Name = "channel.k8s.io"
-
-	// The SPDY subprotocol "v2.channel.k8s.io" is used for remote command
-	// attachment/execution. It is the second version of the subprotocol and
-	// resolves the issues present in the first version.
-	StreamProtocolV2Name = "v2.channel.k8s.io"
-
-	// The SPDY subprotocol "v3.channel.k8s.io" is used for remote command
-	// attachment/execution. It is the third version of the subprotocol and
-	// adds support for resizing container terminals.
-	StreamProtocolV3Name = "v3.channel.k8s.io"
-
-	// The SPDY subprotocol "v4.channel.k8s.io" is used for remote command
-	// attachment/execution. It is the 4th version of the subprotocol and
-	// adds support for exit codes.
-	StreamProtocolV4Name = "v4.channel.k8s.io"
-
-	// The subprotocol "v5.channel.k8s.io" is used for remote command
-	// attachment/execution. It is the 5th version of the subprotocol and
-	// adds support for a CLOSE signal.
-	StreamProtocolV5Name = "v5.channel.k8s.io"
-
-	NonZeroExitCodeReason = metav1.StatusReason("NonZeroExitCode")
-	ExitCodeCauseType     = metav1.CauseType("ExitCode")
-
-	// RemoteCommand stream identifiers. The first three identifiers (for STDIN,
-	// STDOUT, STDERR) are the same as their file descriptors.
-	StreamStdIn  = 0
-	StreamStdOut = 1
-	StreamStdErr = 2
-	StreamErr    = 3
-	StreamResize = 4
-	StreamClose  = 255
-)
-
-var SupportedStreamingProtocols = []string{StreamProtocolV4Name, StreamProtocolV3Name, StreamProtocolV2Name, StreamProtocolV1Name}
diff --git a/vendor/k8s.io/apimachinery/third_party/forked/golang/netutil/addr.go b/vendor/k8s.io/apimachinery/third_party/forked/golang/netutil/addr.go
deleted file mode 100644
index bd26f427e..000000000
--- a/vendor/k8s.io/apimachinery/third_party/forked/golang/netutil/addr.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package netutil
-
-import (
-	"net/url"
-	"strings"
-)
-
-// FROM: http://golang.org/src/net/http/client.go
-// Given a string of the form "host", "host:port", or "[ipv6::address]:port",
-// return true if the string includes a port.
-func hasPort(s string) bool { return strings.LastIndex(s, ":") > strings.LastIndex(s, "]") }
-
-// FROM: http://golang.org/src/net/http/transport.go
-var portMap = map[string]string{
-	"http":   "80",
-	"https":  "443",
-	"socks5": "1080",
-}
-
-// FROM: http://golang.org/src/net/http/transport.go
-// canonicalAddr returns url.Host but always with a ":port" suffix
-func CanonicalAddr(url *url.URL) string {
-	addr := url.Host
-	if !hasPort(addr) {
-		return addr + ":" + portMap[url.Scheme]
-	}
-	return addr
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/OWNERS b/vendor/k8s.io/client-go/tools/remotecommand/OWNERS
deleted file mode 100644
index 307848307..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/OWNERS
+++ /dev/null
@@ -1,10 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-approvers:
-  - aojea
-  - liggitt
-  - seans3
-reviewers:
-  - aojea
-  - liggitt
-  - seans3
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/doc.go b/vendor/k8s.io/client-go/tools/remotecommand/doc.go
deleted file mode 100644
index b9f0db2d9..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/doc.go
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package remotecommand adds support for executing commands in containers,
-// with support for separate stdin, stdout, and stderr streams, as well as
-// TTY.
-package remotecommand
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/errorstream.go b/vendor/k8s.io/client-go/tools/remotecommand/errorstream.go
deleted file mode 100644
index 90bb39b4a..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/errorstream.go
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"fmt"
-	"io"
-
-	"k8s.io/apimachinery/pkg/util/runtime"
-)
-
-// errorStreamDecoder interprets the data on the error channel and creates a go error object from it.
-type errorStreamDecoder interface {
-	decode(message []byte) error
-}
-
-// watchErrorStream watches the errorStream for remote command error data,
-// decodes it with the given errorStreamDecoder, sends the decoded error (or nil if the remote
-// command exited successfully) to the returned error channel, and closes it.
-// This function returns immediately.
-func watchErrorStream(errorStream io.Reader, d errorStreamDecoder) chan error {
-	errorChan := make(chan error)
-
-	go func() {
-		defer runtime.HandleCrash()
-
-		message, err := io.ReadAll(errorStream)
-		switch {
-		case err != nil && err != io.EOF:
-			errorChan <- fmt.Errorf("error reading from error stream: %w", err)
-		case len(message) > 0:
-			errorChan <- d.decode(message)
-		default:
-			errorChan <- nil
-		}
-		close(errorChan)
-	}()
-
-	return errorChan
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/fallback.go b/vendor/k8s.io/client-go/tools/remotecommand/fallback.go
deleted file mode 100644
index 503323080..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/fallback.go
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"context"
-
-	"k8s.io/klog/v2"
-)
-
-var _ Executor = &FallbackExecutor{}
-
-type FallbackExecutor struct {
-	primary        Executor
-	secondary      Executor
-	shouldFallback func(error) bool
-}
-
-// NewFallbackExecutor creates an Executor that first attempts to use the
-// WebSocketExecutor, falling back to the legacy SPDYExecutor if the initial
-// websocket "StreamWithContext" call fails.
-// func NewFallbackExecutor(config *restclient.Config, method string, url *url.URL) (Executor, error) {
-func NewFallbackExecutor(primary, secondary Executor, shouldFallback func(error) bool) (Executor, error) {
-	return &FallbackExecutor{
-		primary:        primary,
-		secondary:      secondary,
-		shouldFallback: shouldFallback,
-	}, nil
-}
-
-// Stream is deprecated. Please use "StreamWithContext".
-func (f *FallbackExecutor) Stream(options StreamOptions) error {
-	return f.StreamWithContext(context.Background(), options)
-}
-
-// StreamWithContext initially attempts to call "StreamWithContext" using the
-// primary executor, falling back to calling the secondary executor if the
-// initial primary call to upgrade to a websocket connection fails.
-func (f *FallbackExecutor) StreamWithContext(ctx context.Context, options StreamOptions) error {
-	err := f.primary.StreamWithContext(ctx, options)
-	if err != nil && f.shouldFallback(err) {
-		klog.V(4).Infof("RemoteCommand fallback: %v", err)
-		return f.secondary.StreamWithContext(ctx, options)
-	}
-	return err
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/reader.go b/vendor/k8s.io/client-go/tools/remotecommand/reader.go
deleted file mode 100644
index d1f1be34c..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/reader.go
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"io"
-)
-
-// readerWrapper delegates to an io.Reader so that only the io.Reader interface is implemented,
-// to keep io.Copy from doing things we don't want when copying from the reader to the data stream.
-//
-// If the Stdin io.Reader provided to remotecommand implements a WriteTo function (like bytes.Buffer does[1]),
-// io.Copy calls that method[2] to attempt to write the entire buffer to the stream in one call.
-// That results in an oversized call to spdystream.Stream#Write [3],
-// which results in a single oversized data frame[4] that is too large.
-//
-// [1] https://golang.org/pkg/bytes/#Buffer.WriteTo
-// [2] https://golang.org/pkg/io/#Copy
-// [3] https://github.com/kubernetes/kubernetes/blob/90295640ef87db9daa0144c5617afe889e7992b2/vendor/github.com/docker/spdystream/stream.go#L66-L73
-// [4] https://github.com/kubernetes/kubernetes/blob/90295640ef87db9daa0144c5617afe889e7992b2/vendor/github.com/docker/spdystream/spdy/write.go#L302-L304
-type readerWrapper struct {
-	reader io.Reader
-}
-
-func (r readerWrapper) Read(p []byte) (int, error) {
-	return r.reader.Read(p)
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/remotecommand.go b/vendor/k8s.io/client-go/tools/remotecommand/remotecommand.go
deleted file mode 100644
index 4cff05cd8..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/remotecommand.go
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"context"
-	"io"
-	"net/http"
-
-	"k8s.io/apimachinery/pkg/util/httpstream"
-)
-
-// StreamOptions holds information pertaining to the current streaming session:
-// input/output streams, if the client is requesting a TTY, and a terminal size queue to
-// support terminal resizing.
-type StreamOptions struct {
-	Stdin             io.Reader
-	Stdout            io.Writer
-	Stderr            io.Writer
-	Tty               bool
-	TerminalSizeQueue TerminalSizeQueue
-}
-
-// Executor is an interface for transporting shell-style streams.
-type Executor interface {
-	// Deprecated: use StreamWithContext instead to avoid possible resource leaks.
-	// See https://github.com/kubernetes/kubernetes/pull/103177 for details.
-	Stream(options StreamOptions) error
-
-	// StreamWithContext initiates the transport of the standard shell streams. It will
-	// transport any non-nil stream to a remote system, and return an error if a problem
-	// occurs. If tty is set, the stderr stream is not used (raw TTY manages stdout and
-	// stderr over the stdout stream).
-	// The context controls the entire lifetime of stream execution.
-	StreamWithContext(ctx context.Context, options StreamOptions) error
-}
-
-type streamCreator interface {
-	CreateStream(headers http.Header) (httpstream.Stream, error)
-}
-
-type streamProtocolHandler interface {
-	stream(conn streamCreator, ready chan<- struct{}) error
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/resize.go b/vendor/k8s.io/client-go/tools/remotecommand/resize.go
deleted file mode 100644
index c838f21ba..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/resize.go
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-// TerminalSize and TerminalSizeQueue was a part of k8s.io/kubernetes/pkg/util/term
-// and were moved in order to decouple client from other term dependencies
-
-// TerminalSize represents the width and height of a terminal.
-type TerminalSize struct {
-	Width  uint16
-	Height uint16
-}
-
-// TerminalSizeQueue is capable of returning terminal resize events as they occur.
-type TerminalSizeQueue interface {
-	// Next returns the new terminal size after the terminal has been resized. It returns nil when
-	// monitoring has been stopped.
-	Next() *TerminalSize
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/spdy.go b/vendor/k8s.io/client-go/tools/remotecommand/spdy.go
deleted file mode 100644
index 34825771a..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/spdy.go
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/url"
-
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	"k8s.io/apimachinery/pkg/util/remotecommand"
-	restclient "k8s.io/client-go/rest"
-	"k8s.io/client-go/transport/spdy"
-	"k8s.io/klog/v2"
-)
-
-// spdyStreamExecutor handles transporting standard shell streams over an httpstream connection.
-type spdyStreamExecutor struct {
-	upgrader  spdy.Upgrader
-	transport http.RoundTripper
-
-	method          string
-	url             *url.URL
-	protocols       []string
-	rejectRedirects bool // if true, receiving redirect from upstream is an error
-}
-
-// NewSPDYExecutor connects to the provided server and upgrades the connection to
-// multiplexed bidirectional streams.
-func NewSPDYExecutor(config *restclient.Config, method string, url *url.URL) (Executor, error) {
-	wrapper, upgradeRoundTripper, err := spdy.RoundTripperFor(config)
-	if err != nil {
-		return nil, err
-	}
-	return NewSPDYExecutorForTransports(wrapper, upgradeRoundTripper, method, url)
-}
-
-// NewSPDYExecutorRejectRedirects returns an Executor that will upgrade the future
-// connection to a SPDY bi-directional streaming connection when calling "Stream" (deprecated)
-// or "StreamWithContext" (preferred). Additionally, if the upstream server returns a redirect
-// during the attempted upgrade in these "Stream" calls, an error is returned.
-func NewSPDYExecutorRejectRedirects(transport http.RoundTripper, upgrader spdy.Upgrader, method string, url *url.URL) (Executor, error) {
-	executor, err := NewSPDYExecutorForTransports(transport, upgrader, method, url)
-	if err != nil {
-		return nil, err
-	}
-	spdyExecutor := executor.(*spdyStreamExecutor)
-	spdyExecutor.rejectRedirects = true
-	return spdyExecutor, nil
-}
-
-// NewSPDYExecutorForTransports connects to the provided server using the given transport,
-// upgrades the response using the given upgrader to multiplexed bidirectional streams.
-func NewSPDYExecutorForTransports(transport http.RoundTripper, upgrader spdy.Upgrader, method string, url *url.URL) (Executor, error) {
-	return NewSPDYExecutorForProtocols(
-		transport, upgrader, method, url,
-		remotecommand.StreamProtocolV5Name,
-		remotecommand.StreamProtocolV4Name,
-		remotecommand.StreamProtocolV3Name,
-		remotecommand.StreamProtocolV2Name,
-		remotecommand.StreamProtocolV1Name,
-	)
-}
-
-// NewSPDYExecutorForProtocols connects to the provided server and upgrades the connection to
-// multiplexed bidirectional streams using only the provided protocols. Exposed for testing, most
-// callers should use NewSPDYExecutor or NewSPDYExecutorForTransports.
-func NewSPDYExecutorForProtocols(transport http.RoundTripper, upgrader spdy.Upgrader, method string, url *url.URL, protocols ...string) (Executor, error) {
-	return &spdyStreamExecutor{
-		upgrader:  upgrader,
-		transport: transport,
-		method:    method,
-		url:       url,
-		protocols: protocols,
-	}, nil
-}
-
-// Stream opens a protocol streamer to the server and streams until a client closes
-// the connection or the server disconnects.
-func (e *spdyStreamExecutor) Stream(options StreamOptions) error {
-	return e.StreamWithContext(context.Background(), options)
-}
-
-// newConnectionAndStream creates a new SPDY connection and a stream protocol handler upon it.
-func (e *spdyStreamExecutor) newConnectionAndStream(ctx context.Context, options StreamOptions) (httpstream.Connection, streamProtocolHandler, error) {
-	req, err := http.NewRequestWithContext(ctx, e.method, e.url.String(), nil)
-	if err != nil {
-		return nil, nil, fmt.Errorf("error creating request: %v", err)
-	}
-
-	client := http.Client{Transport: e.transport}
-	if e.rejectRedirects {
-		client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
-			return fmt.Errorf("redirect not allowed")
-		}
-	}
-	conn, protocol, err := spdy.Negotiate(
-		e.upgrader,
-		&client,
-		req,
-		e.protocols...,
-	)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	var streamer streamProtocolHandler
-
-	switch protocol {
-	case remotecommand.StreamProtocolV5Name:
-		streamer = newStreamProtocolV5(options)
-	case remotecommand.StreamProtocolV4Name:
-		streamer = newStreamProtocolV4(options)
-	case remotecommand.StreamProtocolV3Name:
-		streamer = newStreamProtocolV3(options)
-	case remotecommand.StreamProtocolV2Name:
-		streamer = newStreamProtocolV2(options)
-	case "":
-		klog.V(4).Infof("The server did not negotiate a streaming protocol version. Falling back to %s", remotecommand.StreamProtocolV1Name)
-		fallthrough
-	case remotecommand.StreamProtocolV1Name:
-		streamer = newStreamProtocolV1(options)
-	}
-
-	return conn, streamer, nil
-}
-
-// StreamWithContext opens a protocol streamer to the server and streams until a client closes
-// the connection or the server disconnects or the context is done.
-func (e *spdyStreamExecutor) StreamWithContext(ctx context.Context, options StreamOptions) error {
-	conn, streamer, err := e.newConnectionAndStream(ctx, options)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	panicChan := make(chan any, 1)
-	errorChan := make(chan error, 1)
-	go func() {
-		defer func() {
-			if p := recover(); p != nil {
-				panicChan <- p
-			}
-		}()
-
-		// The SPDY executor does not need to synchronize stream creation, so we pass a nil
-		// ready channel. The underlying spdystream library handles stream multiplexing
-		// without a race condition.
-		errorChan <- streamer.stream(conn, nil)
-	}()
-
-	select {
-	case p := <-panicChan:
-		panic(p)
-	case err := <-errorChan:
-		return err
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/v1.go b/vendor/k8s.io/client-go/tools/remotecommand/v1.go
deleted file mode 100644
index 293d809dd..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/v1.go
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-
-	"k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	"k8s.io/klog/v2"
-)
-
-// streamProtocolV1 implements the first version of the streaming exec & attach
-// protocol. This version has some bugs, such as not being able to detect when
-// non-interactive stdin data has ended. See https://issues.k8s.io/13394 and
-// https://issues.k8s.io/13395 for more details.
-type streamProtocolV1 struct {
-	StreamOptions
-
-	errorStream  httpstream.Stream
-	remoteStdin  httpstream.Stream
-	remoteStdout httpstream.Stream
-	remoteStderr httpstream.Stream
-}
-
-var _ streamProtocolHandler = &streamProtocolV1{}
-
-func newStreamProtocolV1(options StreamOptions) streamProtocolHandler {
-	return &streamProtocolV1{
-		StreamOptions: options,
-	}
-}
-
-func (p *streamProtocolV1) stream(conn streamCreator, ready chan<- struct{}) error {
-	doneChan := make(chan struct{}, 2)
-	errorChan := make(chan error)
-
-	cp := func(s string, dst io.Writer, src io.Reader) {
-		klog.V(6).Infof("Copying %s", s)
-		defer klog.V(6).Infof("Done copying %s", s)
-		if _, err := io.Copy(dst, src); err != nil && err != io.EOF {
-			klog.Errorf("Error copying %s: %v", s, err)
-		}
-		if s == v1.StreamTypeStdout || s == v1.StreamTypeStderr {
-			doneChan <- struct{}{}
-		}
-	}
-
-	// set up all the streams first
-	var err error
-	headers := http.Header{}
-	headers.Set(v1.StreamType, v1.StreamTypeError)
-	p.errorStream, err = conn.CreateStream(headers)
-	if err != nil {
-		return err
-	}
-	defer p.errorStream.Reset()
-
-	// Create all the streams first, then start the copy goroutines. The server doesn't start its copy
-	// goroutines until it's received all of the streams. If the client creates the stdin stream and
-	// immediately begins copying stdin data to the server, it's possible to overwhelm and wedge the
-	// spdy frame handler in the server so that it is full of unprocessed frames. The frames aren't
-	// getting processed because the server hasn't started its copying, and it won't do that until it
-	// gets all the streams. By creating all the streams first, we ensure that the server is ready to
-	// process data before the client starts sending any. See https://issues.k8s.io/16373 for more info.
-	if p.Stdin != nil {
-		headers.Set(v1.StreamType, v1.StreamTypeStdin)
-		p.remoteStdin, err = conn.CreateStream(headers)
-		if err != nil {
-			return err
-		}
-		defer p.remoteStdin.Reset()
-	}
-
-	if p.Stdout != nil {
-		headers.Set(v1.StreamType, v1.StreamTypeStdout)
-		p.remoteStdout, err = conn.CreateStream(headers)
-		if err != nil {
-			return err
-		}
-		defer p.remoteStdout.Reset()
-	}
-
-	if p.Stderr != nil && !p.Tty {
-		headers.Set(v1.StreamType, v1.StreamTypeStderr)
-		p.remoteStderr, err = conn.CreateStream(headers)
-		if err != nil {
-			return err
-		}
-		defer p.remoteStderr.Reset()
-	}
-
-	// Signal that all streams have been created.
-	if ready != nil {
-		close(ready)
-	}
-
-	// now that all the streams have been created, proceed with reading & copying
-
-	// always read from errorStream
-	go func() {
-		message, err := io.ReadAll(p.errorStream)
-		if err != nil && err != io.EOF {
-			errorChan <- fmt.Errorf("Error reading from error stream: %s", err)
-			return
-		}
-		if len(message) > 0 {
-			errorChan <- fmt.Errorf("Error executing remote command: %s", message)
-			return
-		}
-	}()
-
-	if p.Stdin != nil {
-		// TODO this goroutine will never exit cleanly (the io.Copy never unblocks)
-		// because stdin is not closed until the process exits. If we try to call
-		// stdin.Close(), it returns no error but doesn't unblock the copy. It will
-		// exit when the process exits, instead.
-		go cp(v1.StreamTypeStdin, p.remoteStdin, readerWrapper{p.Stdin})
-	}
-
-	waitCount := 0
-	completedStreams := 0
-
-	if p.Stdout != nil {
-		waitCount++
-		go cp(v1.StreamTypeStdout, p.Stdout, p.remoteStdout)
-	}
-
-	if p.Stderr != nil && !p.Tty {
-		waitCount++
-		go cp(v1.StreamTypeStderr, p.Stderr, p.remoteStderr)
-	}
-
-Loop:
-	for {
-		select {
-		case <-doneChan:
-			completedStreams++
-			if completedStreams == waitCount {
-				break Loop
-			}
-		case err := <-errorChan:
-			return err
-		}
-	}
-
-	return nil
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/v2.go b/vendor/k8s.io/client-go/tools/remotecommand/v2.go
deleted file mode 100644
index a81538a09..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/v2.go
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-	"sync"
-
-	"k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/util/runtime"
-)
-
-// streamProtocolV2 implements version 2 of the streaming protocol for attach
-// and exec. The original streaming protocol was metav1. As a result, this
-// version is referred to as version 2, even though it is the first actual
-// numbered version.
-type streamProtocolV2 struct {
-	StreamOptions
-
-	errorStream  io.Reader
-	remoteStdin  io.ReadWriteCloser
-	remoteStdout io.Reader
-	remoteStderr io.Reader
-}
-
-var _ streamProtocolHandler = &streamProtocolV2{}
-
-func newStreamProtocolV2(options StreamOptions) streamProtocolHandler {
-	return &streamProtocolV2{
-		StreamOptions: options,
-	}
-}
-
-func (p *streamProtocolV2) createStreams(conn streamCreator) error {
-	var err error
-	headers := http.Header{}
-
-	// set up error stream
-	headers.Set(v1.StreamType, v1.StreamTypeError)
-	p.errorStream, err = conn.CreateStream(headers)
-	if err != nil {
-		return err
-	}
-
-	// set up stdin stream
-	if p.Stdin != nil {
-		headers.Set(v1.StreamType, v1.StreamTypeStdin)
-		p.remoteStdin, err = conn.CreateStream(headers)
-		if err != nil {
-			return err
-		}
-	}
-
-	// set up stdout stream
-	if p.Stdout != nil {
-		headers.Set(v1.StreamType, v1.StreamTypeStdout)
-		p.remoteStdout, err = conn.CreateStream(headers)
-		if err != nil {
-			return err
-		}
-	}
-
-	// set up stderr stream
-	if p.Stderr != nil && !p.Tty {
-		headers.Set(v1.StreamType, v1.StreamTypeStderr)
-		p.remoteStderr, err = conn.CreateStream(headers)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (p *streamProtocolV2) copyStdin() {
-	if p.Stdin != nil {
-		var once sync.Once
-
-		// copy from client's stdin to container's stdin
-		go func() {
-			defer runtime.HandleCrash()
-
-			// if p.stdin is noninteractive, p.g. `echo abc | kubectl exec -i <pod> -- cat`, make sure
-			// we close remoteStdin as soon as the copy from p.stdin to remoteStdin finishes. Otherwise
-			// the executed command will remain running.
-			defer once.Do(func() { p.remoteStdin.Close() })
-
-			if _, err := io.Copy(p.remoteStdin, readerWrapper{p.Stdin}); err != nil {
-				runtime.HandleError(err)
-			}
-		}()
-
-		// read from remoteStdin until the stream is closed. this is essential to
-		// be able to exit interactive sessions cleanly and not leak goroutines or
-		// hang the client's terminal.
-		//
-		// TODO we aren't using go-dockerclient any more; revisit this to determine if it's still
-		// required by engine-api.
-		//
-		// go-dockerclient's current hijack implementation
-		// (https://github.com/fsouza/go-dockerclient/blob/89f3d56d93788dfe85f864a44f85d9738fca0670/client.go#L564)
-		// waits for all three streams (stdin/stdout/stderr) to finish copying
-		// before returning. When hijack finishes copying stdout/stderr, it calls
-		// Close() on its side of remoteStdin, which allows this copy to complete.
-		// When that happens, we must Close() on our side of remoteStdin, to
-		// allow the copy in hijack to complete, and hijack to return.
-		go func() {
-			defer runtime.HandleCrash()
-			defer once.Do(func() { p.remoteStdin.Close() })
-
-			// this "copy" doesn't actually read anything - it's just here to wait for
-			// the server to close remoteStdin.
-			if _, err := io.Copy(io.Discard, p.remoteStdin); err != nil {
-				runtime.HandleError(err)
-			}
-		}()
-	}
-}
-
-func (p *streamProtocolV2) copyStdout(wg *sync.WaitGroup) {
-	if p.Stdout == nil {
-		return
-	}
-
-	wg.Add(1)
-	go func() {
-		defer runtime.HandleCrash()
-		defer wg.Done()
-		// make sure, packet in queue can be consumed.
-		// block in queue may lead to deadlock in conn.server
-		// issue: https://github.com/kubernetes/kubernetes/issues/96339
-		defer io.Copy(io.Discard, p.remoteStdout)
-
-		if _, err := io.Copy(p.Stdout, p.remoteStdout); err != nil {
-			runtime.HandleError(err)
-		}
-	}()
-}
-
-func (p *streamProtocolV2) copyStderr(wg *sync.WaitGroup) {
-	if p.Stderr == nil || p.Tty {
-		return
-	}
-
-	wg.Add(1)
-	go func() {
-		defer runtime.HandleCrash()
-		defer wg.Done()
-		defer io.Copy(io.Discard, p.remoteStderr)
-
-		if _, err := io.Copy(p.Stderr, p.remoteStderr); err != nil {
-			runtime.HandleError(err)
-		}
-	}()
-}
-
-func (p *streamProtocolV2) stream(conn streamCreator, ready chan<- struct{}) error {
-	if err := p.createStreams(conn); err != nil {
-		return err
-	}
-
-	// Signal that all streams have been created.
-	if ready != nil {
-		close(ready)
-	}
-
-	// now that all the streams have been created, proceed with reading & copying
-
-	errorChan := watchErrorStream(p.errorStream, &errorDecoderV2{})
-
-	p.copyStdin()
-
-	var wg sync.WaitGroup
-	p.copyStdout(&wg)
-	p.copyStderr(&wg)
-
-	// we're waiting for stdout/stderr to finish copying
-	wg.Wait()
-
-	// waits for errorStream to finish reading with an error or nil
-	return <-errorChan
-}
-
-// errorDecoderV2 interprets the error channel data as plain text.
-type errorDecoderV2 struct{}
-
-func (d *errorDecoderV2) decode(message []byte) error {
-	return fmt.Errorf("error executing remote command: %s", message)
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/v3.go b/vendor/k8s.io/client-go/tools/remotecommand/v3.go
deleted file mode 100644
index ece4cfafe..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/v3.go
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"encoding/json"
-	"io"
-	"net/http"
-	"sync"
-
-	"k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/util/runtime"
-)
-
-// streamProtocolV3 implements version 3 of the streaming protocol for attach
-// and exec. This version adds support for resizing the container's terminal.
-type streamProtocolV3 struct {
-	*streamProtocolV2
-
-	resizeStream io.Writer
-}
-
-var _ streamProtocolHandler = &streamProtocolV3{}
-
-func newStreamProtocolV3(options StreamOptions) streamProtocolHandler {
-	return &streamProtocolV3{
-		streamProtocolV2: newStreamProtocolV2(options).(*streamProtocolV2),
-	}
-}
-
-func (p *streamProtocolV3) createStreams(conn streamCreator) error {
-	// set up the streams from v2
-	if err := p.streamProtocolV2.createStreams(conn); err != nil {
-		return err
-	}
-
-	// set up resize stream
-	if p.Tty {
-		headers := http.Header{}
-		headers.Set(v1.StreamType, v1.StreamTypeResize)
-		var err error
-		p.resizeStream, err = conn.CreateStream(headers)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (p *streamProtocolV3) handleResizes() {
-	if p.resizeStream == nil || p.TerminalSizeQueue == nil {
-		return
-	}
-	go func() {
-		defer runtime.HandleCrash()
-
-		encoder := json.NewEncoder(p.resizeStream)
-		for {
-			size := p.TerminalSizeQueue.Next()
-			if size == nil {
-				return
-			}
-			if err := encoder.Encode(&size); err != nil {
-				runtime.HandleError(err)
-			}
-		}
-	}()
-}
-
-func (p *streamProtocolV3) stream(conn streamCreator, ready chan<- struct{}) error {
-	if err := p.createStreams(conn); err != nil {
-		return err
-	}
-
-	// Signal that all streams have been created.
-	if ready != nil {
-		close(ready)
-	}
-
-	// now that all the streams have been created, proceed with reading & copying
-
-	errorChan := watchErrorStream(p.errorStream, &errorDecoderV3{})
-
-	p.handleResizes()
-
-	p.copyStdin()
-
-	var wg sync.WaitGroup
-	p.copyStdout(&wg)
-	p.copyStderr(&wg)
-
-	// we're waiting for stdout/stderr to finish copying
-	wg.Wait()
-
-	// waits for errorStream to finish reading with an error or nil
-	return <-errorChan
-}
-
-type errorDecoderV3 struct {
-	errorDecoderV2
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/v4.go b/vendor/k8s.io/client-go/tools/remotecommand/v4.go
deleted file mode 100644
index ecedad071..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/v4.go
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strconv"
-	"sync"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/remotecommand"
-	"k8s.io/client-go/util/exec"
-)
-
-// streamProtocolV4 implements version 4 of the streaming protocol for attach
-// and exec. This version adds support for exit codes on the error stream through
-// the use of metav1.Status instead of plain text messages.
-type streamProtocolV4 struct {
-	*streamProtocolV3
-}
-
-var _ streamProtocolHandler = &streamProtocolV4{}
-
-func newStreamProtocolV4(options StreamOptions) streamProtocolHandler {
-	return &streamProtocolV4{
-		streamProtocolV3: newStreamProtocolV3(options).(*streamProtocolV3),
-	}
-}
-
-func (p *streamProtocolV4) createStreams(conn streamCreator) error {
-	return p.streamProtocolV3.createStreams(conn)
-}
-
-func (p *streamProtocolV4) handleResizes() {
-	p.streamProtocolV3.handleResizes()
-}
-
-func (p *streamProtocolV4) stream(conn streamCreator, ready chan<- struct{}) error {
-	if err := p.createStreams(conn); err != nil {
-		return err
-	}
-
-	// Signal that all streams have been created.
-	if ready != nil {
-		close(ready)
-	}
-
-	// now that all the streams have been created, proceed with reading & copying
-
-	errorChan := watchErrorStream(p.errorStream, &errorDecoderV4{})
-
-	p.handleResizes()
-
-	p.copyStdin()
-
-	var wg sync.WaitGroup
-	p.copyStdout(&wg)
-	p.copyStderr(&wg)
-
-	// we're waiting for stdout/stderr to finish copying
-	wg.Wait()
-
-	// waits for errorStream to finish reading with an error or nil
-	return <-errorChan
-}
-
-// errorDecoderV4 interprets the json-marshaled metav1.Status on the error channel
-// and creates an exec.ExitError from it.
-type errorDecoderV4 struct{}
-
-func (d *errorDecoderV4) decode(message []byte) error {
-	status := metav1.Status{}
-	err := json.Unmarshal(message, &status)
-	if err != nil {
-		return fmt.Errorf("error stream protocol error: %v in %q", err, string(message))
-	}
-	switch status.Status {
-	case metav1.StatusSuccess:
-		return nil
-	case metav1.StatusFailure:
-		if status.Reason == remotecommand.NonZeroExitCodeReason {
-			if status.Details == nil {
-				return errors.New("error stream protocol error: details must be set")
-			}
-			for i := range status.Details.Causes {
-				c := &status.Details.Causes[i]
-				if c.Type != remotecommand.ExitCodeCauseType {
-					continue
-				}
-
-				rc, err := strconv.ParseUint(c.Message, 10, 8)
-				if err != nil {
-					return fmt.Errorf("error stream protocol error: invalid exit code value %q", c.Message)
-				}
-				return exec.CodeExitError{
-					Err:  fmt.Errorf("command terminated with exit code %d", rc),
-					Code: int(rc),
-				}
-			}
-
-			return fmt.Errorf("error stream protocol error: no %s cause given", remotecommand.ExitCodeCauseType)
-		}
-	default:
-		return errors.New("error stream protocol error: unknown error")
-	}
-
-	return errors.New(status.Message)
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/v5.go b/vendor/k8s.io/client-go/tools/remotecommand/v5.go
deleted file mode 100644
index edfd3ccb2..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/v5.go
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-// streamProtocolV5 add support for V5 of the remote command subprotocol.
-// For the streamProtocolHandler, this version is the same as V4.
-type streamProtocolV5 struct {
-	*streamProtocolV4
-}
-
-var _ streamProtocolHandler = &streamProtocolV5{}
-
-func newStreamProtocolV5(options StreamOptions) streamProtocolHandler {
-	return &streamProtocolV5{
-		streamProtocolV4: newStreamProtocolV4(options).(*streamProtocolV4),
-	}
-}
-
-func (p *streamProtocolV5) stream(conn streamCreator, ready chan<- struct{}) error {
-	return p.streamProtocolV4.stream(conn, ready)
-}
diff --git a/vendor/k8s.io/client-go/tools/remotecommand/websocket.go b/vendor/k8s.io/client-go/tools/remotecommand/websocket.go
deleted file mode 100644
index e0433198f..000000000
--- a/vendor/k8s.io/client-go/tools/remotecommand/websocket.go
+++ /dev/null
@@ -1,530 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package remotecommand
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"sync"
-	"time"
-
-	gwebsocket "github.com/gorilla/websocket"
-
-	v1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	"k8s.io/apimachinery/pkg/util/remotecommand"
-	restclient "k8s.io/client-go/rest"
-	"k8s.io/client-go/transport/websocket"
-	"k8s.io/klog/v2"
-)
-
-// writeDeadline defines the time that a client-side write to the websocket
-// connection must complete before an i/o timeout occurs.
-const writeDeadline = 60 * time.Second
-
-var (
-	_ Executor          = &wsStreamExecutor{}
-	_ streamCreator     = &wsStreamCreator{}
-	_ httpstream.Stream = &stream{}
-
-	streamType2streamID = map[string]byte{
-		v1.StreamTypeStdin:  remotecommand.StreamStdIn,
-		v1.StreamTypeStdout: remotecommand.StreamStdOut,
-		v1.StreamTypeStderr: remotecommand.StreamStdErr,
-		v1.StreamTypeError:  remotecommand.StreamErr,
-		v1.StreamTypeResize: remotecommand.StreamResize,
-	}
-)
-
-const (
-	// pingPeriod defines how often a heartbeat "ping" message is sent.
-	pingPeriod = 5 * time.Second
-	// pingReadDeadline defines the time waiting for a response heartbeat
-	// "pong" message before a timeout error occurs for websocket reading.
-	// This duration must always be greater than the "pingPeriod". By defining
-	// this deadline in terms of the ping period, we are essentially saying
-	// we can drop "X" (e.g. 12) pings before firing the timeout.
-	pingReadDeadline = (pingPeriod * 12) + (1 * time.Second)
-)
-
-// wsStreamExecutor handles transporting standard shell streams over an httpstream connection.
-type wsStreamExecutor struct {
-	transport http.RoundTripper
-	upgrader  websocket.ConnectionHolder
-	method    string
-	url       string
-	// requested protocols in priority order (e.g. v5.channel.k8s.io before v4.channel.k8s.io).
-	protocols []string
-	// selected protocol from the handshake process; could be empty string if handshake fails.
-	negotiated string
-	// period defines how often a "ping" heartbeat message is sent to the other endpoint.
-	heartbeatPeriod time.Duration
-	// deadline defines the amount of time before "pong" response must be received.
-	heartbeatDeadline time.Duration
-}
-
-func NewWebSocketExecutor(config *restclient.Config, method, url string) (Executor, error) {
-	// Only supports V5 protocol for correct version skew functionality.
-	// Previous api servers will proxy upgrade requests to legacy websocket
-	// servers on container runtimes which support V1-V4. These legacy
-	// websocket servers will not handle the new CLOSE signal.
-	return NewWebSocketExecutorForProtocols(config, method, url, remotecommand.StreamProtocolV5Name)
-}
-
-// NewWebSocketExecutorForProtocols allows to execute commands via a WebSocket connection.
-func NewWebSocketExecutorForProtocols(config *restclient.Config, method, url string, protocols ...string) (Executor, error) {
-	transport, upgrader, err := websocket.RoundTripperFor(config)
-	if err != nil {
-		return nil, fmt.Errorf("error creating websocket transports: %v", err)
-	}
-	return &wsStreamExecutor{
-		transport:         transport,
-		upgrader:          upgrader,
-		method:            method,
-		url:               url,
-		protocols:         protocols,
-		heartbeatPeriod:   pingPeriod,
-		heartbeatDeadline: pingReadDeadline,
-	}, nil
-}
-
-// Deprecated: use StreamWithContext instead to avoid possible resource leaks.
-// See https://github.com/kubernetes/kubernetes/pull/103177 for details.
-func (e *wsStreamExecutor) Stream(options StreamOptions) error {
-	return e.StreamWithContext(context.Background(), options)
-}
-
-// StreamWithContext upgrades an HTTPRequest to a WebSocket connection, and starts the various
-// goroutines to implement the necessary streams over the connection. The "options" parameter
-// defines which streams are requested. Returns an error if one occurred. This method is NOT
-// safe to run concurrently with the same executor (because of the state stored in the upgrader).
-func (e *wsStreamExecutor) StreamWithContext(ctx context.Context, options StreamOptions) error {
-	req, err := http.NewRequestWithContext(ctx, e.method, e.url, nil)
-	if err != nil {
-		return err
-	}
-	conn, err := websocket.Negotiate(e.transport, e.upgrader, req, e.protocols...)
-	if err != nil {
-		return err
-	}
-	if conn == nil {
-		panic(fmt.Errorf("websocket connection is nil"))
-	}
-	defer conn.Close()
-	e.negotiated = conn.Subprotocol()
-	klog.V(4).Infof("The subprotocol is %s", e.negotiated)
-
-	var streamer streamProtocolHandler
-	switch e.negotiated {
-	case remotecommand.StreamProtocolV5Name:
-		streamer = newStreamProtocolV5(options)
-	case remotecommand.StreamProtocolV4Name:
-		streamer = newStreamProtocolV4(options)
-	case remotecommand.StreamProtocolV3Name:
-		streamer = newStreamProtocolV3(options)
-	case remotecommand.StreamProtocolV2Name:
-		streamer = newStreamProtocolV2(options)
-	case "":
-		klog.V(4).Infof("The server did not negotiate a streaming protocol version. Falling back to %s", remotecommand.StreamProtocolV1Name)
-		fallthrough
-	case remotecommand.StreamProtocolV1Name:
-		streamer = newStreamProtocolV1(options)
-	}
-
-	panicChan := make(chan any, 1)
-	errorChan := make(chan error, 1)
-	go func() {
-		defer func() {
-			if p := recover(); p != nil {
-				panicChan <- p
-			}
-		}()
-
-		readyChan := make(chan struct{})
-		creator := newWSStreamCreator(conn)
-		go func() {
-			select {
-			// Wait until all streams have been created before starting the readDemuxLoop.
-			// This is to avoid a race condition where the readDemuxLoop receives a message
-			// for a stream that has not yet been created.
-			case <-readyChan:
-			case <-ctx.Done():
-				creator.closeAllStreamReaders(ctx.Err())
-				return
-			}
-
-			creator.readDemuxLoop(
-				e.upgrader.DataBufferSize(),
-				e.heartbeatPeriod,
-				e.heartbeatDeadline,
-			)
-		}()
-		errorChan <- streamer.stream(creator, readyChan)
-	}()
-
-	select {
-	case p := <-panicChan:
-		panic(p)
-	case err := <-errorChan:
-		return err
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}
-
-type wsStreamCreator struct {
-	conn *gwebsocket.Conn
-	// Protects writing to websocket connection; reading is lock-free
-	connWriteLock sync.Mutex
-	// map of stream id to stream; multiple streams read/write the connection
-	streams   map[byte]*stream
-	streamsMu sync.Mutex
-	// setStreamErr holds the error to return to anyone calling setStreams.
-	// this is populated in closeAllStreamReaders
-	setStreamErr error
-}
-
-func newWSStreamCreator(conn *gwebsocket.Conn) *wsStreamCreator {
-	return &wsStreamCreator{
-		conn:    conn,
-		streams: map[byte]*stream{},
-	}
-}
-
-func (c *wsStreamCreator) getStream(id byte) *stream {
-	c.streamsMu.Lock()
-	defer c.streamsMu.Unlock()
-	return c.streams[id]
-}
-
-func (c *wsStreamCreator) setStream(id byte, s *stream) error {
-	c.streamsMu.Lock()
-	defer c.streamsMu.Unlock()
-	if c.setStreamErr != nil {
-		return c.setStreamErr
-	}
-	c.streams[id] = s
-	return nil
-}
-
-// CreateStream uses id from passed headers to create a stream over "c.conn" connection.
-// Returns a Stream structure or nil and an error if one occurred.
-func (c *wsStreamCreator) CreateStream(headers http.Header) (httpstream.Stream, error) {
-	streamType := headers.Get(v1.StreamType)
-	id, ok := streamType2streamID[streamType]
-	if !ok {
-		return nil, fmt.Errorf("unknown stream type: %s", streamType)
-	}
-	if s := c.getStream(id); s != nil {
-		return nil, fmt.Errorf("duplicate stream for type %s", streamType)
-	}
-	reader, writer := io.Pipe()
-	s := &stream{
-		headers:       headers,
-		readPipe:      reader,
-		writePipe:     writer,
-		conn:          c.conn,
-		connWriteLock: &c.connWriteLock,
-		id:            id,
-	}
-	if err := c.setStream(id, s); err != nil {
-		_ = s.writePipe.Close()
-		_ = s.readPipe.Close()
-		return nil, err
-	}
-	return s, nil
-}
-
-// readDemuxLoop is the lock-free reading processor for this endpoint of the websocket
-// connection. This loop reads the connection, and demultiplexes the data
-// into one of the individual stream pipes (by checking the stream id). This
-// loop can *not* be run concurrently, because there can only be one websocket
-// connection reader at a time (a read mutex would provide no benefit).
-func (c *wsStreamCreator) readDemuxLoop(bufferSize int, period time.Duration, deadline time.Duration) {
-	// Initialize and start the ping/pong heartbeat.
-	h := newHeartbeat(c.conn, period, deadline)
-	// Set initial timeout for websocket connection reading.
-	klog.V(5).Infof("Websocket initial read deadline: %s", deadline)
-	if err := c.conn.SetReadDeadline(time.Now().Add(deadline)); err != nil {
-		klog.Errorf("Websocket initial setting read deadline failed %v", err)
-		return
-	}
-	go h.start()
-	// Buffer size must correspond to the same size allocated
-	// for the read buffer during websocket client creation. A
-	// difference can cause incomplete connection reads.
-	readBuffer := make([]byte, bufferSize)
-	for {
-		// NextReader() only returns data messages (BinaryMessage or Text
-		// Message). Even though this call will never return control frames
-		// such as ping, pong, or close, this call is necessary for these
-		// message types to be processed. There can only be one reader
-		// at a time, so this reader loop must *not* be run concurrently;
-		// there is no lock for reading. Calling "NextReader()" before the
-		// current reader has been processed will close the current reader.
-		// If the heartbeat read deadline times out, this "NextReader()" will
-		// return an i/o error, and error handling will clean up.
-		messageType, r, err := c.conn.NextReader()
-		if err != nil {
-			websocketErr, ok := err.(*gwebsocket.CloseError)
-			if ok && websocketErr.Code == gwebsocket.CloseNormalClosure {
-				err = nil // readers will get io.EOF as it's a normal closure
-			} else {
-				err = fmt.Errorf("next reader: %w", err)
-			}
-			c.closeAllStreamReaders(err)
-			return
-		}
-		// All remote command protocols send/receive only binary data messages.
-		if messageType != gwebsocket.BinaryMessage {
-			c.closeAllStreamReaders(fmt.Errorf("unexpected message type: %d", messageType))
-			return
-		}
-		// It's ok to read just a single byte because the underlying library wraps the actual
-		// connection with a buffered reader anyway.
-		_, err = io.ReadFull(r, readBuffer[:1])
-		if err != nil {
-			c.closeAllStreamReaders(fmt.Errorf("read stream id: %w", err))
-			return
-		}
-		streamID := readBuffer[0]
-		s := c.getStream(streamID)
-		if s == nil {
-			klog.Errorf("Unknown stream id %d, discarding message", streamID)
-			continue
-		}
-		for {
-			nr, errRead := r.Read(readBuffer)
-			if nr > 0 {
-				// Write the data to the stream's pipe. This can block.
-				_, errWrite := s.writePipe.Write(readBuffer[:nr])
-				if errWrite != nil {
-					// Pipe must have been closed by the stream user.
-					// Nothing to do, discard the message.
-					break
-				}
-			}
-			if errRead != nil {
-				if errRead == io.EOF {
-					break
-				}
-				c.closeAllStreamReaders(fmt.Errorf("read message: %w", errRead))
-				return
-			}
-		}
-	}
-}
-
-// closeAllStreamReaders closes readers in all streams.
-// This unblocks all stream.Read() calls, and keeps any future streams from being created.
-func (c *wsStreamCreator) closeAllStreamReaders(err error) {
-	c.streamsMu.Lock()
-	defer c.streamsMu.Unlock()
-	for _, s := range c.streams {
-		// Closing writePipe unblocks all readPipe.Read() callers and prevents any future writes.
-		_ = s.writePipe.CloseWithError(err)
-	}
-	// ensure callers to setStreams receive an error after this point
-	if err != nil {
-		c.setStreamErr = err
-	} else {
-		c.setStreamErr = fmt.Errorf("closed all streams")
-	}
-}
-
-type stream struct {
-	headers   http.Header
-	readPipe  *io.PipeReader
-	writePipe *io.PipeWriter
-	// conn is used for writing directly into the connection.
-	// Is nil after Close() / Reset() to prevent future writes.
-	conn *gwebsocket.Conn
-	// connWriteLock protects conn against concurrent write operations. There must be a single writer and a single reader only.
-	// The mutex is shared across all streams because the underlying connection is shared.
-	connWriteLock *sync.Mutex
-	id            byte
-}
-
-func (s *stream) Read(p []byte) (n int, err error) {
-	return s.readPipe.Read(p)
-}
-
-// Write writes directly to the underlying WebSocket connection.
-func (s *stream) Write(p []byte) (n int, err error) {
-	klog.V(8).Infof("Write() on stream %d", s.id)
-	defer klog.V(8).Infof("Write() done on stream %d", s.id)
-	s.connWriteLock.Lock()
-	defer s.connWriteLock.Unlock()
-	if s.conn == nil {
-		return 0, fmt.Errorf("write on closed stream %d", s.id)
-	}
-	err = s.conn.SetWriteDeadline(time.Now().Add(writeDeadline))
-	if err != nil {
-		klog.V(4).Infof("Websocket setting write deadline failed %v", err)
-		return 0, err
-	}
-	// Message writer buffers the message data, so we don't need to do that ourselves.
-	// Just write id and the data as two separate writes to avoid allocating an intermediate buffer.
-	w, err := s.conn.NextWriter(gwebsocket.BinaryMessage)
-	if err != nil {
-		return 0, err
-	}
-	defer func() {
-		if w != nil {
-			w.Close()
-		}
-	}()
-	_, err = w.Write([]byte{s.id})
-	if err != nil {
-		return 0, err
-	}
-	n, err = w.Write(p)
-	if err != nil {
-		return n, err
-	}
-	err = w.Close()
-	w = nil
-	return n, err
-}
-
-// Close half-closes the stream, indicating this side is finished with the stream.
-func (s *stream) Close() error {
-	klog.V(6).Infof("Close() on stream %d", s.id)
-	defer klog.V(6).Infof("Close() done on stream %d", s.id)
-	s.connWriteLock.Lock()
-	defer s.connWriteLock.Unlock()
-	if s.conn == nil {
-		return fmt.Errorf("Close() on already closed stream %d", s.id)
-	}
-	// Communicate the CLOSE stream signal to the other websocket endpoint.
-	err := s.conn.WriteMessage(gwebsocket.BinaryMessage, []byte{remotecommand.StreamClose, s.id})
-	s.conn = nil
-	return err
-}
-
-func (s *stream) Reset() error {
-	klog.V(4).Infof("Reset() on stream %d", s.id)
-	defer klog.V(4).Infof("Reset() done on stream %d", s.id)
-	s.Close()
-	return s.writePipe.Close()
-}
-
-func (s *stream) Headers() http.Header {
-	return s.headers
-}
-
-func (s *stream) Identifier() uint32 {
-	return uint32(s.id)
-}
-
-// heartbeat encasulates data necessary for the websocket ping/pong heartbeat. This
-// heartbeat works by setting a read deadline on the websocket connection, then
-// pushing this deadline into the future for every successful heartbeat. If the
-// heartbeat "pong" fails to respond within the deadline, then the "NextReader()" call
-// inside the "readDemuxLoop" will return an i/o error prompting a connection close
-// and cleanup.
-type heartbeat struct {
-	conn *gwebsocket.Conn
-	// period defines how often a "ping" heartbeat message is sent to the other endpoint
-	period time.Duration
-	// closing the "closer" channel will clean up the heartbeat timers
-	closer chan struct{}
-	// optional data to send with "ping" message
-	message []byte
-	// optionally received data message with "pong" message, same as sent with ping
-	pongMessage []byte
-}
-
-// newHeartbeat creates heartbeat structure encapsulating fields necessary to
-// run the websocket connection ping/pong mechanism and sets up handlers on
-// the websocket connection.
-func newHeartbeat(conn *gwebsocket.Conn, period time.Duration, deadline time.Duration) *heartbeat {
-	h := &heartbeat{
-		conn:   conn,
-		period: period,
-		closer: make(chan struct{}),
-	}
-	// Set up handler for receiving returned "pong" message from other endpoint
-	// by pushing the read deadline into the future. The "msg" received could
-	// be empty.
-	h.conn.SetPongHandler(func(msg string) error {
-		// Push the read deadline into the future.
-		klog.V(6).Infof("Pong message received (%s)--resetting read deadline", msg)
-		err := h.conn.SetReadDeadline(time.Now().Add(deadline))
-		if err != nil {
-			klog.Errorf("Websocket setting read deadline failed %v", err)
-			return err
-		}
-		if len(msg) > 0 {
-			h.pongMessage = []byte(msg)
-		}
-		return nil
-	})
-	// Set up handler to cleanup timers when this endpoint receives "Close" message.
-	closeHandler := h.conn.CloseHandler()
-	h.conn.SetCloseHandler(func(code int, text string) error {
-		close(h.closer)
-		return closeHandler(code, text)
-	})
-	return h
-}
-
-// setMessage is optional data sent with "ping" heartbeat. According to the websocket RFC
-// this data sent with "ping" message should be returned in "pong" message.
-func (h *heartbeat) setMessage(msg string) {
-	h.message = []byte(msg)
-}
-
-// start the heartbeat by setting up necesssary handlers and looping by sending "ping"
-// message every "period" until the "closer" channel is closed.
-func (h *heartbeat) start() {
-	// Loop to continually send "ping" message through websocket connection every "period".
-	t := time.NewTicker(h.period)
-	defer t.Stop()
-	for {
-		select {
-		case <-h.closer:
-			klog.V(5).Infof("closed channel--returning")
-			return
-		case <-t.C:
-			// "WriteControl" does not need to be protected by a mutex. According to
-			// gorilla/websockets library docs: "The Close and WriteControl methods can
-			// be called concurrently with all other methods."
-			if err := h.conn.WriteControl(gwebsocket.PingMessage, h.message, time.Now().Add(pingReadDeadline)); err == nil {
-				klog.V(6).Infof("Websocket Ping succeeeded")
-			} else {
-				klog.Errorf("Websocket Ping failed: %v", err)
-				if errors.Is(err, gwebsocket.ErrCloseSent) {
-					// we continue because c.conn.CloseChan will manage closing the connection already
-					continue
-				} else if e, ok := err.(net.Error); ok && e.Timeout() {
-					// Continue, in case this is a transient failure.
-					// c.conn.CloseChan above will tell us when the connection is
-					// actually closed.
-					// If Temporary function hadn't been deprecated, we would have used it.
-					// But most of temporary errors are timeout errors anyway.
-					continue
-				}
-				return
-			}
-		}
-	}
-}
diff --git a/vendor/k8s.io/client-go/transport/spdy/spdy.go b/vendor/k8s.io/client-go/transport/spdy/spdy.go
deleted file mode 100644
index 9fddc6c5f..000000000
--- a/vendor/k8s.io/client-go/transport/spdy/spdy.go
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package spdy
-
-import (
-	"fmt"
-	"net/http"
-	"net/url"
-	"time"
-
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	"k8s.io/apimachinery/pkg/util/httpstream/spdy"
-	restclient "k8s.io/client-go/rest"
-)
-
-// Upgrader validates a response from the server after a SPDY upgrade.
-type Upgrader interface {
-	// NewConnection validates the response and creates a new Connection.
-	NewConnection(resp *http.Response) (httpstream.Connection, error)
-}
-
-// RoundTripperFor returns a round tripper and upgrader to use with SPDY.
-func RoundTripperFor(config *restclient.Config) (http.RoundTripper, Upgrader, error) {
-	tlsConfig, err := restclient.TLSConfigFor(config)
-	if err != nil {
-		return nil, nil, err
-	}
-	proxy := http.ProxyFromEnvironment
-	if config.Proxy != nil {
-		proxy = config.Proxy
-	}
-	upgradeRoundTripper, err := spdy.NewRoundTripperWithConfig(spdy.RoundTripperConfig{
-		TLS:              tlsConfig,
-		Proxier:          proxy,
-		PingPeriod:       time.Second * 5,
-		UpgradeTransport: nil,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-	wrapper, err := restclient.HTTPWrappersForConfig(config, upgradeRoundTripper)
-	if err != nil {
-		return nil, nil, err
-	}
-	return wrapper, upgradeRoundTripper, nil
-}
-
-// dialer implements the httpstream.Dialer interface.
-type dialer struct {
-	client   *http.Client
-	upgrader Upgrader
-	method   string
-	url      *url.URL
-}
-
-var _ httpstream.Dialer = &dialer{}
-
-// NewDialer will create a dialer that connects to the provided URL and upgrades the connection to SPDY.
-func NewDialer(upgrader Upgrader, client *http.Client, method string, url *url.URL) httpstream.Dialer {
-	return &dialer{
-		client:   client,
-		upgrader: upgrader,
-		method:   method,
-		url:      url,
-	}
-}
-
-func (d *dialer) Dial(protocols ...string) (httpstream.Connection, string, error) {
-	req, err := http.NewRequest(d.method, d.url.String(), nil)
-	if err != nil {
-		return nil, "", fmt.Errorf("error creating request: %v", err)
-	}
-	return Negotiate(d.upgrader, d.client, req, protocols...)
-}
-
-// Negotiate opens a connection to a remote server and attempts to negotiate
-// a SPDY connection. Upon success, it returns the connection and the protocol selected by
-// the server. The client transport must use the upgradeRoundTripper - see RoundTripperFor.
-func Negotiate(upgrader Upgrader, client *http.Client, req *http.Request, protocols ...string) (httpstream.Connection, string, error) {
-	for i := range protocols {
-		req.Header.Add(httpstream.HeaderProtocolVersion, protocols[i])
-	}
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil, "", fmt.Errorf("error sending request: %v", err)
-	}
-	defer resp.Body.Close()
-	conn, err := upgrader.NewConnection(resp)
-	if err != nil {
-		return nil, "", err
-	}
-	return conn, resp.Header.Get(httpstream.HeaderProtocolVersion), nil
-}
diff --git a/vendor/k8s.io/client-go/transport/websocket/roundtripper.go b/vendor/k8s.io/client-go/transport/websocket/roundtripper.go
deleted file mode 100644
index 924518e8b..000000000
--- a/vendor/k8s.io/client-go/transport/websocket/roundtripper.go
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package websocket
-
-import (
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"strings"
-
-	gwebsocket "github.com/gorilla/websocket"
-
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/serializer"
-	"k8s.io/apimachinery/pkg/util/httpstream"
-	"k8s.io/apimachinery/pkg/util/httpstream/wsstream"
-	utilnet "k8s.io/apimachinery/pkg/util/net"
-	restclient "k8s.io/client-go/rest"
-	"k8s.io/client-go/transport"
-)
-
-var (
-	_ utilnet.TLSClientConfigHolder = &RoundTripper{}
-	_ http.RoundTripper             = &RoundTripper{}
-)
-
-var (
-	statusScheme = runtime.NewScheme()
-	statusCodecs = serializer.NewCodecFactory(statusScheme)
-)
-
-func init() {
-	statusScheme.AddUnversionedTypes(metav1.SchemeGroupVersion,
-		&metav1.Status{},
-	)
-}
-
-// ConnectionHolder defines functions for structure providing
-// access to the websocket connection.
-type ConnectionHolder interface {
-	DataBufferSize() int
-	Connection() *gwebsocket.Conn
-}
-
-// RoundTripper knows how to establish a connection to a remote WebSocket endpoint and make it available for use.
-// RoundTripper must not be reused.
-type RoundTripper struct {
-	// TLSConfig holds the TLS configuration settings to use when connecting
-	// to the remote server.
-	TLSConfig *tls.Config
-
-	// Proxier specifies a function to return a proxy for a given
-	// Request. If the function returns a non-nil error, the
-	// request is aborted with the provided error.
-	// If Proxy is nil or returns a nil *URL, no proxy is used.
-	Proxier func(req *http.Request) (*url.URL, error)
-
-	// Conn holds the WebSocket connection after a round trip.
-	Conn *gwebsocket.Conn
-}
-
-// Connection returns the stored websocket connection.
-func (rt *RoundTripper) Connection() *gwebsocket.Conn {
-	return rt.Conn
-}
-
-// DataBufferSize returns the size of buffers for the
-// websocket connection.
-func (rt *RoundTripper) DataBufferSize() int {
-	return 32 * 1024
-}
-
-// TLSClientConfig implements pkg/util/net.TLSClientConfigHolder.
-func (rt *RoundTripper) TLSClientConfig() *tls.Config {
-	return rt.TLSConfig
-}
-
-// RoundTrip connects to the remote websocket using the headers in the request and the TLS
-// configuration from the config
-func (rt *RoundTripper) RoundTrip(request *http.Request) (retResp *http.Response, retErr error) {
-	defer func() {
-		if request.Body != nil {
-			err := request.Body.Close()
-			if retErr == nil {
-				retErr = err
-			}
-		}
-	}()
-
-	// set the protocol version directly on the dialer from the header
-	protocolVersions := request.Header[wsstream.WebSocketProtocolHeader]
-	delete(request.Header, wsstream.WebSocketProtocolHeader)
-
-	dialer := gwebsocket.Dialer{
-		Proxy:           rt.Proxier,
-		TLSClientConfig: rt.TLSConfig,
-		Subprotocols:    protocolVersions,
-		ReadBufferSize:  rt.DataBufferSize() + 1024, // add space for the protocol byte indicating which channel the data is for
-		WriteBufferSize: rt.DataBufferSize() + 1024, // add space for the protocol byte indicating which channel the data is for
-	}
-	switch request.URL.Scheme {
-	case "https":
-		request.URL.Scheme = "wss"
-	case "http":
-		request.URL.Scheme = "ws"
-	default:
-		return nil, fmt.Errorf("unknown url scheme: %s", request.URL.Scheme)
-	}
-	wsConn, resp, err := dialer.DialContext(request.Context(), request.URL.String(), request.Header)
-	if err != nil {
-		// BadHandshake error becomes an "UpgradeFailureError" (used for streaming fallback).
-		if errors.Is(err, gwebsocket.ErrBadHandshake) {
-			cause := err
-			// Enhance the error message with the error response if possible.
-			if resp != nil && len(resp.Status) > 0 {
-				defer resp.Body.Close()                         //nolint:errcheck
-				cause = fmt.Errorf("%w (%s)", err, resp.Status) // Always add the response status
-				responseError := ""
-				responseErrorBytes, readErr := io.ReadAll(io.LimitReader(resp.Body, 64*1024))
-				if readErr != nil {
-					cause = fmt.Errorf("%w: unable to read error from server response", cause)
-				} else {
-					// If returned error can be decoded as "metav1.Status", return a "StatusError".
-					responseError = strings.TrimSpace(string(responseErrorBytes))
-					if len(responseError) > 0 {
-						if obj, _, decodeErr := statusCodecs.UniversalDecoder().Decode(responseErrorBytes, nil, &metav1.Status{}); decodeErr == nil {
-							if status, ok := obj.(*metav1.Status); ok {
-								cause = &apierrors.StatusError{ErrStatus: *status}
-							}
-						} else {
-							// Otherwise, append the responseError string.
-							cause = fmt.Errorf("%w: %s", cause, responseError)
-						}
-					}
-				}
-			}
-			return nil, &httpstream.UpgradeFailureError{Cause: cause}
-		}
-		return nil, err
-	}
-
-	// Ensure we got back a protocol we understand
-	foundProtocol := false
-	for _, protocolVersion := range protocolVersions {
-		if protocolVersion == wsConn.Subprotocol() {
-			foundProtocol = true
-			break
-		}
-	}
-	if !foundProtocol {
-		wsConn.Close() // nolint:errcheck
-		return nil, &httpstream.UpgradeFailureError{Cause: fmt.Errorf("invalid protocol, expected one of %q, got %q", protocolVersions, wsConn.Subprotocol())}
-	}
-
-	rt.Conn = wsConn
-
-	return resp, nil
-}
-
-// RoundTripperFor transforms the passed rest config into a wrapped roundtripper, as well
-// as a pointer to the websocket RoundTripper. The websocket RoundTripper contains the
-// websocket connection after RoundTrip() on the wrapper. Returns an error if there is
-// a problem creating the round trippers.
-func RoundTripperFor(config *restclient.Config) (http.RoundTripper, ConnectionHolder, error) {
-	transportCfg, err := config.TransportConfig()
-	if err != nil {
-		return nil, nil, err
-	}
-	tlsConfig, err := transport.TLSConfigFor(transportCfg)
-	if err != nil {
-		return nil, nil, err
-	}
-	proxy := config.Proxy
-	if proxy == nil {
-		proxy = utilnet.NewProxierWithNoProxyCIDR(http.ProxyFromEnvironment)
-	}
-
-	upgradeRoundTripper := &RoundTripper{
-		TLSConfig: tlsConfig,
-		Proxier:   proxy,
-	}
-	wrapper, err := transport.HTTPWrappersForConfig(transportCfg, upgradeRoundTripper)
-	if err != nil {
-		return nil, nil, err
-	}
-	return wrapper, upgradeRoundTripper, nil
-}
-
-// Negotiate opens a connection to a remote server and attempts to negotiate
-// a WebSocket connection. Upon success, it returns the negotiated connection.
-// The round tripper rt must use the WebSocket round tripper wsRt - see RoundTripperFor.
-func Negotiate(rt http.RoundTripper, connectionInfo ConnectionHolder, req *http.Request, protocols ...string) (*gwebsocket.Conn, error) {
-	// Plumb protocols to RoundTripper#RoundTrip
-	req.Header[wsstream.WebSocketProtocolHeader] = protocols
-	resp, err := rt.RoundTrip(req)
-	if err != nil {
-		return nil, err
-	}
-	err = resp.Body.Close()
-	if err != nil {
-		connectionInfo.Connection().Close()
-		return nil, fmt.Errorf("error closing response body: %v", err)
-	}
-	return connectionInfo.Connection(), nil
-}
diff --git a/vendor/k8s.io/client-go/util/exec/exec.go b/vendor/k8s.io/client-go/util/exec/exec.go
deleted file mode 100644
index d170badb6..000000000
--- a/vendor/k8s.io/client-go/util/exec/exec.go
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package exec
-
-// ExitError is an interface that presents an API similar to os.ProcessState, which is
-// what ExitError from os/exec is.  This is designed to make testing a bit easier and
-// probably loses some of the cross-platform properties of the underlying library.
-type ExitError interface {
-	String() string
-	Error() string
-	Exited() bool
-	ExitStatus() int
-}
-
-// CodeExitError is an implementation of ExitError consisting of an error object
-// and an exit code (the upper bits of os.exec.ExitStatus).
-type CodeExitError struct {
-	Err  error
-	Code int
-}
-
-var _ ExitError = CodeExitError{}
-
-func (e CodeExitError) Error() string {
-	return e.Err.Error()
-}
-
-func (e CodeExitError) String() string {
-	return e.Err.Error()
-}
-
-func (e CodeExitError) Exited() bool {
-	return true
-}
-
-func (e CodeExitError) ExitStatus() int {
-	return e.Code
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fab322ae4..518c8d9c2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -621,10 +621,6 @@ github.com/moby/docker-image-spec/specs-go/v1
 # github.com/moby/locker v1.0.1
 ## explicit; go 1.13
 github.com/moby/locker
-# github.com/moby/spdystream v0.5.0
-## explicit; go 1.13
-github.com/moby/spdystream
-github.com/moby/spdystream/spdy
 # github.com/moby/sys/atomicwriter v0.1.0
 ## explicit; go 1.18
 # github.com/moby/sys/mountinfo v0.7.1
@@ -657,9 +653,6 @@ github.com/modern-go/reflect2
 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 ## explicit
 github.com/munnerz/goautoneg
-# github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
-## explicit
-github.com/mxk/go-flowrate/flowrate
 # github.com/onsi/ginkgo/v2 v2.27.4
 ## explicit; go 1.23.0
 github.com/onsi/ginkgo/v2
@@ -1035,7 +1028,6 @@ golang.org/x/net/ipv4
 golang.org/x/net/ipv6
 golang.org/x/net/proxy
 golang.org/x/net/trace
-golang.org/x/net/websocket
 # golang.org/x/oauth2 v0.32.0
 ## explicit; go 1.24.0
 golang.org/x/oauth2
@@ -1357,9 +1349,6 @@ k8s.io/apimachinery/pkg/util/dump
 k8s.io/apimachinery/pkg/util/duration
 k8s.io/apimachinery/pkg/util/errors
 k8s.io/apimachinery/pkg/util/framer
-k8s.io/apimachinery/pkg/util/httpstream
-k8s.io/apimachinery/pkg/util/httpstream/spdy
-k8s.io/apimachinery/pkg/util/httpstream/wsstream
 k8s.io/apimachinery/pkg/util/intstr
 k8s.io/apimachinery/pkg/util/json
 k8s.io/apimachinery/pkg/util/managedfields
@@ -1367,10 +1356,7 @@ k8s.io/apimachinery/pkg/util/managedfields/internal
 k8s.io/apimachinery/pkg/util/mergepatch
 k8s.io/apimachinery/pkg/util/naming
 k8s.io/apimachinery/pkg/util/net
-k8s.io/apimachinery/pkg/util/portforward
-k8s.io/apimachinery/pkg/util/proxy
 k8s.io/apimachinery/pkg/util/rand
-k8s.io/apimachinery/pkg/util/remotecommand
 k8s.io/apimachinery/pkg/util/runtime
 k8s.io/apimachinery/pkg/util/sets
 k8s.io/apimachinery/pkg/util/strategicpatch
@@ -1382,7 +1368,6 @@ k8s.io/apimachinery/pkg/util/yaml
 k8s.io/apimachinery/pkg/version
 k8s.io/apimachinery/pkg/watch
 k8s.io/apimachinery/third_party/forked/golang/json
-k8s.io/apimachinery/third_party/forked/golang/netutil
 k8s.io/apimachinery/third_party/forked/golang/reflect
 # k8s.io/cli-runtime v0.33.3
 ## explicit; go 1.24.0
@@ -1714,15 +1699,11 @@ k8s.io/client-go/tools/pager
 k8s.io/client-go/tools/record
 k8s.io/client-go/tools/record/util
 k8s.io/client-go/tools/reference
-k8s.io/client-go/tools/remotecommand
 k8s.io/client-go/transport
-k8s.io/client-go/transport/spdy
-k8s.io/client-go/transport/websocket
 k8s.io/client-go/util/apply
 k8s.io/client-go/util/cert
 k8s.io/client-go/util/connrotation
 k8s.io/client-go/util/consistencydetector
-k8s.io/client-go/util/exec
 k8s.io/client-go/util/flowcontrol
 k8s.io/client-go/util/homedir
 k8s.io/client-go/util/jsonpath