Turns out, not everything has a --yes parameter. For a uniform usage,
let's stick with `-y` then.

This reverts commit 5b2b1a9d.

This patch enables the upgrades only on control-plane nodes. Given that
my clusters currently have no worker nodes, this is suffient, in the
future one can consider to add a second plan for worker nodes.

First of all, `kubeadm upgrade apply` shall only be used on the first
controlplane node. Therefore it'll check if another node controlplane
node is already upgraded.

Second we fixed the order, so that the kubelet is upgraded after the
node, and restarted after the update is installed.

This patch enables kubernetes upgrades for all clusters, this might
needs some adjustments in the future to allow different clusters in
different versions.

In order to ensure updates, there is currently a copr fork of the
upstream kubernetes.

References:
https://git.shivering-isles.com/sheogorath/kubernetes-fedora

This patch disabled the CRS modsecurity role for anomaly detection,
since apparently ~80% of all requests are anomalies. This patch adds an
explicit exclude for this rule to the modsecurity config snippet which
should help to keep synapse working, while utilising modsecurity.

This patch should enable the core-crs-rules for good, since one ahs to
add them into the snippet explicitly according to the documentation

Reference:
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity

This patch tries to figure out, why the proxy-protocol isn't supported
properly yet.