The current packages either derive from the SRE team's k8s system setup. This set up is incomplete for stretch and very out of step with common practices around k8s, which limits toolforge flexibility and upgrades.
Since it is currently not possible to stand up a bastion that can talk to both Son of Grid Engine and Kubernetes at the same time (since SGE = stretch), this is a blocker for proceeding with the full Trusty deprecation in Tools.
To unblock the quarterly goal, I suggest we simply get packages for kubernetes-node, kubernetes-client, flannel and docker-ce in the tools repo that are compatible with stretch. This should be sufficient with current puppet code (with some modifications on our profile) to stand up a bastion that should work with the rest of the environment.
Since flannel is not normally packaged, rather it is installed with kubeadm, we will have to make our own package for that.
Ultimately, it may be necessary to use kubeadm due to the structure of upstream packaging.