diff --git a/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java
index fa9385a774e..d95cf9ac7af 100644
--- a/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/NetworkACLManagerImpl.java
@@ -41,6 +41,8 @@ import com.cloud.network.vpc.NetworkACLItem.State;
 import com.cloud.network.vpc.dao.NetworkACLDao;
 import com.cloud.network.vpc.dao.VpcGatewayDao;
 import com.cloud.offering.NetworkOffering;
+import com.cloud.server.ResourceTag;
+import com.cloud.tags.dao.ResourceTagDao;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.db.DB;
 import com.cloud.utils.db.EntityManager;
@@ -73,6 +75,8 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
     private VpcService _vpcSvc;
     @Inject
     private MessageBus _messageBus;
+    @Inject
+    private ResourceTagDao resourceTagDao;
 
     private List<NetworkACLServiceProvider> _networkAclElements;
 
@@ -275,7 +279,7 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
             if (s_logger.isDebugEnabled()) {
                 s_logger.debug("Found a rule that is still in stage state so just removing it: " + rule);
             }
-            _networkACLItemDao.remove(rule.getId());
+            removeRule(rule);
         } else if (rule.getState() == State.Add || rule.getState() == State.Active) {
             rule.setState(State.Revoke);
             _networkACLItemDao.update(rule.getId(), rule);
@@ -353,8 +357,9 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
         return rules;
     }
 
-    private void removeRule(final NetworkACLItem rule) {
-        _networkACLItemDao.remove(rule.getId());
+    boolean removeRule(final NetworkACLItem rule) {
+        boolean rc = resourceTagDao.removeByIdAndType(rule.getId(), ResourceTag.ResourceObjectType.NetworkACL);
+        return rc && _networkACLItemDao.remove(rule.getId());
     }
 
     @Override
@@ -390,7 +395,7 @@ public class NetworkACLManagerImpl extends ManagerBase implements NetworkACLMana
 
     /**
      * Updates and applies the network ACL rule ({@link NetworkACLItemVO}).
-     * We will first try to update the ACL rule in the database using {@link NetworkACLItemDao#update(Long, NetworkACLItemVO)}. If it does not work, a {@link CloudRuntimeException} is thrown.
+     * We will first try to update the ACL rule in the database using {@link NetworkACLItemDao#updateNumberFieldNetworkItem(long, int)}. If it does not work, a {@link CloudRuntimeException} is thrown.
      * If we manage to update the ACL rule in the database, we proceed to apply it using {@link #applyNetworkACL(long)}. If this does not work we throw a {@link CloudRuntimeException}.
      * If all is working we return the {@link NetworkACLItemVO} given as parameter. We wil set the state of the rule to {@link com.cloud.network.vpc.NetworkACLItem.State#Add}.
      */
diff --git a/server/src/main/java/com/cloud/server/StatsCollector.java b/server/src/main/java/com/cloud/server/StatsCollector.java
index 5197ccc3a3c..91410198e2f 100644
--- a/server/src/main/java/com/cloud/server/StatsCollector.java
+++ b/server/src/main/java/com/cloud/server/StatsCollector.java
@@ -974,8 +974,16 @@ public class StatsCollector extends ManagerBase implements ComponentMethodInterc
         private double getSystemCpuCyclesTotal() {
             String cpucaps = Script.runSimpleBashScript("cat /proc/cpuinfo | grep \"cpu MHz\" | grep \"cpu MHz\" | cut -f 2 -d : | tr -d ' '| tr '\\n' \" \"");
             double totalcpucap = 0;
-            for (String cpucap : cpucaps.split(" ")) {
-                totalcpucap += Double.parseDouble(cpucap);
+            if (StringUtils.isEmpty(cpucaps)) {
+                String totalCpus = Script.runSimpleBashScript("nproc --all| tr '\\n' \" \"");
+                String maxCpuSpeed = Script.runSimpleBashScript("lscpu | egrep 'CPU max MHz' | head -1 | cut -f 2 -d : | tr -d ' '| tr '\\n' \" \"");
+                if (StringUtils.isNotEmpty(totalCpus) && StringUtils.isNotEmpty(maxCpuSpeed)) {
+                    totalcpucap = Double.parseDouble(totalCpus) * Double.parseDouble(maxCpuSpeed);
+                }
+            } else {
+                for (String cpucap : cpucaps.split(" ")) {
+                    totalcpucap += Double.parseDouble(cpucap);
+                }
             }
             return totalcpucap;
         }
diff --git a/server/src/test/java/com/cloud/vpc/NetworkACLManagerTest.java b/server/src/test/java/com/cloud/network/vpc/NetworkACLManagerTest.java
similarity index 92%
rename from server/src/test/java/com/cloud/vpc/NetworkACLManagerTest.java
rename to server/src/test/java/com/cloud/network/vpc/NetworkACLManagerTest.java
index 411f73aaf69..4dc75b432de 100644
--- a/server/src/test/java/com/cloud/vpc/NetworkACLManagerTest.java
+++ b/server/src/test/java/com/cloud/network/vpc/NetworkACLManagerTest.java
@@ -13,7 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package com.cloud.vpc;
+package com.cloud.network.vpc;
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyList;
@@ -30,6 +30,7 @@ import java.util.UUID;
 
 import javax.inject.Inject;
 
+import com.cloud.server.ResourceTag;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.messagebus.MessageBus;
@@ -58,18 +59,7 @@ import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkServiceMapDao;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.element.NetworkACLServiceProvider;
-import com.cloud.network.vpc.NetworkACLItem;
 import com.cloud.network.vpc.NetworkACLItem.State;
-import com.cloud.network.vpc.NetworkACLItemDao;
-import com.cloud.network.vpc.NetworkACLItemVO;
-import com.cloud.network.vpc.NetworkACLManager;
-import com.cloud.network.vpc.NetworkACLManagerImpl;
-import com.cloud.network.vpc.NetworkACLVO;
-import com.cloud.network.vpc.PrivateGateway;
-import com.cloud.network.vpc.VpcGateway;
-import com.cloud.network.vpc.VpcGatewayVO;
-import com.cloud.network.vpc.VpcManager;
-import com.cloud.network.vpc.VpcService;
 import com.cloud.network.vpc.dao.NetworkACLDao;
 import com.cloud.network.vpc.dao.VpcGatewayDao;
 import com.cloud.offerings.dao.NetworkOfferingDao;
@@ -88,7 +78,7 @@ import junit.framework.TestCase;
 @ContextConfiguration(loader = AnnotationConfigContextLoader.class)
 public class NetworkACLManagerTest extends TestCase {
     @Inject
-    NetworkACLManager _aclMgr;
+    NetworkACLManagerImpl _aclMgr;
 
     @Inject
     AccountManager _accountMgr;
@@ -103,10 +93,6 @@ public class NetworkACLManagerTest extends TestCase {
     @Inject
     NetworkOfferingDao networkOfferingDao;
     @Inject
-    ConfigurationManager _configMgr;
-    @Inject
-    EntityManager _entityMgr;
-    @Inject
     NetworkModel _networkModel;
     @Inject
     List<NetworkACLServiceProvider> _networkAclElements;
@@ -114,6 +100,8 @@ public class NetworkACLManagerTest extends TestCase {
     VpcService _vpcSvc;
     @Inject
     VpcGatewayDao _vpcGatewayDao;
+    @Inject
+    private ResourceTagDao resourceTagDao;
 
     private NetworkACLVO acl;
     private NetworkACLItemVO aclItem;
@@ -154,9 +142,17 @@ public class NetworkACLManagerTest extends TestCase {
     }
 
     @Test
-    public void testApplyNetworkACL() throws Exception {
+    public void testApplyNetworkACLsOnGatewayAndInGeneral() throws Exception {
         driveTestApplyNetworkACL(true, true, true);
+    }
+
+    @Test
+    public void testApplyNetworkACLsOnGatewayOnly() throws Exception {
         driveTestApplyNetworkACL(false, false, true);
+    }
+
+    @Test
+    public void testApplyNetworkACLsButNotOnGateway() throws Exception {
         driveTestApplyNetworkACL(false, true, false);
     }
 
@@ -168,11 +164,12 @@ public class NetworkACLManagerTest extends TestCase {
         // Prepare
         // Reset mocked objects to reuse
         Mockito.reset(_networkACLItemDao);
+        Mockito.reset(_networkDao);
 
         // Make sure it is handled
         final long aclId = 1L;
         final NetworkVO network = Mockito.mock(NetworkVO.class);
-        final List<NetworkVO> networks = new ArrayList<NetworkVO>();
+        final List<NetworkVO> networks = new ArrayList<>();
         networks.add(network);
 
         NetworkServiceMapDao ntwkSrvcDao = mock(NetworkServiceMapDao.class);
@@ -194,7 +191,7 @@ public class NetworkACLManagerTest extends TestCase {
 
         // Create 4 rules to test all 4 scenarios: only revoke should
         // be deleted, only add should update
-        final List<NetworkACLItemVO> rules = new ArrayList<NetworkACLItemVO>();
+        final List<NetworkACLItemVO> rules = new ArrayList<>();
         final NetworkACLItemVO ruleActive = Mockito.mock(NetworkACLItemVO.class);
         final NetworkACLItemVO ruleStaged = Mockito.mock(NetworkACLItemVO.class);
         final NetworkACLItemVO rule2Revoke = Mockito.mock(NetworkACLItemVO.class);
@@ -224,7 +221,6 @@ public class NetworkACLManagerTest extends TestCase {
 
         // Assert if conditions met, network ACL was applied
         final int timesProcessingDone = applyNetworkACLs && applyACLToPrivateGw ? 1 : 0;
-        Mockito.verify(_networkACLItemDao, Mockito.times(timesProcessingDone)).remove(revokeId);
         Mockito.verify(rule2Add, Mockito.times(timesProcessingDone)).setState(NetworkACLItem.State.Active);
         Mockito.verify(_networkACLItemDao, Mockito.times(timesProcessingDone)).update(addId, rule2Add);
     }
@@ -235,9 +231,20 @@ public class NetworkACLManagerTest extends TestCase {
         assertTrue(_aclMgr.revokeNetworkACLItem(1L));
     }
 
+    @Test
+    public void testRemoveRule() {
+        NetworkACLItem aclItem = Mockito.mock(NetworkACLItemVO.class);
+        when(aclItem.getId()).thenReturn(1l);
+        Mockito.when(resourceTagDao.removeByIdAndType(1l, ResourceTag.ResourceObjectType.NetworkACL)).thenReturn(true);
+        Mockito.when(_networkACLItemDao.remove(1l)).thenReturn(true);
+        assertTrue(_aclMgr.removeRule(aclItem));
+
+    }
+
     @Test
     public void deleteNonEmptyACL() throws Exception {
-        final List<NetworkACLItemVO> aclItems = new ArrayList<NetworkACLItemVO>();
+        Mockito.reset(_networkDao);
+        final List<NetworkACLItemVO> aclItems = new ArrayList<>();
         aclItems.add(aclItem);
         Mockito.when(_networkACLItemDao.listByACL(anyLong())).thenReturn(aclItems);
         Mockito.when(acl.getId()).thenReturn(3l);
@@ -342,5 +349,4 @@ public class NetworkACLManagerTest extends TestCase {
             }
         }
     }
-
 }
diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
index 30d206f60fc..2f6f335de7d 100644
--- a/ui/public/locales/en.json
+++ b/ui/public/locales/en.json
@@ -1113,6 +1113,8 @@
 "label.kubernetes.cluster.stop": "Stop Kubernetes cluster",
 "label.kubernetes.cluster.upgrade": "Upgrade Kubernetes cluster",
 "label.kubernetes.dashboard": "Kubernetes dashboard UI",
+"label.kubernetes.dashboard.create.token": "Create token for Kubernetes dashboard",
+"label.kubernetes.dashboard.create.token.desc": "Since Kubernetes v1.24.0, there is no auto-generation of secret-based service account token due to security reason. You need to create a service account and an optional long-lived Bearer Token for the service account.",
 "label.kubernetes.isos": "Kubernetes ISOs",
 "label.kubernetes.service": "Kubernetes service",
 "label.kubernetes.version.add": "Add Kubernetes version",
diff --git a/ui/src/views/compute/DeployVM.vue b/ui/src/views/compute/DeployVM.vue
index 0f63f4e30f0..507b902e11f 100644
--- a/ui/src/views/compute/DeployVM.vue
+++ b/ui/src/views/compute/DeployVM.vue
@@ -1995,7 +1995,8 @@ export default {
         deployVmData.iodriverpolicy = values.iodriverpolicy
         deployVmData.nicmultiqueuenumber = values.nicmultiqueuenumber
         deployVmData.nicpackedvirtqueuesenabled = values.nicpackedvirtqueuesenabled
-        if (values.userdata && values.userdata.length > 0) {
+        const isUserdataAllowed = !this.userdataDefaultOverridePolicy || (this.userdataDefaultOverridePolicy === 'ALLOWOVERRIDE' && this.doUserdataOverride) || (this.userdataDefaultOverridePolicy === 'APPEND' && this.doUserdataAppend)
+        if (isUserdataAllowed && values.userdata && values.userdata.length > 0) {
           deployVmData.userdata = this.$toBase64AndURIEncoded(values.userdata)
         }
         // step 2: select template/iso
@@ -2118,7 +2119,9 @@ export default {
         }
         // step 7: select ssh key pair
         deployVmData.keypairs = this.sshKeyPairs.join(',')
-        deployVmData.userdataid = values.userdataid
+        if (isUserdataAllowed) {
+          deployVmData.userdataid = values.userdataid
+        }
 
         if (values.name) {
           deployVmData.name = values.name
@@ -2154,7 +2157,7 @@ export default {
             idx++
           }
         }
-        if (this.userDataValues) {
+        if (isUserdataAllowed && this.userDataValues) {
           for (const [key, value] of Object.entries(this.userDataValues)) {
             deployVmData['userdatadetails[' + idx + '].' + `${key}`] = value
             idx++
diff --git a/ui/src/views/compute/KubernetesServiceTab.vue b/ui/src/views/compute/KubernetesServiceTab.vue
index bce4ea25424..b3556cb65ce 100644
--- a/ui/src/views/compute/KubernetesServiceTab.vue
+++ b/ui/src/views/compute/KubernetesServiceTab.vue
@@ -79,6 +79,11 @@
                 <a href="http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/"><code>http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/</code></a>
               </p>
             </a-timeline-item>
+            <a-timeline-item>
+              <p v-html="$t('label.kubernetes.dashboard.create.token')"></p>
+              <p v-html="$t('label.kubernetes.dashboard.create.token.desc')"></p>
+              <a-textarea :value="'kubectl --kubeconfig /custom/path/kube.conf apply -f - <<EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: kubernetes-dashboard-admin-user\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/service-account-token\nmetadata:\n  name: kubernetes-dashboard-token\n  namespace: kubernetes-dashboard\n  annotations:\n    kubernetes.io/service-account.name: kubernetes-dashboard-admin-user\nEOF'" :rows="10" readonly />
+            </a-timeline-item>
             <a-timeline-item>
               <p>
                 {{ $t('label.token.for.dashboard.login') }}<br><br>