diff --git a/content/en/docs/examples/bookinfo/index.md b/content/en/docs/examples/bookinfo/index.md index 5073bc1441..cf4a1fa212 100644 --- a/content/en/docs/examples/bookinfo/index.md +++ b/content/en/docs/examples/bookinfo/index.md @@ -137,7 +137,7 @@ If you use GKE, please ensure your cluster has at least 4 standard GKE nodes. If example from `ratings`: {{< text bash >}} - $ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" + $ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" Simple Bookstore App {{< /text >}} diff --git a/content/en/docs/examples/bookinfo/snips.sh b/content/en/docs/examples/bookinfo/snips.sh index 6a5b5bc3ea..a277da2dea 100644 --- a/content/en/docs/examples/bookinfo/snips.sh +++ b/content/en/docs/examples/bookinfo/snips.sh @@ -60,7 +60,7 @@ reviews-v3-1813607990-8ch52 2/2 Running 0 6m ENDSNIP snip_start_the_application_services_6() { -kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" +kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" } ! read -r -d '' snip_start_the_application_services_6_out <<\ENDSNIP diff --git a/content/en/docs/tasks/observability/logs/access-log/index.md b/content/en/docs/tasks/observability/logs/access-log/index.md index 4a32c8fb6b..fc9c6e6c98 100644 --- a/content/en/docs/tasks/observability/logs/access-log/index.md +++ b/content/en/docs/tasks/observability/logs/access-log/index.md @@ -68,7 +68,6 @@ All three of these parameters may also be configured via [install options](https | ;/ \_ _/ `"""` - ... {{< /text >}} 1. Check `sleep`'s log: 
diff --git a/content/en/docs/tasks/observability/logs/access-log/snips.sh b/content/en/docs/tasks/observability/logs/access-log/snips.sh index 21d10b844e..76f37f4415 100644 --- a/content/en/docs/tasks/observability/logs/access-log/snips.sh +++ b/content/en/docs/tasks/observability/logs/access-log/snips.sh @@ -51,7 +51,6 @@ kubectl exec "$SOURCE_POD" -c sleep -- curl -v httpbin:8000/status/418 | ;/ \_ _/ `"""` -... ENDSNIP snip_test_the_access_log_2() { diff --git a/content/en/docs/tasks/observability/logs/access-log/test.sh b/content/en/docs/tasks/observability/logs/access-log/test.sh index 63cae6548b..0fa298b657 100644 --- a/content/en/docs/tasks/observability/logs/access-log/test.sh +++ b/content/en/docs/tasks/observability/logs/access-log/test.sh @@ -42,8 +42,7 @@ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadat startup_httpbin_sample # Make curl request to httpbin -#TODO _verify_elided snip_test_the_access_log_1 "$snip_test_the_access_log_1_out" -_verify_contains snip_test_the_access_log_1 "-=[ teapot ]=-" +_verify_elided snip_test_the_access_log_1 "$snip_test_the_access_log_1_out" # Check the logs _verify_contains snip_test_the_access_log_2 "outbound|8000||httpbin.default.svc.cluster.local" diff --git a/content/en/docs/tasks/security/authentication/mtls-migration/index.md b/content/en/docs/tasks/security/authentication/mtls-migration/index.md index e851bf1c5f..3d010d056e 100644 --- a/content/en/docs/tasks/security/authentication/mtls-migration/index.md +++ b/content/en/docs/tasks/security/authentication/mtls-migration/index.md 
@@ -116,7 +116,7 @@ If you installed Istio with `values.global.proxy.privileged=true`, you can use ` traffic is encrypted or not. {{< text bash >}} -$ kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -it -- sudo tcpdump dst port 80 -A +$ kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes {{< /text >}} diff --git a/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh b/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh index cf1ec87bfe..f307886d52 100644 --- a/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh +++ b/content/en/docs/tasks/security/authentication/mtls-migration/snips.sh @@ -90,7 +90,7 @@ sleep.legacy to httpbin.bar: 200 ENDSNIP snip_lock_down_to_mutual_tls_by_namespace_3() { -kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -it -- sudo tcpdump dst port 80 -A +kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A } ! read -r -d '' snip_lock_down_to_mutual_tls_by_namespace_3_out <<\ENDSNIP diff --git a/content/en/docs/tasks/traffic-management/circuit-breaking/index.md b/content/en/docs/tasks/traffic-management/circuit-breaking/index.md index 6ca000f57c..d3436f3570 100644 --- a/content/en/docs/tasks/traffic-management/circuit-breaking/index.md +++ b/content/en/docs/tasks/traffic-management/circuit-breaking/index.md 
@@ -107,8 +107,8 @@ governed by Istio. Pass in `-curl` to indicate that you just want to make one call: {{< text bash >}} - $ FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}') - $ kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -curl http://httpbin:8000/get + $ export FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}') + $ kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -curl http://httpbin:8000/get HTTP/1.1 200 OK server: envoy date: Tue, 25 Feb 2020 20:25:52 GMT @@ -148,7 +148,7 @@ one connection and request concurrently, you should see some failures when the (`-n 20`): {{< text bash >}} - $ kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get + $ kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get 20:33:46 I logger.go:97> Log level is now 3 Warning (was 2 Info) Fortio 1.3.1 running at 0 queries per second, 6->6 procs, for 20 calls: http://httpbin:8000/get Starting at max qps with 2 thread(s) [gomax 6] for exactly 20 calls (10 per thread + 0) @@ -193,7 +193,7 @@ one connection and request concurrently, you should see some failures when the 1. Bring the number of concurrent connections up to 3: {{< text bash >}} - $ kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 3 -qps 0 -n 30 -loglevel Warning http://httpbin:8000/get + $ kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 3 -qps 0 -n 30 -loglevel Warning http://httpbin:8000/get 20:32:30 I logger.go:97> Log level is now 3 Warning (was 2 Info) Fortio 1.3.1 running at 0 queries per second, 6->6 procs, for 30 calls: http://httpbin:8000/get Starting at max qps with 3 thread(s) [gomax 6] for exactly 30 calls (10 per thread + 0) 
diff --git a/content/en/docs/tasks/traffic-management/circuit-breaking/snips.sh b/content/en/docs/tasks/traffic-management/circuit-breaking/snips.sh index fd46a0bd86..7cf1baf602 100644 --- a/content/en/docs/tasks/traffic-management/circuit-breaking/snips.sh +++ b/content/en/docs/tasks/traffic-management/circuit-breaking/snips.sh @@ -76,8 +76,8 @@ kubectl apply -f <(istioctl kube-inject -f samples/httpbin/sample-client/fortio- } snip_adding_a_client_3() { -FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}') -kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -curl http://httpbin:8000/get +export FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}') +kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -curl http://httpbin:8000/get } ! read -r -d '' snip_adding_a_client_3_out <<\ENDSNIP @@ -108,7 +108,7 @@ x-envoy-upstream-service-time: 36 ENDSNIP snip_tripping_the_circuit_breaker_1() { -kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get +kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 2 -qps 0 -n 20 -loglevel Warning http://httpbin:8000/get } ! read -r -d '' snip_tripping_the_circuit_breaker_1_out <<\ENDSNIP @@ -151,7 +151,7 @@ Code 503 : 3 (15.0 %) ENDSNIP snip_tripping_the_circuit_breaker_3() { -kubectl exec -it "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 3 -qps 0 -n 30 -loglevel Warning http://httpbin:8000/get +kubectl exec "$FORTIO_POD" -c fortio -- /usr/bin/fortio load -c 3 -qps 0 -n 30 -loglevel Warning http://httpbin:8000/get } ! read -r -d '' snip_tripping_the_circuit_breaker_3_out <<\ENDSNIP diff --git a/content/en/docs/tasks/traffic-management/circuit-breaking/test.sh b/content/en/docs/tasks/traffic-management/circuit-breaking/test.sh index c8b22fb405..4bbb43aa14 100644 --- a/content/en/docs/tasks/traffic-management/circuit-breaking/test.sh 
+++ b/content/en/docs/tasks/traffic-management/circuit-breaking/test.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# shellcheck disable=SC1090,SC2154 +# shellcheck disable=SC1090,SC2154,SC2155 # Copyright 2020 Istio Authors # @@ -42,7 +42,7 @@ snip_adding_a_client_1 _wait_for_deployment default fortio-deploy # Make one call to httpbin -_verify_contains snip_adding_a_client_3 "HTTP/1.1 200 OK" +_verify_first_line snip_adding_a_client_3 "$snip_adding_a_client_3_out" # FIXME / TODO: These tests previously relied on checking that the # percentage of 200 and 503 responses fell within a given range. That @@ -54,6 +54,9 @@ _verify_contains snip_adding_a_client_3 "HTTP/1.1 200 OK" # Temporary fix: https://github.com/istio/istio.io/pull/7043 # Issue: https://github.com/istio/istio.io/issues/7074 +# TODO: FORTIO_POD is set in snip_adding_a_client_3. Why is it not still set? +export FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}') + # Make requests with 2 connections _verify_lines snip_tripping_the_circuit_breaker_1 " + Code 200 : 
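Review bot: Adding SC2155 to the file-wide `# shellcheck disable=` line silences the warning that applies to `export FORTIO_POD=$(kubectl get pods ...)`, added further down in this file. In that form the exit status of `kubectl` is replaced by that of `export`, so a failed or empty pod lookup goes unnoticed and only surfaces later as a confusing error from `kubectl exec "$FORTIO_POD"` inside the verify helpers. Splitting the statement lets the check stay enabled and the failure surface at the lookup: `FORTIO_POD=$(kubectl get pods -lapp=fortio -o 'jsonpath={.items[0].metadata.name}')` followed by `export FORTIO_POD`. Whether the script aborts on that failure depends on a `set -e` that is not visible in these hunks.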
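Review bot: The added comment `# TODO: FORTIO_POD is set in snip_adding_a_client_3. Why is it not still set?` leaves an open question in the test that the next reader will have to investigate again. A likely cause, not visible in this hunk, is that `_verify_first_line` runs the snippet in a subshell or command substitution, so the `export` inside `snip_adding_a_client_3` never reaches this script's environment. If the helper confirms that, replace the TODO with a statement such as `# snip_adding_a_client_3 runs in a subshell under _verify_first_line, so FORTIO_POD has to be set again here`.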
@@ -67,12 +70,12 @@ _verify_lines snip_tripping_the_circuit_breaker_3 " " # Query the istio-proxy stats -expected="cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.circuit_breakers.default.rq_pending_open: ... -cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.circuit_breakers.high.rq_pending_open: ... -cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.upstream_rq_pending_active: ... -cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.upstream_rq_pending_failure_eject: ... -cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.upstream_rq_pending_overflow: ... -cluster.outbound|8000||httpbin.istio-io-circuitbreaker.svc.cluster.local.upstream_rq_pending_total: ..." +expected="cluster.outbound|8000||httpbin.default.svc.cluster.local.circuit_breakers.default.rq_pending_open: ... +cluster.outbound|8000||httpbin.default.svc.cluster.local.circuit_breakers.high.rq_pending_open: ... +cluster.outbound|8000||httpbin.default.svc.cluster.local.upstream_rq_pending_active: ... +cluster.outbound|8000||httpbin.default.svc.cluster.local.upstream_rq_pending_failure_eject: ... +cluster.outbound|8000||httpbin.default.svc.cluster.local.upstream_rq_pending_overflow: ... +cluster.outbound|8000||httpbin.default.svc.cluster.local.upstream_rq_pending_total: ..." _verify_like snip_tripping_the_circuit_breaker_5 "$expected" # @cleanup diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md index 953ef30dfe..c37a8388bd 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md 
@@ -619,7 +619,7 @@ to hold the configuration of the NGINX server: 1. Verify that the key and the certificate are successfully loaded in the `istio-egressgateway` pod: {{< text bash >}} - $ kubectl exec -it -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs + $ kubectl exec -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs {{< /text >}} `tls.crt` and `tls.key` should exist in `/etc/istio/nginx-client-certs`, while `ca-chain.cert.pem` in diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh index 8e00adbcf7..337a8cf236 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh +++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh @@ -86,7 +86,7 @@ _wait_for_istio virtualservice default direct-nginx-through-egress-gateway _wait_for_istio destinationrule default originate-mtls-for-nginx # TODO: Verify HTTP connection to nginx -# _verify_contains snip_configure_mutual_tls_origination_for_egress_traffic_3 "Welcome to nginx!" +#_verify_elided snip_configure_mutual_tls_origination_for_egress_traffic_3 "$snip_configure_mutual_tls_origination_for_egress_traffic_3_out" #TODO: verify request is actually being routed through egress gateway diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh index d616a691ee..be364b8e23 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh 
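Review bot: In mtls_test.sh the only check on the result of mutual TLS origination is still commented out after this change; the line is rewritten to `#_verify_elided snip_configure_mutual_tls_origination_for_egress_traffic_3 ...` but not enabled. As far as this hunk shows, the test applies the virtual service and destination rule and then passes without sending a request over the client-certificate path, and the TODO that follows says routing through the egress gateway is unverified too. Either enable the `_verify_elided` call or extend the TODO with the reason it is disabled and a tracking issue, e.g. `# TODO(<issue>): disabled because <reason>; mTLS origination is currently unverified`.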
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh @@ -494,7 +494,7 @@ kubectl -n istio-system patch --type=json deploy istio-egressgateway -p "$(cat g } snip_redeploy_the_egress_gateway_with_the_client_certificates_4() { -kubectl exec -it -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs +kubectl exec -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/nginx-client-certs /etc/istio/nginx-ca-certs } snip_configure_mutual_tls_origination_for_egress_traffic_1() { diff --git a/content/en/docs/tasks/traffic-management/ingress/ingress-control/index.md b/content/en/docs/tasks/traffic-management/ingress/ingress-control/index.md index ba00627a16..9117f4760a 100644 --- a/content/en/docs/tasks/traffic-management/ingress/ingress-control/index.md +++ b/content/en/docs/tasks/traffic-management/ingress/ingress-control/index.md @@ -200,13 +200,8 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic. {{< text bash >}} $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200" HTTP/1.1 200 OK - server: envoy - date: Mon, 29 Jan 2018 04:45:49 GMT - content-type: text/html; charset=utf-8 - access-control-allow-origin: * - access-control-allow-credentials: true - content-length: 0 - x-envoy-upstream-service-time: 48 + server: istio-envoy + ... {{< /text >}} Note that you use the `-H` flag to set the _Host_ HTTP header to @@ -218,9 +213,7 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic. {{< text bash >}} $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers" HTTP/1.1 404 Not Found - date: Mon, 29 Jan 2018 04:45:49 GMT - server: envoy - content-length: 0 + ... {{< /text >}} ## Accessing ingress services using a browser 
diff --git a/content/en/docs/tasks/traffic-management/ingress/ingress-control/snips.sh b/content/en/docs/tasks/traffic-management/ingress/ingress-control/snips.sh index 2f57786bbd..a321bc1c7c 100644 --- a/content/en/docs/tasks/traffic-management/ingress/ingress-control/snips.sh +++ b/content/en/docs/tasks/traffic-management/ingress/ingress-control/snips.sh @@ -117,13 +117,8 @@ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status ! read -r -d '' snip_configuring_ingress_using_an_istio_gateway_3_out <<\ENDSNIP HTTP/1.1 200 OK -server: envoy -date: Mon, 29 Jan 2018 04:45:49 GMT -content-type: text/html; charset=utf-8 -access-control-allow-origin: * -access-control-allow-credentials: true -content-length: 0 -x-envoy-upstream-service-time: 48 +server: istio-envoy +... ENDSNIP snip_configuring_ingress_using_an_istio_gateway_4() { @@ -132,9 +127,7 @@ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/header ! read -r -d '' snip_configuring_ingress_using_an_istio_gateway_4_out <<\ENDSNIP HTTP/1.1 404 Not Found -date: Mon, 29 Jan 2018 04:45:49 GMT -server: envoy -content-length: 0 +... ENDSNIP snip_accessing_ingress_services_using_a_browser_1() { diff --git a/content/en/docs/tasks/traffic-management/ingress/ingress-control/test.sh b/content/en/docs/tasks/traffic-management/ingress/ingress-control/test.sh index 378bd2057f..a24b300c60 100644 --- a/content/en/docs/tasks/traffic-management/ingress/ingress-control/test.sh +++ b/content/en/docs/tasks/traffic-management/ingress/ingress-control/test.sh 
@@ -50,12 +50,10 @@ _wait_for_istio gateway default httpbin-gateway _wait_for_istio virtualservice default httpbin # access the httpbin service -#_verify_first_line snip_configuring_ingress_using_an_istio_gateway_3 "$snip_configuring_ingress_using_an_istio_gateway_3_out" -_verify_contains snip_configuring_ingress_using_an_istio_gateway_3 "HTTP/1.1 200 OK" +_verify_elided snip_configuring_ingress_using_an_istio_gateway_3 "$snip_configuring_ingress_using_an_istio_gateway_3_out" # access the httpbin service -#_verify_first_line snip_configuring_ingress_using_an_istio_gateway_4 "$snip_configuring_ingress_using_an_istio_gateway_4_out" -_verify_contains snip_configuring_ingress_using_an_istio_gateway_4 "HTTP/1.1 404 Not Found" +_verify_elided snip_configuring_ingress_using_an_istio_gateway_4 "$snip_configuring_ingress_using_an_istio_gateway_4_out" # configure for web browser snip_accessing_ingress_services_using_a_browser_1 diff --git a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md index b348134ab8..7edddb6ef5 100644 --- a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md +++ b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/index.md @@ -136,7 +136,7 @@ to hold the configuration of the NGINX server: printed correctly, i.e., `common name (CN)` is equal to `nginx.example.com`. {{< text bash >}} - $ kubectl exec -it "$(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com + $ kubectl exec "$(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com ... SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 ALPN, server accepted to use http/1.1 
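Review bot: Both verification steps in ingress-control/test.sh carry the same comment, `# access the httpbin service`, although the second one requests `/headers` and its expected output is `HTTP/1.1 404 Not Found`. Now that each step compares against the full snippet output, the comments should say what each one asserts: for example `# access the exposed /status/200 path; expect 200 from istio-envoy` for the first and `# access a path that is not exposed; expect 404` for the second.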
diff --git a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh index 3bfbfe5666..ec41ab67a4 100644 --- a/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh +++ b/content/en/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/snips.sh @@ -115,7 +115,7 @@ EOF } snip_deploy_an_nginx_server_5() { -kubectl exec -it "$(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com +kubectl exec "$(kubectl get pod -l run=my-nginx -o jsonpath={.items..metadata.name})" -c istio-proxy -- curl -v -k --resolve nginx.example.com:443:127.0.0.1 https://nginx.example.com } ! read -r -d '' snip_deploy_an_nginx_server_5_out <<\ENDSNIP diff --git a/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md b/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md index af0d88f1fa..f6a64eedf7 100644 --- a/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md +++ b/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md @@ -3,7 +3,7 @@ title: Ingress (Kubernetes) description: Describes how to configure a Kubernetes Ingress object to expose a service outside of the service mesh. weight: 15 keywords: [traffic-management,ingress] -test: no +test: yes --- This task describes how to configure Istio to expose a service outside of the service mesh cluster, using the Kubernetes [Ingress Resource](https://kubernetes.io/docs/concepts/services-networking/ingress/). 
@@ -22,7 +22,7 @@ A [Kubernetes Ingress Resources](https://kubernetes.io/docs/concepts/services-ne Let's see how you can configure a `Ingress` on port 80 for HTTP traffic. -1. Create an Istio `Gateway`: +1. Create an `Ingress` resource: {{< text bash >}} $ kubectl apply -f - <}} - $ curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/status/200 + $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200" HTTP/1.1 200 OK - server: envoy - date: Mon, 29 Jan 2018 04:45:49 GMT - content-type: text/html; charset=utf-8 - access-control-allow-origin: * - access-control-allow-credentials: true - content-length: 0 - x-envoy-upstream-service-time: 48 + server: istio-envoy + ... {{< /text >}} Note that you use the `-H` flag to set the _Host_ HTTP header to @@ -67,11 +62,9 @@ Let's see how you can configure a `Ingress` on port 80 for HTTP traffic. 1. Access any other URL that has not been explicitly exposed. You should see an HTTP 404 error: {{< text bash >}} - $ curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/headers + $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers" HTTP/1.1 404 Not Found - date: Mon, 29 Jan 2018 04:45:49 GMT - server: envoy - content-length: 0 + ... {{< /text >}} ## Next Steps @@ -104,7 +97,15 @@ metadata: name: ingress spec: ingressClassName: istio - ... + rules: + - host: httpbin.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + serviceName: httpbin + servicePort: 8000 {{< /text >}} ## Cleanup diff --git a/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/snips.sh b/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/snips.sh new file mode 100644 index 0000000000..ee691facf4 --- /dev/null +++ b/content/en/docs/tasks/traffic-management/ingress/kubernetes-ingress/snips.sh 
@@ -0,0 +1,90 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/tasks/traffic-management/ingress/kubernetes-ingress/index.md +#################################################################################################### + +snip_configuring_ingress_using_an_ingress_resource_1() { +kubectl apply -f - <}} 1. If you try to access `httpbin` with the previous certificate chain, the attempt now fails. @@ -327,15 +327,15 @@ retrieves unique credentials corresponding to a specific `credentialName`. $ curl -v -HHost:httpbin.example.com --resolve "httpbin.example.com:$SECURE_INGRESS_PORT:$INGRESS_HOST" \ --cacert example.com.crt "https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418" ... - -=[ teapot ]=- + -=[ teapot ]=- - _...._ - .' _ _ `. - | ."` ^ `". _, - \_;`"---"`|// - | ;/ - \_ _/ - `"""` + _...._ + .' _ _ `. + | ."` ^ `". _, + \_;`"---"`|// + | ;/ + \_ _/ + `"""` {{< /text >}} ### Configure a mutual TLS ingress gateway 
@@ -411,15 +411,15 @@ $ kubectl create -n istio-system secret generic httpbin-credential --from-file=t --cacert example.com.crt --cert client.example.com.crt --key client.example.com.key \ "https://httpbin.example.com:$SECURE_INGRESS_PORT/status/418" ... - -=[ teapot ]=- + -=[ teapot ]=- - _...._ - .' _ _ `. - | ."` ^ `". _, - \_;`"---"`|// - | ;/ - \_ _/ - `"""` + _...._ + .' _ _ `. + | ."` ^ `". _, + \_;`"---"`|// + | ;/ + \_ _/ + `"""` {{< /text >}} Istio supports reading a few different Secret formats, to support integration with various tools such as [cert-manager](/docs/ops/integrations/certmanager/): diff --git a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh index fbf01a7a7c..78adb992ee 100644 --- a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh +++ b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/snips.sh @@ -116,15 +116,15 @@ curl -v -HHost:httpbin.example.com --resolve "httpbin.example.com:$SECURE_INGRES ... HTTP/2 418 ... --=[ teapot ]=- + -=[ teapot ]=- - _...._ - .' _ _ `. -| ."` ^ `". _, -\_;`"---"`|// - | ;/ - \_ _/ - `"""` + _...._ + .' _ _ `. + | ."` ^ `". _, + \_;`"---"`|// + | ;/ + \_ _/ + `"""` ENDSNIP snip_configure_a_tls_ingress_gateway_for_a_single_host_8() { @@ -270,15 +270,15 @@ curl -v -HHost:httpbin.example.com --resolve "httpbin.example.com:$SECURE_INGRES ! read -r -d '' snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8_out <<\ENDSNIP ... --=[ teapot ]=- + -=[ teapot ]=- - _...._ - .' _ _ `. -| ."` ^ `". _, -\_;`"---"`|// - | ;/ - \_ _/ - `"""` + _...._ + .' _ _ `. + | ."` ^ `". _, + \_;`"---"`|// + | ;/ + \_ _/ + `"""` ENDSNIP snip_configure_a_mutual_tls_ingress_gateway_1() { 
@@ -342,15 +342,15 @@ curl -v -HHost:httpbin.example.com --resolve "httpbin.example.com:$SECURE_INGRES ! read -r -d '' snip_configure_a_mutual_tls_ingress_gateway_5_out <<\ENDSNIP ... --=[ teapot ]=- + -=[ teapot ]=- - _...._ - .' _ _ `. -| ."` ^ `". _, -\_;`"---"`|// - | ;/ - \_ _/ - `"""` + _...._ + .' _ _ `. + | ."` ^ `". _, + \_;`"---"`|// + | ;/ + \_ _/ + `"""` ENDSNIP snip_troubleshooting_1() { diff --git a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/test.sh b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/test.sh index dce922301f..4f7677467c 100644 --- a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/test.sh +++ b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/test.sh @@ -61,10 +61,7 @@ snip_configure_a_tls_ingress_gateway_for_a_single_host_6 # TODO: wait for the secret change to propagate # verifying new httpbin credentials -_verify_lines snip_configure_a_tls_ingress_gateway_for_a_single_host_7 " -+ HTTP/2 418 -+ -=[ teapot ]=- -" +_verify_elided snip_configure_a_tls_ingress_gateway_for_a_single_host_7 "$snip_configure_a_tls_ingress_gateway_for_a_single_host_7_out" # verifying old httpbin credentials no longer work _verify_failure snip_configure_a_tls_ingress_gateway_for_a_single_host_8 @@ -91,10 +88,7 @@ _wait_for_istio virtualservice default helloworld-v1 _verify_contains snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7 "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_7_out" -_verify_lines snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 " -+ HTTP/2 418 -+ -=[ teapot ]=- -" +_verify_elided snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8 "$snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8_out" snip_configure_a_mutual_tls_ingress_gateway_1 
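Review bot: Switching `snip_configure_a_tls_ingress_gateway_for_multiple_hosts_8` to `_verify_elided` drops the explicit `HTTP/2 418` assertion that the removed `_verify_lines` call made. The expected output for this snippet in snips.sh starts with `...` and goes straight to the teapot body, whereas `snip_configure_a_tls_ingress_gateway_for_a_single_host_7_out` keeps the `HTTP/2 418` line. The same applies to `snip_configure_a_mutual_tls_ingress_gateway_5` in the following hunk of this file. Assuming `...` matches arbitrary text, the status line is no longer checked for these two requests. Adding `HTTP/2 418` followed by `...` to the two snippet outputs in index.md (snips.sh is generated from it) would restore the check.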
@@ -107,10 +101,7 @@ _verify_failure snip_configure_a_mutual_tls_ingress_gateway_3 snip_configure_a_mutual_tls_ingress_gateway_4 -_verify_lines snip_configure_a_mutual_tls_ingress_gateway_5 " -+ HTTP/2 418 -+ -=[ teapot ]=- -" +_verify_elided snip_configure_a_mutual_tls_ingress_gateway_5 "$snip_configure_a_mutual_tls_ingress_gateway_5_out" # @cleanup set +e # ignore cleanup errors diff --git a/scripts/snip.py b/scripts/snip.py index b574d16cc6..86926bcf4d 100644 --- a/scripts/snip.py +++ b/scripts/snip.py @@ -54,6 +54,7 @@ HEADER = """#!/bin/bash startsnip = re.compile(r"^(\s*){{< text (syntax=)?\"?(\w+)\"? .*>}}$") snippetid = re.compile(r"snip_id=(\w+)") githubfile = re.compile(r"^([^@]*)(?