Improve upgrade procedure

This improves the upgrade.yml playbook to do more than just the kubeadm upgrade.

The docker-ce packages are also now marked as hold (as well as nvidia-container-toolkit and nvidia-docker2). This will prevent spurious upgrades of Docker (ex: from unattended-upgrades) restarting containers which can cause issues (particularly on master nodes).