Check deprecated APIs in CEL expressions
Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy checks for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25, so the validate-v1-25-removals rule may not completely work on 1.25+.
Policy Definition
/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
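apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-deprecated-apis
  annotations:
    policies.kyverno.io/title: Check deprecated APIs in CEL expressions
    policies.kyverno.io/category: Best Practices in CEL
    policies.kyverno.io/subject: Kubernetes APIs
    # Version annotations are quoted so that tooling never retypes them
    # as numbers; both values are plain strings to Kyverno.
    kyverno.io/kyverno-version: "1.12.1"
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Kubernetes APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25
      so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
spec:
  # Audit records violations in policy reports without rejecting the
  # request; switch to Enforce to block deprecated manifests at admission.
  validationFailureAction: Audit
  # Background scanning also evaluates resources that already exist in the
  # cluster, not only new admission requests.
  background: true
  rules:
    # Every rule follows the same shape: match a set of kinds at any API
    # version, narrow to the deprecated versions with a CEL precondition,
    # then fail unconditionally with a message naming the removal release.
    - name: validate-v1-25-removals
      match:
        any:
          - resources:
              # NOTE: PodSecurityPolicy is completely removed in 1.25.
              kinds:
                - batch/*/CronJob
                - discovery.k8s.io/*/EndpointSlice
                - events.k8s.io/*/Event
                - policy/*/PodDisruptionBudget
                - policy/*/PodSecurityPolicy
                - node.k8s.io/*/RuntimeClass
      celPreconditions:
        # NOTE(review): the 1.26-1.27 clusters named in the annotation
        # presumably no longer serve these v1beta1 versions, so this rule
        # is expected to fire mainly on clusters still upgrading — confirm.
        - name: "allowed-api-versions"
          expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']"
      validate:
        cel:
          expressions:
            # Always fails once the precondition selected a deprecated
            # apiVersion; the message carries the offending group/version/kind.
            - expression: "false"
              messageExpression: >-
                object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.25.
                See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
    - name: validate-v1-26-removals
      match:
        any:
          - resources:
              kinds:
                - flowcontrol.apiserver.k8s.io/*/FlowSchema
                - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
                - autoscaling/*/HorizontalPodAutoscaler
      celPreconditions:
        - name: "allowed-api-versions"
          expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']"
      validate:
        cel:
          expressions:
            - expression: "false"
              messageExpression: >-
                object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.26.
                See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
    - name: validate-v1-27-removals
      match:
        any:
          - resources:
              kinds:
                - storage.k8s.io/*/CSIStorageCapacity
      celPreconditions:
        - name: "allowed-api-versions"
          expression: "object.apiVersion in ['storage.k8s.io/v1beta1']"
      validate:
        cel:
          expressions:
            - expression: "false"
              messageExpression: >-
                object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.27.
                See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
    - name: validate-v1-29-removals
      match:
        any:
          - resources:
              kinds:
                # The same flowcontrol kinds as the v1.26 rule, but this
                # rule targets the later v1beta2 version.
                - flowcontrol.apiserver.k8s.io/*/FlowSchema
                - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
      celPreconditions:
        # Precondition name aligned with the other rules (was "object.apiVersion").
        - name: "allowed-api-versions"
          expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']"
      validate:
        cel:
          expressions:
            - expression: "false"
              messageExpression: >-
                object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.29.
                See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'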