Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates against APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out because checking for this kind carries a performance penalty on Kubernetes clusters with many leases; enable it with care, and not on large clusters. PodSecurityPolicy is removed in v1.25, so the validate-v1-25-removals rule may not work completely on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-deprecated-apis
  annotations:
    policies.kyverno.io/title: Check deprecated APIs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: Kubernetes APIs
    kyverno.io/kyverno-version: 1.7.4
    policies.kyverno.io/minversion: 1.7.4
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Kubernetes APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has
      been commented out due to a check for this kind having a performance penalty on
      Kubernetes clusters with many leases. Its enabling should be attended carefully and
      is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so
      therefore the validate-v1-25-removals rule may not completely work on 1.25+.
      This policy requires Kyverno v1.7.4+ to function properly.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-v1-25-removals
    match:
      any:
      - resources:
          kinds:
          - batch/*/CronJob
          - discovery.k8s.io/*/EndpointSlice
          - events.k8s.io/*/Event
          - policy/*/PodDisruptionBudget
          - policy/*/PodSecurityPolicy
          - node.k8s.io/*/RuntimeClass
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - batch/v1beta1
        - discovery.k8s.io/v1beta1
        - events.k8s.io/v1beta1
        - policy/v1beta1
        - node.k8s.io/v1beta1
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.25.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-26-removals
    match:
      any:
      - resources:
          kinds:
          - flowcontrol.apiserver.k8s.io/*/FlowSchema
          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
          - autoscaling/*/HorizontalPodAutoscaler
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - flowcontrol.apiserver.k8s.io/v1beta1
        - autoscaling/v2beta2
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.26.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-27-removals
    match:
      any:
      - resources:
          kinds:
          - storage.k8s.io/*/CSIStorageCapacity
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - storage.k8s.io/v1beta1
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.27.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-29-removals
    match:
      any:
      - resources:
          kinds:
          - flowcontrol.apiserver.k8s.io/*/FlowSchema
          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - flowcontrol.apiserver.k8s.io/v1beta2
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.29.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-32-removals
    match:
      any:
      - resources:
          kinds:
          - flowcontrol.apiserver.k8s.io/*/FlowSchema
          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - flowcontrol.apiserver.k8s.io/v1beta3
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.32.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
```
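Each rule above works in two stages: the `match` block selects a kind across every version of its API group (`batch/*/CronJob`), and the `preconditions` then narrow the hit to the deprecated `apiVersion` values and skip `DELETE` operations, so that removing an old object is never blocked. The following script, an added example that is not part of the Kyverno policy library, replays that same two-stage logic offline over manifests (embedded here as constructed Python dicts rather than parsed YAML, so it runs with the standard library alone). The removal table is transcribed from the rules above; the function names and the sample manifests are this example's own.

```python
"""Offline dry-run of the check-deprecated-apis rule logic (added example).

Mirrors the policy's flow: a kind matched across all versions of its group,
then an apiVersion precondition, with DELETE operations exempt. The table
is transcribed from the policy rules on this page and is illustrative only.
"""

DEPRECATION_GUIDE = "https://kubernetes.io/docs/reference/using-api/deprecation-guide/"

# (group, kind) -> {deprecated apiVersion: release in which it is removed}
FLOWCONTROL_REMOVALS = {
    "flowcontrol.apiserver.k8s.io/v1beta1": "v1.26",
    "flowcontrol.apiserver.k8s.io/v1beta2": "v1.29",
    "flowcontrol.apiserver.k8s.io/v1beta3": "v1.32",
}
REMOVALS = {
    ("batch", "CronJob"): {"batch/v1beta1": "v1.25"},
    ("discovery.k8s.io", "EndpointSlice"): {"discovery.k8s.io/v1beta1": "v1.25"},
    ("events.k8s.io", "Event"): {"events.k8s.io/v1beta1": "v1.25"},
    ("policy", "PodDisruptionBudget"): {"policy/v1beta1": "v1.25"},
    ("policy", "PodSecurityPolicy"): {"policy/v1beta1": "v1.25"},
    ("node.k8s.io", "RuntimeClass"): {"node.k8s.io/v1beta1": "v1.25"},
    ("flowcontrol.apiserver.k8s.io", "FlowSchema"): FLOWCONTROL_REMOVALS,
    ("flowcontrol.apiserver.k8s.io", "PriorityLevelConfiguration"): FLOWCONTROL_REMOVALS,
    ("autoscaling", "HorizontalPodAutoscaler"): {"autoscaling/v2beta2": "v1.26"},
    ("storage.k8s.io", "CSIStorageCapacity"): {"storage.k8s.io/v1beta1": "v1.27"},
}


def split_api_version(api_version):
    """'batch/v1beta1' -> ('batch', 'v1beta1'); core-group 'v1' -> ('', 'v1')."""
    group, sep, version = api_version.rpartition("/")
    return (group, version) if sep else ("", api_version)


def check_manifest(obj, operation="BACKGROUND"):
    """Return the policy-style violation message, or None if the object passes.

    `operation` stands in for `request.operation`; background scans have none,
    which the policy expresses as `{{ request.operation || 'BACKGROUND' }}`.
    """
    if operation == "DELETE":          # precondition 1: deletions are always allowed
        return None
    api_version = obj.get("apiVersion", "")
    kind = obj.get("kind", "")
    group, _ = split_api_version(api_version)
    versions = REMOVALS.get((group, kind))
    if versions is None:               # match stage: kind not covered by any rule
        return None
    removed_in = versions.get(api_version)
    if removed_in is None:             # precondition 2: a current apiVersion, no finding
        return None
    return (f"{api_version}/{kind} is deprecated and will be removed in {removed_in}. "
            f"See: {DEPRECATION_GUIDE}")


def audit(manifests, operation="BACKGROUND"):
    """Return (metadata.name, message) for every manifest that would be reported."""
    findings = []
    for obj in manifests:
        message = check_manifest(obj, operation)
        if message:
            findings.append((obj.get("metadata", {}).get("name", "<unnamed>"), message))
    return findings


# Constructed sample manifests: two deprecated objects, three that pass.
SAMPLE_MANIFESTS = [
    {"apiVersion": "batch/v1beta1", "kind": "CronJob", "metadata": {"name": "old-cron"}},
    {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "new-cron"}},
    {"apiVersion": "flowcontrol.apiserver.k8s.io/v1beta3", "kind": "FlowSchema",
     "metadata": {"name": "legacy-flowschema"}},
    {"apiVersion": "autoscaling/v2", "kind": "HorizontalPodAutoscaler",
     "metadata": {"name": "web-hpa"}},
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "app-config"}},
]

if __name__ == "__main__":
    for name, message in audit(SAMPLE_MANIFESTS):
        print(f"{name}: {message}")
```

Running it reports `old-cron` (removed in v1.25) and `legacy-flowschema` (removed in v1.32) and stays silent for the current-version objects; passing `operation="DELETE"` yields no findings at all, which is the behaviour the `NotEquals DELETE` precondition guarantees in the cluster. Note that the `Event` rule will only fire in a real cluster if the Kyverno ConfigMap's resource filters do not exclude Events, as the description above warns.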