Check deprecated APIs
Kubernetes APIs are sometimes deprecated and then removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy checks for the use of APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out because checking this kind carries a performance penalty on Kubernetes clusters with many leases. Enable it with care; it is not recommended on large clusters. PodSecurityPolicy is removed in v1.25, so the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
Policy Definition
/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
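# Kyverno ClusterPolicy that flags objects still using Kubernetes API versions
# scheduled for removal in v1.25, v1.26, v1.27 and v1.29.
#
# Reading guide:
#   * Each rule matches a set of kinds with a wildcard version (`group/*/Kind`)
#     and then narrows to the deprecated apiVersion in `preconditions`.
#   * `deny: {}` has no conditions, so every object that passes `match` and
#     `preconditions` is reported as a violation.
#   * The rule set is static and stops at the v1.29 removals; later removals
#     are not covered by this listing and have to be added as new rules.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-deprecated-apis
  annotations:
    policies.kyverno.io/title: Check deprecated APIs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: Kubernetes APIs
    # Version strings are quoted so no parser can retype them; annotation
    # values must be strings.
    kyverno.io/kyverno-version: "1.7.4"
    policies.kyverno.io/minversion: "1.7.4"
    kyverno.io/kubernetes-version: "1.23"
    # NOTE(review): the description below refers to a validate-v1-22-removals
    # rule and a commented-out Lease kind; neither appears in the rules of this
    # listing, so that part of the text looks stale. Confirm against the
    # policy's history before relying on it.
    # "Modifying the Kyverno ConfigMap to remove filters" matters for coverage:
    # a kind that Kyverno is configured to filter out is never evaluated, so
    # the absence of violations for it does not prove the absence of
    # deprecated objects.
    policies.kyverno.io/description: >-
      Kubernetes APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
      has been commented out due to a check for this kind having a performance penalty
      on Kubernetes clusters with many leases. Its enabling should be attended carefully
      and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
      so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
      This policy requires Kyverno v1.7.4+ to function properly.
spec:
  # audit: violations are recorded in policy reports and the request is still
  # admitted. Nothing is blocked by this policy as written; review the reports
  # before considering enforcement, because an enforcing deny would reject
  # every create/update of a matching object.
  validationFailureAction: audit
  # background: true also evaluates resources that already exist in the
  # cluster, not only incoming admission requests.
  background: true
  rules:
    - name: validate-v1-25-removals
      match:
        any:
          - resources:
              # NOTE: PodSecurityPolicy is completely removed in 1.25.
              # On 1.25+ the kind no longer exists, so it cannot be matched
              # there. Clusters that relied on PodSecurityPolicy for pod
              # hardening need a replacement control (for example Pod Security
              # Admission) in place before upgrading.
              kinds:
                - batch/*/CronJob
                - discovery.k8s.io/*/EndpointSlice
                - events.k8s.io/*/Event
                - policy/*/PodDisruptionBudget
                - policy/*/PodSecurityPolicy
                - node.k8s.io/*/RuntimeClass
      preconditions:
        all:
          # Skip DELETE so removing a deprecated object is not itself flagged.
          # Background scans carry no admission request, so the `||` fallback
          # substitutes 'BACKGROUND' and the check still passes.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
          # Only the deprecated versions listed here are reported; the same
          # kinds served from a newer apiVersion pass untouched.
          - key: "{{request.object.apiVersion}}"
            operator: AnyIn
            value:
              - batch/v1beta1
              - discovery.k8s.io/v1beta1
              - events.k8s.io/v1beta1
              - policy/v1beta1
              - node.k8s.io/v1beta1
      validate:
        message: >-
          {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
          See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
        deny: {}
    - name: validate-v1-26-removals
      match:
        any:
          - resources:
              kinds:
                - flowcontrol.apiserver.k8s.io/*/FlowSchema
                - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
                - autoscaling/*/HorizontalPodAutoscaler
      preconditions:
        all:
          # Same DELETE / background-scan guard as in validate-v1-25-removals.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
          - key: "{{request.object.apiVersion}}"
            operator: AnyIn
            value:
              - flowcontrol.apiserver.k8s.io/v1beta1
              - autoscaling/v2beta2
      validate:
        message: >-
          {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
          See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
        deny: {}
    - name: validate-v1-27-removals
      match:
        any:
          - resources:
              kinds:
                - storage.k8s.io/*/CSIStorageCapacity
      preconditions:
        all:
          # Same DELETE / background-scan guard as in validate-v1-25-removals.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
          - key: "{{request.object.apiVersion}}"
            operator: AnyIn
            value:
              - storage.k8s.io/v1beta1
      validate:
        message: >-
          {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
          See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
        deny: {}
    # Matches the same flowcontrol kinds as validate-v1-26-removals, but for
    # the v1beta2 version rather than v1beta1.
    - name: validate-v1-29-removals
      match:
        any:
          - resources:
              kinds:
                - flowcontrol.apiserver.k8s.io/*/FlowSchema
                - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
      preconditions:
        all:
          # Same DELETE / background-scan guard as in validate-v1-25-removals.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
          - key: "{{request.object.apiVersion}}"
            operator: AnyIn
            value:
              - flowcontrol.apiserver.k8s.io/v1beta2
      validate:
        message: >-
          {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29.
          See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
        deny: {}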