Check deprecated APIs

Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy flags resources that use API versions which are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule (not part of the policy as shown below), the Lease kind has been commented out because checking this kind carries a performance penalty on Kubernetes clusters with many leases. Enable it with care; it is not recommended on large clusters. PodSecurityPolicy is removed in v1.25, so the validate-v1-25-removals rule may not work completely on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.

Policy Definition

/best-practices/check-deprecated-apis/check-deprecated-apis.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-deprecated-apis
  annotations:
    policies.kyverno.io/title: Check deprecated APIs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: Kubernetes APIs
    kyverno.io/kyverno-version: 1.7.4
    policies.kyverno.io/minversion: 1.7.4
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Kubernetes APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
      has been commented out due to a check for this kind having a performance penalty
      on Kubernetes clusters with many leases. Its enabling should be attended carefully
      and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
      so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
      This policy requires Kyverno v1.7.4+ to function properly.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-v1-25-removals
    match:
      any:
      - resources:
          # NOTE: PodSecurityPolicy is completely removed in 1.25.
          kinds:
          - batch/*/CronJob
          - discovery.k8s.io/*/EndpointSlice
          - events.k8s.io/*/Event
          - policy/*/PodDisruptionBudget
          - policy/*/PodSecurityPolicy
          - node.k8s.io/*/RuntimeClass
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - batch/v1beta1
        - discovery.k8s.io/v1beta1
        - events.k8s.io/v1beta1
        - policy/v1beta1
        - node.k8s.io/v1beta1
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-26-removals
    match:
      any:
      - resources:
          kinds:
          - flowcontrol.apiserver.k8s.io/*/FlowSchema
          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
          - autoscaling/*/HorizontalPodAutoscaler
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - flowcontrol.apiserver.k8s.io/v1beta1
        - autoscaling/v2beta2
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-27-removals
    match:
      any:
      - resources:
          kinds:
          - storage.k8s.io/*/CSIStorageCapacity
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - storage.k8s.io/v1beta1
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-29-removals
    match:
      any:
      - resources:
          kinds:
          - flowcontrol.apiserver.k8s.io/*/FlowSchema
          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - flowcontrol.apiserver.k8s.io/v1beta2
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
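As an added example (not Kyverno's own code and not part of the policy above), the following Python check mirrors the four validate-v1-2x-removals rules so manifests can be linted in CI before they reach the admission controller; the (apiVersion, kind) table is transcribed from the rules, the `request.operation || 'BACKGROUND'` fallback for background scans is modelled explicitly, and the sample objects are constructed.

```python
# Added example, not Kyverno code: offline check mirroring the rules above.
import json
from typing import Optional

# (apiVersion, kind) -> Kubernetes release in which that API version is removed.
REMOVALS = {
    ("batch/v1beta1", "CronJob"): "v1.25",
    ("discovery.k8s.io/v1beta1", "EndpointSlice"): "v1.25",
    ("events.k8s.io/v1beta1", "Event"): "v1.25",
    ("policy/v1beta1", "PodDisruptionBudget"): "v1.25",
    ("policy/v1beta1", "PodSecurityPolicy"): "v1.25",
    ("node.k8s.io/v1beta1", "RuntimeClass"): "v1.25",
    ("flowcontrol.apiserver.k8s.io/v1beta1", "FlowSchema"): "v1.26",
    ("flowcontrol.apiserver.k8s.io/v1beta1", "PriorityLevelConfiguration"): "v1.26",
    ("autoscaling/v2beta2", "HorizontalPodAutoscaler"): "v1.26",
    ("storage.k8s.io/v1beta1", "CSIStorageCapacity"): "v1.27",
    ("flowcontrol.apiserver.k8s.io/v1beta2", "FlowSchema"): "v1.29",
    ("flowcontrol.apiserver.k8s.io/v1beta2", "PriorityLevelConfiguration"): "v1.29",
}
GUIDE = "https://kubernetes.io/docs/reference/using-api/deprecation-guide/"

def check_object(obj: dict, operation: Optional[str] = None) -> Optional[str]:
    """Deny message the policy would emit, or None. operation=None models a
    background scan: `request.operation || 'BACKGROUND'` yields 'BACKGROUND',
    which is not DELETE, so objects already in the cluster are still reported."""
    if (operation or "BACKGROUND") == "DELETE":
        return None  # the preconditions skip deletes so old objects can be cleaned up
    api_version, kind = obj.get("apiVersion", ""), obj.get("kind", "")
    removed_in = REMOVALS.get((api_version, kind))
    if removed_in is None:
        return None  # not a tracked kind, or already on a supported version
    return f"{api_version}/{kind} is deprecated and will be removed in {removed_in}. See: {GUIDE}"

def check_manifests(objects: list, operation: Optional[str] = None) -> list:
    """Return (metadata.name, message) for every object the policy would flag."""
    failures = []
    for obj in objects:
        msg = check_object(obj, operation)
        if msg is not None:
            failures.append((obj.get("metadata", {}).get("name", "<unnamed>"), msg))
    return failures

# Constructed sample input, in the shape `kubectl get -o json` produces.
SAMPLE = json.loads("""[
  {"apiVersion": "batch/v1beta1", "kind": "CronJob", "metadata": {"name": "old-cron"}},
  {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "new-cron"}},
  {"apiVersion": "autoscaling/v2beta2", "kind": "HorizontalPodAutoscaler", "metadata": {"name": "web-hpa"}}
]""")
```

Because the policy runs with validationFailureAction: audit, the same findings appear as PolicyReport results in the cluster; the script only lets you see them earlier.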