Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions before upgrading to the release that removes them. This policy validates for APIs that are deprecated or scheduled for removal: each rule matches a kind across every version (the batch/*/CronJob form) and a precondition on apiVersion flags only the deprecated versions. DELETE operations are excluded by a second precondition, so removing an old object is never blocked, and the {{ request.operation || 'BACKGROUND' }} fallback lets the same rules run in background scans of existing resources, where there is no admission request. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters: the default resourceFilters exclude Event, for example, so the events.k8s.io/v1beta1 check never runs until that filter is removed. The description mentions a validate-v1-22-removals rule in which the Lease kind was commented out because checking that kind has a performance penalty on Kubernetes clusters with many leases; the policy as shown below no longer carries that rule, and a Lease check should be enabled only with care and is not recommended on large clusters. PodSecurityPolicy is removed entirely in v1.25, so the policy/*/PodSecurityPolicy kind in the validate-v1-25-removals rule cannot be resolved on 1.25+ clusters and that rule may not work completely there. The policy ships with validationFailureAction: Audit, so violations are only recorded in policy reports; set it to Enforce to reject deprecated manifests at admission. This policy requires Kyverno v1.7.4+ to function properly.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-deprecated-apis
  annotations:
    policies.kyverno.io/title: Check deprecated APIs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: Kubernetes APIs
    kyverno.io/kyverno-version: 1.7.4
    policies.kyverno.io/minversion: 1.7.4
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Kubernetes APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
      has been commented out due to a check for this kind having a performance penalty
      on Kubernetes clusters with many leases. Its enabling should be attended carefully
      and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
      so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
      This policy requires Kyverno v1.7.4+ to function properly.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-v1-25-removals
    match:
      any:
      - resources:
          kinds:
          - batch/*/CronJob
          - discovery.k8s.io/*/EndpointSlice
          - events.k8s.io/*/Event
          - policy/*/PodDisruptionBudget
          - policy/*/PodSecurityPolicy
          - node.k8s.io/*/RuntimeClass
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - batch/v1beta1
        - discovery.k8s.io/v1beta1
        - events.k8s.io/v1beta1
        - policy/v1beta1
        - node.k8s.io/v1beta1
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.25.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-26-removals
    match:
      any:
      - resources:
          kinds:
          - flowcontrol.apiserver.k8s.io/*/FlowSchema
          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
          - autoscaling/*/HorizontalPodAutoscaler
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - flowcontrol.apiserver.k8s.io/v1beta1
        - autoscaling/v2beta2
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.26.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-27-removals
    match:
      any:
      - resources:
          kinds:
          - storage.k8s.io/*/CSIStorageCapacity
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - storage.k8s.io/v1beta1
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.27.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-29-removals
    match:
      any:
      - resources:
          kinds:
          - flowcontrol.apiserver.k8s.io/*/FlowSchema
          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - flowcontrol.apiserver.k8s.io/v1beta2
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.29.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-32-removals
    match:
      any:
      - resources:
          kinds:
          - flowcontrol.apiserver.k8s.io/*/FlowSchema
          - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
      - key: "{{request.object.apiVersion}}"
        operator: AnyIn
        value:
        - flowcontrol.apiserver.k8s.io/v1beta3
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and
        will be removed in v1.32.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
```
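Before applying the policy to a cluster, the validate-v1-25-removals rule can be exercised offline with the Kyverno CLI. The files below are an added example written for this page, not part of the policy library; they assume the ClusterPolicy above has been saved as check-deprecated-apis.yaml in the same directory and use the cli.kyverno.io/v1alpha1 Test layout of the Kyverno CLI (1.11 and later). The two CronJob manifests are constructed sample input. The batch/v1 CronJob matches the rule's batch/*/CronJob kind but not its apiVersion precondition, so Kyverno reports it as skip rather than pass; only a current-version object that also satisfied the preconditions would show as pass.

```yaml
# --- resources.yaml: constructed sample input, one deprecated and one current CronJob ---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: deprecated-cronjob
  namespace: default
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
          - name: hello
            image: busybox:1.36
            command: ["echo", "hello"]
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: current-cronjob
  namespace: default
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
          - name: hello
            image: busybox:1.36
            command: ["echo", "hello"]
---
# --- kyverno-test.yaml: expected outcome per resource for `kyverno test` ---
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: check-deprecated-apis
policies:
- check-deprecated-apis.yaml
resources:
- resources.yaml
results:
# batch/v1beta1 is in the rule's AnyIn list, so deny: {} fires.
- policy: check-deprecated-apis
  rule: validate-v1-25-removals
  resources:
  - deprecated-cronjob
  kind: CronJob
  result: fail
# batch/v1 matches the kind wildcard but fails the apiVersion precondition,
# so the rule is skipped rather than passed.
- policy: check-deprecated-apis
  rule: validate-v1-25-removals
  resources:
  - current-cronjob
  kind: CronJob
  result: skip
```

Split the block at the two file comments, then run `kyverno test .` in that directory. Because the CLI evaluates the policy without a cluster, the batch/v1beta1 object can be tested even on a workstation whose target clusters are already past v1.25. The same layout extends to the other rules: add an autoscaling/v2beta2 HorizontalPodAutoscaler or a flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema to resources.yaml and a matching fail entry under results.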
This policy performs some best-practice validation on Argo CD Application fields. Exactly one of spec.source.path or spec.source.chart must be specified, never both, since a Git path and a Helm chart describe different source types. Likewise, exactly one of spec.destination.name or spec.destination.server must be specified, never both, since a destination cluster is identified either by its registered name or by its API server URL.
This policy prevents the use of the default AppProject in an Application. The default project places no restrictions on source repositories, destination clusters or resource kinds, so an Application placed in it bypasses the guardrails that a restricted project provides.
This policy prevents updates to the spec.project field after an Application is created, since moving an Application to a different AppProject changes which repositories, clusters and resource kinds it is allowed to deploy.
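The three Argo CD checks above can be expressed as one Kyverno ClusterPolicy. The policy below is an added example written for this page, not the policy library's own implementation; its name and rule names are chosen for the example, it assumes Argo CD Applications are the argoproj.io/v1alpha1 Application kind, and it uses a JMESPath count to express "exactly one of two fields" rather than whatever construction the library policies use. It generalizes the description slightly by treating an empty string the same as an absent field.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: argocd-application-guardrails   # hypothetical name, chosen for this example
spec:
  validationFailureAction: Enforce
  # request.oldObject (used by the project-immutable rule) exists only during
  # admission, so background scanning has to be disabled for this policy.
  background: false
  rules:
  # Exactly one of spec.source.path and spec.source.chart must be set.
  - name: source-path-or-chart
    match:
      any:
      - resources:
          kinds:
          - argoproj.io/v1alpha1/Application
    validate:
      message: "Exactly one of spec.source.path or spec.source.chart must be specified, never both."
      deny:
        conditions:
          any:
          # Default each field to "" when absent, drop the empty ones and count
          # what is left: anything other than 1 means none or both were set.
          - key: "{{ length([request.object.spec.source.path || '', request.object.spec.source.chart || ''] | [?@ != '']) }}"
            operator: NotEquals
            value: 1
  # Exactly one of spec.destination.name and spec.destination.server must be set.
  - name: destination-name-or-server
    match:
      any:
      - resources:
          kinds:
          - argoproj.io/v1alpha1/Application
    validate:
      message: "Exactly one of spec.destination.name or spec.destination.server must be specified, never both."
      deny:
        conditions:
          any:
          - key: "{{ length([request.object.spec.destination.name || '', request.object.spec.destination.server || ''] | [?@ != '']) }}"
            operator: NotEquals
            value: 1
  # The default AppProject places no restrictions on sources, destinations or kinds.
  - name: no-default-project
    match:
      any:
      - resources:
          kinds:
          - argoproj.io/v1alpha1/Application
    validate:
      message: "Applications may not use the default AppProject; set spec.project to a restricted project."
      pattern:
        spec:
          # "!" negates the value: the field must be present and must not equal "default".
          project: "!default"
  # Once admitted, an Application may not be moved to another AppProject.
  - name: project-immutable
    match:
      any:
      - resources:
          kinds:
          - argoproj.io/v1alpha1/Application
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: Equals
        value: UPDATE
    validate:
      message: "spec.project may not be changed after an Application is created."
      deny:
        conditions:
          any:
          - key: "{{ request.object.spec.project || '' }}"
            operator: NotEquals
            value: "{{ request.oldObject.spec.project || '' }}"
```

The fully qualified argoproj.io/v1alpha1/Application kind avoids matching other CRDs that also call their kind Application. validationFailureAction is set to Enforce because all three descriptions say the policy prevents something; switch it to Audit to only record violations in policy reports first. Because background must be false for the rule that reads request.oldObject, the first three rules are not applied to Applications that already exist; if a report on existing objects is wanted, move them into a separate policy with background: true.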