Check deprecated APIs
Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out because a check for this kind carries a performance penalty on Kubernetes clusters with many leases. Enabling it should be done with care and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25, so the validate-v1-25-removals rule may not work completely on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
Policy Definition
/best-practices/check_deprecated_apis/check_deprecated_apis.yaml
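apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-deprecated-apis
  annotations:
    policies.kyverno.io/title: Check deprecated APIs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: Kubernetes APIs
    # Version strings are quoted so no YAML parser can retype them.
    kyverno.io/kyverno-version: "1.7.4"
    policies.kyverno.io/minversion: "1.7.4"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Kubernetes APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
      has been commented out due to a check for this kind having a performance penalty
      on Kubernetes clusters with many leases. Its enabling should be attended carefully
      and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
      so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
      This policy requires Kyverno v1.7.4+ to function properly.
spec:
  # audit: violations are reported (policy reports / events) rather than
  # blocking admission. Switch to enforce only after reviewing the reports.
  validationFailureAction: audit
  # Also scan resources that already exist in the cluster, not only new
  # admission requests.
  background: true
  rules:
    # Every rule below has the same shape:
    #   match.resources.kinds  - group/*/Kind patterns the rule is evaluated for
    #   preconditions          - skip DELETE requests, then keep only objects whose
    #                            apiVersion is removed in that Kubernetes release
    #   validate.deny: {}      - unconditional deny: anything that passes the
    #                            preconditions is reported as a violation
    - name: validate-v1-22-removals
      match:
        any:
          - resources:
              kinds:
                - admissionregistration.k8s.io/*/ValidatingWebhookConfiguration
                - admissionregistration.k8s.io/*/MutatingWebhookConfiguration
                - apiextensions.k8s.io/*/CustomResourceDefinition
                - apiregistration.k8s.io/*/APIService
                - authentication.k8s.io/*/TokenReview
                - authorization.k8s.io/*/SubjectAccessReview
                - authorization.k8s.io/*/LocalSubjectAccessReview
                - authorization.k8s.io/*/SelfSubjectAccessReview
                - certificates.k8s.io/*/CertificateSigningRequest
                # Lease is intentionally disabled: evaluating this kind is
                # expensive on clusters with many leases. Enable only on
                # small clusters; coordination.k8s.io/v1beta1 is still listed
                # in the preconditions below so this is the only line to flip.
                # - coordination.k8s.io/*/Lease
                - extensions/*/Ingress
                - networking.k8s.io/*/Ingress
                - networking.k8s.io/*/IngressClass
                - rbac.authorization.k8s.io/*/ClusterRole
                - rbac.authorization.k8s.io/*/ClusterRoleBinding
                - rbac.authorization.k8s.io/*/Role
                - rbac.authorization.k8s.io/*/RoleBinding
                - scheduling.k8s.io/*/PriorityClass
                - storage.k8s.io/*/CSIDriver
                - storage.k8s.io/*/CSINode
                - storage.k8s.io/*/StorageClass
                - storage.k8s.io/*/VolumeAttachment
      preconditions:
        all:
          # Deleting a deprecated object is the desired outcome, so DELETE
          # requests are not flagged. The 'BACKGROUND' fallback covers
          # background scans, where request.operation is not populated.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
          # Only the beta versions removed in v1.22 are violations; the GA
          # versions of the same kinds pass.
          - key: "{{request.object.apiVersion}}"
            operator: AnyIn
            value:
              - admissionregistration.k8s.io/v1beta1
              - apiextensions.k8s.io/v1beta1
              - apiregistration.k8s.io/v1beta1
              - authentication.k8s.io/v1beta1
              - authorization.k8s.io/v1beta1
              - certificates.k8s.io/v1beta1
              - coordination.k8s.io/v1beta1
              - extensions/v1beta1
              - networking.k8s.io/v1beta1
              - rbac.authorization.k8s.io/v1beta1
              - scheduling.k8s.io/v1beta1
              - storage.k8s.io/v1beta1
      validate:
        message: >-
          {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.22.
          See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
        deny: {}
    - name: validate-v1-25-removals
      match:
        any:
          - resources:
              # NOTE: PodSecurityPolicy is completely removed in 1.25, so on
              # 1.25+ clusters the API server never serves it and this entry
              # has nothing to match.
              kinds:
                - batch/*/CronJob
                - discovery.k8s.io/*/EndpointSlice
                - events.k8s.io/*/Event
                # autoscaling/v2beta1 HorizontalPodAutoscaler is also removed
                # in v1.25; autoscaling/v2beta2 is handled by the v1.26 rule.
                - autoscaling/*/HorizontalPodAutoscaler
                - policy/*/PodDisruptionBudget
                - policy/*/PodSecurityPolicy
                - node.k8s.io/*/RuntimeClass
      preconditions:
        all:
          # Same DELETE / background handling as validate-v1-22-removals.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
          - key: "{{request.object.apiVersion}}"
            operator: AnyIn
            value:
              - batch/v1beta1
              - discovery.k8s.io/v1beta1
              - events.k8s.io/v1beta1
              - autoscaling/v2beta1
              - policy/v1beta1
              - node.k8s.io/v1beta1
      validate:
        message: >-
          {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
          See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
        deny: {}
    - name: validate-v1-26-removals
      match:
        any:
          - resources:
              kinds:
                - flowcontrol.apiserver.k8s.io/*/FlowSchema
                - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
                - autoscaling/*/HorizontalPodAutoscaler
      preconditions:
        all:
          # Same DELETE / background handling as validate-v1-22-removals.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
          - key: "{{request.object.apiVersion}}"
            operator: AnyIn
            value:
              - flowcontrol.apiserver.k8s.io/v1beta1
              - autoscaling/v2beta2
      validate:
        message: >-
          {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
          See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
        deny: {}
    - name: validate-v1-27-removals
      match:
        any:
          - resources:
              kinds:
                - storage.k8s.io/*/CSIStorageCapacity
      preconditions:
        all:
          # Same DELETE / background handling as validate-v1-22-removals.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
          # Only CSIStorageCapacity is matched above, so this precondition
          # does not collide with the storage.k8s.io/v1beta1 entry of the
          # v1.22 rule.
          - key: "{{request.object.apiVersion}}"
            operator: AnyIn
            value:
              - storage.k8s.io/v1beta1
      validate:
        message: >-
          {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
          See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
        deny: {}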