Check deprecated APIs
Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy checks for resources that use API versions that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters.
Policy Definition
/best-practices/check_deprecated_apis.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-deprecated-apis
  annotations:
    policies.kyverno.io/title: Check deprecated APIs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: Kubernetes APIs
    policies.kyverno.io/description: >-
      Kubernetes APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters.
spec:
  validationFailureAction: audit
  rules:
  - name: validate-v1-22-removals
    match:
      resources:
        kinds:
        - admissionregistration.k8s.io/v1beta1/ValidatingWebhookConfiguration
        - admissionregistration.k8s.io/v1beta1/MutatingWebhookConfiguration
        - apiextensions.k8s.io/v1beta1/CustomResourceDefinition
        - apiregistration.k8s.io/v1beta1/APIService
        - authentication.k8s.io/v1beta1/TokenReview
        - authorization.k8s.io/v1beta1/SubjectAccessReview
        - authorization.k8s.io/v1beta1/LocalSubjectAccessReview
        - authorization.k8s.io/v1beta1/SelfSubjectAccessReview
        - certificates.k8s.io/v1beta1/CertificateSigningRequest
        - coordination.k8s.io/v1beta1/Lease
        - extensions/v1beta1/Ingress
        - networking.k8s.io/v1beta1/Ingress
        - networking.k8s.io/v1beta1/IngressClass
        - rbac.authorization.k8s.io/v1beta1/ClusterRole
        - rbac.authorization.k8s.io/v1beta1/ClusterRoleBinding
        - rbac.authorization.k8s.io/v1beta1/Role
        - rbac.authorization.k8s.io/v1beta1/RoleBinding
        - scheduling.k8s.io/v1beta1/PriorityClass
        - storage.k8s.io/v1beta1/CSIDriver
        - storage.k8s.io/v1beta1/CSINode
        - storage.k8s.io/v1beta1/StorageClass
        - storage.k8s.io/v1beta1/VolumeAttachment
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.22.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-25-removals
    match:
      resources:
        kinds:
        - batch/v1beta1/CronJob
        - discovery.k8s.io/v1beta1/EndpointSlice
        - events.k8s.io/v1beta1/Event
        - policy/v1beta1/PodDisruptionBudget
        - policy/v1beta1/PodSecurityPolicy
        - node.k8s.io/v1beta1/RuntimeClass
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
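The same apiVersion/kind pairs can be checked before admission, for example over manifests in a repository. The script below is an added example, not part of the Kyverno policy library: it copies the kinds from the policy's two rules, and the names `scan`, `DEPRECATED`, `FIELD` and the sample manifests are constructed for illustration.

```python
import re
# Kinds copied from the policy's two rules, grouped by apiVersion (names here are this example's own).
V1_22 = {
    "admissionregistration.k8s.io/v1beta1": "ValidatingWebhookConfiguration MutatingWebhookConfiguration",
    "apiextensions.k8s.io/v1beta1": "CustomResourceDefinition",
    "apiregistration.k8s.io/v1beta1": "APIService",
    "authentication.k8s.io/v1beta1": "TokenReview",
    "authorization.k8s.io/v1beta1": "SubjectAccessReview LocalSubjectAccessReview SelfSubjectAccessReview",
    "certificates.k8s.io/v1beta1": "CertificateSigningRequest",
    "coordination.k8s.io/v1beta1": "Lease",
    "extensions/v1beta1": "Ingress",
    "networking.k8s.io/v1beta1": "Ingress IngressClass",
    "rbac.authorization.k8s.io/v1beta1": "ClusterRole ClusterRoleBinding Role RoleBinding",
    "scheduling.k8s.io/v1beta1": "PriorityClass",
    "storage.k8s.io/v1beta1": "CSIDriver CSINode StorageClass VolumeAttachment",
}
V1_25 = {
    "batch/v1beta1": "CronJob",
    "discovery.k8s.io/v1beta1": "EndpointSlice",
    "events.k8s.io/v1beta1": "Event",
    "policy/v1beta1": "PodDisruptionBudget PodSecurityPolicy",
    "node.k8s.io/v1beta1": "RuntimeClass",
}
DEPRECATED = {(api, kind): rel for rel, table in (("v1.22", V1_22), ("v1.25", V1_25))
              for api, kinds in table.items() for kind in kinds.split()}
# Column-0 keys only, so nested fields such as roleRef.kind are ignored.
FIELD = re.compile(r'^(apiVersion|kind):[ \t]*["\']?([^"\'\s#]+)', re.M)

def scan(manifests):
    """Return [(doc_index, apiVersion, kind, removal_release)] for flagged documents."""
    hits = []
    for i, doc in enumerate(re.split(r"^---[ \t]*$", manifests, flags=re.M)):
        fields = dict(reversed(FIELD.findall(doc)))  # first occurrence wins
        pair = (fields.get("apiVersion"), fields.get("kind"))
        if pair in DEPRECATED:
            hits.append((i, *pair, DEPRECATED[pair]))
    return hits

# Constructed sample: three manifests in one multi-document stream.
SAMPLE = """\
apiVersion: batch/v1beta1
kind: CronJob
---
apiVersion: networking.k8s.io/v1
kind: Ingress
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
roleRef:
  kind: Role
"""
```

Calling `scan(SAMPLE)` flags documents 0 and 2 and leaves the `networking.k8s.io/v1` Ingress alone. The regex reads only top-level scalar fields, so manifests wrapped in a `List` or rendered from templates need a real YAML parser.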