Check deprecated APIs

Kubernetes APIs are sometimes deprecated and then removed a few releases later. As a best practice, older API versions should be replaced with newer versions. This policy checks for resources that use API versions that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters.

Policy Definition

/best-practices/check_deprecated_apis.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-deprecated-apis
  annotations:
    policies.kyverno.io/title: Check deprecated APIs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: Kubernetes APIs
    policies.kyverno.io/description: >-
      Kubernetes APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-v1-22-removals
    match:
      resources:
        kinds:
        - admissionregistration.k8s.io/v1beta1/ValidatingWebhookConfiguration
        - admissionregistration.k8s.io/v1beta1/MutatingWebhookConfiguration
        - apiextensions.k8s.io/v1beta1/CustomResourceDefinition
        - apiregistration.k8s.io/v1beta1/APIService
        - authentication.k8s.io/v1beta1/TokenReview
        - authorization.k8s.io/v1beta1/SubjectAccessReview
        - authorization.k8s.io/v1beta1/LocalSubjectAccessReview
        - authorization.k8s.io/v1beta1/SelfSubjectAccessReview
        - certificates.k8s.io/v1beta1/CertificateSigningRequest
        - coordination.k8s.io/v1beta1/Lease
        - extensions/v1beta1/Ingress
        - networking.k8s.io/v1beta1/Ingress
        - networking.k8s.io/v1beta1/IngressClass
        - rbac.authorization.k8s.io/v1beta1/ClusterRole
        - rbac.authorization.k8s.io/v1beta1/ClusterRoleBinding
        - rbac.authorization.k8s.io/v1beta1/Role
        - rbac.authorization.k8s.io/v1beta1/RoleBinding
        - scheduling.k8s.io/v1beta1/PriorityClass
        - storage.k8s.io/v1beta1/CSIDriver
        - storage.k8s.io/v1beta1/CSINode
        - storage.k8s.io/v1beta1/StorageClass
        - storage.k8s.io/v1beta1/VolumeAttachment
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.22.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
  - name: validate-v1-25-removals
    match:
      resources:
        kinds:
        - batch/v1beta1/CronJob
        - discovery.k8s.io/v1beta1/EndpointSlice
        - events.k8s.io/v1beta1/Event
        - policy/v1beta1/PodDisruptionBudget
        - policy/v1beta1/PodSecurityPolicy
        - node.k8s.io/v1beta1/RuntimeClass
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
        See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
      deny: {}
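Because the policy runs with validationFailureAction: audit, matches are reported rather than blocked, so the same group/version/kind list can also be checked against manifests before they reach the cluster. The script below is an added example, not part of the Kyverno policy library: the function name find_deprecated, the REMOVED table layout and the sample manifest are constructed for illustration, and it reads only the top-level apiVersion and kind of each YAML document.

```python
import re

# Group/version -> kinds, copied from the two rules of the policy above.
REMOVED = {
    "v1.22": {
        "admissionregistration.k8s.io/v1beta1": "ValidatingWebhookConfiguration MutatingWebhookConfiguration",
        "apiextensions.k8s.io/v1beta1": "CustomResourceDefinition",
        "apiregistration.k8s.io/v1beta1": "APIService",
        "authentication.k8s.io/v1beta1": "TokenReview",
        "authorization.k8s.io/v1beta1": "SubjectAccessReview LocalSubjectAccessReview SelfSubjectAccessReview",
        "certificates.k8s.io/v1beta1": "CertificateSigningRequest",
        "coordination.k8s.io/v1beta1": "Lease",
        "extensions/v1beta1": "Ingress",
        "networking.k8s.io/v1beta1": "Ingress IngressClass",
        "rbac.authorization.k8s.io/v1beta1": "ClusterRole ClusterRoleBinding Role RoleBinding",
        "scheduling.k8s.io/v1beta1": "PriorityClass",
        "storage.k8s.io/v1beta1": "CSIDriver CSINode StorageClass VolumeAttachment",
    },
    "v1.25": {
        "batch/v1beta1": "CronJob",
        "discovery.k8s.io/v1beta1": "EndpointSlice",
        "events.k8s.io/v1beta1": "Event",
        "policy/v1beta1": "PodDisruptionBudget PodSecurityPolicy",
        "node.k8s.io/v1beta1": "RuntimeClass",
    },
}

FIELD = re.compile(r"^(apiVersion|kind):\s*['\"]?([^'\"#\s]+)", re.M)

def find_deprecated(manifest_text):
    """Return (apiVersion, kind, removal release) per matching YAML document."""
    hits = []
    for doc in re.split(r"^---\s*$", manifest_text, flags=re.M):
        top = dict(FIELD.findall(doc))  # unindented keys only, i.e. top level
        for release, groups in REMOVED.items():
            if top.get("kind") in groups.get(top.get("apiVersion"), "").split():
                hits.append((top["apiVersion"], top["kind"], release))
    return hits

# Constructed sample: one API version the policy matches, one it does not.
SAMPLE = """\
apiVersion: batch/v1beta1
kind: CronJob
---
apiVersion: networking.k8s.io/v1
kind: Ingress
"""

print(find_deprecated(SAMPLE))
```

Resources nested inside a `kind: List` wrapper are indented and therefore not inspected by this check.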