The Kubernetes 1.25 release removes some deprecated resource versions.
This guide is intended to help you safely upgrade your cluster to the latest Kubernetes version that MetaKube offers.
The deprecated admission plugin "PodSecurityPolicy" will be removed with 1.25.
Differently from other resources, the PodSecurityPolicy "beta" version has not graduated to a stable version.
This means, the resource PodSecurityPolicy
is no longer served by apiserver and also any previously intsalled
PodSecurityPolicy
objects no longer have any effect.
There's various possible alternatives.
See the guide to migrate to the official replacement: the PodSecurity Admission controller.
Kubernetes commonly deprecates resource versions. Deprecated versions are "marked" for removal for a future version.
All the versions that are being removed, have respective stable "v1" versions.
All objects of the resources have already been translated and stored by Kubernetes in their "preferred" version "v1".
However, the Kubernetes API will no longer accept operations on resources with versions that were removed.
This means, that clients that use these versions, will fail with errors.
The most common clients are:
kubectl
or helm
using Kubernetes manifestsMost open source software for Kubernetes have released newer versions that are no longer using deprecated versions.
helm upgrade
fails because my release is referencing old resource versionsHelm is tracking "revisions" of every "release" including manifests that were installed, in Secrets.
You can look at them like so:
# to list releases
helm -n <namespace> ls
# list revisions of a release
helm -n <namespace> history <release name>
On an upgrade
, Helm generates a diff to the last revision with the "Deployed" state.
Let's say, you disable PSP in your Helm chart after the upgrade to 1.25 and run an update.
Then Helm will want to delete the PSP resources that were previously installed and issues "DELETE" requests to the API.
But because the API no longer serves this resource, the requests will fail.
To fix the issue, the Helm documentation refers to this tool: helm-mapkubeapis
To avoid the issue in the first place, remove any resources with deprecated versions and run helm upgrade
before upgrading the cluster.
Kubernetes won't store objects in their deprecated versions, so listing e.g. all CronJob
objects, will show only v1
resources.
To find out if you're using deprecated versions:
helm template
command to print the manifests that Helm installs.apiserver_requested_deprecated_apis{removed_release="1.25"}
metric, if you scrape it.Some resources use a modified schema, so you might have to change some fields.
The Official Deprecation Guide has detailed information on each resource.