Kubernetes 1.27 Upgrade guide

This guide is intended to help you safely upgrade your cluster to Kubernetes version 1.27.

ServiceAccounts deprecation warning

You may see deprecation warnings for ServiceAccounts that were created (including automatically) before the upgrade to 1.27:

# Example
warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.

Kubernetes used to create a Secret with a long-living self signed certificate for each service account.
A volume for this Secret was added to Pods using a service account.

This is no longer the case. Kubernetes now uses a projected volume.
This means Kubelet manages a short-lived certificate in the container that is rotated automatically.

To remove this warning, remove the Secrets that were created through ServiceAccounts.

You can list all ServiceAccounts like this:

kubectl get secrets --all-namespaces --field-selector="type==kubernetes.io/service-account-token"

To verify that the Secrets aren't used anymore, look at the volumes in the Pod's spec.
The Pod spec should show a "projected volume" with the service account token instead.

What do I need to change?

The Official Deprecation Guide has detailed information on each resource.

References