Kubernetes Upgrades

Before you upgrade a Kubernetes cluster, you must ensure you won't break any existing apps running on it.

Check for Deprecated API objects

Any apps using deprecated API objects will need to be upgraded first.

Install FairwindsOps Pluto.

The quick way, using DevOps-Bash-tools:

install_pluto.sh

Then scan the live cluster:

pluto detect-all-in-cluster
W0810 08:03:34.761332   12955 warnings.go:70] v1 ComponentStatus is deprecated in v1.19+
W0810 08:03:35.151381   12955 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME                                                        KIND                VERSION                                REPLACEMENT                            REMOVED   DEPRECATED   REPL AVAIL
aws-node-termination-handler/aws-node-termination-handler   PodSecurityPolicy   policy/v1beta1                                                                true      true         false
eks.privileged                                              PodSecurityPolicy   policy/v1beta1                                                                true      true         false
eks-exempt                                                  FlowSchema          flowcontrol.apiserver.k8s.io/v1beta2   flowcontrol.apiserver.k8s.io/v1beta3   false     true         false
eks-workload-high                                           FlowSchema          flowcontrol.apiserver.k8s.io/v1beta2   flowcontrol.apiserver.k8s.io/v1beta3   false     true         false

Also run this script:

pluto_detect_kubectl_dump_objects.sh

which in my testing found different deprecated / removed API objects (see these Pluto issues: #461, #495, and this FAQ).

If you're using Helm or Kustomize and want to test your Git repo configs for deprecated objects, run these scripts from the DevOps-Bash-tools repo:

pluto_detect_helm_materialize.sh
pluto_detect_kustomize_materialize.sh
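
To turn the Pluto table shown above into a pass/fail upgrade gate, the rows can be classified by their REMOVED and DEPRECATED columns. This is an added example, not part of the original page, Pluto or DevOps-Bash-tools; the function names and the BLOCKER / WARNING labels are hypothetical, and the sample input is copied from the output above.

```shell
#!/bin/sh
# Added example: classify rows of Pluto's table output and fail if any object
# uses an API that is already removed. All function names are hypothetical.

# Sample input: lines copied from the Pluto output shown on this page.
sample_pluto_output() {
cat <<'EOF'
W0810 08:03:35.151381   12955 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME                                                        KIND                VERSION                                REPLACEMENT                            REMOVED   DEPRECATED   REPL AVAIL
aws-node-termination-handler/aws-node-termination-handler   PodSecurityPolicy   policy/v1beta1                                                                true      true         false
eks.privileged                                              PodSecurityPolicy   policy/v1beta1                                                                true      true         false
eks-exempt                                                  FlowSchema          flowcontrol.apiserver.k8s.io/v1beta2   flowcontrol.apiserver.k8s.io/v1beta3   false     true         false
eks-workload-high                                           FlowSchema          flowcontrol.apiserver.k8s.io/v1beta2   flowcontrol.apiserver.k8s.io/v1beta3   false     true         false
EOF
}

# Reads Pluto table output on stdin, prints "LEVEL KIND VERSION NAME" per row.
# REPLACEMENT may be empty, so the field count varies per row: the three
# boolean columns are therefore read from the right-hand end of each line.
classify_pluto_rows() {
    awk '
        /^[WIEF][0-9][0-9][0-9][0-9] / { next }   # klog warning lines
        $1 == "NAME" && $2 == "KIND"   { next }   # table header
        NF < 6                         { next }   # blank or malformed row
        {
            removed = $(NF-2); deprecated = $(NF-1)
            if (removed == "true")         print "BLOCKER", $2, $3, $1
            else if (deprecated == "true") print "WARNING", $2, $3, $1
        }'
}

# Prints the classified report and returns 1 if any removed API is in use.
upgrade_gate() {
    report=$(classify_pluto_rows)
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^BLOCKER '; then
        return 1
    fi
    return 0
}

# Stand-alone run against the sample; on a real cluster, pipe in
# the output of: pluto detect-all-in-cluster 2>&1
sample_pluto_output | upgrade_gate ||
    echo "Upgrade blocked: migrate the BLOCKER objects first"
```
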

PSP - Pod Security Policies

https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy-removal-faq.html

PSPs were removed in 1.25 and need to be migrated.

Find installed PSPs:

kubectl get psp

Check for pods which still carry the kubernetes.io/psp annotation:

kubectl get pod -A \
    -o jsonpath='{range.items[?(@.metadata.annotations.kubernetes\.io/psp)]}{.metadata.name}{"\t"}{.metadata.namespace}{"\t"}{.metadata.annotations.kubernetes\.io/psp}{"\n"}' |
column -t

Meme

If you think you can skip the checks above, you may end up like this:

K8s Upgrades Unresponsive Pods