DO280 - ch09s03

Bookmark this page

Detect Deprecated Kubernetes API Usage

Objectives

Identify applications that use deprecated Kubernetes APIs.

OpenShift Versions

Kubernetes is an open source container orchestration engine for automating the deployment, scaling, and management of containerized applications. The OpenShift Container Platform foundation is based on Kubernetes and therefore shares the underlying technology. The following table lists the OpenShift version and the Kubernetes version that it is based on:

OpenShift version	Kubernetes version
4.12	1.25
4.13	1.26
4.14	1.27

Kubernetes API Deprecation Policy

The Kubernetes API versions are categorized based on feature maturity (experimental, pre-release, and stable).

API version	Category	Description
v1alpha1	Alpha	Experimental features
v1beta1	Beta	Pre-release features
v1	Stable	Stable features, generally available

Use the following command to view the current version of a resource:

[user@host ~]$ oc api-resources | egrep '^NAME|cronjobs'
NAME      SHORTNAMES  APIVERSION  NAMESPACED  KIND
cronjobs  cj          batch/v1    true        CronJob

When a stable version of a feature is released, the beta versions are marked as deprecated and are removed after three Kubernetes releases. If a request uses a deprecated API version, then the API server returns a deprecation warning that includes the name of the current version of the cluster.

[user@host ~]$ egrep 'kind|apiVersion' cronjob-beta.yaml
kind: CronJob
apiVersion: batch/v1beta1

[user@host ~]$ oc create -f cronjob-beta.yaml
Warning: batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
cronjob.batch/hello created

If a request uses an API version that Kubernetes removed, then the API server returns an error, because that API version is not supported in the cluster.

[user@host ~]$ egrep 'kind|apiVersion' cronjob-alpha.yaml
apiVersion: batch/v1alpha1
kind: CronJob

[user@host ~]$ oc create -f cronjob-alpha.yaml
error: resource mapping not found for name: "hello" namespace: "" from "cronjob-alpha.yaml": no matches for kind "CronJob" in version "batch/v1beta1"
ensure CRDs are installed first

Deprecated and Removed Features in Kubernetes

The Kubernetes 1.27 release stopped serving some API versions that were marked as deprecated in previous releases. The following table contains a short list of the deprecated and removed API versions.

Resource	Removed API Group	Current API Group
CSIStorageCapacity	storage.k8s.io/v1beta1	storage.k8s.io/v1

Note

For more information about the API versions that are deprecated and removed in Kubernetes, consult Kubernetes Deprecated API Migration Guide in the references section.

Identifying Deprecated APIs

You can identify from the API request count whether a workload uses a deprecated API version. The API request count output contains four columns. A value in the REMOVEDINRELEASE column indicates that the API version is deprecated and specifies the Kubernetes version that will remove it.

[user@host ~]$ oc get apirequestcounts | awk '{if(NF==4){print $0}}'
NAME
                    REMOVEDINRELEASE   REQUESTSINCURRENTHOUR   REQUESTSINLAST24H
...output omitted...
cronjobs.v1beta1.batch
                    1.25               15                      44
horizontalpodautoscalers.v2beta2.autoscaling
                    1.26               6                       30
podsecuritypolicies.v1beta1.policy
                    1.25               28                      77
...output omitted...

If the REMOVEDINRELEASE column is blank, then it indicates that the current API version is not deprecated, and that version will be kept in future releases.

Note

You can use a JSONPath filter to retrieve the results. The FILTER variable is written on a single line.

[user@host ~]$ FILTER='{range .items[?(@.status.removedInRelease!="")]}{.status.removedInRelease}{"\t"}{.status.requestCount}{"\t"}{.metadata.name}{"\n"}{end}'
[user@host ~]$ oc get apirequestcounts -o jsonpath="${FILTER}" | \
  column -t -N "RemovedInRelease,RequestCount,Name"
RemovedInRelease  RequestCount  Name
1.25              44            cronjobs.v1beta1.batch
...output omitted...

If the command does not retrieve any information, then it indicates that none of the installed APIs are deprecated.

You can use a JSONPath filter for a list of actions for that resource and who did them.

[user@host ~]$ FILTER='{range .status.currentHour..byUser[*]}{..byVerb[*].verb}{","}{.username}{","}{.userAgent}{"\n"}{end}'
[user@host ~]$ TYPE=apirequestcount.apiserver.openshift.io/cronjobs.v1.batch
[user@host ~]$ echo ${TYPE} ; oc get ${TYPE} -o jsonpath="${FILTER}" | \
  column -t -s ',' -N "Verbs,Username,UserAgent"

apirequestcount.apiserver.openshift.io/cronjobs.v1.batch
Verbs        Username    				  UserAgent
get update   system:serviceaccount:kube-system:cronj...   kube-controller-manager/v1...
watch        system:kube-controller-manager               kube-controller-manager/v1...
...output omitted...

Deprecated and Removed Features in OpenShift

Red Hat OpenShift Container Platform (RHOCP) is a set of modular components and services that are built on top of a Kubernetes container infrastructure.

Some features that were available in previous OpenShift releases are deprecated or removed. A deprecated feature is not recommended for new deployments, because a future release will remove it. The following table contains a short list of the deprecated and removed features in OpenShift.

OpenShift 4.12	OpenShift 4.13	OpenShift 4.14	Feature
General Availability	General Availability	Deprecated	Operator lifecycle and development deprecated
Deprecated	Deprecated	Deprecated	CoreDNS wildcard queries for the `cluster.local` domain
Deprecated	Deprecated	Deprecated	Persistent storage that uses FlexVolume
Not Available	General Availability	Removed	`--include-local-oci-catalogs` parameter for `oc-mirror`
General Availability	General Availability	Deprecated	`DeploymentConfig` objects

Note

For more information about the deprecated and removed API versions in Kubernetes, consult the OpenShift Container Platform 4.14 release notes in the references section.

Deprecated API Alerts in OpenShift

OpenShift includes two alerts that are triggered when a workload uses a deprecated API version:

APIRemovedInNextReleaseInUse: This alert is triggered for APIs that OpenShift Container Platform will remove in the next release.
APIRemovedInNextEUSReleaseInUse: This alert is triggered for APIs that OpenShift Container Platform Extended Update Support (EUS) will remove in the next release.

The alert describes the situation with context to identify the affected workload.

Figure 9.8: Deprecated API alert

You can extract the alerts in JSON format from the Prometheus stateful set, and then filter the result to retrieve the deprecated API alerts.

[user@host ~]$ oc exec -it statefulset/prometheus-k8s -c prometheus \
  -n openshift-monitoring -- \
    curl -fsSL 'http://localhost:9090/api/v1/alerts' | jq . > alerts.json

[user@host ~]$ jq '[.data.alerts[] |
  select(.labels.alertname=="APIRemovedInNextReleaseInUse" or
         .labels.alertname=="APIRemovedInNextEUSReleaseInUse")]' < alerts.json
[
  {
    "labels": {
      "alertname": "APIRemovedInNextReleaseInUse",
...output omitted...
    },
    "state": "firing",
...output omitted...
  },
  {
    "labels": {
      "alertname": "APIRemovedInNextEUSReleaseInUse",
...output omitted...
    },
    "state": "firing",
...output omitted...
  }
]

Note

If the output of the jq command is an empty JSON array [], then the alerts were not reported.

Explicit Acknowledgment Before Cluster Updates

OpenShift Container Platform 4.14 uses Kubernetes 1.27, which removed deprecated v1beta1 APIs.

OpenShift Container Platform requires an administrator to provide a manual acknowledgment before the cluster can be upgraded from version 4.13 to 4.14. This requirement helps to prevent issues after upgrading to OpenShift Container Platform 4.14, where workloads, tools, or other components that run on or interact with the cluster still use removed APIs.

Administrators must evaluate their cluster for workloads that use removed APIs, and migrate the affected components to the appropriate new API version. After migration, the administrator can provide an acknowledgment.

[user@host ~]$ oc patch configmap admin-acks -n openshift-config --type=merge \
  --patch '{"data":{"ack-4.13-kube-1.27-api-removals-in-4.14":"true"}}'
configmap/admin-acks patched

References

For more information about the removed features in OpenShift, refer to the Deprecated and Removed Features section in the Red Hat OpenShift Container Platform 4.14 release notes at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/release_notes/index#ocp-4-14-deprecated-removed-features

For more information about what version of the Kubernetes API is included with each OpenShift 4.x release, visit the following page in the customer portal: https://access.redhat.com/solutions/4870701

For more information about the Kubernetes API deprecations and removals, visit the following page in the customer portal: https://access.redhat.com/articles/6955985

For more information about the deprecated APIs in OpenShift Container Platform 4.14, visit the following page in the customer portal: https://access.redhat.com/articles/6955381

For more information about how to get fired alerts on OpenShift by using the command-line, visit the following page in the customer portal: https://access.redhat.com/solutions/4250221

What's New in Red Hat OpenShift 4.14

Preparing to Update to OpenShift Container Platform 4.14

Kubernetes Deprecation Policy

Kubernetes Deprecated API Migration Guide

Kubernetes Removals and Deprecations in 1.27

Kubernetes 1.27 release announcement

Discuss Red Hat OpenShift Administration II: Configuring a Production Cluster

Go to community

Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280)

Haley_Ruccio

26 lip 2023

Configure, manage, and troubleshoot OpenShift clusters and containerized applicationsRed Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280) prepares OpenShift Cluster Administrators to perform daily administration tasks on clusters that host applications provided by internal teams and external vendors, enable self-service for cluster users with different roles, and deploy applications that require special permissions such as such as CI/CD tooling, performance monitoring, and security scanners. This course focuses on configuring multi-tenancy and security features of OpenShift as well as managing OpenShift add-ons based on operators.The skills you learn in this course can be applied using all versions of OpenShift, including Red Hat OpenShift on AWS (ROSA), Azure Red Hat OpenShift, and OpenShift Container Platform.This course is based on OpenShift Container Platform 4.12.5-10 Course TopicsDeploying packaged applications using manifests, templates, kustomize, and helm.Configuring authentication and authorization for users and applications.Protecting network traffic with network policies and exposing applications with proper network access.Deploying and managing applications using resources manifests.Enabling developer self-service of application projects.Managing OpenShift cluster updates and Kubernetes operator updates.Target AudienceSystem Administrators and Platform Operators interested in the ongoing management of OpenShift clusters, applications, users, and add-ons.Site Reliability Engineers interested in the ongoing maintenance and troubleshooting of Kubernetes clusters.System and Software Architects interested in understanding the security of an OpenShift cluster.Recommended TrainingTake our free assessment to gauge whether this offering is the best fit for your skills.Prerequisite: Red Hat OpenShift I: Containers & Kubernetes (DO180 v4.12), or equivalent skills deploying and managing Kubernetes applications using the OpenShift web console and command-line interfaces.Technology considerationsThis course requires internet access to access the cloud-based classroom environment that provides an OpenShift cluster and a remote administrator’s workstation.

476

About pod security standards and warnings

alexcorcoles

17 kwi 2023

(This material has been created with the inputs of instructors and other people. We are trying to get this material published as soon as possible to address some concerns with DO180 and DO280.)With the default configuration, any namespace that you create on OpenShift 4.12 has the following labels: pod-security.kubernetes.io/audit: restrictedpod-security.kubernetes.io/audit-version: v1.24pod-security.kubernetes.io/warn: restrictedpod-security.kubernetes.io/warn-version: v1.24 These labels activate auditing and warning of the restricted pod security standard. The Kubernetes documentation describes the restricted pod security standard. Pod security standards such as restricted are not directly related to security context constraints such as the restricted SCC.Kubernetes uses an admission controller to reject pods that do not comply with pod security standards. An admission controller is a Kubernetes component that inspects every Kubernetes resource before its creation, and acts before Kubernetes creates the resource. This action can include rejecting the creation of the resource, or modifying the resource.The pod security standards are policies that include properties that workloads must follow. For example, the restricted standard requires that containers set the securityContext.allowPrivilegeEscalation field to false.Pod security standards apply both to workloads, such as deployments and jobs, and to pods.When a pod is created, the admission controller inspects the container specifications and enumerates the fields that violate the pod security standard of the namespace. The admission controller inspects the pod-security labels in the namespace to decide which pod security standard to apply (restricted, baseline, or privileged), and which action to take on violations. Namespaces can audit, warn, or enforce pod security standard violations. When the pod-security.kubernetes.io/audit annotation is set to restricted, the admission controller prevents the creation of pods that violate the security standard. When the pod-security.kubernetes.io/audit and pod-security.kubernetes.io/warn annotations are defined in the project, the admission controller does not block the creation of pods, but registers audit events or warnings.The admission controller does not enforce pod security standards for workloads. If the namespace is configured to enforce a pod security standard, then you can create a violating workload. The admission controller enforces only pod security policies on pods.Cluster administrators can use pod security standards to ensure that pods and workloads in namespaces limit their privileges. By limiting privileges, cluster administrators can mitigate what malicious pods can do.The default configuration of user namespaces in OpenShift does not restrict any workload; it only notifies users when they create workloads that do not follow pod security standards that might be enforced in future OpenShift versions.Security Context ConstraintsOpenShift introduced security context constraints (SCC) before the introduction of pod security standards in Kubernetes. SCCs automatically make security modifications to pods when they are created. By default, the system:openshift:scc:restricted-v2 cluster role binding applies to all authenticated users, so regular user workloads use the restricted-v2 SCC. For example, when you execute the following command to create a workload without any security configuration, the SCC adds security configuration to the pods: [user@host ~]$ oc create deployment test --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx (You can add the --dry-run=client -o yaml options to view the deployment manifest. The deployment manifest does not contain the security properties, which are described later.)If you inspect the pods that the deployment created, the SCC makes the following changes: [user@host ~]$ oc get pod test-b8d5658b6-7bxfs -o yamlapiVersion: v1kind: Podmetadata: annotations:... output omitted... openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default...output omitted...spec: containers: - image: registry.ocp4.example.com:8443/redhattraining/hello-world-nginx imagePullPolicy: Always name: hello-world-nginx resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1000690000... output omitted... securityContext: fsGroup: 1000690000 seLinuxOptions: level: s0:c26,c20 seccompProfile: type: RuntimeDefault... output omitted... These restrictions satisfy the restricted pod security policy.The result of these defaults means that when creating a workload (such as a deployment) in a namespace without any customization, the restricted pod security standard applies, but the admission controller only warns and audits. If the workload does not satisfy the pod security standard, then the admission controller allows the workload to be created, but prints a message such as the following warning: Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "example" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "example" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "database" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "example" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") However, by default Kubernetes creates the deployment pods with the restricted-v2 SCC, with the restrictions that the previous warning included. Due to the following factors, workloads generate only a warning, and the pod security standard admission controller allows their pods:The pod security standard admission controller never enforces pod security standards on workloads (only on pods).By default, namespaces do not enforce pod security standards on pods.By default, regular workloads create pods by using the restricted-v2 SCC, which satisfies the restricted pod security standard.Even if future versions of OpenShift change the default namespace configuration to enforce the restricted pod security standard, users will continue to be able to create workloads without explicitly declaring the restrictions that the pod security standard requires, because the restricted-v2 SCC will apply such restrictions automatically.You can take the following approaches to handling pod security:For most workloads, the restricted-v2 SCC limits pod privileges adequately. When creating a workload, you receive the warning, but the workload creates pods and works correctly.You can also create your workloads by providing a full specification of the security constraints to apply, without relying on the SCC to provide the configuration. By following this approach, privileges are more explicit, and you have greater control, so you can adjust more precisely the specific privileges that are granted to workloads.When the restricted-v2 SCC and the default restricted pod security standard are not adequate for your workload, because either you require further privileges, or you need further restrictions, you must use an existing SCC, or create a custom SCC, and provide explicit security specifications. You can also adjust the namespace labels to choose a different pod security standard, and decide to audit, log, or enforce the standard.

1473

Welcome to the Red Hat OpenShift Administration II (DO280) group in the Red Hat Learning Community!

Deanna

17 kwi 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster!To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO280.Read more about Red Hat OpenShift Administration II here.Thanks!

1334

Revision: do280-4.14-08d11e1