Enable and set the Disallow Deprecated APIs policy to Audit
General MR
Summary
This starts with how to test this policy; the summary was moved to the comments below.
Local k3d deploy and test were successful. Deployed with all packages with no issues.
After a successful deploy and test, enable the policy and set it to Audit mode.
Relevant logs/screenshots
Only the pass test is included, for passing the pipeline.
- pass test:
bash-5.2$ cat flowschema-pass.yaml
# Test 1: APIs not deprecated and removed in 1.32 are allowed
apiVersion: flowcontrol.apiserver.k8s.io/v1
kind: FlowSchema
metadata:
  name: disallow-deprecated-apis-1
  annotations:
    kyverno-policies-bbtest/type: validate
    kyverno-policies-bbtest/expected: pass
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
    - nonResourceRules:
        - nonResourceURLs:
            - "/healthz"
            - "/livez"
            - "/readyz"
          verbs:
            - "*"
      subjects:
        - kind: Group
          group:
            name: "system:unauthenticated"
bash-5.2$ kubectl get flowschema -A|grep -i deprecated
bash-5.2$ kubectl apply -f flowschema-pass.yaml
flowschema.flowcontrol.apiserver.k8s.io/disallow-deprecated-apis-1 created
bash-5.2$ kubectl get flowschema -A|grep -i deprecated
disallow-deprecated-apis-1 exempt 1000 <none> 5s False
bash-5.2$
- fail test:
bash-5.2$ cat flowschema-fail.yaml
# Test 2: APIs deprecated and removed in 1.32 are not allowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: disallow-deprecated-apis-2
  annotations:
    kyverno-policies-bbtest/type: validate
    kyverno-policies-bbtest/expected: fail
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
    - nonResourceRules:
        - nonResourceURLs:
            - "/healthz"
            - "/livez"
            - "/readyz"
          verbs:
            - "*"
      subjects:
        - kind: Group
          group:
            name: "system:unauthenticated"
bash-5.2$ kubectl apply -f flowschema-fail.yaml
error: resource mapping not found for name: "disallow-deprecated-apis-2" namespace: "" from "flowschema-fail.yaml": no matches for kind "FlowSchema" in version "flowcontrol.apiserver.k8s.io/v1beta3"
ensure CRDs are installed first
bash-5.2$
Linked Issue
Upgrade Notices
A new Kyverno Policy "Disallow Deprecated APIs" is enabled and set to Audit mode. Please monitor the logs for related policy violations and address them, as this is a serious security warning. Enforce mode will be set two releases later.
Edited by Daniel Chen
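The fail manifest above was rejected with "no matches for kind" because the cluster does not serve `flowcontrol.apiserver.k8s.io/v1beta3`, so a check that runs against the files themselves is a useful companion while the policy is in Audit mode. The script below is an added example, not part of this MR or of the Kyverno policy: `check_manifest`, the `REMOVED_APIS` table (a short subset from the upstream Kubernetes deprecation guide) and the sample manifest are assumptions constructed for illustration.

```shell
# Added example. Rows are "apiVersion|kind|minor release in which the version
# stopped being served" (subset of the upstream Kubernetes deprecation guide).
REMOVED_APIS="flowcontrol.apiserver.k8s.io/v1beta3|FlowSchema|32 \
flowcontrol.apiserver.k8s.io/v1beta3|PriorityLevelConfiguration|32 \
flowcontrol.apiserver.k8s.io/v1beta2|FlowSchema|29 \
autoscaling/v2beta2|HorizontalPodAutoscaler|26 \
batch/v1beta1|CronJob|25 \
policy/v1beta1|PodDisruptionBudget|25"

# check_manifest FILE TARGET_MINOR
# Prints one line per YAML document whose top-level apiVersion/kind is gone at
# Kubernetes 1.TARGET_MINOR; returns 1 if any were found, else 0.
check_manifest() {
  awk -v table="$REMOVED_APIS" -v target="$2" '
    function flush(   key) {
      key = api "|" kind
      if ((key in removed) && target + 0 >= removed[key] + 0) {
        printf "REMOVED %s %s (not served since 1.%s)\n", api, kind, removed[key]
        bad = 1
      }
      api = ""; kind = ""
    }
    BEGIN {
      n = split(table, rows, " ")
      for (i = 1; i <= n; i++) { split(rows[i], f, "|"); removed[f[1] "|" f[2]] = f[3] }
    }
    /^---[ \t]*$/ { flush(); next }      # document separator
    # Anchored at column 0 so nested keys (e.g. a subject "kind: Group") are ignored.
    /^apiVersion:/ { api = $2; gsub(/"/, "", api) }
    /^kind:/       { kind = $2; gsub(/"/, "", kind) }
    END { flush(); exit bad + 0 }
  ' "$1"
}

# Constructed sample: the two FlowSchema test manifests, trimmed to the keys checked.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: flowcontrol.apiserver.k8s.io/v1
kind: FlowSchema
spec:
  rules:
    - subjects:
        - kind: Group
---
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
EOF
check_manifest "$sample" 32 || echo "manifest uses API versions not served in 1.32"
```

Run against a target of 31, the same file reports nothing, since v1beta3 is still served there.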