I'm using GKE's standard cluster. Because of the detection of deprecated APIs, the automatic upgrade from v1.24 to v1.25 isn't taking place. The detected deprecated API version is policy/v1beta1 of PodSecurityPolicy.
When I checked inside the cluster, I indeed found the presence of PodSecurityPolicy using this API version.
kubectl get psp -A -o=jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} : {.apiVersion}{"\n"}{end}'
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
/gce.gke-metrics-agent : policy/v1beta1
/gce.gke-workload-metrics : policy/v1beta1
However, none of these are resources I deployed. They are managed by GKE. In this case, how can I stop the call to the deprecated APIs and make sure the automatic upgrade is executed?
Hello,
Google has the automatic safety net for removed APIs. We noticed those PSPs in GKE 1.24 before manually upgrading to 1.25, and they were gone. Perhaps upgrade manually first, or delete these PSPs if you really want the automatic upgrade (back up their YAML first).
Hello,
We are also facing the exact issue and have connected with the Google Support Team as well. The document below was shared by them: https://cloud.google.com/kubernetes-engine/docs/how-to/migrate-podsecuritypolicy
There are multiple steps which we can use for this upgrade, like migrating PSP to the PodSecurity Admission Controller, etc.
I hope it will help you to understand the process.
Below are some additional documents for reference:
https://cloud.google.com/kubernetes-engine/docs/deprecations/apis-1-25
https://cloud.google.com/kubernetes-engine/docs/deprecations/apis-1-26
https://cloud.google.com/kubernetes-engine/docs/deprecations/apis-1-27
https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-25
https://cloud.google.com/kubernetes-engine/docs/deprecations/podsecuritypolicy
As suggested earlier, the two links below are the alternatives to pod security policy.
1. https://kubernetes.io/docs/concepts/security/pod-security-admission/
2. https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
Hello NaoSaino,
For the above issue, we can resolve it using the two points below.
1. Do we require the pod security policy in your cluster? If not, you can disable it using the below command.
gcloud beta container clusters update CLUSTER_NAME \
--no-enable-pod-security-policy
2. If you require the pod security policy in your cluster, then you need to migrate it to Pod Admission Controller (PAC). Below are the documents for your understanding and reference. They have the process to be followed.
https://cloud.google.com/kubernetes-engine/docs/how-to/migrate-podsecuritypolicy
https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
Let me know if it helps... Thanks!
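
For the migration option in the replies above, the sketch below is an added example, not code from the thread or from Google's documentation: it reads `kubectl get psp -o json` output and suggests the closest Pod Security Standards level to use as a namespace `enforce` label. The field-to-level mapping is a simplified heuristic (seccomp, sysctls, SELinux and AppArmor settings are not checked), and the sample PSP names are constructed.

```python
import json

# Capabilities the Baseline standard still allows; anything else (or "*") exceeds it.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                 "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP",
                 "SETUID", "SYS_CHROOT"}
# Volume types the Restricted standard allows.
RESTRICTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}

def closest_pss_level(spec):
    """Heuristic: most restrictive PSS level that still admits what the PSP admits."""
    vols = set(spec.get("volumes", []))
    caps = set(spec.get("allowedCapabilities", []))
    beyond_baseline = (
        spec.get("privileged", False)
        or any(spec.get(k, False) for k in ("hostNetwork", "hostPID", "hostIPC"))
        or bool(spec.get("hostPorts"))
        or bool(vols & {"*", "hostPath"})
        or not caps <= BASELINE_CAPS
    )
    if beyond_baseline:
        return "privileged"
    is_restricted = (
        spec.get("allowPrivilegeEscalation", True) is False  # PSP default is true
        and spec.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot"
        and "ALL" in spec.get("requiredDropCapabilities", [])
        and caps <= {"NET_BIND_SERVICE"}
        and vols <= RESTRICTED_VOLUMES
    )
    return "restricted" if is_restricted else "baseline"

def enforce_labels(psp_list):
    """Map each PSP name to the namespace label that would stand in for it."""
    return {p["metadata"]["name"]:
            "pod-security.kubernetes.io/enforce=" + closest_pss_level(p["spec"])
            for p in psp_list["items"]}

# Constructed sample in the shape of `kubectl get psp -o json` (not from the thread).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "example-permissive"},
  "spec": {"privileged": true, "hostNetwork": true, "volumes": ["*"]}},
 {"metadata": {"name": "example-baseline"},
  "spec": {"privileged": false, "volumes": ["configMap", "secret", "emptyDir"]}},
 {"metadata": {"name": "example-restricted"},
  "spec": {"privileged": false, "allowPrivilegeEscalation": false,
           "requiredDropCapabilities": ["ALL"], "volumes": ["configMap", "projected"],
           "runAsUser": {"rule": "MustRunAsNonRoot"}}}]}""")

if __name__ == "__main__":
    for name, label in enforce_labels(SAMPLE).items():
        print(f"{name}: {label}")
```

Treat the suggested level as a starting point and confirm it against the running workloads before enforcing it on a namespace.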