Deprecated Kubernetes 1.22 APIs

Google Distributed Cloud version 1.11 runs on Kubernetes 1.22. Kubernetes 1.22 has deprecated certain APIs, and a list of these deprecated APIs can be found in Kubernetes 1.22 deprecated APIs.

In version 1.11, of Google Distributed Cloud, all clusters have cluster audit logging enabled and audit logs are streamed to Google Cloud's operations suite. To determine if Kubernetes Service Accounts (SA) you use make calls to any deprecated APIs, go to Cloud Operation Log Explorer and run the query below. Output from this query will show if any of your Kubernetes SAs make deprecated API calls:

resource.labels.cluster_name = "<cluster_name>" AND
logName = "projects/<project>/logs/externalaudit.googleapis.com%2Factivity" AND
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@") AND
protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:kube-system:") AND
protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:cert-manager:") AND
protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system:") AND
protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system-webhook:") AND
protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system:") AND
protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system-webhook:") AND
(protoPayload.methodName:"io.k8s.apiextensions.v1beta1.CustomResourceDefinition" OR
protoPayload.methodName:"io.k8s.admissionregistration.v1beta1.MutatingWebhookConfiguration" OR
protoPayload.methodName:"io.k8s.admissionregistration.v1beta1.ValidatingWebhookConfiguration" OR
protoPayload.methodName:"io.k8s.apiregistration.v1beta1.APIService" OR
protoPayload.methodName:"io.k8s.authentication.v1beta1.TokenReview" OR
protoPayload.methodName:"io.k8s.authentication.v1beta1.LocalSubjectAccessReview" OR
protoPayload.methodName:"io.k8s.authentication.v1beta1.SelfSubjectAccessReview" OR
protoPayload.methodName:"io.k8s.authentication.v1beta1.SubjectAccessReview" OR
protoPayload.methodName:"io.k8s.certificates.v1beta1.CertificateSigningRequest" OR
protoPayload.methodName:"io.k8s.coordination.v1beta1.Lease" OR
protoPayload.methodName:"io.k8s.networking.v1beta1.Ingress" OR
protoPayload.methodName:"io.k8s.networking.v1beta1.IngressClass" OR
protoPayload.methodName:"io.k8s.authorization.rbac.v1beta1.ClusterRole" OR
protoPayload.methodName:"io.k8s.authorization.rbac.v1beta1.ClusterRoleBinding" OR
protoPayload.methodName:"io.k8s.authorization.rbac.v1beta1.Role" OR
protoPayload.methodName:"io.k8s.authorization.rbac.v1beta1.RoleBinding" OR
protoPayload.methodName:"io.k8s.scheduling.v1beta1.PriorityClass" OR
protoPayload.methodName:"io.k8s.storage.v1beta1.CSIDriver" OR
protoPayload.methodName:"io.k8s.storage.v1beta1.CSINode" OR
protoPayload.methodName:"io.k8s.storage.v1beta1.StorageClass" OR
protoPayload.methodName:"io.k8s.storage.v1beta1.VolumeAttachment"
)