Detect removed Kubernetes APIs

Several Kubernetes releases have deprecated and removed APIs. If you upgrade a GKE on Bare Metal cluster to a new Kubernetes version and your workloads use any APIs that have been removed in that version, your workloads can be disrupted. Follow the steps in this document to determine whether your workloads use any of the removed APIs for a given Kubernetes version before you upgrade your cluster.

For a list of removed APIs by Kubernetes release, see Deprecated API Migration Guide in the Kubernetes documentation.

Determine if the API deletion affects you

The following steps require that your GKE on Bare Metal clusters have cluster audit logging enabled and that audit logs are streamed to Google Cloud's operations suite, which is the default behavior.

To determine if the Kubernetes Service Accounts you use make calls to any deleted APIs, run the supplied query in Logs Explorer:

  1. In the Google Cloud console, go to the Logs Explorer page in the Logging menu.

  2. In the Query field, enter the following query:

    resource.labels.cluster_name = "CLUSTER_NAME" AND
    logName = "projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity" AND
    protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@") AND
    protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:kube-system:") AND
    protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:cert-manager:") AND
    protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system:") AND
    protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system-webhook:") AND
    protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system:") AND
    protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system-webhook:") AND
    labels."k8s.io/removed-release"="KUBERNETES_MINOR_VERSION"
    

    Replace the following:

    • CLUSTER_NAME: the name of the cluster that contains the workloads that you're checking.

    • PROJECT_ID: the ID of the Google Cloud project that your cluster uses for logs and metrics (clusterOperations.projectID).

    • KUBERNETES_MINOR_VERSION: the minor Kubernetes version, such as 1.25, that has removed APIs.

    The output from this query shows whether any of your Kubernetes Service Accounts make calls to APIs that have been removed for the given Kubernetes minor release.
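To turn the query results into a list of callers to follow up with, the following added example (not part of the original documentation) applies the same conditions to exported log entries and counts calls per principal and API method. It assumes the entries were exported as JSON in the Cloud Audit Logs `LogEntry` layout and already scoped to your project; the function names, `demo-cluster`, `demo-project` and the sample entries are constructed for illustration.

```python
from collections import Counter

# Namespaces of system service accounts that the query on this page excludes.
EXCLUDED_NAMESPACES = ("kube-system", "cert-manager", "capi-system", "capi-system-webhook",
                       "capi-kubeadm-bootstrap-system", "capi-kubeadm-bootstrap-system-webhook")
ACTIVITY_LOG_SUFFIX = "/logs/externalaudit.googleapis.com%2Factivity"

def matches(entry, cluster_name, minor_version):
    """Apply the conditions of the Logs Explorer query to one LogEntry dict."""
    principal = (entry.get("protoPayload", {})
                 .get("authenticationInfo", {}).get("principalEmail", ""))
    if entry.get("resource", {}).get("labels", {}).get("cluster_name") != cluster_name:
        return False
    if not entry.get("logName", "").endswith(ACTIVITY_LOG_SUFFIX):
        return False
    # principalEmail:("system:serviceaccount" OR "@") is a substring match.
    if "system:serviceaccount" not in principal and "@" not in principal:
        return False
    if any(f"system:serviceaccount:{ns}:" in principal for ns in EXCLUDED_NAMESPACES):
        return False
    return entry.get("labels", {}).get("k8s.io/removed-release") == minor_version

def callers_of_removed_apis(entries, cluster_name, minor_version):
    """Count matching calls per (principal, method) to trace each caller to a workload."""
    hits = Counter()
    for entry in entries:
        if matches(entry, cluster_name, minor_version):
            payload = entry["protoPayload"]
            hits[(payload["authenticationInfo"]["principalEmail"],
                  payload.get("methodName", ""))] += 1
    return hits

def _entry(principal, method, release, cluster="demo-cluster"):
    # Builds a constructed LogEntry holding only the fields the query reads.
    return {"logName": "projects/demo-project" + ACTIVITY_LOG_SUFFIX,
            "resource": {"labels": {"cluster_name": cluster}},
            "labels": {"k8s.io/removed-release": release},
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal}}}

# Constructed sample entries, not real audit data.
SAMPLE = [
    _entry("system:serviceaccount:batch-jobs:cron-runner", "io.k8s.batch.v1beta1.cronjobs.list", "1.25"),
    _entry("system:serviceaccount:batch-jobs:cron-runner", "io.k8s.batch.v1beta1.cronjobs.list", "1.25"),
    _entry("system:serviceaccount:kube-system:generic-garbage-collector", "io.k8s.policy.v1beta1.poddisruptionbudgets.list", "1.25"),
    _entry("dev@example.com", "io.k8s.policy.v1beta1.poddisruptionbudgets.create", "1.25"),
    _entry("system:serviceaccount:web:hpa-tuner", "io.k8s.autoscaling.v2beta2.horizontalpodautoscalers.update", "1.26"),
]
for (who, method), count in callers_of_removed_apis(SAMPLE, "demo-cluster", "1.25").items():
    print(count, who, method)
```

For a service account, the namespace in the principal name identifies where the calling workload runs; a principal containing `@` is a user or Google identity rather than an in-cluster workload.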