There are several Kubernetes releases that have deprecated and removed APIs. If you upgrade a Google Distributed Cloud cluster to a new Kubernetes version, and your workloads use any APIs that have been removed, your workloads can be disrupted. Follow the steps in this document to determine whether your workloads use any of the removed APIs for a given Kubernetes version before you upgrade your cluster.
For a list of removed APIs by Kubernetes release, see Deprecated API Migration Guide in the Kubernetes documentation.
Determine if the API deletion affects you
The following steps require that your Google Distributed Cloud clusters have cluster audit logging enabled and that audit logs are streamed to Google Cloud Observability, which is the default behavior.
To determine if the Kubernetes Service Accounts you use make calls to any deleted APIs, run the supplied query in Logs Explorer:
In the Google Cloud console, go to the Logs Explorer page in the Logging menu.
In the Query field, enter the following query:
resource.labels.cluster_name = "CLUSTER_NAME" AND logName = "projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity" AND protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@") AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:kube-system:") AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:cert-manager:") AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system:") AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system-webhook:") AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system:") AND protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system-webhook:") AND labels."k8s.io/removed-release"="KUBERNETES_MINOR_VERSION"Replace the following:
CLUSTER_NAME: the name of the cluster that contains the workloads that you're checking.PROJECT_ID: the ID of the Google Cloud project that your cluster uses for logs and metrics (clusterOperations.projectID).KUBERNETES_MINOR_VERSION: the minor Kubernetes version, such as 1.25, that has removed APIs.
The output from this query shows if any of your Kubernetes Service Accounts make calls to API that have been removed for the given Kubernetes minor release.