This is a very simple utility to help users find deprecated Kubernetes apiVersions in their code repositories and their helm releases.
Want to learn more? Reach out on the Slack channel (request invite), send an email to opensource@fairwinds.com
, or join us for office hours on Zoom
Kubernetes sometimes deprecates apiVersions. Most notably, a large number of deprecations happened in the 1.16 release. This is fine, and it's a fairly easy thing to deal with. However, it can be difficult to find all the places where you might have used a version that will be deprecated in your next upgrade.
You might think, "I'll just ask the api-server to tell me!", but this is fraught with danger. If you ask the api-server to give you deployments.v1.apps
, and the deployment was deployed as deployments.v1beta1.extensions
, the api-server will quite happily convert the api version and return a manifest with apps/v1
. This is fairly well outlined in the discussion in this issue.
So, long story short, finding the places where you have deployed a deprecated apiVersion can be challenging. This is where pluto
comes in. You can use pluto to check a couple different places where you might have placed a deprecated version:
- Infrastructure-as-Code repos: Pluto can check both static manifests and Helm charts for deprecated apiVersions
- Live Helm releases: Pluto can check both Helm 2 and Helm 3 releases running in your cluster for deprecated apiVersions
You can read the full policy here
Long story short, apiVersions get deprecated, and then they eventually get removed entirely. Pluto differentiates between these two, and will tell you if a version is DEPRECATED
or REMOVED
We have an asdf plugin here. You can install with:
asdf plugin-add pluto
asdf list-all pluto
asdf install pluto <latest version>
Install the binary from our releases page.
brew install FairwindsOps/tap/pluto
First, follow the install instructions to install pluto.
Run pluto detect-files -d <DIRECTORY YOU WANT TO SCAN>
You should see an output something like:
$ pluto detect-files -d pkg/finder/testdata
NAME KIND VERSION REPLACEMENT REMOVED DEPRECATED
utilities Deployment extensions/v1beta1 apps/v1 true true
utilities Deployment extensions/v1beta1 apps/v1 true true
This indicates that we have two files in our directory that have deprecated apiVersions. This will need to be fixed prior to a 1.16 upgrade.
$ pluto detect-helm --helm-version 3 -owide
NAME NAMESPACE KIND VERSION REPLACEMENT DEPRECATED DEPRECATED IN REMOVED REMOVED IN
cert-manager/cert-manager-webhook cert-manager MutatingWebhookConfiguration admissionregistration.k8s.io/v1beta1 admissionregistration.k8s.io/v1 true v1.16.0 false v1.19.0
This indicates that the StatefulSet audit-dashboard-prod-rabbitmq-ha was deployed with apps/v1beta1 which is deprecated in 1.16
You can also use Pluto with helm 2:
$ pluto detect-helm --helm-version=2 -A
NAME KIND VERSION REPLACEMENT REMOVED DEPRECATED
invincible-zebu-metrics-server Deployment extensions/v1beta1 apps/v1 true true
lunging-bat-metrics-server Deployment apps/v1 false false
In case you have configured helm 2 with --storage=secret
, you can add the optional --helm-store secrets
. Default configuration for helm 2 is configmaps.
If you only have access to a certain namespace (helm 3), or if you only want to see information for a single namespace, you can pass the --namespace
or -n
flag to restrict the output. Due to the way that helm2 stores configmaps, you will still need access to the tiller namespace if you are using helm 2.
$ pluto detect-helm -n cert-manager -owide
NAME NAMESPACE KIND VERSION REPLACEMENT DEPRECATED DEPRECATED IN REMOVED REMOVED IN
cert-manager/cert-manager-webhook cert-manager MutatingWebhookConfiguration admissionregistration.k8s.io/v1beta1 admissionregistration.k8s.io/v1 true v1.16.0 false v1.19.0
You can run helm template <chart-dir> | pluto detect --show-all -
This will output something like so:
$ helm template e2e/tests/assets/helm3chart | pluto detect --show-all -
KIND VERSION DEPRECATED DEPRECATED IN RESOURCE NAME
Deployment extensions/v1beta1 true v1.16.0 RELEASE-NAME-helm3chart-v1beta1
Deployment apps/v1 false n/a RELEASE-NAME-helm3chart
In addition to the standard output, Pluto can output yaml, json, or wide.
The wide output provides more information about when an apiVersion was removed or deprecated.
$ pluto detect-helm --helm-version 3 -owide
└─ pluto detect-helm -owide
NAME NAMESPACE KIND VERSION REPLACEMENT DEPRECATED DEPRECATED IN REMOVED REMOVED IN
cert-manager/cert-manager-webhook cert-manager MutatingWebhookConfiguration admissionregistration.k8s.io/v1beta1 admissionregistration.k8s.io/v1 true v1.16.0 false v1.19.0
$ pluto detect-helm --helm-version 3 -ojson | jq .
{
"items": [
{
"name": "cert-manager/cert-manager-webhook",
"namespace": "cert-manager",
"api": {
"version": "admissionregistration.k8s.io/v1beta1",
"kind": "MutatingWebhookConfiguration",
"deprecated-in": "v1.16.0",
"removed-in": "v1.19.0",
"replacement-api": "admissionregistration.k8s.io/v1",
"component": "k8s"
},
"deprecated": true,
"removed": false
}
],
"target-versions": {
"cert-manager": "v0.15.1",
"istio": "v1.6.0",
"k8s": "v1.16.0"
}
}
items:
- name: cert-manager/cert-manager-webhook
namespace: cert-manager
api:
version: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
deprecated-in: v1.16.0
removed-in: v1.19.0
replacement-api: admissionregistration.k8s.io/v1
component: k8s
deprecated: true
removed: false
target-versions:
cert-manager: v0.15.1
istio: v1.6.0
k8s: v1.16.0
Pluto has specific exit codes that is uses to indicate certain results:
- Exit Code 1 - An error. A message will be displayed
- Exit Code 2 - A deprecated apiVersion has been found.
- Exit Code 3 - A removed apiVersion has been found.
If you wish to bypass the generation of exit codes 2 and 3, you may do so with two different flags:
--ignore-deprecations Ignore the default behavior to exit 2 if deprecated apiVersions are found.
--ignore-removals Ignore the default behavior to exit 3 if removed apiVersions are found.
By default, Pluto was designed with deprecations related to Kubernetes v1.16.0. However, as more deprecations are introduced, we will try to keep it updated.
You can target the version you are concerned with by using the --target-versions
or -t
flag. You must pass the component=version
, and the version must begin with a v
(this is a limitation of the semver library we are using to verify).
For example:
$ pluto detect-helm --target-version k8s=v1.15.0 --show-all
NAME KIND VERSION REPLACEMENT REMOVED DEPRECATED
cert-manager/cert-manager-webhook MutatingWebhookConfiguration admissionregistration.k8s.io/v1beta1 admissionregistration.k8s.io/v1 false false
$ echo $?
0
Notice that there is a deprecated version, but it was reported as non-deprecated because it has not yet been deprecated in v1.15.0. This particular run exited 0.
If you want to check additional apiVersions and/or types, you can pass an additional file with the --additional-versions
or -f
flag.
The file should look something like this:
target-versions:
custom: v1.0.0
deprecated-versions:
- version: someother/v1beta1
kind: AnotherCRD
deprecated-in: v1.9.0
removed-in: v1.16.0
replacement-api: apps/v1
component: custom
You can test that it's working by using list-versions
:
$ pluto list-versions -f new.yaml
KIND NAME DEPRECATED IN REMOVED IN REPLACEMENT COMPONENT
AnotherCRD someother/v1beta1 v1.9.0 v1.16.0 apps/v1 custom
NOTE: This output is truncated to show only the additional version. Normally this will include the defaults as well
The target-versions
field in this custom file will set the default target version for that component. You can still override this with --target-versions custom=vX.X.X
when you run Pluto.
Please note that we do not allow overriding anything contained in the default versions.yaml that Pluto uses.