Examples of how to test the impact of the v1.16 API deprecations and ways to test and debug early!
If this is the first time you're hearing of these deprecations, STOP and read this blog post (thanks @vllry!).
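- This file of rego rules (deprek8). The URL tracks the `master` branch, so the downloaded policy can change between runs; read the file after downloading it, or pin the URL to a commit you have reviewed.
  curl https://raw.githubusercontent.com/naquada/deprek8/master/policy/deprek8.rego > deprek8.rego
- This binary (conftest): https://github.com/instrumenta/conftest#installation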
# Export every live object of the kinds touched by the deprecations, across all
# namespaces, and evaluate the YAML stream against the deprek8 policy; the
# trailing "-" tells conftest to read from stdin.
# NOTE(review): the apiVersion shown by `kubectl get` is the one the API server
# chose to serve, which may differ from the one written in your manifests, so
# also run conftest over the manifests kept in source control.
kubectl get \
  networkpolicies,podsecuritypolicies,daemonsets,deployments,statefulsets,replicasets,ingresses \
  --all-namespaces --output yaml \
  | conftest test --policy deprek8.rego -
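# kubeadm ClusterConfiguration that turns off the API group/versions affected by
# the v1.16 deprecations, so a pre-v1.16 API server rejects them the way v1.16 will.
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
  name: config
apiServer:
  extraArgs:
    # Passed to kube-apiserver as --runtime-config; "<group>/<version>[/<resource>]=false"
    # stops that API from being served.
    # The list includes extensions/v1beta1 networkpolicies and podsecuritypolicies:
    # a manifest still declaring them is rejected, so the policy it carries is not
    # (re)applied until its apiVersion is updated.
    runtime-config: "apps/v1beta1=false,apps/v1beta2=false,extensions/v1beta1/daemonsets=false,extensions/v1beta1/deployments=false,extensions/v1beta1/replicasets=false,extensions/v1beta1/networkpolicies=false,extensions/v1beta1/podsecuritypolicies=false"
# Apply with:
#   kubeadm init <...> --config <ClusterConfig>.yaml
# Validate with (the command after "--" runs inside the API server pod):
#   kubectl exec <APISERVER-NAME> -n kube-system -- ps -ef | grep runtime-config
# If the image ships no ps binary, the same flag is visible in the pod spec:
#   kubectl get pod <APISERVER-NAME> -n kube-system -o yaml | grep runtime-config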
Good (should pass)
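# Generic apps/v1 Deployment, sent to the live API server.
# apps/v1 is not among the versions disabled through runtime-config, so the
# apply is expected to be accepted.
# NOTE(review): "devnull" looks like a placeholder image name; the check is only
# about whether the API server accepts the manifest's apiVersion.
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx
  template:
    metadata:
      labels:
        run: nginx
    spec:
      containers:
      - image: devnull
        name: devnull
EOF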
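# Now with more rego!
# Same apps/v1 manifest, evaluated locally by conftest against deprek8.rego
# (read from stdin via the trailing "-"); no cluster is contacted, so this form
# also fits a pre-merge CI check.
cat <<EOF | conftest test -p deprek8.rego -
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx
  template:
    metadata:
      labels:
        run: nginx
    spec:
      containers:
      - image: devnull
        name: devnull
EOF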
Bad (should fail)
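# Deployment declared as apps/v1beta2, one of the versions switched off through
# runtime-config: the API server is expected to reject this apply.
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx
  template:
    metadata:
      labels:
        run: nginx
    spec:
      containers:
      - image: devnull
        name: devnull
EOF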
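# Now with more rego!
# Same apps/v1beta2 manifest, evaluated locally by conftest against
# deprek8.rego; the policy is expected to report the deprecated apiVersion
# without any cluster being involved.
cat <<EOF | conftest test -p deprek8.rego -
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx
  template:
    metadata:
      labels:
        run: nginx
    spec:
      containers:
      - image: devnull
        name: devnull
EOF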
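# Pipe the apps/v1beta2 manifest through `kubectl convert` before applying, so
# the object that reaches the API server no longer carries the disabled version.
# NOTE(review): presumably shown as the remediation for the rejected apply above.
# Later kubectl releases dropped the built-in `convert` subcommand in favour of
# a separately installed kubectl-convert plugin; confirm which one you have.
# Review the converted output before committing it, since defaults can be added.
cat <<EOF | kubectl convert -f - | kubectl apply -f -
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx
  template:
    metadata:
      labels:
        run: nginx
    spec:
      containers:
      - image: devnull
        name: devnull
EOF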
If you haven't heard about KinD, start here: https://kind.sigs.k8s.io/
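# Write a kind cluster config whose kubeadm patch disables the deprecated
# API group/versions on the API server via runtime-config.
# The patch is a literal block scalar ("|"): its lines must stay indented under
# the list item, otherwise they are parsed as keys of the kind Cluster itself.
cat <<EOF > kind-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
kubeadmConfigPatches:
- |
  apiVersion: kubeadm.k8s.io/v1beta2
  kind: ClusterConfiguration
  metadata:
    name: config
  apiServer:
    extraArgs:
      runtime-config: "apps/v1beta1=false,apps/v1beta2=false,extensions/v1beta1/daemonsets=false,extensions/v1beta1/deployments=false,extensions/v1beta1/replicasets=false,extensions/v1beta1/networkpolicies=false,extensions/v1beta1/podsecuritypolicies=false"
EOF
# using v1.15.6 since the APIs are gone in v1.16.0
# The node image is referenced by tag *and* sha256 digest, so the pull resolves
# to that exact image content even if the tag is later repointed.
kind create cluster \
  --image=kindest/node:v1.15.6@sha256:18c4ab6b61c991c249d29df778e651f443ac4bcd4e6bdd37e0c83c0d33eaae78 \
  --config kind-config.yaml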