There are several Kubernetes releases that have deprecated and removed APIs. If
you upgrade a Google Distributed Cloud cluster to a new Kubernetes version, and
your workloads use any APIs that have been removed, your workloads can be
disrupted. Follow the steps in this document to determine whether your workloads
use any of the removed APIs for a given Kubernetes version before you upgrade
your cluster.

For a list of removed APIs by Kubernetes release, see Deprecated API Migration
Guide (https://kubernetes.io/docs/reference/using-api/deprecation-guide/) in the
Kubernetes documentation.

Determine if the API deletion affects you

The following steps require that your Google Distributed Cloud clusters have
cluster audit logging enabled and that
audit logs are streamed to Google Cloud Observability, which is the
default behavior.

To determine if the Kubernetes Service Accounts you use make calls to any
deleted APIs, run the supplied query in
Logs Explorer:

1. In the Google Cloud console, go to the Logs Explorer page in the
   Logging menu.

   Go to Logs Explorer: https://console.cloud.google.com/logs/query

2. In the Query field, enter the following query:

       resource.labels.cluster_name = "CLUSTER_NAME" AND
       logName = "projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity" AND
       protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@") AND
       protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:kube-system:") AND
       protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:cert-manager:") AND
       protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system:") AND
       protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-kubeadm-bootstrap-system-webhook:") AND
       protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system:") AND
       protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:capi-system-webhook:") AND
       labels."k8s.io/removed-release"="KUBERNETES_MINOR_VERSION"

   Replace the following:

   - CLUSTER_NAME: the name of the cluster that contains
     the workloads that you're checking.

   - PROJECT_ID: the ID of the Google Cloud project that
     your cluster uses for logs and metrics (clusterOperations.projectID).

   - KUBERNETES_MINOR_VERSION: the minor Kubernetes
     version, such as 1.25, that has removed APIs.

   The output from this query shows if any of your Kubernetes Service Accounts
   make calls to APIs that have been removed for the given Kubernetes minor
   release.

Last updated 2025-08-29 UTC.
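An added example, not from the original page or from Google's tooling: Python that rebuilds the query above for a given cluster and release and, for audit log entries exported as JSON, counts removed-API calls per caller and API method so each finding can be traced to a workload owner. The function names, the grouping on the AuditLog `methodName` field and the sample entries are assumptions constructed for illustration.

```python
from collections import Counter

# Namespaces whose service accounts the page's query excludes.
EXCLUDED_NAMESPACES = (
    "kube-system", "cert-manager", "capi-kubeadm-bootstrap-system",
    "capi-kubeadm-bootstrap-system-webhook", "capi-system", "capi-system-webhook",
)

def build_filter(cluster_name, project_id, minor_version):
    """Assemble the page's Logs Explorer query for one cluster and release."""
    email = "protoPayload.authenticationInfo.principalEmail"
    clauses = [
        f'resource.labels.cluster_name = "{cluster_name}"',
        f'logName = "projects/{project_id}/logs/externalaudit.googleapis.com%2Factivity"',
        f'{email}:("system:serviceaccount" OR "@")',
    ]
    clauses += [f'{email}!~("system:serviceaccount:{ns}:")' for ns in EXCLUDED_NAMESPACES]
    clauses.append(f'labels."k8s.io/removed-release"="{minor_version}"')
    return " AND\n".join(clauses)

def summarize(entries, minor_version):
    """Count removed-API calls per (caller, method), applying the query's conditions."""
    counts = Counter()
    for entry in entries:
        if entry.get("labels", {}).get("k8s.io/removed-release") != minor_version:
            continue
        payload = entry.get("protoPayload", {})
        who = payload.get("authenticationInfo", {}).get("principalEmail", "")
        excluded = any(f"system:serviceaccount:{ns}:" in who for ns in EXCLUDED_NAMESPACES)
        if excluded or not ("system:serviceaccount" in who or "@" in who):
            continue
        counts[(who, payload.get("methodName", "unknown"))] += 1  # methodName: assumed grouping key
    return counts

def _entry(who, method, release):
    return {"labels": {"k8s.io/removed-release": release},
            "protoPayload": {"authenticationInfo": {"principalEmail": who}, "methodName": method}}

SAMPLE = [  # constructed entries holding only the fields used above, not real log output
    _entry("system:serviceaccount:payments:batch-runner", "io.k8s.batch.v1beta1.cronjobs.list", "1.25"),
    _entry("system:serviceaccount:payments:batch-runner", "io.k8s.batch.v1beta1.cronjobs.list", "1.25"),
    _entry("system:serviceaccount:kube-system:generic-garbage-collector", "io.k8s.policy.v1beta1.podsecuritypolicies.list", "1.25"),
    _entry("dev@example.com", "io.k8s.policy.v1beta1.poddisruptionbudgets.get", "1.25"),
    _entry("system:serviceaccount:payments:batch-runner", "io.k8s.flowcontrol.v1beta1.flowschemas.list", "1.26"),
]

if __name__ == "__main__":
    print(build_filter("CLUSTER_NAME", "PROJECT_ID", "1.25"))
    print(summarize(SAMPLE, "1.25").most_common())
```

An empty result for a release means no non-system caller touched an API removed in that release during the period the exported entries cover.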