👋 Welcome to my upgrade guide to EKS version 1.22.
EKS has recently started supporting version 1.22 of Kubernetes. If you want to upgrade, you should know this: Version 1.22 has LOTS of REMOVED APIs. Previously they were deprecated, now they are outright REMOVED, so any workload trying to run using those removed versions will simply fail to run. This means that this upgrade is very dangerous for your production environment.
NEW! Now you can use Datree to prevent the use of deprecated APIs in your resources. Find the policy here.
In this tutorial we will learn how to upgrade correctly. We will:
- Identify the removed APIs in the target cluster.
- Convert the removed APIs to new versions.
- Upgrade the EKS Control Plane to version 1.22.
- Upgrade Node Groups to AMI version 1.22.6.
⏳ Identify the removed APIs in the target cluster
So let’s scan our cluster to see if we are currently running any of those removed APIs. You can find the full list of removed APIs at the bottom of this blog post.
First, we will fetch all of the manifests in the hn-app namespace and output them as YAML.
Now, in order to find those removed APIs we have two options. One, manually cross-referencing the output with the list of removed APIs. Or two, using Datree to automatically identify those removed APIs.
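Option one, the manual cross-reference, can be scripted. The following is an added example, not part of the original post and not Datree's code: its lookup table is transcribed from the removed-API list at the bottom of this post, and the function names and the resource names hn-ingress and hn-web are made up for illustration.

```shell
#!/bin/sh
# Added example (not Datree code): flag manifests whose apiVersion/kind pair
# appears in this page's list of APIs removed in Kubernetes 1.22.
# Assumes multi-document YAML with top-level keys at column 0 (not kind: List).

# Reads YAML on stdin, prints "<apiVersion> <kind> <name>" per offending
# document, and returns 1 if any were found so it can gate a pipeline.
find_removed_apis() {
    awk -v q="'" '
    function val(line,   s) {          # value after "key:", minus comment/quotes
        s = line; sub(/^[^:]*:/, "", s); sub(/[ \t]+#.*$/, "", s)
        gsub(/[ \t\r"]/, "", s); gsub(q, "", s); return s
    }
    function emit() {
        if (api in removed && index(" " removed[api] " ", " " kind " ")) {
            print api, kind, name; hits++
        }
        api = kind = name = ""; inmeta = 0
    }
    BEGIN {
        removed["admissionregistration.k8s.io/v1beta1"] = "ValidatingWebhookConfiguration MutatingWebhookConfiguration"
        removed["apiextensions.k8s.io/v1beta1"] = "CustomResourceDefinition"
        removed["apiregistration.k8s.io/v1beta1"] = "APIService"
        removed["authentication.k8s.io/v1beta1"] = "TokenReview"
        removed["authorization.k8s.io/v1beta1"] = "SubjectAccessReview LocalSubjectAccessReview SelfSubjectAccessReview"
        removed["certificates.k8s.io/v1beta1"] = "CertificateSigningRequest"
        removed["coordination.k8s.io/v1beta1"] = "Lease"
        removed["extensions/v1beta1"] = "Ingress"
        removed["networking.k8s.io/v1beta1"] = "Ingress"
    }
    /^---/         { emit(); next }
    /^[^ \t#]/     { inmeta = ($0 ~ /^metadata:/) }
    /^apiVersion:/ { api = val($0) }
    /^kind:/       { kind = val($0) }
    inmeta && name == "" && /^  name:/ { name = val($0) }
    END { emit(); exit (hits > 0) }
    '
}

# Constructed sample: one removed Ingress version, one current Deployment.
sample_manifests() {
    printf '%s\n' 'apiVersion: networking.k8s.io/v1beta1' 'kind: Ingress' \
        'metadata:' '  name: hn-ingress' '  namespace: hn-app' '---' \
        'apiVersion: "apps/v1"  # still served' 'kind: Deployment' \
        'metadata:' '  name: hn-web'
}

sample_manifests | find_removed_apis || echo "removed APIs found"
```

Run it over the manifest files you apply rather than over `kubectl get -o yaml` output: the API server returns objects at its preferred version, which can hide a removed version that is still written in the file.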
Datree is an open source project built by me and a bunch of talented engineers to prevent misconfigurations in Kubernetes environments, and it has a kubectl plugin that comes in handy here. The plugin connects to the cluster configured in kubectl, pulls the currently running manifests, and checks whether their API versions are compatible with the version we will upgrade the cluster to.
In order to use the plugin, we will first install it using Krew (the package manager for kubectl plugins).
Now we will scan the hn-app namespace using Datree with the target version 1.22.6.
And here are the results:
As you can see, we have an issue with our Ingress controller as it is using the networking.k8s.io/v1beta1 version.
And indeed, if we check the manifest, we see the removed API on line #2:
If we try to use this API Version after we’ve upgraded the cluster to version 1.22 we will get the following error:
🔁 Converting the removed API versions to new versions
Now that we have identified the removed API version using Datree’s kubectl plugin, we will use an official Kubernetes kubectl plugin called convert to migrate our API version.
Now let's convert the file to the new API, networking.k8s.io/v1.
Now we have the up-to-date and supported API versions! 🎉 We are safe to perform the upgrade 🔥
🤞 Upgrading the EKS cluster:
In order to perform the upgrade process for the Control Plane and Node Groups, we will use the EKSCTL toolkit.
Upgrading the Control Plane:
Upgrading the node group:
⛔️ Removed APIs:
- Beta versions of the ValidatingWebhookConfiguration and MutatingWebhookConfiguration API (the admissionregistration.k8s.io/v1beta1 API versions)
error: unable to recognize "deployment.yaml": no matches for kind "ValidatingWebhookConfiguration" in version "apiregistration.k8s.io/v1beta1"
error: unable to recognize "deployment.yaml": no matches for kind "MutatingWebhookConfiguration" in version "apiregistration.k8s.io/v1beta1"
- The beta CustomResourceDefinition API (apiextensions.k8s.io/v1beta1)
error: unable to recognize "deployment.yaml": no matches for kind "CustomResourceDefinition" in version "apiregistration.k8s.io/v1beta1"
- The beta APIService API (apiregistration.k8s.io/v1beta1)
error: unable to recognize "deployment.yaml": no matches for kind "APIService" in version "apiregistration.k8s.io/v1beta1"
- The beta TokenReview API (authentication.k8s.io/v1beta1)
error: unable to recognize "deployment.yaml": no matches for kind "TokenReview" in version "networking.k8s.io/v1beta1"
- Beta API versions of SubjectAccessReview, LocalSubjectAccessReview, SelfSubjectAccessReview (API versions from authorization.k8s.io/v1beta1)
error: unable to recognize "deployment.yaml": no matches for kind "SubjectAccessReview" in version "networking.k8s.io/v1beta1"
error: unable to recognize "deployment.yaml": no matches for kind "LocalSubjectAccessReview" in version "networking.k8s.io/v1beta1"
error: unable to recognize "deployment.yaml": no matches for kind "SelfSubjectAccessReview" in version "networking.k8s.io/v1beta1"
- The beta CertificateSigningRequest API (certificates.k8s.io/v1beta1)
error: unable to recognize "deployment.yaml": no matches for kind "CertificateSigningRequest" in version "networking.k8s.io/v1beta1"
- The beta Lease API (coordination.k8s.io/v1beta1)
error: unable to recognize "deployment.yaml": no matches for kind "Lease" in version "coordination.k8s.io/v1beta1"
- All beta Ingress APIs (the extensions/v1beta1 and networking.k8s.io/v1beta1 API versions)
error: unable to recognize "deployment.yaml": no matches for kind "Ingress" in version "networking.k8s.io/v1beta1"
error: unable to recognize "deployment.yaml": no matches for kind "Ingress" in version "extensions/v1beta1"
Additional Resources:
Learn from Nana, AWS Hero & CNCF Ambassador, how to enforce K8s best practices with Datree