Kubernetes 1.22 deprecated APIs
This page explains how to prepare clusters for upgrades to GKE version 1.22. You can find API clients making calls to deprecated APIs removed in 1.22 and update those clients to use GA APIs. For more detailed information, see the Kubernetes deprecated API migration guide.
Removed APIs in 1.22
Most of the deprecated APIs in Kubernetes version 1.22 are former Beta APIs that have since graduated from Beta (v1beta1) to GA (v1). The GA APIs provide longer-term compatibility guarantees and should be used in place of the deprecated Beta APIs.
All existing objects can be interacted with by using the GA APIs.
Important: Before upgrading to 1.22, you should update API clients and manifests to use the GA APIs.
Webhook resources
The Beta API version of MutatingWebhookConfiguration and ValidatingWebhookConfiguration is no longer served as of version 1.22.
- Migrate manifests and API clients to use the admissionregistration.k8s.io/v1 API version.
Refer to the following table that describes the notable changes in the GA API version:
| Field | Change |
| --- | --- |
| webhooks[*].failurePolicy | Default changed from Ignore to Fail. |
| webhooks[*].matchPolicy | Default changed from Exact to Equivalent. |
| webhooks[*].timeoutSeconds | Default changed from 30s to 10s. |
| webhooks[*].sideEffects | Default value is removed, and the field is now required. Only None and NoneOnDryRun are permitted. |
| webhooks[*].admissionReviewVersions | Default value is removed and the field is now required (supported versions for AdmissionReview are v1 and v1beta1). |
| webhooks[*].name | Must be unique in the list for objects created via admissionregistration.k8s.io/v1. |
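A manifest that relied on the v1beta1 defaults changes behaviour when only its apiVersion is bumped: a webhook that used to fail open (Ignore) starts rejecting requests (Fail) whenever its backend is unreachable. The following sketch is an added example, not code from this page or from Kubernetes: it writes the old defaults out explicitly and reports what cannot be defaulted. The function name and sample manifest are hypothetical, and the admissionReviewVersions default of ["v1beta1"] is the v1beta1 API default, which the table does not list.

```python
import copy

# Values v1beta1 applied when a field was omitted. The first three are the
# "from" values in the table above; admissionReviewVersions is the v1beta1
# API default, which the table does not list.
V1BETA1_DEFAULTS = {
    "failurePolicy": "Ignore",
    "matchPolicy": "Exact",
    "timeoutSeconds": 30,
    "admissionReviewVersions": ["v1beta1"],
}
V1_SIDE_EFFECTS = {"None", "NoneOnDryRun"}


def migrate_webhook_config(manifest):
    """Convert a v1beta1 webhook configuration dict to v1.

    Returns (v1_manifest, pinned, blockers): pinned lists old defaults written
    out explicitly, blockers lists problems that need a human decision.
    """
    out = copy.deepcopy(manifest)
    out["apiVersion"] = "admissionregistration.k8s.io/v1"
    pinned, blockers, seen = [], [], set()
    for i, hook in enumerate(out.get("webhooks") or []):
        name = hook.get("name", f"webhooks[{i}]")
        for field, old in V1BETA1_DEFAULTS.items():
            if field not in hook:
                hook[field] = copy.deepcopy(old)
                pinned.append(f"{name}: {field}={old!r}")
        # No safe default exists: the webhook author must declare side effects.
        if hook.get("sideEffects") not in V1_SIDE_EFFECTS:
            blockers.append(f"{name}: sideEffects must be None or NoneOnDryRun")
        if name in seen:
            blockers.append(f"{name}: duplicate webhook name")
        seen.add(name)
    return out, pinned, blockers


# Constructed sample: a policy webhook that relied on every v1beta1 default.
SAMPLE = {
    "apiVersion": "admissionregistration.k8s.io/v1beta1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "example-policy"},
    "webhooks": [{"name": "check.example.com", "rules": []}],
}

if __name__ == "__main__":
    v1, pinned, blockers = migrate_webhook_config(SAMPLE)
    print(v1["apiVersion"], pinned, blockers, sep="\n")
```

Pinning failurePolicy to Ignore only preserves the existing behaviour; whether a policy-enforcing webhook should keep failing open is a separate review item.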
CustomResourceDefinition
The Beta API version of CustomResourceDefinition is no longer served as of version 1.22.
- Migrate manifests and API clients to use the apiextensions.k8s.io/v1 API version.
Refer to the following table that describes the notable changes in the GA API version:
| Field | Change |
| --- | --- |
| spec.scope | No longer defaulted to Namespaced. The value must be explicitly specified. |
| spec.version | Removed. Use spec.versions instead. |
| spec.validation | Removed. Use spec.versions[*].schema instead. |
| spec.subresources | Removed. Use spec.versions[*].subresources instead. |
| spec.additionalPrinterColumns | Removed. Use spec.versions[*].additionalPrinterColumns instead. |
| spec.conversion.webhookClientConfig | Moved to spec.conversion.webhook.clientConfig. |
| spec.conversion.conversionReviewVersions | Moved to spec.conversion.webhook.conversionReviewVersions. |
| spec.versions[*].schema.openAPIV3Schema | Now required when creating v1 CustomResourceDefinition objects, and must be a structural schema. |
| spec.preserveUnknownFields | Value true is disallowed when creating v1 CustomResourceDefinition objects. The value must be specified within schema definitions as x-kubernetes-preserve-unknown-fields: true. |
| additionalPrinterColumns | In additionalPrinterColumns items, the JSONPath field was renamed to jsonPath. |
APIService
The Beta API version of APIService is no longer served as of version 1.22. Migrate manifests and API clients to use the apiregistration.k8s.io/v1 API version.
TokenReview
The Beta API version of TokenReview is no longer served as of version 1.22. Migrate manifests and API clients to use the authentication.k8s.io/v1 API version.
SubjectAccessReview resources
The Beta API version of LocalSubjectAccessReview, SelfSubjectAccessReview, and SubjectAccessReview is no longer served as of version 1.22.
- Migrate manifests and API clients to use the authorization.k8s.io/v1 API version.
Refer to the following table that describes the notable changes in the GA API version:
| Field | Change |
| --- | --- |
| spec.group | Renamed to spec.groups. |
CertificateSigningRequest
The Beta API version of CertificateSigningRequest is no longer served as of version 1.22.
- Migrate manifests and API clients to use the certificates.k8s.io/v1 API version.
Refer to the following table that describes the notable changes in the GA API version:
| Field | Change |
| --- | --- |
| spec.signerName | For API clients requesting certificates, this field is required (see known Kubernetes signers), and requests for kubernetes.io/legacy-unknown are not allowed to be created via the certificates.k8s.io/v1 API. |
| spec.usages | For API clients requesting certificates, this field is required. This field cannot contain duplicate values, and must only contain known usages. |
| status.conditions | For API clients approving or signing certificates, this field cannot contain duplicate types. |
| status.conditions[*].status | For API clients approving or signing certificates, this field is now required. |
| status.certificate | For API clients approving or signing certificates, this field must be PEM-encoded, and contain only CERTIFICATE blocks. |
Lease
The Beta API version of Lease is no longer served as of version 1.22. Migrate manifests and API clients to use the coordination.k8s.io/v1 API version.
Ingress (available until 1.23 for clusters created on 1.21 or earlier)
The Beta API versions (extensions/v1beta1 and networking.k8s.io/v1beta1) of Ingress are no longer served for GKE clusters running version 1.22 or later if the cluster was created on version 1.22 or later.
However, for clusters created on GKE version 1.21 or earlier and upgraded to 1.22 on the patch version 1.22.7-gke.300 or later, you can still use the Beta API versions until the cluster is upgraded to version 1.23. This is a one-time exception for older clusters to give you more time to migrate your clusters from using these API versions which are removed from the open-source Kubernetes in version 1.22.
Any clusters running GKE version 1.23 and later will no longer serve the deprecated Ingress beta APIs. Manifests using those API versions can no longer be applied. Previously persisted objects remain functional and can be viewed and updated using the new API versions, before and after upgrading to 1.23.
- Migrate manifests and API clients to use the networking.k8s.io/v1 API version.
Refer to the following table that describes the notable changes in the GA API version:
| Field | Change |
| --- | --- |
| spec.backend | Renamed to spec.defaultBackend. |
| backend serviceName | Renamed to service.name. |
| servicePort | Numeric backend servicePort fields are renamed to service.port.number. String backend servicePort fields are renamed to service.port.name. |
| pathType | Now required for each specified path. The value can be: Prefix, Exact, or ImplementationSpecific. To match the undefined v1beta1 behavior, use ImplementationSpecific. |
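The renames in the table above, applied mechanically to a manifest loaded as a Python dict. This is an added example, not code from this page or from Kubernetes, and it covers one case the page's manifests do not show: a string (named) servicePort. The function names and the /named path are hypothetical.

```python
import copy


def _backend_to_v1(backend):
    """Rewrite a v1beta1 serviceName/servicePort backend into the v1 shape."""
    if "serviceName" not in backend:
        return copy.deepcopy(backend)  # not a service backend: leave untouched
    port = backend.get("servicePort")
    # Numeric ports become service.port.number, string ports service.port.name.
    key = "number" if isinstance(port, int) else "name"
    return {"service": {"name": backend["serviceName"], "port": {key: port}}}


def ingress_to_v1(manifest):
    """Return a networking.k8s.io/v1 copy of a v1beta1 Ingress dict."""
    out = copy.deepcopy(manifest)
    out["apiVersion"] = "networking.k8s.io/v1"
    spec = out.get("spec") or {}
    if "backend" in spec:
        spec["defaultBackend"] = _backend_to_v1(spec.pop("backend"))
    for rule in spec.get("rules") or []:
        for path in (rule.get("http") or {}).get("paths") or []:
            path["backend"] = _backend_to_v1(path["backend"])
            # v1 requires pathType; this value keeps the undefined v1beta1 matching.
            path.setdefault("pathType", "ImplementationSpecific")
    return out


# Constructed input: the page's v1beta1 manifest plus one path with a named port.
V1BETA1 = {
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "example"},
    "spec": {
        "backend": {"serviceName": "default-backend", "servicePort": 80},
        "rules": [{"http": {"paths": [
            {"path": "/testpath",
             "backend": {"serviceName": "test", "servicePort": 80}},
            {"path": "/named",
             "backend": {"serviceName": "test", "servicePort": "http"}},
        ]}}],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(ingress_to_v1(V1BETA1), indent=2))
```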
The following manifests describe the same Ingress in v1 and v1beta1:
v1beta1 manifest
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example
spec:
  backend:
    serviceName: default-backend
    servicePort: 80
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80
```
v1 manifest
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
spec:
  defaultBackend:
    service:
      name: default-backend
      port:
        number: 80
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 80
```
You can use the following query for clusters with Google Cloud Observability enabled to identify clients that access the Ingress v1beta1 APIs:
```
resource.type="k8s_cluster"
resource.labels.cluster_name="$CLUSTER_NAME"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.request.apiVersion=("extensions/v1beta1" OR "networking.k8s.io/v1beta1")
protoPayload.request.kind="Ingress"
NOT ("kube-system")
```
IngressClass
The Beta API version of IngressClass is no longer served as of version 1.22. Migrate manifests and API clients to use the networking.k8s.io/v1 API version.
RBAC resources
The Beta API version of ClusterRole, ClusterRoleBinding, Role, and RoleBinding is no longer served as of version 1.22. Migrate manifests and API clients to use the rbac.authorization.k8s.io/v1 API version.
PriorityClass
The Beta API version of PriorityClass is no longer served as of version 1.22. Migrate manifests and API clients to use the scheduling.k8s.io/v1 API version.
Storage resources
The Beta API version of CSIDriver, CSINode, StorageClass, and VolumeAttachment is no longer served as of version 1.22. Migrate manifests and API clients to use the storage.k8s.io/v1 API version.
Find clusters using deprecated APIs
You can find which clusters are using deprecated APIs from deprecation insights. Deprecation insights also provide information such as which API clients are calling the deprecated APIs in your cluster.
You can also use audit logs to find which clients are making calls to deprecated APIs.
Locate API clients making write calls to deprecated APIs
For clusters with Google Cloud Observability enabled, you can use the following Admin Activity audit log query to show the use of deprecated APIs by user agents that are not Google-managed:
```
resource.type="k8s_cluster"
labels."k8s.io/removed-release"="DEPRECATED_API_MINOR_VERSION"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:kube-system:")
```
Replace DEPRECATED_API_MINOR_VERSION with the minor version where the deprecated API is removed, for example 1.22.
Admin Activity audit logs are automatically enabled for GKE clusters. With this query, the logs show user agents making write calls to the deprecated APIs.
Locate API clients making read calls to deprecated APIs
By default, audit logs show only write calls to the deprecated APIs. To also show read calls to deprecated APIs, configure Data Access audit logs.
Caution: If you enable additional audit logs, this might incur additional logging costs. The volume of ingested Data Access audit logs counts toward the Cloud Logging logs ingestion quota.
Follow the instructions to Configure Data Access audit logs with the Google Cloud console. In the Google Cloud console, select the Kubernetes Engine API. In the Log Types tab in the information panel, select Admin Read and Data Read.
With these logs enabled, you can now use the original query to see both read calls and write calls to the deprecated APIs.
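Once entries matching the query have been exported as JSON, the same conditions can be applied offline to build a list of clients to fix. The following is an added example, not code from this page or from Google: the sample entries, principals, user agents and method names are constructed, and the user agent is read from protoPayload.requestMetadata.callerSuppliedUserAgent.

```python
from collections import Counter


def _entry(principal, agent, method, removed="1.22"):
    """Build one constructed audit entry in Cloud Logging JSON export shape."""
    return {
        "resource": {"type": "k8s_cluster"},
        "labels": {"k8s.io/removed-release": removed},
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerSuppliedUserAgent": agent},
        },
    }


# Constructed sample data; principals, agents and method names are illustrative.
SAMPLE = [
    _entry("alice@example.com", "helm/v3.5.0", "io.k8s.networking.v1beta1.ingresses.create"),
    _entry("alice@example.com", "helm/v3.5.0", "io.k8s.networking.v1beta1.ingresses.create"),
    _entry("system:serviceaccount:ci:deployer", "kubectl/v1.20.0",
           "io.k8s.apiextensions.v1beta1.customresourcedefinitions.update"),
    _entry("system:serviceaccount:kube-system:example-controller", "example-controller",
           "io.k8s.coordination.v1beta1.leases.update"),
    _entry("system:kube-scheduler", "kube-scheduler", "io.k8s.coordination.v1beta1.leases.update"),
    _entry("bob@example.com", "kubectl/v1.22.0", "io.k8s.policy.v1beta1.podsecuritypolicies.list",
           removed="1.25"),
]


def deprecated_api_callers(entries, removed_release="1.22"):
    """Count (principal, user agent, method) for entries the query would match."""
    hits = Counter()
    for e in entries:
        payload = e.get("protoPayload", {})
        who = payload.get("authenticationInfo", {}).get("principalEmail", "")
        if (e.get("resource", {}).get("type") != "k8s_cluster"
                or e.get("labels", {}).get("k8s.io/removed-release") != removed_release):
            continue
        # principalEmail:("system:serviceaccount" OR "@") and the kube-system exclusion
        if not ("system:serviceaccount" in who or "@" in who):
            continue
        if "system:serviceaccount:kube-system:" in who:
            continue
        agent = payload.get("requestMetadata", {}).get("callerSuppliedUserAgent", "")
        hits[(who, agent, payload.get("methodName", ""))] += 1
    return hits
```

Grouping by principal and user agent together separates a human running an old CLI from a service account whose deployment pipeline still ships v1beta1 manifests.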
Upgrading third-party components
Deprecation insights might display results for third-party agents that make calls to deprecated APIs in your cluster.
To resolve these insights, try the following steps:
- Check with your third-party software provider for an updated version.
- Upgrade the third-party software to the latest version. If you cannot upgrade the software, you should test whether upgrading GKE to the version with the removed deprecated APIs would break your service.
We recommend that you perform this upgrade and the GKE version upgrade on a staging cluster to monitor for disruptions before you upgrade your production clusters.
Preparing to upgrade to version 1.22
You do not need to delete and recreate any of your API objects. All existing persisted API objects can already be read and updated using the new API versions. However, we recommend that you migrate your clients and manifests before upgrading to Kubernetes 1.22. Learn more in the "What to do" section of the Kubernetes Deprecated API Migration Guide.
You can view deprecation insights and recommendations to determine if your cluster is using a Kubernetes feature or API that is deprecated. Deprecation insights are based on observed API calls to deprecated APIs by user agents, not the configuration of your Kubernetes objects.
Warning: If you do not update a client or manifest before the 1.22 upgrade, it will not be able to read/modify existing objects or create new objects. The client or manifest will only be able to read, modify, or create objects once you update it.
Update clusters impacted by deprecations
To upgrade clusters impacted by deprecations, perform the following steps:
- Check which user agents use the deprecated APIs in the deprecation insight or logs.
- Update the user agents that use the deprecated APIs to use supported API versions.
- Update any third-party software that calls deprecated APIs to the latest versions.
- Upgrade a test cluster and test your application in a testing environment before upgrading your production cluster to reduce the risk of disruptions when deprecated APIs are no longer available.
- After you update all of the user agents, GKE waits until it has no longer observed use of deprecated APIs for 30 days, and then unblocks automatic upgrades. Automatic upgrades proceed according to the release schedule.
- If you can't update an affected user agent, upgrade a separate test cluster to check whether the upgrade causes disruptions. If the upgrade doesn't cause disruptions, you can upgrade your cluster manually.
Resources
More information is available in the OSS Kubernetes documentation:
- Kubernetes Blog: API removals for Kubernetes version 1.22
- Kubernetes 1.22 release notes
- Kubernetes Deprecated API Migration Guide
Last updated 2026-02-18 UTC.