✨ Adds "deprecated apis" auditor

[jerr]

Description

Fixes #408

Adds a new command deprecatedapis to find deprecated APIs of resources. It reports for all resources defined with a deprecated API the version since when it is deprecated the deprecated version, the version where is removed and suggests the recommended API.

Here's a sample result:

$ kubeaudit deprecatedapis -f "auditors/deprecatedapis/fixtures/cronjob.yml"

---------------- Results for ---------------
  apiVersion: batch/v1beta1
  kind: CronJob
  metadata:
    name: hello
--------------------------------------------
-- [warning] DeprecatedAPIUsed
   Message: batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
   Metadata:
      DeprecatedMajor: 1
      DeprecatedMinor: 21
      RemovedMajor: 1
      RemovedMinor: 25
      ReplacementKind: CronJob
      ReplacementGroup: batch/v1

This PR also brings the possibility to audit any type of resource using the dynamic client.

Type of change

• New feature ✨
• This change requires a documentation update 📖

How Has This Been Tested?

• Automated tests
• Manual tests (local mode and manifest files)

Checklist:

• I have 🎩 my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• The test coverage did not decrease
• I have signed the appropriate Contributor License Agreement

[jerr]

👆 rebased on the main branch

[jerr]

🎩 Manually tested with a file and a cluster with the local mode

- The help message:

$ ./kubeaudit deprecatedapis --help                                              
This command determines which resource is defined with a deprecated API version.

An ERROR result is generated for API version not available in the targeted version
A WARN result is generated for API version deprecated in the current version
An INFO result is generated for API version not yet deprecated in the current version

Example usage:
kubeaudit deprecatedapis
kubeaudit deprecatedapis --current-k8s-version 1.22 --targeted-k8s-version 1.24

Usage:
  kubeaudit deprecatedapis [flags]

Flags:
      --current-k8s-version string    Kubernetes current version (eg 1.22)
  -h, --help                          help for deprecatedapis
      --targeted-k8s-version string   Kubernetes version to migrate to (eg 1.24)

Global Flags:
  -e, --exitcode int         Exit code to use if there are results with severity of "error". Conventionally, 0 is used for success and all non-zero codes for an error. (default 2)
  -p, --format string        The output format to use (one of "pretty", "logrus", "json") (default "pretty")
  -g, --includegenerated     Include generated resources in scan  (eg. pods generated by deployments).
  -c, --kubeconfig string    Path to local Kubernetes config file. Only used in local mode (default is $HOME/.kube/config)
  -f, --manifest string      Path to the yaml configuration to audit. Only used in manifest mode.
  -m, --minseverity string   Set the lowest severity level to report (one of "error", "warning", "info") (default "info")
  -n, --namespace string     Only audit resources in the specified namespace. Not currently supported in manifest mode.

- Audit of a file

$ ./kubeaudit deprecatedapis   -f auditors/deprecatedapis/fixtures/cronjob.yml

---------------- Results for ---------------

  apiVersion: batch/v1beta1
  kind: CronJob
  metadata:
    name: hello

--------------------------------------------

-- [warning] DeprecatedAPIUsed
   Message: batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
   Metadata:
      ReplacementKind: CronJob
      DeprecatedMajor: 1
      DeprecatedMinor: 21
      RemovedMajor: 1
      RemovedMinor: 25
      ReplacementGroup: batch/v1

- Audit a file with the json output format option

$ ./kubeaudit deprecatedapis   -f auditors/deprecatedapis/fixtures/cronjob.yml -p json | jq 
{
  "AuditResultName": "DeprecatedAPIUsed",
  "DeprecatedMajor": "1",
  "DeprecatedMinor": "21",
  "RemovedMajor": "1",
  "RemovedMinor": "25",
  "ReplacementGroup": "batch/v1",
  "ReplacementKind": "CronJob",
  "ResourceApiVersion": "batch/v1beta1",
  "ResourceKind": "CronJob",
  "ResourceName": "hello",
  "level": "warning",
  "msg": "batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob",
  "time": "2022-06-08T11:51:52-04:00"
}

- Audit a file for a specific targeted Kubernetes versions:

The API version is not available on for the targeted version, an error is reported.

$  ./kubeaudit deprecatedapis --targeted-k8s-version 1.25 -f auditors/deprecatedapis/fixtures/cronjob.yml

---------------- Results for ---------------

  apiVersion: batch/v1beta1
  kind: CronJob
  metadata:
    name: hello

--------------------------------------------

-- [error] DeprecatedAPIUsed
   Message: batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
   Metadata:
      RemovedMajor: 1
      RemovedMinor: 25
      ReplacementGroup: batch/v1
      ReplacementKind: CronJob
      DeprecatedMajor: 1
      DeprecatedMinor: 21

- Audit a cluster with the local mode:

$ ./kubeaudit deprecatedapis 

---------------- Results for ---------------

  apiVersion: v1
  kind: ComponentStatus
  metadata:
    name: scheduler

--------------------------------------------

-- [warning] DeprecatedAPIUsed
   Message: v1 ComponentStatus is deprecated in v1.19+
   Metadata:
      DeprecatedMinor: 19
      DeprecatedMajor: 1
...

[jerr]

This will hide warning messages such as the following:

W0608 12:04:51.010357   30221 warnings.go:70] v1 ComponentStatus is deprecated in v1.19+
W0608 12:04:54.355517   30221 warnings.go:70] extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

Kubeaudit has to use the deprecated APIs to include them in the deprecatedapis reports.
See https://kubernetes.io/blog/2020/09/03/warnings/#customize-client-handling

[genevieveluyt]

No major concerns though I would like to put this in the next release, so will approve / merge when the current release it out!

[genevieveluyt]

The description looks copy/pasted from the capabilities auditor

Finds containers that do not drop the recommended capabilities or add new ones.

[genevieveluyt]

Could we maybe add a comment with a reference link for these functions? I assume they're defined somewhere in the kubernetes codebase?

[genevieveluyt]

Is this interface used anywhere?

[genevieveluyt]

Suggested change

	// Audit checks that the resource API version is not deprecetated
	// Audit checks that the resource API version is not deprecated

[genevieveluyt]

Why are we ignoring this error?

[genevieveluyt]

Suggested change

	Finds any resource defined with adeprecated API version.
	Finds any resource defined with a deprecated API version.

[genevieveluyt]

I think this sentence is easier to understand if it's broken up a bit

Suggested change

	The `deprecatedapis` auditor allows to find the deprecated APIs in use and indicates the versions where they will be removed and replacement APIs.
	The `deprecatedapis` auditor finds the deprecated APIs in use, reports the versions where they will be removed, and recommends replacement APIs.

[genevieveluyt]

Suggested change

	The `deprecatedapis` auditor can be used `--targeted-k8s-version` flag. If the API is not yet deprecated for this version the auditor will produce an `info` otherwise a `warning`.
	The `deprecatedapis` auditor can be used with the `--targeted-k8s-version` flag. If the API is not yet deprecated for this version the auditor will produce an `info` otherwise a `warning`.

[genevieveluyt]

Suggested change

	The `deprecatedapis` auditor can be used `--targeted-k8s-version` flag. If the API is not available for the targeted version the auditor will produce an `error` otherwise a `warning` or `info` if the API is not yet deprecated for this version.
	The `deprecatedapis` auditor can be used with the `--targeted-k8s-version` flag. If the API is not available for the targeted version the auditor will produce an `error` otherwise a `warning` or `info` if the API is not yet deprecated for this version.

[genevieveluyt]

I'm a bit unclear why there is a flag for both current and target version. Maybe I'm misunderstanding the use case, but to me it sounds easier to reason about if we had just the target version:

• ERROR if the resource API is removed in the target version
• WARN if the resource API is deprecated in the target version
• INFO if the resource API is not deprecated in the target version but will be deprecated in a future version

We could default to the current version in local and cluster mode since kubeaudit should be able to look that up automatically?

[jerr]

If we specify a current version or this information is retrieved from the cluster without a targeted version we can have the following cases:

• ERROR if the resource API is removed in the current version
• WARN if the resource API is deprecated in the current version
• INFO if the resource API is not deprecated in the current version but will be deprecated in a future version

If we use a targeted version the message level takes precedence over the current version.

But maybe we can remove this option and only use the current version in the local or in cluster mode 🤔

[genevieveluyt]

Ah I see from your flag description

--targeted-k8s-version string   Kubernetes version to migrate to (eg 1.24)

The use case for this auditor is for doing Kubernetes version migrations?

Based on the description of the auditor "This command determines which resource is defined with a deprecated API version." I was thinking of "target version" as "check Kubernetes resources against this version", hence it didn't make sense to me to have both "current" and "target" versions. Did you have a specific workflow in mind where you would benefit from passing both current and target versions (eg. running against a live cluster as a one-off before doing a migration)? If so, I think we should document it (eg. as an example) to make the use of the flags more clear. Nothing (other than the target flag description) says anything about migrations.

[jerr]

Many APIs have been declared deprecated since the 1.16 but are removed from the version 1.22. If the current version is before the 1.16 we can keep the API as it is but if it is not the case, it is better to migrate the API as soon as possible. That is why a warning is generated from the version 1.16.

But as currently kubeaudit does not retrieve the current version from the cluster we can remove this option in a first time.