Skip to content

Pre-upgrade Application Checks

To avoid unexpected downtime or broken functionality during a Kubernetes upgrade, it's important to verify that your applications are compatible with the target version. This checklist focuses on validating application-level configurations, deprecated API usage, and security controls.

1. API Deprecation Impact

Review deprecated Kubernetes API usage in applications

Check whether your applications rely on Kubernetes APIs or features that are deprecated or removed in the target version. Deprecated APIs can cause workloads to fail on startup or behave unexpectedly.

Steps:

1 Scan for deprecated APIs using tools like pluto or kubent:

pluto detect-helm -o wide
kubent

2 Review your Ingress manifests for outdated annotations:

  • Example: nginx.ingress.kubernetes.io/rewrite-target is sometimes replaced or changed in behavior.
  • Check for use of extensions/v1beta1, networking.k8s.io/v1beta1, or similar deprecated API versions.

3 Validate RBAC and service account configurations, especially in tools like Jenkins or GitLab runners. Changes to default service account mounting or token handling can silently break authentication.

Examples:

  • Ingress annotations that are no longer supported can cause issues with NGINX Ingress Controllers.
  • Deprecated service account behavior can break CI/CD tools like Jenkins or applications using legacy RBAC patterns.

2. Probe Configuration

Validate readiness and liveness probes

Kubernetes uses readiness and liveness probes to decide when your app is healthy and ready to receive traffic. If these probes are too strict, misconfigured, or based on outdated behaviors, a Kubernetes upgrade can cause your pods to restart repeatedly—or even fail to deploy.

New Kubernetes versions may handle timing or edge cases differently, making fragile probe settings suddenly problematic. Fixing these before the upgrade helps prevent app downtime.

Steps:

1 Audit all applications for readiness and liveness probes:

kubectl get pods -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].readinessProbe.httpGet.path}{"\n"}{end}'

2 Check for

  • Missing initialDelaySeconds or overly aggressive failureThreshold.
  • Use of deprecated or invalid ports and paths.

3 Update

Adjust your probe settings and validate that applications start cleanly and stay healthy.

Tip: Pay extra attention to probes in ingress controllers and applications with slow startup times.