Compatibility Risks

Check Items

Read the version compatibility differences and ensure that they are not affected. The patch upgrade does not involve version compatibility differences.

Version compatibility

Upgrade Path

Version Difference

Self-Check

v1.23 or v1.25

Upgraded to v1.27

Docker is no longer recommended. Use containerd instead. For details, see Container Engines.

This item has been included in the pre-upgrade check.

v1.23 to v1.25

Since Kubernetes v1.25, PodSecurityPolicy has been replaced by pod Security Admission. For details, see Configuring Pod Security Admission.

  • To migrate PodSecurityPolicy capabilities to pod Security Admission, perform the following steps:

    1. Ensure that the cluster is of the latest CCE v1.23 version.

    2. Migrate PodSecurityPolicy capabilities to pod Security Admission. For details, see Configuring Pod Security Admission.

    3. After confirming that the functions are running properly after the migration, upgrade the CCE cluster to v1.25.

  • If you no longer need PodSecurityPolicy, delete PodSecurityPolicy from the cluster and upgrade the cluster to v1.25.

v1.19 to v1.21

The bug of exec probe timeouts is fixed in Kubernetes 1.21. Before this bug is fixed, the exec probe does not consider the timeoutSeconds field. Instead, the probe will run indefinitely, even beyond its configured deadline. It will stop until the result is returned. If this field is not specified, the default value 1 is used. This field takes effect after the upgrade. If the probe runs over 1 second, the application health check may fail and the application may restart frequently.

Before the upgrade, check whether the timeout is properly set for the exec probe.

kube-apiserver of CCE v1.19 or later requires that the Subject Alternative Names (SANs) field be configured for the certificate of your webhook server. Otherwise, kube-apiserver fails to call the webhook server after the upgrade, and containers cannot be started properly.

Root cause: X.509 CommonName is discarded in Go v1.15. kube-apiserver of CCE v1.19 is compiled using Go v1.15. If your webhook certificate does not have SANs, kube-apiserver does not process the CommonName field of the X.509 certificate as the host name by default. As a result, the authentication fails.

Before the upgrade, check whether the SAN field is configured in the certificate of your webhook server.

  • If you do not have your own webhook server, you can skip this check.

  • If the field is not set, use the SAN field to specify the IP address and domain name supported by the certificate.

Table 1 QoS class changes before and after the upgrade

Init Container (Calculated Based on spec.initContainers)

Service Container (Calculated Based on spec.containers)

Pod (Calculated Based on spec.containers and spec.initContainers)

Impacted or Not

Guaranteed

Besteffort

Burstable

Yes

Guaranteed

Burstable

Burstable

No

Guaranteed

Guaranteed

Guaranteed

No

Besteffort

Besteffort

Besteffort

No

Besteffort

Burstable

Burstable

No

Besteffort

Guaranteed

Burstable

Yes

Burstable

Besteffort

Burstable

Yes

Burstable

Burstable

Burstable

No

Burstable

Guaranteed

Burstable

Yes