Thursday, 26 February 2026

Introduction to Kubent (Kube No Trouble)

 

Kubent (Kube No Trouble) [this link was the original repo, see comments below] is a tool that scans a k8s cluster and reports resources that use deprecated or removed Kubernetes APIs, based on the target Kubernetes version. It’s especially useful before upgrading (e.g., EKS 1.32 → 1.33).

WARNING: Development at the project's original repo (https://github.com/doitintl/kube-no-trouble) is no longer active; the last commit was in January 2025. The original author announced here that they would be moving development to https://github.com/dark0dave/kube-no-trouble, and that repo is seemingly active as of today (last change was ) BUT https://github.com/dark0dave/kube-no-trouble/tree/301e5783904de5966f79b217a956651146630f50/pkg/rules/rego shows that rulesets only up to v1.32 were added (!).

Kube No Trouble relies on static Rego rule files in the repo. If new Kubernetes versions (e.g., >1.32) don’t have updated rules, then:
  • It won’t know about newly deprecated APIs
  • It won’t know about newly removed APIs
  • --target-version becomes unreliable for newer releases

For modern upgrades (especially 1.32 → 1.33+), kubent is no longer the safest tool.

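To install it (the one-liner fetches the project's install script and runs it with sh; as the output shows, the script falls back to sudo when /usr/local/bin is not writable):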

% sh -c "$(curl -sSL https://git.io/install-kubent)"
>>> kubent installation script <<<
> Detecting latest version
> Downloading version 0.7.3
Target directory (/usr/local/bin) is not writable, trying to use sudo
Password:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 12.4M  100 12.4M    0     0  14.7M      0 --:--:-- --:--:-- --:--:-- 13.2M
> Done. kubent was installed to /usr/local/bin/.


To verify installation:

% kubent --version
7:48AM INF version 0.7.3 (git sha 57480c07b3f91238f12a35d0ec88d9368aae99aa)


To check CLI arguments:

% kubent --help   
Usage of kubent:
  -A, --additional-annotation strings   additional annotations that should be checked to determine the last applied config
  -a, --additional-kind strings         additional kinds of resources to report in Kind.version.group.com format
  -c, --cluster                         enable Cluster collector (default true)
  -x, --context string                  kubeconfig context
  -e, --exit-error                      exit with non-zero code when issues are found
  -f, --filename strings                manifests to check, use - for stdin
      --helm3                           enable Helm v3 collector (default true)
  -k, --kubeconfig string               path to the kubeconfig file
  -l, --log-level string                set log level (trace, debug, info, warn, error, fatal, panic, disabled) (default "info")
  -o, --output string                   output format - [text|json|csv] (default "text")
  -O, --output-file string              output file, use - for stdout (default "-")
  -t, --target-version string           target K8s version in SemVer format (autodetected by default)
  -v, --version                         prints the version of kubent and exits
pflag: help requested

By default it reads the ~/.kube/config file to find the current context; use -k to specify a kubeconfig at a non-default location.



% kubent                       
7:59AM INF >>> Kube No Trouble `kubent` <<<
7:59AM INF version 0.7.3 (git sha 57480c07b3f91238f12a35d0ec88d9368aae99aa)
7:59AM INF Initializing collectors and retrieving data
7:59AM INF Target K8s version is 1.32.11-eks-ac2d5a0
7:59AM INF Retrieved 12 resources from collector name=Cluster
8:00AM INF Retrieved 361 resources from collector name="Helm v3"
8:00AM INF Loaded ruleset name=custom.rego.tmpl
8:00AM INF Loaded ruleset name=deprecated-1-16.rego
8:00AM INF Loaded ruleset name=deprecated-1-22.rego
8:00AM INF Loaded ruleset name=deprecated-1-25.rego
8:00AM INF Loaded ruleset name=deprecated-1-26.rego
8:00AM INF Loaded ruleset name=deprecated-1-27.rego
8:00AM INF Loaded ruleset name=deprecated-1-29.rego
8:00AM INF Loaded ruleset name=deprecated-1-32.rego
8:00AM INF Loaded ruleset name=deprecated-future.rego


Running kubent with no other arguments:
  • Connects to your current kube-context
  • Detects your cluster version automatically
  • Scans all namespaces
  • Compares resources against deprecations for that version

Before the upgrade to v1.33, we want kubent to scan the resources against that next k8s version, so we need to specify it with --target-version:

% kubent --target-version=1.33
8:02AM INF >>> Kube No Trouble `kubent` <<<
8:02AM INF version 0.7.3 (git sha 57480c07b3f91238f12a35d0ec88d9368aae99aa)
8:02AM INF Initializing collectors and retrieving data
8:02AM INF Target K8s version is 1.33.0
8:02AM INF Retrieved 12 resources from collector name=Cluster
8:03AM INF Retrieved 361 resources from collector name="Helm v3"
8:03AM INF Loaded ruleset name=custom.rego.tmpl
8:03AM INF Loaded ruleset name=deprecated-1-16.rego
8:03AM INF Loaded ruleset name=deprecated-1-22.rego
8:03AM INF Loaded ruleset name=deprecated-1-25.rego
8:03AM INF Loaded ruleset name=deprecated-1-26.rego
8:03AM INF Loaded ruleset name=deprecated-1-27.rego
8:03AM INF Loaded ruleset name=deprecated-1-29.rego
8:03AM INF Loaded ruleset name=deprecated-1-32.rego
8:03AM INF Loaded ruleset name=deprecated-future.rego
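
The run above reports target 1.33.0 while the newest versioned ruleset it loads is deprecated-1-32.rego, which is the gap described in the warning at the top. The following is an added example, not part of kubent or of the original post, that reads kubent's log lines and flags that gap; the function names and the exit-code convention are assumptions made here.

```sh
#!/bin/sh
# Added example (not part of kubent): does the newest ruleset kubent loaded
# reach the target version? Reads kubent log text on stdin.

# MAJOR.MINOR from the "Target K8s version is ..." line.
kubent_target_minor() {
  sed -n 's/.*Target K8s version is \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' | head -n 1
}

# MAJOR.MINOR of the newest versioned ruleset (deprecated-X-Y.rego);
# custom.rego.tmpl and deprecated-future.rego carry no version and are skipped.
kubent_newest_ruleset() {
  sed -n 's/.*Loaded ruleset name=deprecated-\([0-9][0-9]*\)-\([0-9][0-9]*\)\.rego.*/\1 \2/p' |
    sort -k1,1n -k2,2n | tail -n 1 | tr ' ' '.'
}

# 0: rulesets reach the target; 1: rulesets stop short of it; 2: log not parsable.
kubent_rules_cover_target() {
  log=$(cat)
  target=$(printf '%s\n' "$log" | kubent_target_minor)
  newest=$(printf '%s\n' "$log" | kubent_newest_ruleset)
  [ -n "$target" ] && [ -n "$newest" ] || return 2
  t_major=${target%%.*}; t_minor=${target#*.}
  n_major=${newest%%.*}; n_minor=${newest#*.}
  if [ "$n_major" -gt "$t_major" ] ||
     { [ "$n_major" -eq "$t_major" ] && [ "$n_minor" -ge "$t_minor" ]; }; then
    return 0
  fi
  # A gap can also mean the skipped releases removed no APIs; the log alone cannot tell.
  echo "newest ruleset is $newest, target is $target: verify removals for the gap by hand" >&2
  return 1
}

# Sample input: log lines shortened from the --target-version=1.33 run above.
sample_log() {
  cat <<'EOF'
8:02AM INF Target K8s version is 1.33.0
8:03AM INF Loaded ruleset name=custom.rego.tmpl
8:03AM INF Loaded ruleset name=deprecated-1-29.rego
8:03AM INF Loaded ruleset name=deprecated-1-32.rego
8:03AM INF Loaded ruleset name=deprecated-future.rego
EOF
}

sample_log | kubent_rules_cover_target || echo "coverage check exit status: $?"
# Live use: kubent --target-version=1.33 2>&1 | kubent_rules_cover_target
```

Exit status 1 means a clean kubent report for that target is not evidence that nothing was removed; the releases between the newest ruleset and the target still have to be checked against the Kubernetes deprecation guide.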
