Use Pluto to identify deprecated or removed Kubernetes APIs in your manifests and Helm charts before upgrading, ensuring smooth and predictable cluster upgrade.
Kubernetes moves fast, and it deprecates just as fast. One release you’re fine, the next you’re staring at a broken CI pipeline or a failed Helm upgrade wondering what changed.
If you’ve ever seen this and panicked:
You know what I’m talking about.
I faced this during an upgrade to Kubernetes v1.25. Our Helm deployment crashed because policy/v1beta1 was removed, not just deprecated. It had been deprecated for several releases, but because Kubernetes auto-converts deprecated resources when queried, we missed it entirely in our pre-upgrade checks. I documented the full breakdown here: Helm Upgrade Failed After v1.25 Due to PDB API.
That incident led me to Pluto, a utility that now sits at the front of all my upgrade workflows.
Pluto is a command-line tool developed by Fairwinds that scans your Kubernetes manifests, Helm charts, and live cluster resources to detect deprecated and removed apiVersions.
Think of it as a linter, but for your cluster’s long-term health. Instead of warning you about indentation or typos, it warns you about objects that will break silently once you cross a certain Kubernetes version.
The Kubernetes API server is designed to be backward-compatible. When you kubectl get or inspect objects, it quietly translates older APIs into their latest supported versions. That means even if you deployed a resource using extensions/v1beta1, you’ll likely see it returned as apps/v1.
That’s great for smooth operation, but it makes it extremely hard to audit for upcoming breakage.
Helm doesn’t throw warnings for deprecated APIs. If your template renders fine, it assumes it’s valid. But that rendered manifest might use an API that’s already been removed in your target version. The deploy will fail, and you’ll only find out after rollout starts.
Unless you explicitly add tools like Pluto to your CI, your pipeline won’t catch these issues until they’re too late.
Pluto works in three major modes:
It tells you:
apiVersion is deprecated or removedTo test Pluto’s effectiveness, I spun up an older Kubernetes cluster and scanned it using Pluto v5.21.4.
Here’s what I found with live resource detection:
And then I scanned a Helm release, targeting Kubernetes v1.32.0:
In both cases, Pluto detected deprecated resources, showed whether a replacement was available, and indicated the version where the removal occurs.
This is exactly the sort of signal I wish I had before my Helm upgrade failed.
Here’s the real value: Pluto isn’t just a manual tool. You can wire it into your CI/CD pipelines to block pull requests or Helm deployments that introduce deprecated APIs.
--only-show-removed if you only care about breakage.--output json to generate reports that can be uploaded to artifact storage or dashboards.--ignore-deprecations in lower environments but block removals in staging and prod.Cluster upgrades are risky not because of the upgrade itself, but because of the hidden deprecations that lie in wait.
Pluto is the upgrade audit tool Kubernetes never gave us.
Add it to your workflow if:
kubeadm upgradeI run it before every major version bump, and now I never go in blind.
Pluto detects deprecated or removed apiVersions in Kubernetes manifests, Helm charts, and live clusters, issues the API server masks by auto-converting versions.
Because the API server auto-converts older versions (e.g., extensions/v1beta1) to newer ones (e.g., apps/v1) on read, hiding deprecated usage during inspection.
Pluto flags deprecated or removed APIs used in Helm charts before deployment, preventing runtime failures caused by missing or outdated apiVersions.
Yes. Pluto supports non-zero exit codes for deprecated or removed APIs, making it easy to fail CI jobs and enforce compatibility checks before merging or deploying.
Pluto can scan static YAML files, rendered Helm charts, live Helm releases in clusters, and active API resources like PodDisruptionBudgets or Ingress objects.
Get new posts, tools, and tips delivered straight to your inbox.
Follow along with walkthroughs and tutorials, especially on Rancher and DevOps topics.
A small act of support goes a long way. You're helping me stay consistent and keep the content flowing.
Error: UPGRADE FAILED: [unable to recognize "": no matches for kind "PodDisruptionBudget" in version "policy/v1beta1"]$ ./pluto detect-api-resources
W0525 01:23:19.448885 warnings.go:70] v1 ComponentStatus is deprecated in v1.19+
W0525 01:23:29.541324 warnings.go:70] extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+
W0525 01:23:30.167640 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME KIND VERSION REPLACEMENT REMOVED DEPRECATED REPL AVAIL
calico-kube-controllers PodDisruptionBudget policy/v1beta1 policy/v1 true true true
$ ./pluto detect-helm --target-versions k8s=v1.32.0
NAME KIND VERSION REPLACEMENT REMOVED DEPRECATED REPL AVAIL
kube-state-metrics/kube-state-metrics-kube-system PodSecurityPolicy policy/v1beta1 true true falsename: Check Deprecated Kubernetes APIs
on:
pull_request:
paths:
- '**/*.yaml'
- 'charts/**'
jobs:
deprecations:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install Pluto
run: |
curl -sLO https://github.com/FairwindsOps/pluto/releases/download/v5.21.4/pluto_5.21.4_linux_amd64.tar.gz
tar -xzf pluto_5.21.4_linux_amd64.tar.gz
sudo mv pluto /usr/local/bin/
- name: Run Pluto on Helm charts
run: |
helm template ./charts | pluto detect --target-versions k8s=v1.32.0 || exit_code=$?
if [[ "$exit_code" -eq 2 || "$exit_code" -eq 3 ]]; then
echo "::error ::Deprecated or removed APIs found. Fix before merge."
exit 1
fi
CVE-2025-1767 exposes root-level access on nodes via a deprecated volume plugin; Kubernetes 1.33 will disable it by default
Enhance Kubernetes pod scheduling with dynamic affinity using matchLabelKeys and mismatchLabelKeys for safer rollouts and tenant isolation.
Pods can now exclude tainted nodes during topology spread calculations, improving placement predictability.
FeaturedKubernetes 1.34 brings GA features, scheduler speedups, kubelet and networking updates, plus security and performance boosts for production clusters.
FeaturedStep-by-step guide to RKE2 autoscaler setup with Rancher. Learn cluster autoscaler Helm deployment, scaling benefits, limits & troubleshooting.
FeaturedKubernetes 1.34 brings GA features, scheduler speedups, kubelet and networking updates, plus security and performance boosts for production clusters.
Stop waiting for schedules to debug CronJobs. Learn how to trigger them immediately, validate specs, and streamline testing in Kubernetes.
Helm upgrade failed due to Kubernetes managedFields conflict. Learn why spec looked fine, yet patching caused errors, and how to fix it.
