Compatibility Risks
Check Items
Read the version compatibility differences and ensure that they are not affected. The patch upgrade does not involve version compatibility differences.
Version compatibility
Upgrade Path |
Version Difference |
Self-Check |
---|---|---|
v1.23 or v1.25 Upgraded to v1.27 |
Docker is no longer recommended. Use containerd instead. For details, see Container Engines. |
This item has been included in the pre-upgrade check. |
v1.21 or v1.19 Upgraded to v1.23 |
For the NGINX Ingress Controller of an earlier version (community version v0.49 or earlier, or CCE nginx-ingress version v1.x.x), the created ingresses can be managed by the NGINX Ingress Controller even if kubernetes.io/ingress.class: nginx is not set in the ingress annotations. However, for the NGINX Ingress Controller of a later version (community version v1.0.0 or later, or CCE nginx-ingress version v2.x.x), the ingresses created without specifying the Nginx type will not be managed by the NGINX Ingress Controller, and ingress rules will become invalid, which interrupts services. |
This item has been included in the pre-upgrade check. You can also perform the self-check by referring to nginx-ingress. |
v1.19 to v1.21 |
The bug of exec probe timeouts is fixed in Kubernetes 1.21. Before this bug is fixed, the exec probe does not consider the timeoutSeconds field. Instead, the probe will run indefinitely, even beyond its configured deadline. It will stop until the result is returned. If this field is not specified, the default value 1 is used. This field takes effect after the upgrade. If the probe runs over 1 second, the application health check may fail and the application may restart frequently. |
Before the upgrade, check whether the timeout is properly set for the exec probe. |
kube-apiserver of CCE v1.19 or later requires that the Subject Alternative Names (SANs) field be configured for the certificate of your webhook server. Otherwise, kube-apiserver fails to call the webhook server after the upgrade, and containers cannot be started properly. Root cause: X.509 CommonName is discarded in Go v1.15. kube-apiserver of CCE v1.19 is compiled using Go v1.15. If your webhook certificate does not have SANs, kube-apiserver does not process the CommonName field of the X.509 certificate as the host name by default. As a result, the authentication fails. |
Before the upgrade, check whether the SAN field is configured in the certificate of your webhook server.
|
Init Container (Calculated Based on spec.initContainers) |
Service Container (Calculated Based on spec.containers) |
Pod (Calculated Based on spec.containers and spec.initContainers) |
Impacted or Not |
---|---|---|---|
Guaranteed |
Besteffort |
Burstable |
Yes |
Guaranteed |
Burstable |
Burstable |
No |
Guaranteed |
Guaranteed |
Guaranteed |
No |
Besteffort |
Besteffort |
Besteffort |
No |
Besteffort |
Burstable |
Burstable |
No |
Besteffort |
Guaranteed |
Burstable |
Yes |
Burstable |
Besteffort |
Burstable |
Yes |
Burstable |
Burstable |
Burstable |
No |
Burstable |
Guaranteed |
Burstable |
Yes |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.