Cleanup

Automate the resource cleanup process by using a CleanupPolicy.

Warning

Cleanup policies are an alpha feature. It is not ready for production usage and there may be breaking changes. Normal semantic versioning and compatibility rules will not apply.

Kyverno has the ability to cleanup (i.e., delete) existing resources in a cluster defined in a new policy called a CleanupPolicy. Cleanup policies come in both cluster-scoped and Namespaced flavors; a ClusterCleanupPolicy being cluster scoped and a CleanupPolicy being Namespaced. A cleanup policy uses the familiar match/exclude block to select and exclude resources which are subjected to the cleanup process. A conditions{} block (optional) uses common expressions similar to those found in preconditions and deny rules to query the contents of the selected resources in order to refine the selection process. And, lastly, a schedule field defines, in cron format, when the rule should run.

Note

Since cleanup policies always operate against existing resources in a cluster, policies created with subjects, Roles, or ClusterRoles in the match/exclude block are not allowed since this information is only known at admission time.

The cleanup controller runs decoupled from Kyverno in a separate Deployment. Cleanup is executed by a CronJob which is automatically created and managed by the cleanup controller. Each cleanup policy maps to one CronJob. When the scheduled time occurs, the CronJob calls to the cleanup controller to execute the cleanup process defined in the policy.

An example ClusterCleanupPolicy is shown below.

This cleanup policy removes Deployments which have the label canremove: "true" if they have less than two replicas on a schedule of every 5 minutes.

 1apiVersion: kyverno.io/v2alpha1
 2kind: ClusterCleanupPolicy
 3metadata:
 4  name: cleandeploy
 5spec:
 6  match:
 7    any:
 8    - resources:
 9        kinds:
10          - Deployment
11        selector:
12          matchLabels:
13            canremove: "true"
14  conditions:
15    any:
16    - key: "{{ target.spec.replicas }}"
17      operator: LessThan
18      value: 2
19  schedule: "*/5 * * * *"

Values from resources to be evaluated during a policy may be referenced with target.*.

Because Kyverno follows the principal of least privilege, it may be necessary to grant the privileges needed in your case to the cleanup controller’s ClusterRole. Role aggregation is supported allowing a separate ClusterRole to be created rather than editing an existing one. Creation of a (Cluster)CleanupPolicy will cause Kyverno to evaluate the permissions it needs and will warn if they are insufficient to successfully execute the desired cleanup.

1Error from server: error when creating "ncleanpol.yaml": admission webhook "kyverno-cleanup-controller.kyverno.svc" denied the request: cleanup controller has no permission to delete kind Ingress

Warning

Be mindful of the validate policies in Enforce mode in your cluster as the CronJobs and their spawned Jobs/Pods may be subjected to and potentially blocked. You may wish to exclude based on the label app.kubernetes.io/managed-by.

As cleanup policies are either updated or removed, the CronJobs are updated accordingly.

Last modified February 01, 2023 at 12:54 PM PST: 1.9 updates - contributor guideline proposal (#754) (c040dfd)