Cleanup Rules

Remove Kubernetes resources.

Kyverno has the ability to cleanup (i.e., delete) existing resources in a cluster defined in a new policy called a CleanupPolicy. Cleanup policies come in both cluster-scoped and Namespaced flavors; a ClusterCleanupPolicy being cluster scoped and a CleanupPolicy being Namespaced. A cleanup policy uses the familiar match/exclude block to select and exclude resources which are subjected to the cleanup process. A conditions{} block (optional) uses common expressions similar to those found in preconditions and deny rules to query the contents of the selected resources in order to refine the selection process. And, lastly, a schedule field defines, in cron format, when the rule should run.

The cleanup controller runs decoupled from Kyverno in a separate Deployment. Cleanup is executed by a CronJob which is automatically created and managed by the cleanup controller. Each cleanup policy maps to one CronJob. When the scheduled time occurs, the CronJob calls to the cleanup controller to execute the cleanup process defined in the policy. As cleanup policies are either updated or removed, the CronJobs are updated accordingly.

An example ClusterCleanupPolicy is shown below. This cleanup policy removes Deployments which have the label canremove: "true" if they have less than two replicas on a schedule of every 5 minutes.

 2kind: ClusterCleanupPolicy
 4  name: cleandeploy
 6  match:
 7    any:
 8    - resources:
 9        kinds:
10          - Deployment
11        selector:
12          matchLabels:
13            canremove: "true"
14  conditions:
15    any:
16    - key: "{{ target.spec.replicas }}"
17      operator: LessThan
18      value: 2
19  schedule: "*/5 * * * *"

Values from resources to be evaluated during a policy may be referenced with target.* similar to mutate existing rules.

Because Kyverno follows the principal of least privilege, depending on the resources you wish to remove it may be necessary to grant additional permissions to the cleanup controller. Kyverno will assist in informing you if additional permissions are required by validating them at the time a new cleanup policy is installed. See the Customizing Permissions section for more details.

Last modified July 17, 2023 at 7:53 AM PST: Cherry Pick #913 (#920) (6c9edd3)