Automate the resource cleanup process by using a CleanupPolicy.

Kyverno has the ability to cleanup (i.e., delete) existing resources in a cluster defined in a new policy called a CleanupPolicy. Cleanup policies come in both cluster-scoped and Namespaced flavors; a ClusterCleanupPolicy being cluster scoped and a CleanupPolicy being Namespaced. A cleanup policy uses the familiar match/exclude block to select and exclude resources which are subjected to the cleanup process. A conditions{} block (optional) uses common expressions similar to those found in preconditions and deny rules to query the contents of the selected resources in order to refine the selection process. And, lastly, a schedule field defines, in cron format, when the rule should run.

The cleanup controller runs decoupled from Kyverno in a separate Deployment. Cleanup is executed by a CronJob which is automatically created and managed by the cleanup controller. Each cleanup policy maps to one CronJob. When the scheduled time occurs, the CronJob calls to the cleanup controller to execute the cleanup process defined in the policy.

An example ClusterCleanupPolicy is shown below.

This cleanup policy removes Deployments which have the label canremove: "true" if they have less than two replicas on a schedule of every 5 minutes.

 2kind: ClusterCleanupPolicy
 4  name: cleandeploy
 6  match:
 7    any:
 8    - resources:
 9        kinds:
10          - Deployment
11        selector:
12          matchLabels:
13            canremove: "true"
14  conditions:
15    any:
16    - key: "{{ target.spec.replicas }}"
17      operator: LessThan
18      value: 2
19  schedule: "*/5 * * * *"

Values from resources to be evaluated during a policy may be referenced with target.*.

Because Kyverno follows the principal of least privilege, it may be necessary to grant the privileges needed in your case to the cleanup controller’s ClusterRole. Role aggregation is supported allowing a separate ClusterRole to be created rather than editing an existing one. Creation of a (Cluster)CleanupPolicy will cause Kyverno to evaluate the permissions it needs and will warn if they are insufficient to successfully execute the desired cleanup.

1Error from server: error when creating "ncleanpol.yaml": admission webhook "kyverno-cleanup-controller.kyverno.svc" denied the request: cleanup controller has no permission to delete kind Ingress

As cleanup policies are either updated or removed, the CronJobs are updated accordingly.

Last modified February 01, 2023 at 12:54 PM PST: 1.9 updates - contributor guideline proposal (#754) (c040dfd)