policies

2026-03-06 08:58:04 +01:00
parent 2da39f7c67
commit 1f772ef7f5
2 changed files with 63 additions and 0 deletions
--- a/cluster-resources/policies/bare-pod-cleaner.yaml
+++ b/cluster-resources/policies/bare-pod-cleaner.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: clean-bare-pods
+  annotations:
+    policies.kyverno.io/title: Cleanup Bare Pods
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.11.1
+    policies.kyverno.io/minversion: 1.10.0
+    pod-policies.kyverno.io/autogen-controllers: none
+    kyverno.io/kubernetes-version: "1.27"
+    policies.kyverno.io/description: A bare Pod is any Pod created directly and not owned by a controller such as a Deployment or Job. Bare Pods are often create manually by users in an attempt to troubleshoot an issue. If left in the cluster, they create clutter, increase cost, and can be a security risk. Bare Pods can be cleaned up periodically through use of a policy. This policy finds and removes all bare Pods across the cluster.
+spec:
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+  conditions:
+    all:
+    - key: "{{ target.metadata.ownerReferences[] || `[]` }}"
+      operator: Equals
+      value: []
+  schedule: "*/5 * * * *"
+  cleanup:
+    message: "This Pod has no controller and has been removed by the clean-bare-pods ClusterCleanupPolicy."