policies
This commit is contained in:
Danijel Simeunovic
28
cluster-resources/policies/bare-pod-cleaner.yaml
Normal file
28
cluster-resources/policies/bare-pod-cleaner.yaml
Normal file
@@ -0,0 +1,28 @@
|
|||||||
|
apiVersion: kyverno.io/v2
|
||||||
|
kind: ClusterCleanupPolicy
|
||||||
|
metadata:
|
||||||
|
name: clean-bare-pods
|
||||||
|
annotations:
|
||||||
|
policies.kyverno.io/title: Cleanup Bare Pods
|
||||||
|
policies.kyverno.io/category: Other
|
||||||
|
policies.kyverno.io/severity: medium
|
||||||
|
policies.kyverno.io/subject: Pod
|
||||||
|
kyverno.io/kyverno-version: 1.11.1
|
||||||
|
policies.kyverno.io/minversion: 1.10.0
|
||||||
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
|
kyverno.io/kubernetes-version: "1.27"
|
||||||
|
policies.kyverno.io/description: A bare Pod is any Pod created directly and not owned by a controller such as a Deployment or Job. Bare Pods are often create manually by users in an attempt to troubleshoot an issue. If left in the cluster, they create clutter, increase cost, and can be a security risk. Bare Pods can be cleaned up periodically through use of a policy. This policy finds and removes all bare Pods across the cluster.
|
||||||
|
spec:
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
conditions:
|
||||||
|
all:
|
||||||
|
- key: "{{ target.metadata.ownerReferences[] || `[]` }}"
|
||||||
|
operator: Equals
|
||||||
|
value: []
|
||||||
|
schedule: "*/5 * * * *"
|
||||||
|
cleanup:
|
||||||
|
message: "This Pod has no controller and has been removed by the clean-bare-pods ClusterCleanupPolicy."
|
||||||
35
cluster-resources/policies/replicaset-cleaner.yaml
Normal file
35
cluster-resources/policies/replicaset-cleaner.yaml
Normal file
@@ -0,0 +1,35 @@
|
|||||||
|
apiVersion: kyverno.io/v2
|
||||||
|
kind: ClusterCleanupPolicy
|
||||||
|
metadata:
|
||||||
|
name: cleanup-empty-replicasets
|
||||||
|
annotations:
|
||||||
|
policies.kyverno.io/title: Cleanup Empty ReplicaSets
|
||||||
|
policies.kyverno.io/category: Other
|
||||||
|
policies.kyverno.io/severity: medium
|
||||||
|
policies.kyverno.io/subject: ReplicaSet
|
||||||
|
kyverno.io/kyverno-version: 1.11.1
|
||||||
|
policies.kyverno.io/minversion: 1.9.0
|
||||||
|
kyverno.io/kubernetes-version: "1.27"
|
||||||
|
policies.kyverno.io/description: ReplicaSets serve as an intermediate controller for various Pod controllers like Deployments. When a new version of a Deployment is initiated, it generates a new ReplicaSet with the specified number of replicas and scales down the current one to zero. Consequently, numerous empty ReplicaSets may accumulate in the cluster, leading to clutter and potential false positives in policy reports if enabled. This cleanup policy is designed to remove empty ReplicaSets across the cluster within a specified timeframe, for instance, ReplicaSets created 7 days ago, ensuring the ability to rollback to previous ReplicaSets in case of deployment issues
|
||||||
|
spec:
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- ReplicaSet
|
||||||
|
exclude:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
namespaces:
|
||||||
|
- kube-system
|
||||||
|
conditions:
|
||||||
|
all:
|
||||||
|
- key: "{{ target.spec.replicas }}"
|
||||||
|
operator: Equals
|
||||||
|
value: 0
|
||||||
|
- key: "{{ time_diff('{{target.metadata.creationTimestamp}}','{{ time_now_utc() }}') }}"
|
||||||
|
operator: GreaterThan
|
||||||
|
value: 0h0m30s
|
||||||
|
schedule: "*/7 * * * *"
|
||||||
|
cleanup:
|
||||||
|
message: "This ReplicaSet has no replicas and has been removed by the cleanup-empty-replicasets ClusterCleanupPolicy."
|
||||||
Reference in New Issue
Block a user