From 56f784d6287bc9cf82a2c04f81065116686ed786 Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Tue, 5 Nov 2024 10:38:14 +0530 Subject: [PATCH 01/12] Added documentation for DeletionPropagationPolicy for cleanupPolicy and TTL-based cleanup resources Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 73 +++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index ac858b68d..575134451 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md 
@@ -66,6 +66,48 @@ rules: - delete ``` +### Deletion Propagation Policy + +The `deletionPropagationPolicy` field is an optional setting in `CleanupPolicy` and `ClusterCleanupPolicy` that specifies how Kubernetes should handle the deletion of dependent resources. The available options are: + +- **Foreground**: Deletes the resource and waits until all of its dependent resources are also deleted. +- **Background**: Deletes the resource immediately, and its dependents are deleted asynchronously. +- **Orphan**: Deletes the resource without deleting its dependents, leaving them orphaned. + +> **Note**: If `deletionPropagationPolicy` is not set, Kyverno defaults to the API server’s behavior, which typically aligns with the **Background** deletion policy. This default allows Kyverno to delete the primary resource asynchronously, giving the API server the flexibility to manage the deletion of dependents as per cluster settings. + +An example `ClusterCleanupPolicy` with `deletionPropagationPolicy` is shown below. This cleanup policy removes Deployments with the label `canremove: "true"` if they have fewer than two replicas, on a schedule of every 5 minutes, and deletes dependents in the **Foreground** mode. + +```yaml +apiVersion: kyverno.io/v2 +kind: ClusterCleanupPolicy +metadata: + name: cleandeploy +spec: + match: + any: + - resources: + kinds: + - Deployment + selector: + matchLabels: + canremove: "true" + conditions: + any: + - key: "{{ target.spec.replicas }}" + operator: LessThan + value: 2 + schedule: "*/5 * * * *" + deletionPropagationPolicy: "Foreground" +``` +{{% alert title="Note" color="info" %}} Since cleanup policies always operate against existing resources in a cluster, policies created with subjects, Roles, or ClusterRoles in the match/exclude block are not allowed since this information is only known at admission time. Additionally, operations[], while permitted, are ignored as the only trigger is schedule based. 
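Review bot: the tail of this hunk re-adds paragraphs that already exist earlier on the page and ends with `An example ClusterRole which allows Kyverno to cleanup Pods is shown below.` immediately before `## Cleanup Label`, so nothing is actually shown below it; drop the duplicated alert, the `target.*` paragraph, the least-privilege paragraph and that sentence, and keep only the new `### Deletion Propagation Policy` subsection with its YAML. Separately, the note should not claim the API server default "typically aligns with the **Background** deletion policy": the server-side default propagation is resource-specific and also depends on finalizers already present on the object, so it is safer to say only that Kyverno defers to the API server default when the field is unset.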
{{% /alert %}} + +Values from resources to be evaluated during a policy may be referenced with target.* similar to mutate existing rules. + +Because Kyverno follows the principle of least privilege, depending on the resources you wish to remove it may be necessary to grant additional permissions to the cleanup controller. Kyverno will assist in informing you if additional permissions are required by validating them at the time a new cleanup policy is installed. See the Customizing Permissions section for more details. + +An example ClusterRole which allows Kyverno to cleanup Pods is shown below. This may need to be customized based on the values used to deploy Kyverno. + ## Cleanup Label In addition to policies which can declaratively define what resources to remove and when to remove them, the second option for cleanup involves assignment of a reserved label called `cleanup.kyverno.io/ttl` to the exact resource(s) which should be removed. The value of this label can be one of two supported formats. Any unrecognized formats will trigger a warning. 
@@ -96,3 +138,34 @@ spec: Although labeled resources are watched by Kyverno, the cleanup interval (the time resolution at which any cleanup can be performed) is controlled by a flag passed to the cleanup controller called `ttlReconciliationInterval`. This value is set to `1m` by default and can be changed if a longer resolution is required. Because this is a label, there is opportunity to chain other Kyverno functionality around it. For example, it is possible to use a Kyverno mutate rule to assign this label to matching resources. A validate rule could be written prohibiting, for example, users from the `infra-ops` group from assigning the label to resources in certain Namespaces. Or, Kyverno could generate a new resource with this label as part of the resource definition. + +### Deletion Propagation Policy in TTL-based Cleanup + +The deletionPropagationPolicy can also be specified for resources with a TTL-based cleanup label. This field provides flexibility in handling dependent resources when a resource reaches its expiration. For example: + +- **Foreground**: Ensures that all dependent resources are deleted before the resource itself is removed. +- **Background**: Deletes the resource first, while dependents are removed asynchronously. +- **Orphan**: Deletes the resource but leaves its dependents in place. + +An example of a Pod with a TTL label and deletionPropagationPolicy: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + labels: + cleanup.kyverno.io/ttl: 2m + name: foo +spec: + containers: + - args: + - sleep + - 1d + image: busybox:1.35 + name: foo +deletionPropagationPolicy: "Orphan" +``` + +In this example, the TTL is set to 2m, which removes the Pod after two minutes but leaves any dependent resources because of the Orphan policy. + +Although labeled resources are watched by Kyverno, the cleanup interval (the time resolution at which any cleanup can be performed) is controlled by a flag passed to the cleanup controller called ttlReconciliationInterval. 
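Review bot: `deletionPropagationPolicy: "Orphan"` sits at the top level of the Pod manifest next to `spec`, but that is not a field of the Pod schema; `kubectl apply` with field validation rejects it, and without validation it is silently dropped, so the cleanup controller never sees it. For a TTL-labeled object the setting has to live somewhere the controller reads, which means metadata (a label or a prefixed annotation), not a new top-level key. The hunk also repeats the `ttlReconciliationInterval` paragraph that already appears in the context at the top of this hunk; delete the second copy.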
This value is set to 1m by default and can be changed if a longer resolution is required. From c0a774ef814b14a2508efaff56b68721a8fe9b92 Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Wed, 13 Nov 2024 12:28:14 +0530 Subject: [PATCH 02/12] Updated the doc Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index 575134451..d412faea8 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md @@ -74,11 +74,12 @@ The `deletionPropagationPolicy` field is an optional setting in `CleanupPolicy` - **Background**: Deletes the resource immediately, and its dependents are deleted asynchronously. - **Orphan**: Deletes the resource without deleting its dependents, leaving them orphaned. -> **Note**: If `deletionPropagationPolicy` is not set, Kyverno defaults to the API server’s behavior, which typically aligns with the **Background** deletion policy. This default allows Kyverno to delete the primary resource asynchronously, giving the API server the flexibility to manage the deletion of dependents as per cluster settings. +> **Note**: If `deletionPropagationPolicy` is not set, Kyverno defaults to the API server’s behavior. This default allows Kyverno to delete the primary resource asynchronously, giving the API server the flexibility to manage the deletion of dependents as per cluster settings. An example `ClusterCleanupPolicy` with `deletionPropagationPolicy` is shown below. This cleanup policy removes Deployments with the label `canremove: "true"` if they have fewer than two replicas, on a schedule of every 5 minutes, and deletes dependents in the **Foreground** mode. ```yaml +# ClusterCleanupPolicy with deletionPropagationPolicy apiVersion: kyverno.io/v2 kind: ClusterCleanupPolicy metadata: 
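Review bot: after dropping the **Background** claim, the note still says `This default allows Kyverno to delete the primary resource asynchronously`, which describes the Background behaviour under another name; either state the resource-specific API server default without characterising it, or leave that sentence out.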
@@ -100,6 +101,7 @@ spec: schedule: "*/5 * * * *" deletionPropagationPolicy: "Foreground" ``` + {{% alert title="Note" color="info" %}} Since cleanup policies always operate against existing resources in a cluster, policies created with subjects, Roles, or ClusterRoles in the match/exclude block are not allowed since this information is only known at admission time. Additionally, operations[], while permitted, are ignored as the only trigger is schedule based. {{% /alert %}} Values from resources to be evaluated during a policy may be referenced with target.* similar to mutate existing rules. @@ -147,9 +149,10 @@ The deletionPropagationPolicy can also be specified for resources with a TTL-bas - **Background**: Deletes the resource first, while dependents are removed asynchronously. - **Orphan**: Deletes the resource but leaves its dependents in place. -An example of a Pod with a TTL label and deletionPropagationPolicy: +For example, consider a Pod with the TTL label cleanup.kyverno.io/ttl: 2m. After two minutes, the Pod will be deleted, but the dependents will be handled according to the specified deletionPropagationPolicy. If the policy is set to Orphan, the Pod will be deleted, but its dependent resources will remain in the cluster. ```yaml +# TTL-based cleanup with deletionPropagationPolicy apiVersion: v1 kind: Pod metadata: From 5247e12a735babf0011690a2e4dcd28bd3f71e44 Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Mon, 25 Nov 2024 15:50:44 +0530 Subject: [PATCH 03/12] Minor fixes Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index d412faea8..dbe9b7a3f 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md 
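Review bot: the rewritten paragraph mentions `cleanup.kyverno.io/ttl: 2m`, `deletionPropagationPolicy` and `Orphan` in plain text while the rest of the page uses backticks for label keys and field names; format them consistently. The paragraph now explains only the Orphan case, while the YAML under it still carries the top-level key that the Pod schema does not accept, so the prose and the example should be fixed together.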
@@ -68,11 +68,7 @@ rules: ### Deletion Propagation Policy -The `deletionPropagationPolicy` field is an optional setting in `CleanupPolicy` and `ClusterCleanupPolicy` that specifies how Kubernetes should handle the deletion of dependent resources. The available options are: - -- **Foreground**: Deletes the resource and waits until all of its dependent resources are also deleted. -- **Background**: Deletes the resource immediately, and its dependents are deleted asynchronously. -- **Orphan**: Deletes the resource without deleting its dependents, leaving them orphaned. +The `deletionPropagationPolicy` field is an optional setting in `CleanupPolicy` and `ClusterCleanupPolicy` that specifies how Kubernetes should handle the deletion of dependent resources. > **Note**: If `deletionPropagationPolicy` is not set, Kyverno defaults to the API server’s behavior. This default allows Kyverno to delete the primary resource asynchronously, giving the API server the flexibility to manage the deletion of dependents as per cluster settings. 
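Review bot: removing the Foreground/Background/Orphan list from this section leaves the field's allowed values documented only in the TTL subsection further down; the primary `### Deletion Propagation Policy` section is where readers will look for them, so keep a single list here and reference it from the TTL subsection instead of deleting it.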
@@ -149,7 +145,7 @@ The deletionPropagationPolicy can also be specified for resources with a TTL-bas - **Background**: Deletes the resource first, while dependents are removed asynchronously. - **Orphan**: Deletes the resource but leaves its dependents in place. -For example, consider a Pod with the TTL label cleanup.kyverno.io/ttl: 2m. After two minutes, the Pod will be deleted, but the dependents will be handled according to the specified deletionPropagationPolicy. If the policy is set to Orphan, the Pod will be deleted, but its dependent resources will remain in the cluster. +For example, consider a Pod with the TTL label `cleanup.kyverno.io/ttl: 2m`. After two minutes, the Pod will be deleted, but the dependents will be handled according to the specified deletionPropagationPolicy. If the policy is set to Orphan, the Pod will be deleted, but its dependent resources will remain in the cluster. ```yaml # TTL-based cleanup with deletionPropagationPolicy From 930e5ad4316410caf6136de2effe9a2fd84ff505 Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Mon, 25 Nov 2024 16:16:40 +0530 Subject: [PATCH 04/12] Added link to the Customizing Permissions section Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index dbe9b7a3f..ea69d317c 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md 
@@ -102,7 +102,7 @@ spec: Values from resources to be evaluated during a policy may be referenced with target.* similar to mutate existing rules. -Because Kyverno follows the principle of least privilege, depending on the resources you wish to remove it may be necessary to grant additional permissions to the cleanup controller. Kyverno will assist in informing you if additional permissions are required by validating them at the time a new cleanup policy is installed. See the Customizing Permissions section for more details. +Because Kyverno follows the principle of least privilege, depending on the resources you wish to remove it may be necessary to grant additional permissions to the cleanup controller. Kyverno will assist in informing you if additional permissions are required by validating them at the time a new cleanup policy is installed. See the [Customizing Permissions](../installation/customization.md#customizing-permissions) section for more details. An example ClusterRole which allows Kyverno to cleanup Pods is shown below. This may need to be customized based on the values used to deploy Kyverno. From 49a21ee0faf59ffc42c2f756432e0c15611799cf Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Mon, 25 Nov 2024 18:41:03 +0530 Subject: [PATCH 05/12] Updated the doc Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 98 ++++++++++----------- 1 file changed, 47 insertions(+), 51 deletions(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index ea69d317c..b3b67a808 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md 
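Review bot: `../installation/customization.md#customizing-permissions` is a source-relative link; check that the site build resolves `.md` links to the rendered page and that the `customizing-permissions` anchor matches the generated heading id on that page, otherwise the link 404s in the published docs.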
@@ -66,46 +66,6 @@ rules: - delete ``` -### Deletion Propagation Policy - -The `deletionPropagationPolicy` field is an optional setting in `CleanupPolicy` and `ClusterCleanupPolicy` that specifies how Kubernetes should handle the deletion of dependent resources. - -> **Note**: If `deletionPropagationPolicy` is not set, Kyverno defaults to the API server’s behavior. This default allows Kyverno to delete the primary resource asynchronously, giving the API server the flexibility to manage the deletion of dependents as per cluster settings. - -An example `ClusterCleanupPolicy` with `deletionPropagationPolicy` is shown below. This cleanup policy removes Deployments with the label `canremove: "true"` if they have fewer than two replicas, on a schedule of every 5 minutes, and deletes dependents in the **Foreground** mode. - -```yaml -# ClusterCleanupPolicy with deletionPropagationPolicy -apiVersion: kyverno.io/v2 -kind: ClusterCleanupPolicy -metadata: - name: cleandeploy -spec: - match: - any: - - resources: - kinds: - - Deployment - selector: - matchLabels: - canremove: "true" - conditions: - any: - - key: "{{ target.spec.replicas }}" - operator: LessThan - value: 2 - schedule: "*/5 * * * *" - deletionPropagationPolicy: "Foreground" -``` - -{{% alert title="Note" color="info" %}} Since cleanup policies always operate against existing resources in a cluster, policies created with subjects, Roles, or ClusterRoles in the match/exclude block are not allowed since this information is only known at admission time. Additionally, operations[], while permitted, are ignored as the only trigger is schedule based. {{% /alert %}} - -Values from resources to be evaluated during a policy may be referenced with target.* similar to mutate existing rules. - -Because Kyverno follows the principle of least privilege, depending on the resources you wish to remove it may be necessary to grant additional permissions to the cleanup controller. 
Kyverno will assist in informing you if additional permissions are required by validating them at the time a new cleanup policy is installed. See the [Customizing Permissions](../installation/customization.md#customizing-permissions) section for more details. - -An example ClusterRole which allows Kyverno to cleanup Pods is shown below. This may need to be customized based on the values used to deploy Kyverno. - ## Cleanup Label In addition to policies which can declaratively define what resources to remove and when to remove them, the second option for cleanup involves assignment of a reserved label called `cleanup.kyverno.io/ttl` to the exact resource(s) which should be removed. The value of this label can be one of two supported formats. Any unrecognized formats will trigger a warning. 
@@ -137,23 +97,60 @@ Although labeled resources are watched by Kyverno, the cleanup interval (the tim Because this is a label, there is opportunity to chain other Kyverno functionality around it. For example, it is possible to use a Kyverno mutate rule to assign this label to matching resources. A validate rule could be written prohibiting, for example, users from the `infra-ops` group from assigning the label to resources in certain Namespaces. Or, Kyverno could generate a new resource with this label as part of the resource definition. -### Deletion Propagation Policy in TTL-based Cleanup +## DeletionPropagationPolicy (Common to both) -The deletionPropagationPolicy can also be specified for resources with a TTL-based cleanup label. This field provides flexibility in handling dependent resources when a resource reaches its expiration. For example: +The deletionPropagationPolicy field is an optional setting available in both CleanupPolicy and TTL-based cleanup configurations. It determines how Kubernetes handles the deletion of dependent resources when the primary resource is deleted. -- **Foreground**: Ensures that all dependent resources are deleted before the resource itself is removed. -- **Background**: Deletes the resource first, while dependents are removed asynchronously. -- **Orphan**: Deletes the resource but leaves its dependents in place. +Supported values: -For example, consider a Pod with the TTL label `cleanup.kyverno.io/ttl: 2m`. After two minutes, the Pod will be deleted, but the dependents will be handled according to the specified deletionPropagationPolicy. If the policy is set to Orphan, the Pod will be deleted, but its dependent resources will remain in the cluster. +- **Foreground**: Ensures dependent resources are deleted before the primary resource is removed. +- **Background**: Deletes the primary resource first, while dependents are removed asynchronously. +- **Orphan**: Deletes the primary resource but leaves its dependents untouched. 
+ +{{% alert title="Note" color="info" %}} +If deletionPropagationPolicy is not set, Kyverno defers to the Kubernetes API server's default behavior, which typically handles dependents based on cluster settings. +{{% /alert %}} + +### Cleanup Policy Example with deletionPropagationPolicy ### + +A ClusterCleanupPolicy can include deletionPropagationPolicy to control the cleanup of dependents. Here's an example: + +```yaml +apiVersion: kyverno.io/v2 +kind: ClusterCleanupPolicy +metadata: + name: cleandeploy +spec: + match: + any: + - resources: + kinds: + - Deployment + selector: + matchLabels: + canremove: "true" + conditions: + any: + - key: "{{ target.spec.replicas }}" + operator: LessThan + value: 2 + schedule: "*/5 * * * *" + deletionPropagationPolicy: "Foreground" +``` +This policy schedules the deletion of Deployments labeled canremove: "true" with fewer than two replicas every 5 minutes, ensuring dependent resources are deleted before the Deployment itself. + +### TTL-Based Cleanup Example with deletionPropagationPolicy ### + +Resources with a cleanup.kyverno.io/ttl label can also use the deletionPropagationPolicy to manage dependent resources: ```yaml -# TTL-based cleanup with deletionPropagationPolicy apiVersion: v1 kind: Pod metadata: labels: cleanup.kyverno.io/ttl: 2m + annotations: + deletionPropagationPolicy: "Orphan" name: foo spec: containers: 
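Review bot: the annotation key `deletionPropagationPolicy` under `metadata.annotations` has no prefix; Kubernetes reserves unprefixed annotation keys for end users, and a key read by a controller should be namespaced (for example under `cleanup.kyverno.io/`, matching the `cleanup.kyverno.io/ttl` label beside it). The docs must also use the exact key the cleanup controller reads, otherwise the example applies cleanly but the setting is ignored. Style: drop the trailing ` ###` on the two new `###` headings, and add a blank line between the closing fence and `This policy schedules ...`.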
@@ -162,9 +159,8 @@ spec: - 1d image: busybox:1.35 name: foo -deletionPropagationPolicy: "Orphan" ``` +In this example: -In this example, the TTL is set to 2m, which removes the Pod after two minutes but leaves any dependent resources because of the Orphan policy. - -Although labeled resources are watched by Kyverno, the cleanup interval (the time resolution at which any cleanup can be performed) is controlled by a flag passed to the cleanup controller called ttlReconciliationInterval. This value is set to 1m by default and can be changed if a longer resolution is required. +The TTL label specifies that the Pod will be deleted 2 minutes after creation. +The deletionPropagationPolicy: "Orphan" ensures that any dependents remain in the cluster after the Pod is deleted. \ No newline at end of file From 632b3d159c36cf7a6a3f9ded3770614dfb026ad4 Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Mon, 25 Nov 2024 18:49:08 +0530 Subject: [PATCH 06/12] Fix minor changes Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index b3b67a808..e25f996ee 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md @@ -145,7 +145,7 @@ Resources with a cleanup.kyverno.io/ttl label can also use the deletionPropagati ```yaml apiVersion: v1 -kind: Pod +kind: CleanupPolicy metadata: labels: cleanup.kyverno.io/ttl: 2m From 5fb8659b67a8fdd3f897bf24f49b9aaa3892f2ba Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Mon, 25 Nov 2024 19:19:56 +0530 Subject: [PATCH 07/12] Minor changes in ttl Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) 
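Review bot: `kind: CleanupPolicy` under `apiVersion: v1` with a `containers:` spec is not a valid object; CleanupPolicy is a `kyverno.io/v2` kind, and the TTL example is meant to show a workload carrying the label, so this should stay `kind: Pod`. In the preceding hunk, the two sentences after `In this example:` have no list markers, so Markdown renders them as one run-on paragraph; make them `- ` bullets. That hunk also leaves the file without a trailing newline (`\ No newline at end of file`).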
diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index e25f996ee..9cc3a0883 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md @@ -97,9 +97,9 @@ Although labeled resources are watched by Kyverno, the cleanup interval (the tim Because this is a label, there is opportunity to chain other Kyverno functionality around it. For example, it is possible to use a Kyverno mutate rule to assign this label to matching resources. A validate rule could be written prohibiting, for example, users from the `infra-ops` group from assigning the label to resources in certain Namespaces. Or, Kyverno could generate a new resource with this label as part of the resource definition. -## DeletionPropagationPolicy (Common to both) +## DeletionPropagationPolicy (Common to both ClusterCleanupPolicy and TTL based Cleanup) -The deletionPropagationPolicy field is an optional setting available in both CleanupPolicy and TTL-based cleanup configurations. It determines how Kubernetes handles the deletion of dependent resources when the primary resource is deleted. +The `deletionPropagationPolicy` field is an optional setting available in both CleanupPolicy and TTL-based cleanup configurations. It determines how Kubernetes handles the deletion of dependent resources when the primary resource is deleted. Supported values: @@ -111,7 +111,7 @@ Supported values: If deletionPropagationPolicy is not set, Kyverno defers to the Kubernetes API server's default behavior, which typically handles dependents based on cluster settings. {{% /alert %}} -### Cleanup Policy Example with deletionPropagationPolicy ### +### Cleanup Policy Example with deletionPropagationPolicy A ClusterCleanupPolicy can include deletionPropagationPolicy to control the cleanup of dependents. Here's an example: 
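Review bot: the new heading names only `ClusterCleanupPolicy` while the sentence below it says the field is available in `CleanupPolicy`; the field applies to both the namespaced and the cluster-scoped kind, so either name both in the heading or keep it generic.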
@@ -137,15 +137,16 @@ spec: schedule: "*/5 * * * *" deletionPropagationPolicy: "Foreground" ``` -This policy schedules the deletion of Deployments labeled canremove: "true" with fewer than two replicas every 5 minutes, ensuring dependent resources are deleted before the Deployment itself. -### TTL-Based Cleanup Example with deletionPropagationPolicy ### +This policy schedules the deletion of Deployments labeled `canremove: "true"` with fewer than two replicas every 5 minutes, ensuring dependent resources are deleted before the Deployment itself. -Resources with a cleanup.kyverno.io/ttl label can also use the deletionPropagationPolicy to manage dependent resources: +### TTL-Based Cleanup Example with deletionPropagationPolicy + +Resources with a `cleanup.kyverno.io/ttl` label can also use the deletionPropagationPolicy to manage dependent resources: ```yaml apiVersion: v1 -kind: CleanupPolicy +kind: Pod metadata: labels: cleanup.kyverno.io/ttl: 2m @@ -160,7 +161,7 @@ spec: image: busybox:1.35 name: foo ``` -In this example: +In this example: The TTL label specifies that the Pod will be deleted 2 minutes after creation. The deletionPropagationPolicy: "Orphan" ensures that any dependents remain in the cluster after the Pod is deleted. \ No newline at end of file From 4dbf0cc471a13fb5adde54223faf9a28c29cd65a Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Tue, 26 Nov 2024 13:44:22 +0530 Subject: [PATCH 08/12] fix/doc Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index 9cc3a0883..6015535b3 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md 
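Review bot: `In this example: ` keeps a trailing space, and the two explanatory lines below it still lack `- ` markers, so they still render as a single paragraph; reverting `kind` to `Pod` is correct.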
@@ -135,7 +135,7 @@ spec: operator: LessThan value: 2 schedule: "*/5 * * * *" - deletionPropagationPolicy: "Foreground" + deleteOptions: "Foreground" ``` This policy schedules the deletion of Deployments labeled `canremove: "true"` with fewer than two replicas every 5 minutes, ensuring dependent resources are deleted before the Deployment itself. @@ -151,7 +151,7 @@ metadata: labels: cleanup.kyverno.io/ttl: 2m annotations: - deletionPropagationPolicy: "Orphan" + deleteOptions: "Orphan" name: foo spec: containers: From f5e587bd68135280f81399767ab90c4746a44e7a Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Tue, 26 Nov 2024 14:01:15 +0530 Subject: [PATCH 09/12] fix/doc Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index 6015535b3..f534e7328 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md @@ -151,7 +151,7 @@ metadata: labels: cleanup.kyverno.io/ttl: 2m annotations: - deleteOptions: "Orphan" + determinePropagationPolicy: "Orphan" name: foo spec: containers: From d7364e0beb883aecc144f6836c1d2b6b80b2a11e Mon Sep 17 00:00:00 2001 From: ShivamJha2436 Date: Tue, 26 Nov 2024 16:06:51 +0530 Subject: [PATCH 10/12] made a small fix Signed-off-by: ShivamJha2436 --- content/en/docs/writing-policies/cleanup.md | 82 ++++++++++----------- 1 file changed, 41 insertions(+), 41 deletions(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index f534e7328..4be2417ca 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md 
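Review bot: `deleteOptions: "Foreground"` replaces the `deletionPropagationPolicy` spec field, but the subsection heading and the sentence after the fence still refer to `deletionPropagationPolicy`, and a bare string is not what a `deleteOptions`-shaped value would carry (Kubernetes `DeleteOptions` keeps the policy in a `propagationPolicy` sub-field). The following patch then renames the annotation to `determinePropagationPolicy`, a third key for the same setting. Settle on the one name the CRD and the controller actually use and apply it consistently to the field, the annotation, the heading and the prose.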
@@ -25,17 +25,17 @@ metadata: spec: match: any: - - resources: - kinds: - - Deployment - selector: - matchLabels: - canremove: "true" + - resources: + kinds: + - Deployment + selector: + matchLabels: + canremove: "true" conditions: any: - - key: "{{ target.spec.replicas }}" - operator: LessThan - value: 2 + - key: "{{ target.spec.replicas }}" + operator: LessThan + value: 2 schedule: "*/5 * * * *" ``` @@ -55,23 +55,23 @@ metadata: app.kubernetes.io/part-of: kyverno name: kyverno:cleanup-pods rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list - - delete + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete ``` ## Cleanup Label In addition to policies which can declaratively define what resources to remove and when to remove them, the second option for cleanup involves assignment of a reserved label called `cleanup.kyverno.io/ttl` to the exact resource(s) which should be removed. The value of this label can be one of two supported formats. Any unrecognized formats will trigger a warning. -* An absolute time specified in ISO 8601 format (ex., `2023-10-04T003000Z` or `2023-10-04`) -* A remaining time calculated from when the label was observed (ex., `5m`, `4h`, or `1d`) +- An absolute time specified in ISO 8601 format (ex., `2023-10-04T003000Z` or `2023-10-04`) +- A remaining time calculated from when the label was observed (ex., `5m`, `4h`, or `1d`) This label can be assigned to any resource and so long as Kyverno has the needed permissions to delete the resource (see above section for an example), it will be removed at the designated time. 
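Review bot: the re-indentation of the `- resources:` and `- apiGroups:` sequences in the pre-existing examples is unrelated to this PR and roughly doubles its diff; both indentations are valid YAML, so revert these hunks and keep the PR limited to the propagation-policy content. Switching the `*` bullets to `-` in the TTL format list is likewise a drive-by change.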
@@ -86,11 +86,11 @@ metadata: name: foo spec: containers: - - args: - - sleep - - 1d - image: busybox:1.35 - name: foo + - args: + - sleep + - 1d + image: busybox:1.35 + name: foo ``` Although labeled resources are watched by Kyverno, the cleanup interval (the time resolution at which any cleanup can be performed) is controlled by a flag passed to the cleanup controller called `ttlReconciliationInterval`. This value is set to `1m` by default and can be changed if a longer resolution is required. @@ -123,17 +123,17 @@ metadata: spec: match: any: - - resources: - kinds: - - Deployment - selector: - matchLabels: - canremove: "true" + - resources: + kinds: + - Deployment + selector: + matchLabels: + canremove: "true" conditions: any: - - key: "{{ target.spec.replicas }}" - operator: LessThan - value: 2 + - key: "{{ target.spec.replicas }}" + operator: LessThan + value: 2 schedule: "*/5 * * * *" deleteOptions: "Foreground" ``` @@ -151,17 +151,17 @@ metadata: labels: cleanup.kyverno.io/ttl: 2m annotations: - determinePropagationPolicy: "Orphan" + PropagationPolicy: "Orphan" name: foo spec: containers: - - args: - - sleep - - 1d - image: busybox:1.35 - name: foo + - args: + - sleep + - 1d + image: busybox:1.35 + name: foo ``` In this example: The TTL label specifies that the Pod will be deleted 2 minutes after creation. -The deletionPropagationPolicy: "Orphan" ensures that any dependents remain in the cluster after the Pod is deleted. \ No newline at end of file +The deletionPropagationPolicy: "Orphan" ensures that any dependents remain in the cluster after the Pod is deleted. From 9124ea0fc860f4272a43914e9a86fd651c771e50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Tue, 3 Dec 2024 20:18:25 +0100 Subject: [PATCH 11/12] finalise doc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
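Review bot: the annotation is renamed again to `PropagationPolicy: "Orphan"`, still without a prefix, while the closing sentence still reads `The deletionPropagationPolicy: "Orphan" ensures ...`, so the YAML and its explanation now disagree on the key. Restoring the trailing newline is correct.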
Signed-off-by: Charles-Edouard Brétéché --- content/en/docs/writing-policies/cleanup.md | 43 +++++++++++++-------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index 4be2417ca..fba0d7661 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md @@ -97,7 +97,7 @@ Although labeled resources are watched by Kyverno, the cleanup interval (the tim Because this is a label, there is opportunity to chain other Kyverno functionality around it. For example, it is possible to use a Kyverno mutate rule to assign this label to matching resources. A validate rule could be written prohibiting, for example, users from the `infra-ops` group from assigning the label to resources in certain Namespaces. Or, Kyverno could generate a new resource with this label as part of the resource definition. -## DeletionPropagationPolicy (Common to both ClusterCleanupPolicy and TTL based Cleanup) +## DeletionPropagationPolicy The `deletionPropagationPolicy` field is an optional setting available in both CleanupPolicy and TTL-based cleanup configurations. It determines how Kubernetes handles the deletion of dependent resources when the primary resource is deleted. 
@@ -108,12 +108,12 @@ Supported values: - **Orphan**: Deletes the primary resource but leaves its dependents untouched. {{% alert title="Note" color="info" %}} -If deletionPropagationPolicy is not set, Kyverno defers to the Kubernetes API server's default behavior, which typically handles dependents based on cluster settings. +If `deletionPropagationPolicy` is not set, Kyverno defers to the Kubernetes API server's default behavior, which typically handles dependents based on cluster settings. {{% /alert %}} ### Cleanup Policy Example with deletionPropagationPolicy -A ClusterCleanupPolicy can include deletionPropagationPolicy to control the cleanup of dependents. Here's an example: +A ClusterCleanupPolicy can include `deletionPropagationPolicy` to control the cleanup of dependents. Here's an example: ```yaml apiVersion: kyverno.io/v2 
@@ -135,33 +135,42 @@ spec: operator: LessThan value: 2 schedule: "*/5 * * * *" - deleteOptions: "Foreground" + # use Foreground deletion propagation policy + deletionPropagationPolicy: Foreground ``` This policy schedules the deletion of Deployments labeled `canremove: "true"` with fewer than two replicas every 5 minutes, ensuring dependent resources are deleted before the Deployment itself. ### TTL-Based Cleanup Example with deletionPropagationPolicy -Resources with a `cleanup.kyverno.io/ttl` label can also use the deletionPropagationPolicy to manage dependent resources: +Resources with a `cleanup.kyverno.io/ttl` label can also specify a deletion propagation policy to manage dependent resources: ```yaml -apiVersion: v1 -kind: Pod +apiVersion: apps/v1 +kind: Deployment metadata: + name: nginx-server labels: cleanup.kyverno.io/ttl: 2m annotations: - PropagationPolicy: "Orphan" - name: foo + # use Foreground deletion propagation policy + cleanup.kyverno.io/propagation-policy: Foreground spec: - containers: - - args: - - sleep - - 1d - image: busybox:1.35 - name: foo + replicas: 2 + selector: + matchLabels: + app: nginx-server + template: + metadata: + labels: + app: nginx-server + spec: + containers: + - name: nginx-server + image: nginx ``` In this example: -The TTL label specifies that the Pod will be deleted 2 minutes after creation. -The deletionPropagationPolicy: "Orphan" ensures that any dependents remain in the cluster after the Pod is deleted. + +- The TTL label specifies that the resource will be deleted 2 minutes after creation. +- The deletion propagation policy `Foreground` ensures that any dependent resources in the cluster are deleted before the resource itself. From 352a38f000a96e0459e89b028b16afa8629169a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Wed, 4 Dec 2024 08:43:24 +0100 Subject: [PATCH 12/12] review comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
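Review bot: the bullet `The TTL label specifies that the resource will be deleted 2 minutes after creation` contradicts the definition earlier on the page, where a relative TTL is `A remaining time calculated from when the label was observed`, and the actual deletion is further bounded by `ttlReconciliationInterval`; say that it is removed about 2 minutes after the label is observed. Otherwise switching the example to a Deployment is the right call: a Deployment has real dependents (its ReplicaSets and their Pods), so `Foreground` versus `Orphan` visibly changes the outcome, whereas the earlier Pod example had no dependents to propagate to.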
Signed-off-by: Charles-Edouard Brétéché --- content/en/docs/writing-policies/cleanup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md index fba0d7661..abb0db34e 100644 --- a/content/en/docs/writing-policies/cleanup.md +++ b/content/en/docs/writing-policies/cleanup.md @@ -139,7 +139,7 @@ spec: deletionPropagationPolicy: Foreground ``` -This policy schedules the deletion of Deployments labeled `canremove: "true"` with fewer than two replicas every 5 minutes, ensuring dependent resources are deleted before the Deployment itself. +This policy schedules the deletion of Deployments labeled `canremove: "true"` with fewer than two replicas every 5 minutes, using the `Foreground` deletion propagation policy, ensuring dependent resources are deleted before the Deployment itself. ### TTL-Based Cleanup Example with deletionPropagationPolicy