kube-janitor/example.yaml at main · webdevops/kube-janitor · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#################################################
## TTL rule
## goes throw all defined ttl.resources and tries to checks for ttl.annotation and/or ttl.label.
## if annotation/value is set, janitor will try to parse it and checks against the metadata.creationTimestamp.
## if expired, resource will be deleted.
ttl:
  ## checks all resources by annotation
  annotation: janitor/ttl

  ## checks all resources by label
  # label: janitor/ttl

  resources:
    # definition of resources by group, version, kind (GVR)
    # a wildcard ("*") will try to match as many possible resources
    # from the serverside GVK list, BE CAREFUL with wildcards!
    - {group: "", version: "v1", kind: "pods"}
    - {group: "", version: v1, kind: secrets}
    - {group: "", version: v1, kind: configmaps}
    - {group: apps, version: "*", kind: "*"}
    # this rule will match ALL resources, !BE CAREFUL!
    # - {group: "*", version: "*", kind: "*"}

  ## delete options, optional
  deleteOptions:
    propagationPolicy: Background # Foreground, Background, Orphan or empty
    gracePeriodSeconds: 120 # seconds

#################################################
## static rules
## applies a fixed TTLs against resources metadata.creationTimestamp (or JMESpath timestampPath)
## doesn't use an annotation/ttl for TTL calculation.
## useful to remove resources which should only exists for a centrally defined time.
## if namespaceSelector is used only namespaced resources will be processed.
rules:
  # cleanup of completed/failed pods which are not yet removed by the Kubernetes control plane
  - id: CleanupCompletedPods
    ## ttl, calculated against terminated.finishedAt (in this example)
    ttl: 1h
    resources:
      - group: ""
        version: v1
        kind: pods

        ## get timestampo from containerStatuses if pod is terminated
        timestampPath: |-
          max(status.containerStatuses[*].state.terminated.finishedAt)

        ## filter only pods which are in phase "Failed" or "Succeeded"
        filterPath: |-
          status.phase == 'Failed' || status.phase == 'Succeeded'

        selector:
          matchExpressions:
            # exclude kubernetes jobs
            - { key: "batch.kubernetes.io/job-name", operator: DoesNotExist }

    ## run on all namespaces
    namespaceSelector: {}

  # cleanup of evicted pods which are not yet removed by the Kubernetes control plane
  - id: CleanupEvictedPods
    ## ttl, calculated against terminated.finishedAt
    ttl: 15m
    resources:
      - group: ""
        version: v1
        kind: pods

        ## get timestampo from containerStatuses if pod is terminated
        timestampPath: |-
          max(status.containerStatuses[*].lastState.terminated.finishedAt)

        ## filter only pods which are in phase "Failed" or "Succeeded"
        filterPath: |-
          status.reason == 'Evicted'

        selector: {}

    ## run on all namespaces
    namespaceSelector: {}

  - id: example
    # resources expires 1 hour after creation
    ttl: 1h
    resources:
      - group: ""
        version: v1
        kind: configmaps

        # JMESpath where to get the timestamp from, if empty the janitor uses metadata.creationTimestamp
        timestampPath: ~

        # JMESpath for additional selector, should return true if resource should be used for TTL checks, optional
        filterPath: |-
          !(metadata.annotations."kubernetes.io/description")

        # kubernetes selector (matchLabels, matchExpressions), optional
        selector:
          matchLabels:
            foo: bar

    ## delete options, optional
    deleteOptions:
      propagationPolicy: Foreground # Foreground, Background, Orphan or empty
      gracePeriodSeconds: 120 # seconds

    # kubernetes selector (matchLabels, matchExpressions), optional
    # if a namespaceSelector is active only namespaced resources will be checked
    # !! be careful !!
    # to force this behaviour for all namespaces try
    #   namespaceSelector:
    #     matchExpressions:
    #       - { key: "kubernetes.io/metadata.name", operator: Exists }

    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: default