content/en/docs/writing-policies/cleanup.md (+5 -2)
@@ -74,11 +74,12 @@ The `deletionPropagationPolicy` field is an optional setting in `CleanupPolicy`
74
74
- **Background**: Deletes the resource immediately, and its dependents are deleted asynchronously.
75
75
- **Orphan**: Deletes the resource without deleting its dependents, leaving them orphaned.
76
76
77
-
> **Note**: If `deletionPropagationPolicy` is not set, Kyverno defaults to the API server’s behavior, which typically aligns with the **Background** deletion policy. This default allows Kyverno to delete the primary resource asynchronously, giving the API server the flexibility to manage the deletion of dependents as per cluster settings.
77
+
> **Note**: If `deletionPropagationPolicy` is not set, Kyverno defaults to the API server’s behavior. This default allows Kyverno to delete the primary resource asynchronously, giving the API server the flexibility to manage the deletion of dependents as per cluster settings.
78
78
79
79
An example `ClusterCleanupPolicy` with `deletionPropagationPolicy` is shown below. This cleanup policy removes Deployments with the label `canremove: "true"` if they have fewer than two replicas, on a schedule of every 5 minutes, and deletes dependents in the **Foreground** mode.
80
80
81
81
```yaml
82
+
# ClusterCleanupPolicy with deletionPropagationPolicy
82
83
apiVersion: kyverno.io/v2
83
84
kind: ClusterCleanupPolicy
84
85
metadata:
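Review bot: In the rewritten note (new line 77) the second sentence still says the default "allows Kyverno to delete the primary resource asynchronously", which is the Background behaviour the first sentence no longer claims. With the "typically aligns with the **Background** deletion policy" clause removed, either drop that sentence or reword it to say only that an unset `deletionPropagationPolicy` leaves propagation to the API server, and recommend setting the field explicitly when a policy depends on dependents being removed or kept. The added YAML comment on new line 82 repeats the sentence that introduces the block and could be dropped.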
@@ -100,6 +101,7 @@ spec:
100
101
schedule: "*/5 * * * *"
101
102
deletionPropagationPolicy: "Foreground"
102
103
```
104
+
103
105
{{% alert title="Note" color="info" %}} Since cleanup policies always operate against existing resources in a cluster, policies created with subjects, Roles, or ClusterRoles in the match/exclude block are not allowed since this information is only known at admission time. Additionally, operations[], while permitted, are ignored as the only trigger is schedule based. {{% /alert %}}
104
106
105
107
Values from resources to be evaluated during a policy may be referenced with target.* similar to mutate existing rules.
@@ -147,9 +149,10 @@ The deletionPropagationPolicy can also be specified for resources with a TTL-bas
147
149
- **Background**: Deletes the resource first, while dependents are removed asynchronously.
148
150
- **Orphan**: Deletes the resource but leaves its dependents in place.
149
151
150
-
An example of a Pod with a TTL label and deletionPropagationPolicy:
152
+
For example, consider a Pod with the TTL label cleanup.kyverno.io/ttl: 2m. After two minutes, the Pod will be deleted, but the dependents will be handled according to the specified deletionPropagationPolicy. If the policy is set to Orphan, the Pod will be deleted, but its dependent resources will remain in the cluster.
151
153
152
154
```yaml
155
+
# TTL-based cleanup with deletionPropagationPolicy
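Review bot: The new paragraph on line 152 replaces the sentence that introduced the YAML block, so the example now follows prose that never points at it. Suggest keeping a short lead-in after the new paragraph, for instance the removed "An example of a Pod with a TTL label and deletionPropagationPolicy:", and checking that the value the paragraph walks through (Orphan) is the one the example actually sets. In the added line, `cleanup.kyverno.io/ttl: 2m`, `deletionPropagationPolicy` and `Orphan` are not in backticks, unlike the same field name in the note earlier in the file, and "the Pod will be deleted, but" appears in two consecutive sentences, so the second can be shortened. The YAML comment added on line 155 restates the surrounding text and is optional.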