These unreferenced images can carry unpatched vulnerabilities, so leaving them on cluster nodes is a security risk. To remove that risk in your clusters, you can clean up the unreferenced images. Cleaning images manually is time intensive. Image Cleaner identifies and removes stale images automatically, which mitigates the risk they pose and reduces the time required to clean them up.
Prerequisites
- An Azure subscription. If you don’t have an Azure subscription, you can create a free account.
- Azure CLI version 2.49.0 or later. Run az --version to find your version. If you need to install or upgrade, see Install Azure CLI.
Constraints
Image Cleaner doesn’t yet support Windows node pools or AKS virtual nodes.
How Image Cleaner functions
After you enable Image Cleaner, a controller manager pod named eraser-controller-manager is deployed to your cluster.
Image Cleaner runs in either automatic or manual mode; the setup parameters and behavior of each mode are described below.
Automatic mode
Once eraser-controller-manager is deployed, the following steps are taken automatically:
- It immediately starts the cleanup process and creates eraser-aks-xxxxx worker pods for each node.
- There are three containers in each worker pod:
  - A collector, which collects unused images.
  - A trivy-scanner, which uses trivy to scan images for vulnerabilities.
  - A remover, which removes unused images that have vulnerabilities.
- After the cleanup process completes, the worker pod is deleted and the next scheduled cleanup runs according to the --image-cleaner-interval-hours value you define.
Manual mode
You can manually trigger the cleanup by defining an ImageList CRD object. This triggers the eraser-controller-manager to create eraser-aks-xxxxx worker pods for each node and complete the manual removal process.
Enable Image Cleaner on your AKS cluster
Set up a new cluster with Image Cleaner enabled.
Enable Image Cleaner on a new AKS cluster using the az aks create command with the --enable-image-cleaner parameter.
az aks create --resource-group myResourceGroup --name myManagedCluster --enable-image-cleaner
Enable Image Cleaner on an existing cluster
Enable Image Cleaner on an existing AKS cluster using the az aks update command.
az aks update --resource-group myResourceGroup --name myManagedCluster --enable-image-cleaner
Manually remove images using Image Cleaner
Manually remove an image using the following kubectl apply command. This example removes the docker.io/library/alpine:3.7.3 image if it's unused.
cat <<EOF | kubectl apply -f -
apiVersion: eraser.sh/v1
kind: ImageList
metadata:
  name: imagelist
spec:
  images:
    - docker.io/library/alpine:3.7.3
EOF
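As an added example (not part of the AKS documentation or the Image Cleaner project), the following POSIX shell script builds the same ImageList manifest from a list of image references. It refuses any reference that carries no tag or digest, so the list stays explicit about what may be removed; that strictness is this example's own choice, not a requirement of Image Cleaner. The function names and the apply wrapper are assumptions of this example.

```shell
#!/usr/bin/env sh
# Build an Image Cleaner ImageList manifest (apiVersion eraser.sh/v1, as on the page)
# for manual-mode removal, rejecting references that are not pinned to a tag or digest.

# Return 0 if the last path segment of the reference has a ":tag" or "@sha256:" digest.
# Stripping up to the last "/" first avoids mistaking a registry "host:port" for a tag.
is_pinned_ref() {
  last=${1##*/}                     # "alpine:3.7.3" from "docker.io/library/alpine:3.7.3"
  case "$last" in
    *@sha256:*|*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the manifest for the given references; print nothing and return 1 if any
# reference is unpinned, so a bare "alpine" never reaches the cluster by accident.
build_imagelist() {
  for ref in "$@"; do
    is_pinned_ref "$ref" || { echo "refusing unpinned reference: $ref" >&2; return 1; }
  done
  printf 'apiVersion: eraser.sh/v1\nkind: ImageList\nmetadata:\n  name: imagelist\nspec:\n  images:\n'
  for ref in "$@"; do
    printf '    - %s\n' "$ref"
  done
}

# Apply the manifest to the current kubectl context (hypothetical wrapper; needs cluster access).
apply_imagelist() {
  build_imagelist "$@" | kubectl apply -f -
}

# Usage (not executed here): apply_imagelist docker.io/library/alpine:3.7.3
```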
Refer to Image Cleaner