AKS Image Cleaner: vulnerable images are detected and removed
Date: 05/10/2023 Categories: azure

Unreferenced (stale) images left on cluster nodes can carry security risks, because they may contain known vulnerabilities. To remove these risks from your clusters, you can clean up the unreferenced images. Cleaning images manually is time intensive. Image Cleaner identifies and removes such images automatically, which mitigates the risk of stale images and reduces the time required to clean them up.

Prerequisites

  • An Azure subscription. If you don’t have an Azure subscription, you can create a free account.
  • Azure CLI version 2.49.0 or later. Run az --version to find your version. If you need to install or upgrade, see Install Azure CLI.

Constraints

Image Cleaner doesn’t yet support Windows node pools or AKS virtual nodes.

How Image Cleaner functions

After you enable Image Cleaner, there will be a controller manager pod named eraser-controller-manager deployed to your cluster.

Image Cleaner runs in either automatic or manual mode, controlled by the setup parameters described below:

Automatic mode

Once eraser-controller-manager is deployed, the following steps will be taken automatically:

  • It immediately starts the cleanup process and creates eraser-aks-xxxxx worker pods for each node.
  • There are three containers in each worker pod:
    • collector, which collects unused images.
    • trivy-scanner, which uses trivy to scan those images for vulnerabilities.
    • remover, which removes unused images that have vulnerabilities.
  • After the cleanup process completes, the worker pod is deleted, and the next scheduled cleanup runs according to the interval you set with --image-cleaner-interval-hours.

Manual mode

You can trigger the cleanup manually by defining a CRD object of kind ImageList. This causes the eraser-controller-manager to create eraser-aks-xxxxx worker pods for each node and complete the manual removal process.

Enable Image Cleaner on your AKS cluster

Set up a new cluster with Image Cleaner enabled.

Enable Image Cleaner on a new AKS cluster using the az aks create command with the --enable-image-cleaner parameter.

az aks create --resource-group myResourceGroup --name myManagedCluster --enable-image-cleaner

Enable Image Cleaner on an existing cluster

Enable Image Cleaner on an existing AKS cluster using the az aks update command.

az aks update --resource-group myResourceGroup --name myManagedCluster --enable-image-cleaner

Manually remove images using Image Cleaner

Manually remove an image using the following kubectl apply command. This example removes the docker.io/library/alpine:3.7.3 image if it’s unused.

cat <<EOF | kubectl apply -f -
apiVersion: eraser.sh/v1
kind: ImageList
metadata:
  name: imagelist
spec:
  images:
    - docker.io/library/alpine:3.7.3
EOF
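As an added example (not from the page or the Image Cleaner project), a small shell helper that generates the same eraser.sh/v1 ImageList manifest for any number of images and refuses references that are not qualified with a registry and pinned by tag or digest, so a manual cleanup targets exactly the images you intend. The function names are assumptions.

```shell
#!/usr/bin/env bash
# Build an eraser.sh/v1 ImageList manifest for Image Cleaner's manual mode.
# Each argument must be a fully qualified reference (registry/repo:tag or
# registry/repo@sha256:<digest>) so the remover matches exactly the image you
# intend; bare names such as "alpine" or untagged repositories are rejected.
set -eu

# Returns 0 if the reference names a registry path and is pinned by tag or digest.
valid_image_ref() {
  case "$1" in
    */*@sha256:*|*/*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the ImageList manifest to stdout; returns 2 on the first bad reference
# without emitting any YAML, so a bad list never reaches kubectl.
image_list_manifest() {
  [ "$#" -gt 0 ] || { echo "no images given" >&2; return 2; }
  for ref in "$@"; do
    valid_image_ref "$ref" || { echo "rejecting unqualified reference: $ref" >&2; return 2; }
  done
  printf 'apiVersion: eraser.sh/v1\nkind: ImageList\nmetadata:\n  name: imagelist\nspec:\n  images:\n'
  for ref in "$@"; do
    printf '    - %s\n' "$ref"
  done
}

# Usage: pipe the manifest into kubectl on the cluster, e.g.
#   image_list_manifest docker.io/library/alpine:3.7.3 | kubectl apply -f -
```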

Refer to: Image Cleaner