Hi!
In this article, I will show you how you can clean unreferenced images stored at the nodes level. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
ImageCleaner does not support the following:
- Windows node pools
- ARM64 node pools
When enabled, an eraser-controller-manager pod is deployed on each agent node, which will use an ImageList CRD to determine unreferenced and vulnerable images. Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged.
An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually. Once an ImageList is generated, ImageCleaner will remove all the images in the list from node VMs.
To enable Image Cleaner on an existing AKS cluster:
az aks update -g MyResourceGroup -n MyManagedCluster --enable-image-cleaner
To enable Image Cleaner with an interval of hours:
az aks update -g MyResourceGroup -n MyManagedCluster --image-cleaner-interval-hours 48
Based on your configuration, ImageCleaner will generate an ImageList containing non-running and vulnerable images at the desired interval. ImageCleaner will automatically remove these images from cluster nodes.
Source: https://docs.microsoft.com/en-us/azure/aks/image-cleaner
Maxime.