r/kubelet: Schedule automatic image prune

As pods move around between nodes, applications are updated, etc., nodes tend to accumulate images in their container stores that are no longer used. These take up space unnecessarily, eventually triggering disk usage alarms. From now, the _kubelet_ role installs a systemd timer and service unit to periodically clean up these unused images.
2025-10-13 09:54:20 -05:00
parent 142682ce2f
commit 96ac5be3b5
4 changed files with 88 additions and 0 deletions
--- a/roles/kubelet/files/crictl-image-prune.service
+++ b/roles/kubelet/files/crictl-image-prune.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Prune unused container images
+After=crio.service
+Requires=crio.service
+StartLimitBurst=10
+StartLimitIntervalSec=10s
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/crictl rmi --prune
+Restart=on-failure
+RestartSec=2s
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
--- a/roles/kubelet/files/crictl-image-prune.timer
+++ b/roles/kubelet/files/crictl-image-prune.timer
@@ -0,0 +1,6 @@
+[Unit]
+Description=periodically prune unused container images
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=8h
--- a/roles/kubelet/handlers/main.yml
+++ b/roles/kubelet/handlers/main.yml
@@ -14,3 +14,8 @@
  service:
    name: kubelet
    state: restarted
+
+- name: restart crictl-image-prune.timer
+  systemd:
+    name: crictl-image-prune.timer
+    state: restarted
--- a/roles/kubelet/tasks/main.yml
+++ b/roles/kubelet/tasks/main.yml
@@ -112,3 +112,42 @@
    enabled: true
  tags:
  - service
+
+- block:
+  - name: ensure crictl-image-prune systemd timer unit file is in place
+    copy:
+      src: crictl-image-prune.timer
+      dest: /etc/systemd/system/
+      owner: root
+      group: root
+      mode: u=rw,go=r
+    notify:
+    - reload systemd
+    - restart crictl-image-prune.timer
+    tags:
+    - systemd
+  - name: ensure crictl-image-prune systemd service unit file is in place
+    copy:
+      src: crictl-image-prune.service
+      dest: /etc/systemd/system/
+      owner: root
+      group: root
+      mode: u=rw,go=r
+    notify:
+    - reload systemd
+    tags:
+    - systemd
+  - name: ensure crictl-image-prune timer starts automatically
+    systemd:
+      name: crictl-image-prune.timer
+      enabled: true
+    tags:
+    - timer
+  - name: ensure crictl-image-prune timer is running
+    systemd:
+      name: crictl-image-prune.timer
+      state: started
+    tags:
+    - timer
+  tags:
+  - auto-prune-images