From 96ac5be3b58c6bdf5e681f67570f174ae835ae6c Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 13 Oct 2025 09:54:20 -0500
Subject: [PATCH] r/kubelet: Schedule automatic image prune

As pods move around between nodes, applications are updated, etc., nodes tend to accumulate images in their container stores that are no longer used. These take up space unnecessarily, eventually triggering disk usage alarms. From now, the _kubelet_ role installs a systemd timer and service unit to periodically clean up these unused images.
---
.../kubelet/files/crictl-image-prune.service | 38 ++++++++++++++++++
roles/kubelet/files/crictl-image-prune.timer | 6 +++
roles/kubelet/handlers/main.yml | 5 +++
roles/kubelet/tasks/main.yml | 39 +++++++++++++++++++
4 files changed, 88 insertions(+)
create mode 100644 roles/kubelet/files/crictl-image-prune.service
create mode 100644 roles/kubelet/files/crictl-image-prune.timer

diff --git a/roles/kubelet/files/crictl-image-prune.service b/roles/kubelet/files/crictl-image-prune.service
new file mode 100644
index 0000000..b71de3e
--- /dev/null
+++ b/roles/kubelet/files/crictl-image-prune.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Prune unused container images
+After=crio.service
+Requires=crio.service
+StartLimitBurst=10
+StartLimitIntervalSec=10s
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/crictl rmi --prune
+Restart=on-failure
+RestartSec=2s
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
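Review bot: `ExecStart=/usr/bin/crictl rmi --prune` deletes every image that has no container referencing it at the moment the timer fires, so it runs regardless of disk usage and does not honour the kubelet's own image GC settings (`imageMinimumGCAge`, `imageGCHighThresholdPercent`/`imageGCLowThresholdPercent`); it can therefore remove an image the kubelet has just pulled for a pod whose container is not created yet, and that pod pays a failed first start and a re-pull. Consider whether tuning the kubelet thresholds covers the disk-alarm case before adding a second, unconditional reaper, or at least record the overlap in the unit: `# Unconditional (not usage-driven); kubelet image GC keeps running independently of this job.` The hardening block would also benefit from one line saying what the command actually needs, e.g. `# crictl only connects to the CRI unix socket, hence AF_UNIX and a read-only filesystem` above `RestrictAddressFamilies=AF_UNIX`. If I recall correctly, `Restart=on-failure` combined with `Type=oneshot` is accepted only by systemd 244 and newer, which is worth stating if the role targets older distributions.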
diff --git a/roles/kubelet/files/crictl-image-prune.timer b/roles/kubelet/files/crictl-image-prune.timer
new file mode 100644
index 0000000..82e1c8e
--- /dev/null
+++ b/roles/kubelet/files/crictl-image-prune.timer
@@ -0,0 +1,6 @@
+[Unit]
+Description=periodically prune unused container images
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=8h
diff --git a/roles/kubelet/handlers/main.yml b/roles/kubelet/handlers/main.yml
index 7525c9a..18c8b86 100644
--- a/roles/kubelet/handlers/main.yml
+++ b/roles/kubelet/handlers/main.yml
@@ -14,3 +14,8 @@
 service:
 name: kubelet
 state: restarted
+
+- name: restart crictl-image-prune.timer
+ systemd:
+ name: crictl-image-prune.timer
+ state: restarted
diff --git a/roles/kubelet/tasks/main.yml b/roles/kubelet/tasks/main.yml
index 27b4ca6..19d6421 100644
--- a/roles/kubelet/tasks/main.yml
+++ b/roles/kubelet/tasks/main.yml
@@ -112,3 +112,42 @@
 enabled: true
 tags:
 - service
+
+- block:
+ - name: ensure crictl-image-prune systemd timer unit file is in place
+ copy:
+ src: crictl-image-prune.timer
+ dest: /etc/systemd/system/
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ - restart crictl-image-prune.timer
+ tags:
+ - systemd
+ - name: ensure crictl-image-prune systemd service unit file is in place
+ copy:
+ src: crictl-image-prune.service
+ dest: /etc/systemd/system/
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ tags:
+ - systemd
+ - name: ensure crictl-image-prune timer starts automatically
+ systemd:
+ name: crictl-image-prune.timer
+ enabled: true
+ tags:
+ - timer
+ - name: ensure crictl-image-prune timer is running
+ systemd:
+ name: crictl-image-prune.timer
+ state: started
+ tags:
+ - timer
+ tags:
+ - auto-prune-images
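Review bot: The timer unit has no `[Install]` section, so the `enabled: true` task in this commit's tasks hunk has nothing to wire it into `timers.target`; depending on the systemd version `systemctl enable` either fails with "no installation config" or succeeds without effect, and after a reboot the timer only runs if something else starts it. Append `[Install]` and `WantedBy=timers.target` to the unit so enabling it means what the task name says. Without `Persistent=true`, a daily run missed while the node was down is skipped rather than caught up on boot, which is probably acceptable for a prune job but should be a deliberate choice recorded in the unit, e.g. `# Missed runs are dropped on purpose; the next daily trigger is soon enough.`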
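Review bot: The new handler uses the `systemd` module while the adjacent `restart kubelet` handler uses `service:`; either works for a timer unit, but one file mixing both reads as an inconsistency, and `systemd:` is the one that can take `daemon_reload: true` if that is ever needed here. Ansible runs notified handlers in definition order, so this handler must remain defined after `reload systemd` for a changed timer file to be restarted against the reloaded unit; it is appended at the end of the file, which satisfies that provided `reload systemd` is defined above it (not visible in this hunk).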
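Review bot: The `enabled: true` and `state: started` tasks execute before the `reload systemd` handler they depend on, because notified handlers are flushed at the end of the play; on a freshly provisioned node the enable/start therefore relies on systemd noticing the new unit files on its own rather than on an explicit reload. Add `daemon_reload: true` to the `ensure crictl-image-prune timer starts automatically` task so the enable does not depend on handler timing; this is also the task that will be ineffective until the timer file gains an `[Install]` section. The two `copy` tasks differ only in `src` and `notify`; a single task looping over the two file names would keep owner, mode and destination from drifting apart. The `- block:` wrapping these tasks is complete within the hunk.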