Cleanup Bare Pods

A bare Pod is any Pod created directly and not owned by a controller such as a Deployment or Job. Bare Pods are often created manually by users in an attempt to troubleshoot an issue. If left in the cluster, they create clutter, increase cost, and can be a security risk. Bare Pods can be cleaned up periodically through use of a policy. This policy finds and removes all bare Pods across the cluster.

Policy Definition

/cleanup/cleanup-bare-pods/cleanup-bare-pods.yaml

```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterCleanupPolicy
metadata:
  name: clean-bare-pods
  annotations:
    policies.kyverno.io/title: Cleanup Bare Pods
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.11.1
    policies.kyverno.io/minversion: 1.10.0
    pod-policies.kyverno.io/autogen-controllers: none
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/description: >-
      A bare Pod is any Pod created directly and not owned by a controller such as a
      Deployment or Job. Bare Pods are often created manually by users in an attempt to troubleshoot
      an issue. If left in the cluster, they create clutter, increase cost, and can be a security
      risk. Bare Pods can be cleaned up periodically through use of a policy. This policy finds
      and removes all bare Pods across the cluster.
spec:
  # Consider every Pod in the cluster, in all namespaces.
  match:
    any:
    - resources:
        kinds:
          - Pod
  # Select only Pods whose ownerReferences are missing or empty.
  conditions:
    all:
    - key: "{{ target.metadata.ownerReferences[] || `[]` }}"
      operator: Equals
      value: []
  # Run the cleanup every 5 minutes.
  schedule: "*/5 * * * *"
```
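
To preview which Pods this policy would delete before enabling it, the check below applies the same test as the policy's condition (missing or empty `ownerReferences`) to saved `kubectl get pods -A -o json` output. It is an added example, not part of the Kyverno policy library; the sample Pod list is constructed, and the function names and the `skip_namespaces` parameter are hypothetical.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_POD_LIST = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"namespace": "default", "name": "debug-shell"}},
  {"metadata": {"namespace": "default", "name": "tmp-curl", "ownerReferences": []}},
  {"metadata": {"namespace": "default", "name": "null-owners", "ownerReferences": null}},
  {"metadata": {"namespace": "shop", "name": "web-7d9f-abcde",
                "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7d9f"}]}},
  {"metadata": {"namespace": "batch", "name": "report-xk2lp",
                "ownerReferences": [{"kind": "Job", "name": "report"}]}}
]}
""")


def is_bare(pod):
    """Same outcome as the policy condition: ownerReferences missing, null or empty."""
    owners = pod.get("metadata", {}).get("ownerReferences") or []
    return len(owners) == 0


def bare_pods(pod_list, skip_namespaces=()):
    """Return sorted 'namespace/name' strings for Pods the cleanup would target.

    skip_namespaces is a review aid only (hypothetical parameter); the policy
    as written matches Pods in every namespace.
    """
    found = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ns = meta.get("namespace", "default")
        if ns in skip_namespaces or not is_bare(pod):
            continue
        found.append(f"{ns}/{meta.get('name', '<unnamed>')}")
    return sorted(found)


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json > pods.json && python3 bare_pods.py pods.json
    # With no argument, the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_POD_LIST
    for ref in bare_pods(data):
        print(ref)
```

Reviewing this list first shows whether any long-lived Pod that was intentionally created without a controller would be removed on the next scheduled run.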