May 1, 2025
🧭 Introduction
In Kubernetes environments, it’s standard practice for CI/CD pipelines to build and deploy container images. However, what’s often overlooked is the cleanup of these images once they’re no longer in use.
Over time, this can lead to an accumulation of:
- Unused images
- Outdated versions
- Vulnerable containers
Kubernetes does offer native garbage collection, but it only triggers based on disk usage thresholds, ignoring the security posture of the images.
Eraser addresses this gap by intelligently scanning and cleaning up container images that meet specific criteria — like being unused, outdated, or vulnerable.
🏗️ Architecture
[Figure: AKS Image Cleaner architecture]
Eraser supports two operational modes for container image cleanup:
Manual Mode
You define a list of images to be removed via a custom resource called ImageList. Eraser then deploys cleanup pods that remove these specific images across all cluster nodes.
Perfect when you already know which images are unnecessary or risky.
Automated Mode
This runs on a scheduled timer and, by default, uses a vulnerability scanner (Trivy) to determine which images to remove.
Options:
- Replace Trivy with another scanner
- Disable scanning entirely (acts as traditional GC)
Eraser ensures:
- Continuous hygiene
- Automated image cleanup
- Compliance with security standards
🧩 Eraser Components (Pod-Level Breakdown)
eraser-controller-manager
- Listens for new cleanup requests (manual or automated)
- Schedules cleanup pods dynamically across cluster nodes
eraser Worker Pods (per node)
Each pod contains 3 containers:
- Collector — Gathers data on all container images per node
- Trivy Scanner — Identifies known vulnerabilities in each image
- Remover — Deletes images that are both unused and vulnerable
🔧 Enabling Image Cleaner in AKS
1. Using Bicep Template
Enable Image Cleaner by setting it in the securityProfile section of the managed cluster resource:
```bicep
securityProfile: {
  imageCleaner: {
    enabled: true
    intervalHours: 168 // 7 days
  }
}
```
2. Using Azure CLI
To enable on a new AKS cluster (replace the placeholders with your cluster and resource group names):
```bash
az aks create \
  --name <cluster-name> \
  --resource-group <resource-group> \
  --enable-image-cleaner
```
To enable on an existing AKS cluster:
```bash
az aks update \
  --name <cluster-name> \
  --resource-group <resource-group> \
  --enable-image-cleaner
```
🚀 How Automated Cleanup Works
Once deployed, eraser-controller-manager takes over with no manual input required:
- Worker pods (eraser-aks-xxxxx) are created per node
- Each worker runs the Collector, Scanner, and Remover lifecycle
- Vulnerable and unused images are cleaned up
Scheduling:
- Once cleanup is done, worker pods self-destruct
- The next cleanup triggers automatically after the interval set with `--image-cleaner-interval-hours` (the CLI counterpart of `intervalHours` in the Bicep template)
✋ Manual Mode Walkthrough
Objective
Demonstrate manual cleanup of an unused image (alpine:3.7.3) using Eraser.
Step 1: Deploy DaemonSet
```bash
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: alpine
spec:
  selector:
    matchLabels:
      app: alpine
  template:
    metadata:
      labels:
        app: alpine
    spec:
      containers:
      - name: alpine
        image: docker.io/library/alpine:3.7.3
EOF
```
Step 2: Delete DaemonSet (Image remains on nodes)
```bash
kubectl delete daemonset alpine
```
Step 3: Create ImageList CRD
```bash
cat <<EOF | kubectl apply -f -
apiVersion: eraser.sh/v1
kind: ImageList
metadata:
  name: imagelist
spec:
  images:
  - docker.io/library/alpine:3.7.3
EOF
```
Eraser then cleans the unused alpine:3.7.3 image from all nodes.
Retrying Manual Cleanup
Manual cleanup is one-time and triggered only when:
- A new ImageList is created
- An existing ImageList is updated
💡 To re-remove the same image: create a new ImageList.
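As an added example (not code from the original post or the Eraser project), a small POSIX shell helper that builds the ImageList manifest from Step 3 for any set of images and gives each list a fresh, timestamped name so a repeat cleanup creates a new ImageList as the note above requires. It expands short references such as `alpine:3.7.3` to the fully qualified form the walkthrough uses, assuming the usual Docker Hub defaults (`docker.io`, the `library` namespace, and the `latest` tag for a bare name), and assumes `kubectl` is configured against the cluster when you pipe its output to `kubectl apply`.

```bash
#!/bin/sh
# normalize_ref: expand a short image reference to the fully qualified form
# used in the walkthrough (e.g. alpine:3.7.3 -> docker.io/library/alpine:3.7.3).
# Assumption: Docker Hub conventions apply when no registry host is given.
normalize_ref() {
  ref="$1"
  case "$ref" in
    */*)
      case "${ref%%/*}" in
        *.*|*:*|localhost) ;;            # first component is a registry host
        *) ref="docker.io/$ref" ;;       # Docker Hub user/org namespace
      esac ;;
    *) ref="docker.io/library/$ref" ;;   # Docker Hub official image
  esac
  case "${ref##*/}" in
    *@*|*:*) ;;                          # tag or digest already present
    *) ref="$ref:latest" ;;              # a bare name means the latest tag
  esac
  printf '%s\n' "$ref"
}

# imagelist_manifest NAME IMAGE...: print an eraser.sh/v1 ImageList manifest
# listing each image once, in fully qualified form.
imagelist_manifest() {
  name="$1"; shift
  printf 'apiVersion: eraser.sh/v1\nkind: ImageList\nmetadata:\n  name: %s\nspec:\n  images:\n' "$name"
  seen=""
  for img in "$@"; do
    full="$(normalize_ref "$img")"
    case " $seen " in
      *" $full "*) continue ;;           # skip duplicate references
    esac
    seen="$seen $full"
    printf '  - %s\n' "$full"
  done
}

# fresh_imagelist_name: a new name per run, so re-applying triggers a new cleanup
# (Eraser only acts when an ImageList is created or updated).
fresh_imagelist_name() {
  printf 'imagelist-%s\n' "$(date +%Y%m%d%H%M%S)"
}
```

To run the manual cleanup from the walkthrough, pipe the manifest into kubectl: `imagelist_manifest "$(fresh_imagelist_name)" alpine:3.7.3 | kubectl apply -f -`.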
✅ Conclusion
Eraser bridges a critical gap in Kubernetes operations by offering automated and secure cleanup of container images. Whether you want to:
- Maintain compliance
- Enhance security posture
- Keep nodes lean
…Eraser is a must-have utility for modern Kubernetes workloads.
👉 Start integrating it today and take the hassle out of image hygiene!