Hunt Unused Resources In Kubernetes.

Release History

Release 0.35

  • Refactored to work as a service inside Kubernetes and exporting metrics in Prometheus which can be viewed from Grafana dashboard
  • Added Grafana dashboard
  • Fixed external services as false positive. Refer issue 6

Release 0.31

  • Added Deployment
  • Added Stateful Set
  • Added support for env_from to resolve issue. Refer issue 4

Release 0.3

  • Added Ingress
  • Added Services Account
  • Adding RoleBindding
  • Removed deletion capability. Refer issue 3

NAQ (Nobody asked Question).

  1. What this script do?

This will find all unused resources and show them in a nice format.

  1. Why you need this?

When we add a new application or Microservices it is simple as installing a chart or kubectl -f on a big manifest but when we want to remove we don't know what are resources it created. Many times we can't remove them fully because we have 10's or 100's such resources and don’t have enough time to hunt and kill or many times we just inherited a cluster. Having an unused item in the cluster is not good practice as the Etcd DB size grows the performance starts degrading. Also many times it possed a security risk(unknown SA and rolebinding).

Lastly most dear to us saving cost in case of PVC we are paying for them to cloud provider.

  1. Is this cause any effect on my cluster?

This will just list the unused resources according to predefined criteria which are mentioned after NAQ. This will just give the list of resources that are Potentially unused so you can focus on them an only instant of looking for a needle in the haystack.

Note:- You should not trust strangers' words on the internet so browse the script as it is under apache 2 License and try on dummy cluster.

  1. How this work? Can I just use the kubectl command to do the same?

The kubectl does not directly give these details you have to invest a lot of time. If you know a short way, Please let me know via raising the issue (sharing is caring). This script will get all pods in all namespaces and scan them for these resources and make a list and then get the resource in Kubernetes and just give you the difference.

  1. So if I understood correctly it will scan the pod only. what if I have deployment/StatefullSet which has zero replica set?

Yes, in that case, the resource will be shown as unused. If you have zero replicas means you are not using that resource.

  1. Why PVC why not PV?

Normally we use PVC to manage PV and when we delete claims, PV will be deleted or retained as per storage-class configuration. To avoid any potential data loss I choose to work with PVC only.

  1. What if I hit a bug or required any feature?

You can raise an issue. I will try to fix the bug. The feature has to look into how much time is required.

Selection Criteria

  • Secret -> If the secret is not mounted on any running pod via env variable or as volume
  • ConfigMap -> If ConfigMap is not mounted on any running pod via env variable or as volume
  • PVC -> Is PVC is not mounted on any running pod
  • Services -> If services do not any endpoint
  • ServiceAccount -> If no running pod use that service account
  • Ingress -> If ingress pointing to any services which either do not exist or do not have any endpoint
  • RoleBinding -> If RoleBindding to any Services account which does not exist or that Services account is not used by any running pod.
  • Deployment -> If deployment have zero replica.
  • StateFullset -> If StateFullset have zero replica.

Exclusion:- All objects in kube-system and kube-system are excluded also all secrets which are token or type TLS are excluded to avoid the high list of false positive.

Installation and Configuration

Installing in Kubernetes

Deploy manifest in kubernetes and prometheus should scrape all the metrics.

NOTE :- Service will scan for unused resources every 15 minutes which you can changing by setting REFRESH_INTERVAL(in second) in deployment.yaml

git clone https://github.com/yogeshkk/K8sPurger
cd K8sPurger
kubectl apply -f deploy/manifest.yaml

Then you can import the k8sPurger Dashboard from deploy folder to create dashbaord like below.


Running From shell

This script use Python client for Kuberntes. We need to install that first Make sure you have kubeconfig in ~/.kube/conf or in KUBECONFIG env variable before runing script.

pip install kubernetes
python K8sPurger.py

Output Will look like below

yogesh$ ~/p/K8sPurger> python K8sPurger.py

This script is created to find unused resource in Kubernetes.

Getting unused secret it may take couple of minute..

Extra Secrets are 6 which are as below

| Secrets         | Namespace   |
| app1-secret     | my-apps     |
| app2-secret     | my-apps     |
| app2-new-secret | my-apps     |
| postgresql      | default     |
| dex-b94455424g  | kube-addons |
| dex-dbh8fmk699  | kube-addons |

Getting unused ConfigMap it may take couple of minute..

Extra ConfigMap are 6 which are as below

| ConfigMap                 | Namespace   |
| app1-configmap            | my-apps     |
| app2-configmap            | my-apps     |
| app2-new-configmap        | my-apps     |
| ss-cm                     | default     |
| cluster-autoscaler-status | kube-addons |
| fluent-bit-config         | logging     |

Getting unused PVC it may take couple of minute..

Extra PV Claim are 5 which are as below
| PV Claim          | Namespace |
| data-postgresql-0 | default   |
| data-0            | default   |
| redis-master-0    | default   |
| redis-slave-0     | default   |
| redis-slave-1     | default   |

Getting unused services it may take couple of minute..

Extra Services are 3 which are as below

| Services      | Namespace |
| app1-services | my-apps   |
| app2-services | my-apps   |
| app2-headless | my-apps   |

Getting unused Ingress it may take couple of minute..

Extra Ingress are 4 which are as below

| Ingress                  | Namespace |
| app1-ingress             | my-apps   |
| app2-ingress             | my-apps   |
| app2-ingress-api-gateway | my-apps   |
| router                   |default    |

Getting unused service account it may take couple of minute..

Extra Service Account are 6 which are as below
| Service Account | Namespace    |
| app1-svc        | my-apps      |
| cert-svc        | cert-manager |
| log-svc         | logging      |
| monitor-svc     | monitoring   |
| default         | my-registry  |
| default         | tools        |

Getting unused Roles Binding it may take couple of minute..

Extra Role Binding are 1 which are as below

| Role Binding |Namespace |
| app1-rb      |my-apps   |

Extra Deployment are 1 which are as below

| Deployment         |Namespace |
| busybox-deployment |default   |

Extra Stateful Sets are 1 which are as below

| Stateful Sets  |Namespace |
| nginx-sts-test |default   |

NOTE:- You can browse code and if like idea provides star for encouragement or provide feedback to me one below social networks.