Azure Infrastructure Blog

Automating Container Image Cleanup in AKS with Eraser

SRRahul, Microsoft
Apr 30, 2025

🧭 Introduction

In Kubernetes environments, it’s standard practice for CI/CD pipelines to build and deploy container images. However, what’s often overlooked is the cleanup of these images once they’re no longer in use.

Over time, this can lead to an accumulation of:

  • Unused images
  • Outdated versions
  • Vulnerable containers

Kubernetes does offer native image garbage collection (run by the kubelet), but it triggers only on disk-usage thresholds and ignores the security posture of the images.

Eraser addresses this gap by intelligently scanning and cleaning up container images that meet specific criteria — like being unused, outdated, or vulnerable.

🏗️ Architecture

[Figure: AKS Image Cleaner architecture]

Eraser supports two operational modes for container image cleanup:

Manual Mode

You define a list of images to be removed via a custom resource called ImageList. Eraser then deploys cleanup pods that remove these specific images across all cluster nodes.

Perfect when you already know which images are unnecessary or risky.

Automated Mode

This runs on a scheduled timer and, by default, uses a vulnerability scanner (Trivy) to determine which images to remove.

Options:

  • Replace Trivy with another scanner
  • Disable scanning entirely (acts as traditional GC)

Eraser ensures:

  • Continuous hygiene
  • Automated image cleanup
  • Compliance with security standards

🧩 Eraser Components (Pod-Level Breakdown)

eraser-controller-manager

  • Listens for new cleanup requests (manual or automated)
  • Schedules cleanup pods dynamically across cluster nodes

eraser Worker Pods (per node)

Each pod contains 3 containers:

  1. Collector — Gathers data on all container images per node
  2. Trivy Scanner — Identifies known vulnerabilities in each image
  3. Remover — Deletes images that are both unused and vulnerable

🔧 Enabling Image Cleaner in AKS

1. Using Bicep Template

Enable Image Cleaner by setting it in the securityProfile section:

securityProfile: {
  imageCleaner: {
    enabled: true
    intervalHours: 168 // 7 days
  }
}

2. Using Azure CLI

To enable on a new AKS cluster:

az aks create \
  --name <your-cluster-name> \
  --resource-group <your-resource-group> \
  --enable-image-cleaner

To enable on an existing AKS cluster:

az aks update \
  --name <your-cluster-name> \
  --resource-group <your-resource-group> \
  --enable-image-cleaner
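Enabling the feature is a single command; the step a practitioner wants right after it is a check that the setting took effect and that the interval is the one intended. The POSIX shell script below is an added example, not code from this post or from the AKS or Eraser projects. It validates the interval, runs the az aks update command shown above (or only prints it when DRY_RUN=1), then reads back securityProfile.imageCleaner and confirms both enabled and intervalHours. The cluster and resource-group names are placeholders, the JSON shape returned by az aks show --query securityProfile.imageCleaner -o json is an assumption (the parser accepts pretty-printed or compact output and needs no jq), and kube-system as the namespace of the Eraser pods is also an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or from the AKS/Eraser
# projects. Enables Image Cleaner on an existing AKS cluster and verifies
# the result. Assumptions: <your-cluster-name>/<your-resource-group> are
# placeholders; `az aks show --query securityProfile.imageCleaner -o json`
# prints a small JSON object like SAMPLE_STATE below; Eraser's pods live in
# kube-system with names starting "eraser-".

CLUSTER="${CLUSTER:-<your-cluster-name>}"   # placeholder
RG="${RG:-<your-resource-group>}"           # placeholder
INTERVAL_HOURS="${INTERVAL_HOURS:-168}"     # 7 days, same as the Bicep intervalHours
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the command and use the sample state

# The interval must be a positive integer number of hours.
valid_interval() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ]
}

# Render the `az aks update` call from the post, with the interval flag added.
build_enable_cmd() {
  valid_interval "$3" || { echo "invalid interval (hours): $3" >&2; return 1; }
  printf 'az aks update --name %s --resource-group %s --enable-image-cleaner --image-cleaner-interval-hours %s\n' "$1" "$2" "$3"
}

# Pull "enabled" and "intervalHours" out of the imageCleaner JSON object
# without jq; tolerates pretty-printed or compact JSON.
parse_image_cleaner() {
  flat=$(printf '%s' "$1" | tr -d ' \n\t')
  enabled=$(printf '%s' "$flat" | sed -n 's/.*"enabled":\([a-z]*\).*/\1/p')
  hours=$(printf '%s' "$flat" | sed -n 's/.*"intervalHours":\([0-9]*\).*/\1/p')
  printf '%s %s\n' "${enabled:-unknown}" "${hours:-unknown}"
}

# Succeeds only if the cleaner is enabled with the interval we asked for.
image_cleaner_ok() {
  set -- $(parse_image_cleaner "$1") "$2"
  [ "$1" = "true" ] && [ "$2" = "$3" ]
}

# Constructed sample of the `az aks show ... --query securityProfile.imageCleaner -o json` output.
SAMPLE_STATE='{
  "enabled": true,
  "intervalHours": 168
}'

main() {
  cmd=$(build_enable_cmd "$CLUSTER" "$RG" "$INTERVAL_HOURS") || exit 1
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] $cmd"
    state="$SAMPLE_STATE"
  else
    az aks update --name "$CLUSTER" --resource-group "$RG" \
      --enable-image-cleaner --image-cleaner-interval-hours "$INTERVAL_HOURS" >/dev/null
    state=$(az aks show --name "$CLUSTER" --resource-group "$RG" \
      --query securityProfile.imageCleaner -o json)
  fi
  if image_cleaner_ok "$state" "$INTERVAL_HOURS"; then
    echo "Image Cleaner enabled, interval ${INTERVAL_HOURS}h"
    # Controller and per-node worker pods should show up in kube-system (assumed namespace).
    [ "$DRY_RUN" = "1" ] || kubectl get pods -n kube-system | grep '^eraser-'
  else
    echo "Image Cleaner state not as expected: $(parse_image_cleaner "$state")" >&2
    exit 1
  fi
}

main
```

Run it with DRY_RUN=0 and real CLUSTER and RG values to apply the change; the same verification step works for a cluster enabled through Bicep, since the Bicep intervalHours and the CLI --image-cleaner-interval-hours set the same property.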

🚀 How Automated Cleanup Works

Once deployed, eraser-controller-manager takes over with no manual input required:

  • Worker pods (eraser-aks-xxxxx) are created per node
  • Each worker runs the Collector, Scanner, and Remover lifecycle
  • Vulnerable and unused images are cleaned up

Scheduling:

  • Once cleanup is done, worker pods self-destruct
  • The next cleanup is triggered automatically after the configured interval (--image-cleaner-interval-hours in the CLI, intervalHours in Bicep)

Manual Mode Walkthrough

Objective

Demonstrate manual cleanup of an unused image (alpine:3.7.3) using Eraser.

Step 1: Deploy DaemonSet

cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: alpine
spec:
  selector:
    matchLabels:
      app: alpine
  template:
    metadata:
      labels:
        app: alpine
    spec:
      containers:
        - name: alpine
          image: docker.io/library/alpine:3.7.3
EOF

Step 2: Delete DaemonSet (Image remains on nodes)

kubectl delete daemonset alpine

Step 3: Create ImageList CRD

cat <<EOF | kubectl apply -f -
apiVersion: eraser.sh/v1
kind: ImageList
metadata:
  name: imagelist
spec:
  images:
    - docker.io/library/alpine:3.7.3
EOF

Eraser then cleans the unused alpine:3.7.3 image from all nodes.

Retrying Manual Cleanup

Manual cleanup is one-time and triggered only when:

  • A new ImageList is created
  • An existing ImageList is updated

💡 To re-remove the same image: create a new ImageList.
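Because a manual cleanup fires only for a new or updated ImageList, a repeatable script should generate a fresh object name on every run rather than re-applying the same imagelist. The script below is an added example covering Step 3 and the retry note; it is not code from this post or from the Eraser project. It checks that each entry is a fully qualified reference carrying a tag or a sha256 digest (this script's own rule for keeping the list unambiguous, not a requirement stated by the post), renders the ImageList manifest in the shape used in Step 3, and applies it with kubectl unless DRY_RUN=1. The image list, including the digest-pinned example.azurecr.io entry, is constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Eraser project.
# Builds an ImageList with a unique name per run (Eraser only acts on a new
# or updated ImageList), validates each reference, and applies it.
# Assumptions: entries must be fully qualified and carry a tag or a sha256
# digest (this script's own rule); DRY_RUN=1 prints instead of applying.

DRY_RUN="${DRY_RUN:-1}"

# Accept registry/repo:tag or registry/repo@sha256:<64 hex>; reject bare
# names ("alpine"), untagged references and malformed digests.
valid_image_ref() {
  case "$1" in
    ''|*' '*) return 1 ;;
    */*@sha256:*)
      hex="${1##*@sha256:}"
      [ "${#hex}" -eq 64 ] || return 1
      case "$hex" in *[!0-9a-f]*) return 1 ;; esac
      return 0 ;;
    */*:*)
      tag="${1##*:}"
      [ -n "$tag" ] ;;
    *) return 1 ;;
  esac
}

# Render the ImageList manifest (same shape as Step 3) to stdout.
render_imagelist() {
  name="$1"; shift
  printf 'apiVersion: eraser.sh/v1\nkind: ImageList\nmetadata:\n  name: %s\nspec:\n  images:\n' "$name"
  for ref in "$@"; do
    valid_image_ref "$ref" || { echo "rejecting image reference: $ref" >&2; return 1; }
    printf '    - %s\n' "$ref"
  done
}

# A timestamped name makes every submission a new object, so the same
# image can be removed again without editing an existing ImageList.
imagelist_name() {
  printf 'imagelist-%s\n' "$(date -u +%Y%m%d%H%M%S)"
}

# Constructed input: the walkthrough's image plus a digest-pinned placeholder.
IMAGES="docker.io/library/alpine:3.7.3 example.azurecr.io/app/web@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

main() {
  name=$(imagelist_name)
  manifest=$(render_imagelist "$name" $IMAGES) || exit 1
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$manifest"
  else
    printf '%s\n' "$manifest" | kubectl apply -f -
    kubectl get imagelist "$name" -o yaml   # confirm the object was created
  fi
}

main
```

Set IMAGES to the references you want removed and run with DRY_RUN=0 against the cluster; each run creates a new ImageList object, which is exactly the trigger Eraser needs to act again on an image it has already removed once.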

✅ Conclusion

Eraser bridges a critical gap in Kubernetes operations by offering automated and secure cleanup of container images. Whether you want to:

  • Maintain compliance
  • Enhance security posture
  • Keep nodes lean

…Eraser is a must-have utility for modern Kubernetes workloads.

👉 Start integrating it today and take the hassle out of image hygiene!

Updated Apr 30, 2025
Version 1.0