GoogleCloudPlatform / gcr-cleaner

Delete untagged image refs in Google Container Registry or Artifact Registry
Apache License 2.0

Feature Request: Integrate with GCP Cloud Asset Inventory ListAssets to filter images currently being used #106

Closed somethingnew2-0 closed 2 years ago

somethingnew2-0 commented 2 years ago

TL;DR

GCP Cloud Asset Inventory allows you to list all container image urls currently being used by Pods in GKE and potentially other services (Cloud Run and App Engine?) in a GCP organization or individual GCP project. Much like the ability to filter out images in gcr-cleaner by allowlisted tags, this integration would allow for the option of filtering out images currently being used in GKE, Cloud Run, etc.

Expected behavior

No response

Observed behavior

No response

Debug log output

No response

Additional information

Here’s a simple gcloud command to demonstrate listing all currently used container image urls for all GKE Pods in your organization. Take this data, put it in a simple hash set, and filter out the container images from gcr-cleaner that should be preserved.

gcloud beta asset list --organization=$ORGANIZATION_ID --asset-types='k8s.io/Pod' --content-type='resource' --format="value(resource.data.spec.containers.image)"

Useful Cloud Asset Inventory API links to get started

https://cloud.google.com/asset-inventory/docs/libraries#client-libraries-usage-go
https://pkg.go.dev/cloud.google.com/go/asset/apiv1#Client.ListAssets
https://cloud.google.com/asset-inventory/docs/supported-asset-types

sethvargo commented 2 years ago

Hi @somethingnew2-0

Thank you for opening an issue. This sounds like a really cool feature, but it's beyond the scope of what I'd like to support in gcr-cleaner. gcr-cleaner is intentionally scoped to only use the "Docker" APIs so that it works with other registries like DockerHub and Artifactory to support a broad set of customer use cases. Tightly coupling to CAIS would go against that vision.

I think it's a cool feature, but I would suggest that it should be a completely different tool. It's also worth noting that there's some careful edge cases around CAIS' consistency and delay, which could cause a container image to be marked as "unused" when it just hasn't appeared in the set yet.

somethingnew2-0 commented 2 years ago

In that case, I’ll probably fork and add this functionality myself eventually as this is useful for my purposes. Writing an entirely new tool for this single GCP CAIS option is probably significantly more effort. Ideally it’s opt-in and doesn’t require any additional GCP IAM permissions unless you enable the functionality explicitly.

I can kinda understand not wanting to include GCP API library dependencies in this tool and only using vanilla Docker APIs, even though it's in the GoogleCloudPlatform GitHub org and named gcr-cleaner 😉

Good call out on CAIS consistency issues though, I’d imagine that can be mostly avoided with the keep count and grace period options as a best effort.
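The filtering step sketched in the first post (put the image refs reported by Cloud Asset Inventory in a hash set and skip any candidate that appears in it) together with the consistency caveat raised above, as an added Go example that is not gcr-cleaner's code or the fork's. It works offline on a constructed sample of what the `gcloud beta asset list` command prints; the `;` separator between a Pod's container images, the registry hosts, project ids, tags and digests are all assumptions. The in-use set is keyed both by `repo@digest` and by `repo:tag`, because a Pod spec may reference an image either way and a tag cannot be mapped to a digest without a registry lookup; a grace window keeps recently uploaded manifests regardless, so an image that is already running but not yet visible in the inventory is not deleted.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample of what the gcloud command from the issue prints: one line
// per Pod, with the Pod's container images joined by ';' (gcloud's default
// separator for repeated fields in value() output; an assumption, not something
// stated in the issue). Hosts, project ids, tags and digests are made up.
var (
	sidecarDigest = "sha256:" + strings.Repeat("1", 64)
	workerDigest  = "sha256:" + strings.Repeat("2", 64)

	sampleAssetOutput = "gcr.io/example-proj/api:v1.2.0;gcr.io/example-proj/sidecar@" + sidecarDigest + "\n" +
		"us-docker.pkg.dev/example-proj/repo/worker@" + workerDigest + "\n" +
		"\n" + // blank line, e.g. a Pod that reported no image data
		"gcr.io/example-proj/api:v1.2.0\n" // same image referenced by a second Pod
)

// Candidate is what a registry-side cleaner knows about one manifest: its
// repository, its digest, the tags pointing at it and when it was uploaded.
type Candidate struct {
	Repo     string
	Digest   string
	Tags     []string
	Uploaded time.Time
}

// splitRef splits an image reference into its repository and either a digest
// or a tag. The tag separator is the last ':' after the last '/', so a registry
// port such as host:5000/repo is not mistaken for a tag.
func splitRef(ref string) (repo, digest, tag string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		return ref[:i], ref[i+1:], ""
	}
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		return ref[:colon], "", ref[colon+1:]
	}
	return ref, "", "latest" // Kubernetes treats an untagged reference as :latest
}

// InUseRefs parses the gcloud output into a set keyed by "repo@digest" or
// "repo:tag", so both digest-pinned and tag-referenced Pod images can match.
func InUseRefs(output string) map[string]bool {
	inUse := make(map[string]bool)
	for _, line := range strings.Split(output, "\n") {
		for _, ref := range strings.Split(line, ";") {
			ref = strings.TrimSpace(ref)
			if ref == "" {
				continue
			}
			repo, digest, tag := splitRef(ref)
			if digest != "" {
				inUse[repo+"@"+digest] = true
			} else {
				inUse[repo+":"+tag] = true
			}
		}
	}
	return inUse
}

// Partition splits candidates into those to keep and those still eligible for
// deletion. A candidate is kept if a running Pod references it by digest or by
// one of its tags, or if it was uploaded less than grace ago: a freshly pushed
// image may already be running before the asset inventory reflects it.
func Partition(cands []Candidate, inUse map[string]bool, now time.Time, grace time.Duration) (keep, deletable []Candidate) {
	for _, c := range cands {
		used := inUse[c.Repo+"@"+c.Digest] || now.Sub(c.Uploaded) < grace
		for _, t := range c.Tags {
			if inUse[c.Repo+":"+t] {
				used = true
			}
		}
		if used {
			keep = append(keep, c)
		} else {
			deletable = append(deletable, c)
		}
	}
	return keep, deletable
}

// sampleCandidates builds a constructed registry listing relative to now.
func sampleCandidates(now time.Time) []Candidate {
	old := now.Add(-30 * 24 * time.Hour)
	return []Candidate{
		{Repo: "gcr.io/example-proj/api", Digest: "sha256:" + strings.Repeat("a", 64), Tags: []string{"v1.2.0"}, Uploaded: old},
		{Repo: "gcr.io/example-proj/api", Digest: "sha256:" + strings.Repeat("b", 64), Uploaded: old},
		{Repo: "gcr.io/example-proj/sidecar", Digest: sidecarDigest, Uploaded: old},
		{Repo: "us-docker.pkg.dev/example-proj/repo/worker", Digest: "sha256:" + strings.Repeat("3", 64), Tags: []string{"old"}, Uploaded: old},
		{Repo: "us-docker.pkg.dev/example-proj/repo/worker", Digest: "sha256:" + strings.Repeat("4", 64), Uploaded: now.Add(-5 * time.Minute)},
	}
}

func main() {
	now := time.Now()
	keep, deletable := Partition(sampleCandidates(now), InUseRefs(sampleAssetOutput), now, time.Hour)
	for _, c := range keep {
		fmt.Println("keep   ", c.Repo+"@"+c.Digest)
	}
	for _, c := range deletable {
		fmt.Println("delete ", c.Repo+"@"+c.Digest)
	}
}
```

With the sample data, the tagged `api:v1.2.0` manifest and the digest-pinned sidecar are kept because Pods reference them, the untagged `worker` manifest pushed five minutes ago is kept by the grace window, and the two remaining manifests (an untagged `api` digest and `worker:old`) stay eligible for deletion.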

somethingnew2-0 commented 2 years ago

Added the functionality in our fork

https://github.com/GoogleCloudPlatform/gcr-cleaner/compare/main...discord:gcr-cleaner:main

sethvargo commented 2 years ago

Looks awesome!