GoogleCloudPlatform / gcr-cleaner

Delete untagged image refs in Google Container Registry or Artifact Registry
Apache License 2.0

GCR Cleaner

[!CAUTION]

The functionality provided by this tool is now built directly into Artifact Registry! We are no longer accepting bug reports or feature requests.

GCR Cleaner deletes old container images in Docker Hub, Container Registry, Artifact Registry, or any Docker v2 registries. This can help reduce storage costs, especially in CI/CD environments where images are created and pushed frequently.

There are multiple deployment options for GCR Cleaner. Click on your preferred deployment option for a detailed guide:

For one-off tasks, you can also run GCR Cleaner locally:

docker run -it us-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner-cli

If you want gcr-cleaner to inherit the authentication from your local gcloud installation, you must mount the gcloud directory into the container:

docker run -v "${HOME}/.config/gcloud:/.config/gcloud" -it us-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner-cli

This is not an official Google product.

Container images

Pre-built container images are available at the following locations. We do not offer versioned container images.

asia-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner
europe-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner
us-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner

Server Payload & parameters

⚠️ This section is for the server payload. If you are using the CLI tool, run gcr-cleaner -h to see the list of flags and their descriptions.

The payload is expected to be JSON with the following fields:

Permissions

This section lists the minimum required permissions depending on the target cleanup system.

Artifact Registry

The service account running GCR Cleaner must have roles/artifactregistry.repoAdmin or greater on the Artifact Registry repositories. Here is an example of granting that role via gcloud:

gcloud artifacts repositories add-iam-policy-binding "my-repo" \
  --project "my-project" \
  --location "us" \
  --member "serviceAccount:gcr-cleaner@my-project.iam.gserviceaccount.com" \
  --role "roles/artifactregistry.repoAdmin"

Container Registry

Container Registry stores images in Google Cloud Storage, so the service account running GCR Cleaner must have read and write permissions on the underlying Cloud Storage bucket. Here is an example for setting that permission via gsutil:

gsutil acl ch -u gcr-cleaner@my-project.iam.gserviceaccount.com:W gs://artifacts.my-project.appspot.com

To clean up Container Registry images hosted in specific regions, update the bucket name to include the region:

gs://eu.artifacts.my-project.appspot.com

If you plan on using the recursive functionality, you must also grant the service account "Browser" permissions:

gcloud projects add-iam-policy-binding "my-project" \
  --member "serviceAccount:gcr-cleaner@my-project.iam.gserviceaccount.com" \
  --role "roles/browser"
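As an added check for the permissions above (example code written for this README, not part of gcr-cleaner), the following audits an IAM policy for the cleaner's service account: it assumes you saved the policy with `gcloud artifacts repositories get-iam-policy ... --format=json` (or `gcloud projects get-iam-policy ... --format=json` when checking the project-level "Browser" role needed for recursive mode), and the sample policy, service account name and "broader" role list are constructed for illustration.

```python
# Added example (not gcr-cleaner code): audit the roles the cleaner service account
# holds in a policy fetched with `gcloud ... get-iam-policy --format=json`.
import json

CLEANER_SA = "serviceAccount:gcr-cleaner@my-project.iam.gserviceaccount.com"

# Constructed sample in the shape gcloud prints: a "bindings" list of
# {"role": ..., "members": [...]} plus an "etag". Not real output.
SAMPLE_REPO_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/artifactregistry.repoAdmin", "members": [CLEANER_SA]},
        {"role": "roles/artifactregistry.reader",
         "members": ["group:devs@example.com", CLEANER_SA]},
        # A conditional binding only applies while its expression is true, so the
        # audit below does not count it as a guaranteed grant.
        {"role": "roles/artifactregistry.admin", "members": [CLEANER_SA],
         "condition": {"title": "temp",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
    "etag": "BwXabc123=",
})


def unconditional_roles(policy_json, member):
    """Roles the member holds directly in this policy through unconditional bindings."""
    policy = json.loads(policy_json)
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def audit_cleaner_roles(policy_json, member, required, broader=frozenset()):
    """required: the minimum roles this README lists (repoAdmin on the repository,
    or roles/browser on the project for recursive mode).
    broader: roles that satisfy the "or greater" wording but grant more than the
    cleaner needs; they are reported so the grant can be tightened (hypothetical list)."""
    roles = unconditional_roles(policy_json, member)
    return {
        "ok": all(r in roles for r in required),
        "missing": sorted(r for r in required if r not in roles),
        "broader": sorted(roles & set(broader)),
    }
```

A repository-level policy does not show roles inherited from the project, folder or organization, so check the project policy separately before concluding the account is scoped to the minimum.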

Debugging

By default, GCR Cleaner only emits user-level logging at the "info" level. More logs are available at the "debug" level. To configure the log level, set the GCRCLEANER_LOG environment variable to the desired log value:

export GCRCLEANER_LOG=debug

In debug mode, GCR Cleaner will print a lot of information, including its entire decision process for candidate deletion. If you open an issue, please include these debug logs as they are very helpful in finding and fixing any bugs.

Concurrency

By default, GCR Cleaner will attempt to perform operations in parallel. You can customize the concurrency with -concurrency on the CLI or by setting the environment variable GCRCLEANER_CONCURRENCY on the server. It defaults to 20.