README ¶
GCR Cleaner
GCR Cleaner deletes untagged images in Google Cloud Container Registry or Google Cloud Artifact Registry. This can help reduce costs and keep your container images list in order.
GCR Cleaner is designed to be deployed as a Cloud Run service and invoked periodically via Cloud Scheduler.
+-------------------+ +-------------+ +-------+
| Cloud Scheduler | -> | Cloud Run | -> | GCR |
+-------------------+ +-------------+ +-------+
This is not an official Google product.
Setup
-
Install the Cloud SDK for your operating system. Alternatively, you can run these commands from Cloud Shell, which has the SDK and other popular tools pre-installed.
-
Export your project ID as an environment variable. The rest of this setup assumes this environment variable is set.
export PROJECT_ID="my-project"
Note this is your project ID, not the project number or name.
-
Enable the Google APIs - this only needs to be done once per project:
gcloud services enable --project "${PROJECT_ID}" \ appengine.googleapis.com \ cloudscheduler.googleapis.com \ run.googleapis.com
This operation can take a few minutes, especially for recently-created projects.
-
Create a service account which will be assigned to the Cloud Run service:
gcloud iam service-accounts create "gcr-cleaner" \ --project "${PROJECT_ID}" \ --display-name "gcr-cleaner"
-
Deploy the
gcr-cleaner
container on Cloud Run running as the service account just created:gcloud --quiet run deploy "gcr-cleaner" \ --async \ --project ${PROJECT_ID} \ --platform "managed" \ --service-account "gcr-cleaner@${PROJECT_ID}.iam.gserviceaccount.com" \ --image "us-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner" \ --region "us-central1" \ --timeout "60s"
-
Grant the service account access to delete references in Google Container Registry (which stores container image laters in a Cloud Storage bucket):
gsutil acl ch -u gcr-cleaner@${PROJECT_ID}.iam.gserviceaccount.com:W gs://artifacts.${PROJECT_ID}.appspot.com
To cleanup refs in other GCP projects, replace
PROJECT_ID
with the target project ID. For example, if the Cloud Run service was running in "project-a" and you wanted to grant it permission to cleanup refs in "gcr.io/project-b/image", you would need to grant the Cloud Run service account in project-a permission onartifacts.projects-b.appspot.com
.To clean up Container Registry images hosted in specific regions, update the bucket name to include the region:
gs://eu.artifacts.${PROJECT_ID}.appspot.com
If you plan on using the
recursive
functionality, you must also grant the service account "Browser" permissions:gcloud projects add-iam-policy-binding "${PROJECT_ID}" \ --member "gcr-cleaner@${PROJECT_ID}.iam.gserviceaccount.com" \ --role "roles/browser"
-
Create a service account with permission to invoke the Cloud Run service:
gcloud iam service-accounts create "gcr-cleaner-invoker" \ --project "${PROJECT_ID}" \ --display-name "gcr-cleaner-invoker"
gcloud run services add-iam-policy-binding "gcr-cleaner" \ --project "${PROJECT_ID}" \ --platform "managed" \ --region "us-central1" \ --member "serviceAccount:gcr-cleaner-invoker@${PROJECT_ID}.iam.gserviceaccount.com" \ --role "roles/run.invoker"
-
Create a Cloud Scheduler HTTP job to invoke the function every week:
gcloud app create \ --project "${PROJECT_ID}" \ --region "us-central" \ --quiet
# Replace this with the full name of the repository for which you # want to cleanup old references, for example: export REPO="gcr.io/${PROJECT_ID}/my-image" export REPO="us-docker-pkg.dev/${PROJECT_ID}/my-repo/my-image"
# Capture the URL of the Cloud Run service: export SERVICE_URL=$(gcloud run services describe gcr-cleaner --project "${PROJECT_ID}" --platform "managed" --region "us-central1" --format 'value(status.url)')
gcloud scheduler jobs create http "gcrclean-myimage" \ --project ${PROJECT_ID} \ --description "Cleanup ${REPO}" \ --uri "${SERVICE_URL}/http" \ --message-body "{\"repos\":[\"${REPO}\"]}" \ --oidc-service-account-email "gcr-cleaner-invoker@${PROJECT_ID}.iam.gserviceaccount.com" \ --schedule "0 8 * * 2" \ --time-zone="US/Eastern"
You can create specify multiple repositories in the list to clean more than one repository.
-
(Optional) Run the scheduled job now:
gcloud scheduler jobs run "gcrclean-myimage" \ --project "${PROJECT_ID}"
Note: for initial job deployments, you must wait a few minutes before invoking.
Payload & Parameters
The payload is expected to be JSON with the following fields:
-
repos
- List of the full names of the repositories to clean (e.g.["gcr.io/project/repo"]
. This field is required. -
grace
- Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted). -
allow_tagged
- If set to true, will check all images including tagged. If unspecified, the default will only delete untagged images. -
keep
- If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside thegrace
duration. -
tag_filter
- Used for tags regexp definition to define pattern to clean, requiresallow_tagged
must be true. For example: use-tag-filter "^dev.+$"
to limit cleaning only on the tags with beginning with isdev
. The default is no filtering. The regular expression is parsed according to the Go regexp package syntax. -
dry_run
- If set to true, will not delete anything and outputs what would have been deleted. -
recursive
- If set to true, will recursively search all child repositories.NOTE! On Container Registry, you must grant additional permissions to the service account in order to query the registry. The most minimal permissions are
roles/browser
.WARNING! If you have access to many Container Registry repos, this will be very slow! This is because the Docker v2 API does not support server-side filtering, meaning GCR Cleaner must download a manifest of all repositories to which you have access and then do client-side filtering.
Running locally
In addition to the server, you can also run GCR Cleaner locally for one-off tasks using cmd/gcr-cleaner-cli
:
docker run -it us-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner-cli
I just want the container!
You can build the container yourself using the included Dockerfile. Alternatively, you can source a pre-built container from Artifact Registry or Container Registry. All of the following URLs provide an equivalent image:
gcr.io/gcr-cleaner/gcr-cleaner
asia-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner
europe-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner
us-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner
What about using Terraform!
📦 You can deploy the stack using the community-supported Terraform module gcr-cleaner:
FAQ
Does it work with Cloud Pub/Sub?
Yes! Just change the endpoint from /http
to /pubsub
!
What was your inspiration?
GCR Cleaner is largely inspired by ahmetb's
gcrgc.sh, but it is written in Go and is designed to be run as a
service.
License
This library is licensed under Apache 2.0. Full license text is available in LICENSE.
Directories ¶
Path | Synopsis |
---|---|
cmd
|
|
gcr-cleaner-cli
Package main defines the CLI interface for GCR Cleaner.
|
Package main defines the CLI interface for GCR Cleaner. |
gcr-cleaner-server
Package main defines the server interface for GCR Cleaner.
|
Package main defines the server interface for GCR Cleaner. |
pkg
|
|
gcrcleaner
Package gcrcleaner cleans up stale images from a container registry.
|
Package gcrcleaner cleans up stale images from a container registry. |