Artifact Lifecycle Policies

Artifact Lifecycle Policies are instruction sets which perform lifecycle events on certain types of artifacts.

Each policy can perform an action on a given artifact_type based on configured policy_conditions (rules/selectors).

As an example, a system administrator may create an Artifact Lifecycle Policy that will automatically delete any image that has an analysis date older than 180 days.

WARNING ⚠️

  • ⚠️ These policies have the ability to delete data without archive/backup. Proceed with caution!
  • ⚠️ These policies are GLOBAL: they will impact every account on the system.
  • ⚠️ These policies can only be created and managed by a system administrator.

Policy Components

Artifact Lifecycle Policies are global policies that execute on a schedule defined by a cycle_timer within the catalog service; services.catalog.cycle_timers.artifact_lifecycle_policy_tasks defaults to every 12 hours.

The policy is constructed with the following parameters:

  • Artifact Types - The type of artifacts the policy will consider. The current supported type is image.

  • Inclusion Rules - The set of criteria which will be used to determine the set of artifacts to work on.
    All criteria must be satisfied for the policy to enact on an artifact.

    • days_since_analyzed
      • Selects artifacts whose analyzed_at date is at least n days old.
      • If this value is set to less than zero, this rule is disabled.
      • An artifact that has not been analyzed, either because it failed analysis or the analysis is pending, will not be included.
    • even_if_exists_in_runtime_inventory
      • When true, an artifact will be included even if it exists in the Runtime Inventory.
      • When false, an artifact will not be included if it exists in the Runtime Inventory. This effectively protects artifacts found in your Runtime Inventory. Please review the Inventory Time-To-Live for information on how to prune the Runtime Inventory.
    • include_base_images
      • When true, images that have ancestral children will be included.
      • When false, images that have ancestral children will not be included.
      • Note: These are evaluated per run. As children are deleted, a previously excluded parent image may also become eligible for deletion.
  • Policy Actions - After the policy determines a set of artifacts that satisfy the Inclusion Rules, this is the action which will be performed on them. The current supported action is delete. Actioned artifacts will have a matching system Event created for audit and notification purposes.

Policy Interaction

If more than one policy is enabled, each policy will work independently, using its set of rules to determine if any artifacts satisfy its criteria. Each policy will apply its action on the set of artifacts.
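The inclusion rules above and the independent-policy behaviour just described can be made concrete with a small simulation. The following Python is an added illustration written for this page, not Anchore's implementation: the dataclasses, the digests and the policy names are all constructed, and it assumes that enabled policies run one after another against the current inventory within a single scheduler tick and that the clock is fixed across ticks. It shows that all rules are ANDed, that unanalyzed images and images in the Runtime Inventory are skipped, and that a base image which was excluded on one run becomes eligible on the next run once its children are gone.

```python
"""Simulation of Artifact Lifecycle Policy selection (illustration, not Anchore code).

Rules modelled from the text:
  - days_since_analyzed:  analyzed_at at least n days old; < 0 disables the rule;
                          never-analyzed images (failed/pending) are not included.
  - even_if_exists_in_runtime_inventory: when false, runtime images are protected.
  - include_base_images:  when false, images that still have children are skipped,
                          re-evaluated on every run.
All rules must hold for an image to be actioned, and each policy works independently.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Image:
    digest: str
    analyzed_at: Optional[datetime]      # None: analysis failed or still pending
    parent: Optional[str] = None         # digest of the base image, if known
    in_runtime_inventory: bool = False


@dataclass
class PolicyConditions:
    artifact_type: str = "image"
    days_since_analyzed: int = -1        # < 0 disables the rule
    even_if_exists_in_runtime_inventory: bool = False
    include_base_images: bool = False


@dataclass
class Policy:
    name: str
    conditions: PolicyConditions
    action: str = "delete"
    enabled: bool = False                # policies must be enabled explicitly


def select_artifacts(images, cond, now):
    """Return the digests that satisfy every inclusion rule (AND semantics), sorted."""
    present = {img.digest: img for img in images}
    # A base image is one that still has at least one child in the inventory.
    base_digests = {img.parent for img in present.values() if img.parent in present}
    selected = []
    for img in present.values():
        if cond.days_since_analyzed >= 0:
            if img.analyzed_at is None:
                continue                 # failed or pending analysis: not included
            if now - img.analyzed_at < timedelta(days=cond.days_since_analyzed):
                continue                 # not old enough yet
        if img.in_runtime_inventory and not cond.even_if_exists_in_runtime_inventory:
            continue                     # protected by the Runtime Inventory
        if img.digest in base_digests and not cond.include_base_images:
            continue                     # still has children; re-checked next run
        selected.append(img.digest)
    return sorted(selected)


def run_cycle(images, policies, now):
    """One scheduler tick. Assumption: enabled policies run sequentially against the
    current inventory, each selecting and deleting independently.
    Returns (remaining_images, audit_events)."""
    remaining = list(images)
    events = []
    for policy in policies:
        if not policy.enabled or policy.action != "delete":
            continue
        victims = select_artifacts(remaining, policy.conditions, now)
        for digest in victims:           # one system event per actioned artifact
            events.append({"policy": policy.name, "action": "delete", "digest": digest})
        remaining = [img for img in remaining if img.digest not in set(victims)]
    return remaining, events


# Constructed sample data: fixed clock, fake digests, two enabled policies.
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_IMAGES = [
    Image("sha256:base0000", days_ago(200)),                               # parent of two
    Image("sha256:child001", days_ago(200), parent="sha256:base0000"),
    Image("sha256:child002", days_ago(190), parent="sha256:base0000"),
    Image("sha256:running1", days_ago(400), in_runtime_inventory=True),   # protected
    Image("sha256:pending1", None),                                        # never analyzed
]

SAMPLE_POLICIES = [
    Policy("stale-180d", PolicyConditions(days_since_analyzed=180), enabled=True),
    Policy("stale-365d-even-if-running",
           PolicyConditions(days_since_analyzed=365, even_if_exists_in_runtime_inventory=True),
           enabled=True),
]


def simulate(images=SAMPLE_IMAGES, policies=SAMPLE_POLICIES, cycles=2):
    """Return the list of audit events emitted by each of `cycles` scheduler runs."""
    history = []
    for _ in range(cycles):
        images, events = run_cycle(images, policies, NOW)
        history.append(events)
    return history


if __name__ == "__main__":
    for i, events in enumerate(simulate(), 1):
        print(f"run {i}:", events)
```

On the first run the 180-day policy deletes both children but skips the base image (it still has children), the runtime image (protected) and the pending image (never analyzed); the 365-day policy, which ignores the runtime protection, then deletes the 400-day-old running image. On the second run the base image no longer has children and is deleted by the 180-day policy; a third run finds nothing to do.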

Creating a new Artifact Lifecycle Policy

Due to the potentially destructive nature of these policies, every parameter must be explicitly declared when creating a new policy. This means all policy rules must be explicitly configured or explicitly disabled.

# anchorectl system artifact-lifecycle-policy add --action=delete --artifact-type=image --name="example policy" --description=example --enabled=false --days-since-analyzed=30 --even-if-exists-in-runtime=true
 ✔ Added artifact-lifecycle-policy
Name: example lifecycle policy
Policy Conditions:
  - artifactType: image
    daysSinceAnalyzed: 30
    evenIfExistsInRuntimeInventory: true
    includeBaseImages: false
    version: 1
Uuid: 73226831-9140-4d27-a922-4a61e43dbb0d
Action: delete
Deleted At:
Enabled: false
Updated At: 2023-11-22T13:38:49Z
Created At: 2023-11-22T13:38:49Z
Description: example

Updating an existing Artifact Lifecycle Policy

# anchorectl system artifact-lifecycle-policy update 5620b641-a25f-4b1f-966c-929281a41e16 --action=delete --name=example --artifact-type=image --days-since-analyzed=60 --even-if-exists-in-runtime=false
 ✔ Update artifact-lifecycle-policy
Name: example
Policy Conditions:
  - artifactType: image
    daysSinceAnalyzed: 60
    evenIfExistsInRuntimeInventory: false
    includeBaseImages: false
    version: 2
Uuid: 5620b641-a25f-4b1f-966c-929281a41e16
Action: delete
Deleted At:
Enabled: false
Updated At: 2023-11-22T13:58:04Z
Created At: 2023-11-22T13:02:24Z
Description: test description

Enabling the Artifact Lifecycle Policy

# anchorectl system artifact-lifecycle-policy update 5620b641-a25f-4b1f-966c-929281a41e16 --action=delete --name=example --artifact-type=image --days-since-analyzed=60 --even-if-exists-in-runtime=false --enable=true
 ✔ Update artifact-lifecycle-policy
Name: example
Policy Conditions:
  - artifactType: image
    daysSinceAnalyzed: 60
    evenIfExistsInRuntimeInventory: false
    includeBaseImages: false
    version: 2
Uuid: 5620b641-a25f-4b1f-966c-929281a41e16
Action: delete
Deleted At:
Enabled: true
Updated At: 2023-11-22T13:58:04Z
Created At: 2023-11-22T13:02:24Z
Description: test description

List Artifact Lifecycle Policies

anchorectl system artifact-lifecycle-policy list
 ✔ Fetched artifact-lifecycle-policies
Items:
  - action: delete
    createdAt: "2023-11-22T13:02:24Z"
    description: example description
    enabled: true
    name: "example policy"
    policyConditions:
      - artifactType: image
        daysSinceAnalyzed: 1
        evenIfExistsInRuntimeInventory: true
        includeBaseImages: false
        version: 2
    updatedAt: "2023-11-22T13:02:24Z"
    uuid: 5620b641-a25f-4b1f-966c-929281a41e16

Get specific Artifact Lifecycle Policy

Note: it is possible to request “deleted” policies through this API for audit reasons. The deleted_at field will be null, and enabled will be true if the policy is active.

anchorectl system artifact-lifecycle-policy get 5620b641-a25f-4b1f-966c-929281a41e16
 ✔ Fetched artifact-lifecycle-policy
Name: 2023-11-22T13:02:24.621Z
Policy Conditions:
  - artifactType: image
    daysSinceAnalyzed: 1
    evenIfExistsInRuntimeInventory: true
    includeBaseImages: false
    version: 1
Uuid: 5620b641-a25f-4b1f-966c-929281a41e16
Action: delete
Deleted At:
Enabled: true
Updated At: 2023-11-22T13:02:24Z
Created At: 2023-11-22T13:02:24Z
Description: test description

Delete a policy

Note: for audit purposes the policy will remain in the system. It will be disabled and marked deleted, which effectively hides it unless it is explicitly requested by its UUID through the API.

# anchorectl system artifact-lifecycle-policy delete 73226831-9140-4d27-a922-4a61e43dbb0d
 ✔ Deleted artifact-lifecycle-policy
No results
Last modified June 3, 2024