openshift
diff --git a/‎applications/pruning-objects.adoc‎
Lines changed: 5 additions & 0 deletions b/‎applications/pruning-objects.adoc‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎modules/pruning-images-conditions.adoc‎
Lines changed: 63 additions & 0 deletions b/‎modules/pruning-images-conditions.adoc‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎modules/pruning-images-job-cronjob.adoc‎
Lines changed: 172 additions & 0 deletions b/‎modules/pruning-images-job-cronjob.adoc‎
Lines changed: 172 additions & 0 deletions
@@ -39,6 +39,11 @@ include::modules/pruning-images.adoc[leveloffset=+1]
 
 ifndef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 include::modules/pruning-images-manual.adoc[leveloffset=+1]
+//include::modules/pruning-images-job-cronjob.adoc[leveloffset=+2]
+include::modules/pruning-images-conditions.adoc[leveloffset=+2]
+include::modules/pruning-images-running-operation.adoc[leveloffset=+2]
+include::modules/pruning-images-secure-insecure.adoc[leveloffset=+2]
+include::modules/pruning-images-options.adoc[leveloffset=+2]
 include::modules/pruning-images-troubleshooting.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 
@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * applications/pruning-objects.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="pruning-images-conditions_{context}"]
+= Image prune conditions
+
+{product-title} supports two methodologies for pruning images:
+
+. Pruning by age and tag
+
+. Pruning by size limit
+
+These methodologies are mutually exclusive. You must choose whether to prune by age and tag, or by size limit. Regardless of the method that you choose, the image pruner checks to ensure that images in use are not removed.
+
+An image is only pruned if it meets the primary condition *and* is not actively referenced by a system component. 
+
+[id="pruning-images-age-tag_{context}"]
+== Pruning an image by age and tag
+
+Pruning an image by age and tag is the default pruning strategy. It identifies images for removal by using the `--keep-younger-than` and `--keep-tag-revisions` flags. To prune an image by age and tag, the image must be older than the `--keep-younger-than` threshold, not one of the most recent tag revisions, and cannot be in use by an active workload.
+
+For an image to be pruned by age and tag, *all* of the following conditions must be met:
+
+. The image is managed by {product-title} or has the `openshift.io/image.managed` annotation.
+
+. The image is older than the time specified by the `--keep-younger-than` flag. 
+
+. The image is not one of the most recent images for its tag, as specified by the `--keep-tag-revisions` flag. 
+
+. The image is *not* currently referenced by any of the following active or recent API objects:
++
+* Pods or image streams created more recently than the `--keep-younger-than` duration.
+* Running or pending pods
+* Deployments, replication controllers, replica sets, or stateful sets.
+* Builds, build configurations, jobs, or cronjobs. 
+
+An image is only removed if it is old, not a recent tag revision, and is confirmed to have no active references by system components. 
+
+[id="pruning-images-size-limit_{context}"]
+== Pruning an image by size limit
+
+Pruning an image by size limit uses the `--prune-over-size-limit` flag. This method is used to bring a project back under its defined image storage limit.
+
+[NOTE]
+====
+The `--prune-over-size-limit` flag cannot be combined with the `--keep-tag-revisions` flag nor the `--keep-younger-than` flags. Doing so returns information that this operation is not allowed.
+====
+
+For an image to be pruned using this method, all of the following conditions must be true:
+
+. The image is part of a project that is currently exceeding its smallest defined size limit.
+
+. The image is selected by the pruner as a candidate for deletion to reduce the total size. 
+
+. The image is not currently referenced by any of the following active API objects:
++
+* Pods that are in a `running` or `pending` state.
+* Deployments, replication controllers, replica sets, or stateful sets.
+* Builds, build configurations, jobs, or cronjobs.
+
+With this method, the primary trigger is the project's size, but the safety check to ensure that the image is not actively in use is still performed.
@@ -0,0 +1,172 @@
+// Module included in the following assemblies:
+//
+// * applications/pruning-objects.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="pruning-images-job-cronjob_{context}"]
+= Running image pruning as a Job or CronJob
+
+You can configure image pruning to run on a schedule by creating a `Job` or `CronJob` that invokes the pruning operation on the cluster.  
+This approach allows administrators to automate pruning at regular intervals without relying on the image pruning custom resource.
+
+
+.Prerequisites
+
+* To prune images, you must first log in to the CLI as a user with an access token. The user must also have the `system:image-pruner` cluster role or greater (for example, `cluster-admin`).
+* Expose the image registry.
+
+.Procedure
+
+To manually prune images that are no longer required by the system due to age, status, or exceed limits, use one of the following methods:
+
+* Run image pruning as a `Job` or `CronJob` on the cluster by creating a YAML file for the `pruner` service account, for example:
++
+[source,terminal]
+----
+$ oc create -f <filename>.yaml
+----
++
+.Example output
++
+[source,yaml]
+----
+kind: List
+apiVersion: v1
+items:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: pruner
+    namespace: openshift-image-registry
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: openshift-image-registry-pruner
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:image-pruner
+  subjects:
+  - kind: ServiceAccount
+    name: pruner
+    namespace: openshift-image-registry
+- apiVersion: batch/v1
+  kind: CronJob
+  metadata:
+    name: image-pruner
+    namespace: openshift-image-registry
+  spec:
+    schedule: "0 0 * * *"
+    concurrencyPolicy: Forbid
+    successfulJobsHistoryLimit: 1
+    failedJobsHistoryLimit: 3
+    jobTemplate:
+      spec:
+        template:
+          spec:
+            restartPolicy: OnFailure
+            containers:
+            - image: "quay.io/openshift/origin-cli:4.1"
+              resources:
+                requests:
+                  cpu: 1
+                  memory: 1Gi
+              terminationMessagePolicy: FallbackToLogsOnError
+              command:
+              - oc
+              args:
+              - adm
+              - prune
+              - images
+              - --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+              - --keep-tag-revisions=5
+              - --keep-younger-than=96h
+              - --confirm=true
+              name: image-pruner
+            serviceAccountName: pruner
+----
+
+* Run the `oc adm prune images [<options>]` command:
++
+[source,terminal]
+----
+$ oc adm prune images [<options>]
+----
++
+Pruning images removes data from the integrated registry unless `--prune-registry=false` is used.
++
+Pruning images with the `--namespace` flag does not remove images, only image streams. Images are non-namespaced resources. Therefore, limiting pruning to a particular namespace makes it impossible to calculate its current usage.
++
+By default, the integrated registry caches metadata of blobs to reduce the number of requests to storage, and to increase the request-processing speed. Pruning does not update the integrated registry cache. Images that still contain pruned layers after pruning will be broken because the pruned layers that have metadata in the cache will not be pushed. Therefore, you must redeploy the registry to clear the cache after pruning:
++
+[source,terminal]
+----
+$ oc rollout restart deployment/image-registry -n openshift-image-registry
+----
++
+If the integrated registry uses a Redis cache, you must clean the database manually.
++
+If redeploying the registry after pruning is not an option, then you must permanently disable the cache.
++
+`oc adm prune images` operations require a route for your registry. Registry routes are not created by default.
++
+The *Prune images CLI configuration options* table describes the options you can use with the `oc adm prune images <options>` command.
++
+.Prune images CLI configuration options
+[cols="4,8",options="header"]
+|===
+
+|Option |Description
+
+.^|`--all`
+|Include images that were not pushed to the registry, but have been mirrored by
+pullthrough. This is on by default. To limit the pruning to images that were
+pushed to the integrated registry, pass `--all=false`.
+
+.^|`--certificate-authority`
+|The path to a certificate authority file to use when communicating with the
+{product-title}-managed registries. Defaults to the certificate authority data
+from the current user's configuration file. If provided, a secure connection is
+initiated.
+
+.^|`--confirm`
+|Indicate that pruning should occur, instead of performing a test-run. This
+requires a valid route to the integrated container image registry. If this
+command is run outside of the cluster network, the route must be provided
+using `--registry-url`.
+
+.^|`--force-insecure`
+|Use caution with this option. Allow an insecure connection to the container
+registry that is hosted via HTTP or has an invalid HTTPS certificate.
+
+.^|`--keep-tag-revisions=<N>`
+|For each imagestream, keep up to at most `N` image revisions per tag (default
+`3`).
+
+.^|`--keep-younger-than=<duration>`
+|Do not prune any image that is younger than `<duration>` relative to the
+current time. Alternately, do not prune any image that is referenced by any other object that
+is younger than `<duration>` relative to the current time (default `60m`).
+
+.^|`--prune-over-size-limit`
+|Prune each image that exceeds the smallest limit defined in the same project.
+This flag cannot be combined with `--keep-tag-revisions` nor
+`--keep-younger-than`.
+
+.^|`--registry-url`
+|The address to use when contacting the registry. The command attempts to use a
+cluster-internal URL determined from managed images and image streams. In case
+it fails (the registry cannot be resolved or reached), an alternative route that
+works needs to be provided using this flag. The registry hostname can be
+prefixed by `https://` or `http://`, which enforces particular connection
+protocol.
+
+.^|`--prune-registry`
+|In conjunction with the conditions stipulated by the other options, this option
+controls whether the data in the registry corresponding to the {product-title}
+image API object is pruned. By default, image pruning processes both the image
+API objects and corresponding data in the registry.
+
+This option is useful when you are only concerned with removing etcd content, to reduce the number of image objects but are not concerned with cleaning up registry storage, or if you intend to do that separately by hard pruning the registry during an appropriate maintenance window for the registry.
+|===
+