cleanup.kyverno.io/ttl.
How it works
- Add the
cleanup.kyverno.io/ttllabel to a resource’s metadata at creation time. - The Kyverno Cleanup Controller watches for that label, records the resource and its expiration, and deletes the resource when the TTL has passed.

cleanup.kyverno.io/ttl label on the resource itself is the instruction — the label triggers the Cleanup Controller to act.
TTL value formats
Kyverno supports two TTL value formats:

Choose a relative duration when you want the countdown to start at creation time. Use an ISO 8601 timestamp when you require deletion at a precise UTC moment.
- Label a Pod for deletion → the controller must have
deletepermission onpods. - Label a Deployment for deletion → the controller must have
deletepermission ondeployments.

Ensure the Kyverno Cleanup Controller’s ClusterRole (or aggregated role) includes the
delete verb for every resource type you want TTL-based cleanup to manage. Missing delete permission prevents Kyverno from removing labeled resources.- Controller runs at 1 minute — sees the Pod but not expired.
- TTL expires at 90 seconds — controller is not running at that exact moment.
- Next controller run (e.g., 2 minutes) — controller detects the expired Pod and deletes it.
1m).

--ttlReconciliationInterval flag (or corresponding configuration), for example:


- Use cleanup policies for administrator-defined, rule-driven housekeeping across the cluster.
- Use
cleanup.kyverno.io/ttlfor per-resource, explicit expiration when resources are known to be temporary at creation time.
- Kyverno Cleanup Controller (docs): https://kyverno.io/docs
- ISO 8601 / RFC 3339 timestamps: https://www.ietf.org/rfc/rfc3339.txt
- Kubernetes RBAC documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/