- The admission controller intercepts
kubectl apply(and other admission) requests and runs yourvalidate,mutate, andverifyImagesrules. - The background controller handles
generaterules andmutate existingpolicies that must act on already-existing resources. - Today we add a third component: the cleanup controller.

match and conditions, is there anything that needs to be deleted right now?

scheduleis required and uses standard cron syntax. It controls when the cleanup controller evaluates a policy.- Cleanup policies are not admission-time evaluations. They cannot reference user-specific admission data (for example, roles, clusterroles, or subjects) because that information is only available during admission.
- Policies run in the background and delete resources that match the
matchclause and satisfyconditions.
canremove: "true" when their replica count is less than 2. The policy runs every five minutes.
The
target variable in condition expressions refers to the matched resource (for example, the Deployment being evaluated). In docs and examples, wrap the expression in backticks: {{ target.spec.replicas }}.

rbac.kyverno.io/aggregate-to-cleanup-controller: "true". The API server will merge its rules into the cleanup controller’s role.
Example ClusterRole that allows the cleanup controller to manage Deployments:
If the cleanup controller lacks aggregated RBAC permissions for the targeted resource kinds, Kyverno will reject creation of the cleanup policy with an error. Ensure the cleanup controller has
get, list, watch, and delete (or other necessary verbs) for each targeted kind.- The cleanup controller is a new Kyverno component that processes cleanup policies on a schedule and deletes matched resources.
- Cleanup policies (ClusterCleanupPolicy and CleanupPolicy) are declarative resources built for deletion workflows.
scheduleis required and uses cron syntax to control when the cleanup logic runs.- You must explicitly grant the cleanup controller RBAC permissions for the resource kinds it will delete — typically via ClusterRole aggregation.
- Kyverno documentation: https://kyverno.io/docs/
- Kubernetes RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
