A Kubernetes CronJob that automatically identifies and cleans up namespaces tied to deprovisioned Azure Entra ID (formerly Azure AD) users.
flowchart TD
A[Start] --> B{Mode}
B -->|Test| C[Use Mock Data]
B -->|Dry Run| D[Preview Actions]
B -->|Prod| E[Real Azure Auth]
C & D & E --> F[Check New Namespaces]
F --> G1{Valid Domain?}
G1 -->|Yes| G2{User Exists?}
G1 -->|No| H[Log & Ignore]
G2 -->|Missing| I[Label for Deletion]
G2 -->|Exists| J[No Action]
flowchart TD
K[Start] --> L[Check Labeled Namespaces]
L --> M{Grace Period Expired?}
M -->|Yes| N{User Still Missing?}
M -->|No| O[Keep Namespace]
N -->|Yes| P[Delete Namespace]
N -->|No| Q[Remove Label]
- ✅ Automated Lifecycle Management: Label-based namespace management
- 🔒 Security First: Azure Entra ID integration with domain allowlisting
- 🧪 Testing Friendly: Local testing mode with mock data
- ☁️ Safe Operations: Dry-run capability for pre-deployment validation
# Clone & Setup
git clone https://github.com/StatCan/namespace-cleaner.git
cd namespace-cleaner
# Build the Docker image (required for all other operations)
make image
# Run unit tests
make test-unit
# Perform a dry-run on a real cluster
make dry-run
# Deploy to production
make runOur GitHub Actions workflow provides:
- ✅ Automatic test coverage tracking
- 🔒 Security scanning with Trivy
- 📦 Docker image builds on push
- 📈 Live coverage badge updates
# configmap.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
name: namespace-cleaner-config
namespace: das
data:
ALLOWED_DOMAINS: "statcan.gc.ca,cloud.statcan.ca"
GRACE_PERIOD: "90d" # Format: <number><unit> (h=hours, d=days)# View logs
kubectl logs -l job-name=namespace-cleaner
# Check cronjob status
kubectl get cronjob namespace-cleaner -o wide
# Full system reset
make stop && make clean && make run- Fork the repository
- Create feature branch (
git checkout -b feature/your-feature) - Commit changes with tests (
make test) - Push to branch (
git push origin feature/your-feature) - Open PR with coverage badge verification