Updated on 2025-09-10 GMT+08:00

Automatically Adding Image Retention Policies Using Cloud Custodian

This section applies only to SWR Enterprise Edition.

Many enterprises use cloud services from several cloud vendors. In such a hybrid cloud environment, the security mechanisms each vendor provides are not sufficient on their own; enterprises also need strict governance over their cloud infrastructure. SWR is an important container service whose security is critical, so it must be monitored to prevent access-control and permission weaknesses.

Cloud Custodian provides an open-source rule engine that can automatically check and govern cloud resources based on predefined security policies and compliance requirements. It can be used to control access to and govern resources in SWR. Cloud Custodian allows you to set rules to verify the environment based on the defined security and compliance standards. It helps follow security rules, manage tags, recycle unused resources, and control costs. It also provides an interface for you to easily implement consistent security policies and operational specifications in hybrid cloud environments.

Figure 1 Architecture of how Cloud Custodian is used to manage SWR resources

In this figure, there are the following cloud services:

  • CTS records operations on cloud resources in your account. You can use the logs to perform security analysis, track resource changes, audit compliance, and locate faults.
  • FunctionGraph hosts and computes event-driven functions in a serverless context while ensuring high availability, high scalability, and zero maintenance. All you need to do is write your code and set conditions.
  • SWR Enterprise Edition provides secure and dedicated hosting services. You can host cloud native artifacts that comply with the OCI standard, such as container images and Helm charts.

Procedure

  1. Install Python. This is the running environment Cloud Custodian depends on.

    You are advised to use Python 3.11 and develop the Python application in a virtual environment.

    To install another Python version, follow the official Python documentation. If you use a standard (non-Conda) Python 3.11 installation, run the commands below to create and activate a virtual environment.

    # Create a virtual environment.
    python -m venv custodian
    # Activate the virtual environment (Linux).
    source custodian/bin/activate
    # Activate the virtual environment (Windows).
    custodian\Scripts\activate.bat

    If you use Conda or Miniconda, you can also run the commands below to create and activate a virtual environment.

    # Create a virtual environment.
    conda create -n custodian python=3.11
    # Activate the virtual environment.
    conda activate custodian

  2. Install Cloud Custodian.

    1. Download Cloud Custodian.
      git clone https://github.com/huaweicloud/cloud-custodian.git
      cd cloud-custodian
    2. Install Python dependencies.
      pip install -e .
      pip install -e tools/c7n_huaweicloud/.

    For more details, see the Cloud Custodian official documentation.

  3. Check whether Cloud Custodian is installed.

    custodian schema huaweicloud.swr-ee

    If the following information is displayed, the installation is successful.

  4. Define a Cloud Custodian policy.

    policies:
      - name: swr-ee-event
        resource: huaweicloud.swr-ee-namespace
        mode:
          type: cloudtrace
          xrole: fgs_default_agency
          events:
            - source: 'SWR.namespace'
              event: 'createNamespace'
              ids: 'resource_name'
        actions:
          - type: set-lifecycle
            rules:
              - template: latestPushedK
                params:
                  latestPushedK: 50
                scope_selectors:
                  repository:
                    - kind: doublestar
                      pattern: '**'
                tag_selectors:
                  - kind: doublestar
                    decoration: matches
                    pattern: '**'

    When you create a namespace of SWR Enterprise Edition, the policy automatically sets a retention policy for the namespace to retain the latest 50 artifact tags.

    The following are two example policies for your reference:

    Policy 1: Retain images in image repositories that have been created for more than 90 days.

    policies:
      - name: swr-ee-repos
        resource: huaweicloud.swr-ee
        filters:
          - type: age
            days: 90
            op: gt

    Policy 2: Retain images whose artifact tags match release*.

    policies:
      - name: swr-ee-set-immutability-rules
        resource: huaweicloud.swr-ee-namespace
        actions:
          - type: set-immutability
            state: True
            scope_selectors:
              repository:
                - kind: doublestar
                  pattern: '**'
            tag_selectors:
              - kind: doublestar
                decoration: matches
                pattern: '{release*}'

    For more policy configurations, see the Cloud Custodian official documentation.
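    As an added illustration (not code from this page or from the Cloud Custodian project), the Python below simulates, on a constructed set of tags, what the two selector-driven actions above do: the latestPushedK retention rule from the event policy and the set-immutability rule of Policy 2. The doublestar matching (`**`, brace alternatives, shell-style globs) is an assumed approximation of SWR's matcher, and the artifact data is constructed; k is set to 3 rather than the page's 50 so the effect is visible.

```python
import fnmatch
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample artifacts (not real SWR data): two repositories, six tags.
BASE = datetime(2025, 9, 1)

@dataclass(frozen=True)
class Artifact:
    repo: str
    tag: str
    pushed: datetime

SAMPLE = [
    Artifact("team-a/app", "v1", BASE),
    Artifact("team-a/app", "v2", BASE + timedelta(days=1)),
    Artifact("team-a/app", "release-1.0", BASE + timedelta(days=2)),
    Artifact("team-a/app", "v3", BASE + timedelta(days=3)),
    Artifact("team-a/app", "nightly", BASE + timedelta(days=4)),
    Artifact("team-b/svc", "release-2.1", BASE + timedelta(days=5)),
]

def _alternatives(pattern):
    """'{release*,v*}' -> ['release*', 'v*']; anything else is one glob."""
    m = re.fullmatch(r"\{([^}]*)\}", pattern)
    return m.group(1).split(",") if m else [pattern]

def selector_matches(pattern, name):
    """Assumed doublestar semantics (approximation, not SWR's real matcher):
    '**' matches any name, braces list alternatives, the rest is a shell glob."""
    return any(fnmatch.fnmatchcase(name, p.replace("**", "*")) for p in _alternatives(pattern))

def latest_pushed_k(artifacts, k, repo_pattern="**", tag_pattern="**"):
    """Simulate the latestPushedK template: per matching repository keep the k most
    recently pushed matching tags; every other matching tag is a deletion candidate."""
    by_repo = {}
    for a in artifacts:
        if selector_matches(repo_pattern, a.repo) and selector_matches(tag_pattern, a.tag):
            by_repo.setdefault(a.repo, []).append(a)
    kept = set()
    for arts in by_repo.values():
        arts.sort(key=lambda a: a.pushed, reverse=True)
        kept.update((a.repo, a.tag) for a in arts[:k])
    return kept

def immutable_tags(artifacts, repo_pattern, tag_pattern):
    """Simulate set-immutability selectors: the (repo, tag) pairs that would be locked."""
    return {(a.repo, a.tag) for a in artifacts
            if selector_matches(repo_pattern, a.repo) and selector_matches(tag_pattern, a.tag)}
```

Running `latest_pushed_k(SAMPLE, 3)` keeps nightly, v3 and release-1.0 in team-a/app (v1 and v2 become deletion candidates), while `immutable_tags(SAMPLE, "**", "{release*}")` locks only the two release tags, which is why Policy 2 scopes immutability to a narrow tag pattern instead of `**`.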

  5. Run the custodian command to enable the policy.

    1. Before executing the policy, configure environment variables in the terminal. The commands below are used in Linux. In Windows, replace export with set.
      # Configure the AK/SK of the Huawei Cloud account.
      export HUAWEI_ACCESS_KEY_ID={your-ak}
      export HUAWEI_SECRET_ACCESS_KEY={your-sk}
      # Configure the default region where resources are located, for example, ap-southeast-1. You can obtain the region from the web page URL.
      export HUAWEI_DEFAULT_REGION={your-region}
    2. Enable the policy.
      custodian run --output-dir=<output_directory> <policy_name>.yaml