titan-iac/services/maintenance/image-sweeper-cronjob.yaml

# services/maintenance/image-sweeper-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: image-sweeper
  namespace: maintenance
spec:
  schedule: "30 4 * * 0"
  suspend: true
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 2
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: node-image-sweeper
          restartPolicy: OnFailure
          nodeSelector:
            kubernetes.io/os: linux
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          tolerations:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
              effect: NoSchedule
            - key: node-role.kubernetes.io/master
              operator: Exists
              effect: NoSchedule
          containers:
            - name: image-sweeper
              image: python:3.12.9-alpine3.20
              command: ["/bin/sh", "/scripts/node_image_sweeper.sh"]
              env:
                - name: ONE_SHOT
                  value: "true"
              securityContext:
                privileged: true
                runAsUser: 0
              volumeMounts:
                - name: host-root
                  mountPath: /host
                - name: script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: host-root
              hostPath:
                path: /
            - name: script
              configMap:
                name: node-image-sweeper-script
                defaultMode: 0555