We’re excited to share our first-ever alpha feature:
sensuctl prune, which will help you easily (and safely!) remove resources you no longer need.
For some background, many of our Sensu Core and Enterprise users rely on configuration management tools like Ansible, Chef, and Puppet — or GitHub repos with CI — to drive their Sensu configurations. With Sensu Go, most of these configuration management tools require resources be explicitly deleted, making it hard to maintain your resource definitions. While that method certainly works, you’d end up with a lot more lines of code that would be a struggle to clean up afterwards. And, CI users don’t have the ability to treat their GitHub repo as a source of truth, because there’s no way of telling unless you manually tell the API (i.e., even if you remove a check definition from your repo, it will remain in your Sensu Go cluster unless you manually delete it using sensuctl); with pruning, this is no longer required! Now, with
sensuctl prune, resource deletion and maintenance is a built-in functionality of Sensu Go. You can synchronize your resources in your Sensu cluster and prune anything that’s no longer locally configured.
With great power comes great responsibility; the Sensu engineering team has worked to make
sensuctl prune a useful feature that’s also safe to use. As you might imagine, without the proper guardrails in place, it’d be easy to accidentally remove critical resources!
sensuctl prune is an alpha feature in 5.19.0; it’s still in active development, and may include breaking changes. To stay on the safe side, we recommend sticking to sensuctl for removing resources (as opposed to the API), and make sure to keep both your sensuctl and sensu-backend versions in sync.
We’d love to hear what you think! Drop us a note in Discourse with your feedback.
Sensuctl prune guardrails
sensuctl prune can only delete resources that have the label
sensu.io/managed_by: sensuctl, which Sensu automatically adds to all resources created by sensuctl. This means you can only use
sensuctl prune to delete resources that were created by sensuctl, which prevents you from accidentally scrapping your whole cluster. Further, you won’t be able to prune anything created in the web UI — we don’t expect users to keep resource definitions of resources created outside of
sensuctl create (otherwise, it would require users who created the resources in the web UI to have to export/back up new resources to avoid them getting pruned).
Pruning also follows the role-based access control (RBAC) permissions of the current user — so, you’ll only be able to to prune configs that you created. For example, in order to prune resources in the
dev namespace, the current user will need to have delete access to the
dev namespace if they want to send the prune command.
Sensuctl prune in action
Here’s a quick gif of creating and removing resources with
As you can see, I created all resources within the
./sensu-go-resources directory and the
check-test.yml resource using
sensuctl create. After verifying those resources are there using
sensuctl check list, I prune all resources not present in the
./sensu-go-resources directory by inputting
sensuctl prune checks -f ./sensu-go-resources. I input
check list again to verify, and it’s gone!
Check out our docs for a full list of flags and
sensuctl prune resource types.
Go forth and prune (plus, a webinar)
We hope this post gave you a good idea of what you can do with
sensuctl prune. When you’re ready to give it a try, go ahead and upgrade to the latest version of Sensu Go and send us your feedback in Discourse.
Want to see a live demo of
sensuctl prune (plus a ton of other features in Sensu Go)? Check out our webinar, in which CEO Caleb Hailey will demo pruning, API keys, secrets management, and more!