Keep your configs in good order with sensuctl prune 🌿

We’re excited to share our first-ever alpha feature: sensuctl prune, which will help you easily (and safely!) remove resources you no longer need.

For some background, many of our Sensu Core and Enterprise users rely on configuration management tools like Ansible, Chef, and Puppet — or GitHub repos with CI — to drive their Sensu configurations. With Sensu Go, most of these configuration management tools require that resources be explicitly deleted, which makes it hard to maintain your resource definitions. While that method certainly works, you end up with a lot more lines of code that are a struggle to clean up afterwards. CI users also can’t treat their GitHub repo as a source of truth, because removing a definition from the repo doesn’t remove it from the cluster (i.e., even if you remove a check definition from your repo, it will remain in your Sensu Go cluster unless you manually delete it using sensuctl). With pruning, this is no longer required! Now, with sensuctl prune, resource deletion and maintenance are built into Sensu Go. You can synchronize the resources in your Sensu cluster and prune anything that’s no longer locally configured.

With great power comes great responsibility; the Sensu engineering team has worked to make sensuctl prune a useful feature that’s also safe to use. As you might imagine, without the proper guardrails in place, it’d be easy to accidentally remove critical resources!

Please note: sensuctl prune is an alpha feature in 5.19.0; it’s still in active development, and may include breaking changes. To stay on the safe side, we recommend sticking to sensuctl for removing resources (as opposed to the API), and keeping both your sensuctl and sensu-backend versions in sync.

We’d love to hear what you think! Drop us a note in Discourse with your feedback.

Sensuctl prune guardrails

sensuctl prune can only delete resources that have the label sensu.io/managed_by: sensuctl, which Sensu automatically adds to all resources created by sensuctl. This means you can only use sensuctl prune to delete resources that were created by sensuctl, which prevents you from accidentally scrapping your whole cluster. Further, you won’t be able to prune anything created in the web UI — we don’t expect users to keep local definitions of resources created outside of sensuctl create (otherwise, anyone who created resources in the web UI would have to export or back them up to keep them from being pruned).

Pruning also follows the role-based access control (RBAC) permissions of the current user — so, you’ll only be able to prune configs that you created. For example, to prune resources in the dev namespace, the current user needs delete access to the dev namespace.
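
The two guardrails above can be modelled as a dry-run preview that shows which cluster resources a prune would select and which are protected. This is an added example, not code from Sensu or from the original post. The function names, the sample check names, and the representation of RBAC as a set of namespaces the user may delete in are assumptions made for illustration.

```python
MANAGED_LABEL = "sensu.io/managed_by"  # label named in the post


def res(name, namespace, managed):
    """Build a constructed check resource in Sensu's wrapped-json shape."""
    labels = {MANAGED_LABEL: "sensuctl"} if managed else {}
    return {"type": "CheckConfig", "api_version": "core/v2",
            "metadata": {"name": name, "namespace": namespace, "labels": labels}}


def key(resource):
    """Identify a resource by (type, namespace, name)."""
    meta = resource["metadata"]
    return (resource["type"], meta.get("namespace", ""), meta["name"])


def preview_prune(cluster, local, deletable_namespaces):
    """Return (would_delete, protected) under the two guardrails described above."""
    keep = {key(r) for r in local}
    would_delete, protected = [], []
    for r in cluster:
        k = key(r)
        if k in keep:
            continue  # still defined locally, so never a prune candidate
        labels = r["metadata"].get("labels") or {}
        if labels.get(MANAGED_LABEL) != "sensuctl":
            protected.append((k, "missing managed_by label"))
        elif k[1] not in deletable_namespaces:  # simplified stand-in for RBAC
            protected.append((k, "no delete access"))
        else:
            would_delete.append(k)
    return would_delete, protected


# Constructed sample data, not output from a real cluster.
CLUSTER = [res("check-cpu", "dev", True), res("check-test", "dev", True),
           res("check-from-ui", "dev", False), res("check-disk", "prod", True)]
LOCAL = [res("check-cpu", "dev", True)]

if __name__ == "__main__":
    doomed, kept = preview_prune(CLUSTER, LOCAL, deletable_namespaces={"dev"})
    for k in doomed:
        print("would delete:", k)
    for k, why in kept:
        print("protected:", k, "-", why)
```

Reviewing a preview like this before pruning makes it obvious when a resource you still need has dropped out of the local definitions.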

Sensuctl prune in action

Here’s a quick gif of creating and removing resources with sensuctl prune:

[GIF: sensuctl prune demo]

As you can see, I created all resources within the ./sensu-go-resources directory, plus the check-test.yml resource, using sensuctl create. After verifying those resources were there using sensuctl check list, I pruned all resources not present in the ./sensu-go-resources directory by running sensuctl prune checks -f ./sensu-go-resources. I ran sensuctl check list again to verify, and it’s gone!

Check out our docs for a full list of flags and sensuctl prune resource types.

Go forth and prune (plus, a webinar)

We hope this post gave you a good idea of what you can do with sensuctl prune. When you’re ready to give it a try, go ahead and upgrade to the latest version of Sensu Go and send us your feedback in Discourse.

Want to see a live demo of sensuctl prune (plus a ton of other features in Sensu Go)? Check out our webinar, in which CEO Caleb Hailey will demo pruning, API keys, secrets management, and more!