Resource Management

Unused Resource Operator

Automatically detect, assess, and clean up orphaned Kubernetes resources with intelligent safety scoring and configurable grace periods.

01

Overview

The Unused Resource Operator (URO) identifies and manages orphaned resources.
As clusters evolve through deployments, rollbacks, and configuration changes, Secrets, ConfigMaps, PVCs, and other resources can become disconnected from their original workloads, consuming storage, incurring costs, and creating security risks without providing any value.

URO brings automated intelligence to resource lifecycle management. It scans clusters on configurable schedules, uses multiple detection strategies to determine if resources are truly in use, calculates safety scores to minimize false positives, and can automatically clean up orphans after a grace period, with optional S3 backups for recovery. Built-in support for 25+ resource types and extensibility via CEL expressions means URO adapts to any cluster's unique needs.

02

Features

Intelligent Orphan Detection

Multi-layered detection strategies check owner references, managed-by labels (Helm, ArgoCD, operators), Pod volume mounts, environment variables, RBAC bindings, and Ingress references to accurately determine if a resource is in use.
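As an added illustration (not URO's own code), the sketch below applies three of the strategies named above to Secrets: owner references, the `app.kubernetes.io/managed-by` label, and Pod references through volumes, environment variables and image pull secrets. It works offline on constructed manifest dicts; the function names and sample objects are assumptions made for the example, and RBAC and Ingress references are not covered.

```python
MANAGED_BY = "app.kubernetes.io/managed-by"

def secrets_used_by_pod(pod):
    """Names of Secrets a Pod references via volumes, env, envFrom and pull secrets."""
    spec, used = pod.get("spec", {}), set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            used.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                used.add(src["secret"]["name"])
    used.update(ips["name"] for ips in spec.get("imagePullSecrets", []))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                used.add(ref["name"])
        used.update(s["secretRef"]["name"] for s in c.get("envFrom", []) if "secretRef" in s)
    return used

def orphan_candidates(secrets, pods):
    """Secrets with no owner reference, no managed-by label and no Pod reference."""
    referenced = {(p["metadata"]["namespace"], name)
                  for p in pods for name in secrets_used_by_pod(p)}
    candidates = []
    for s in secrets:
        m = s["metadata"]
        in_use = (m.get("ownerReferences") or MANAGED_BY in m.get("labels", {})
                  or (m["namespace"], m["name"]) in referenced)
        if not in_use:
            candidates.append(f'{m["namespace"]}/{m["name"]}')
    return sorted(candidates)

def obj(ns, name, **extra):
    """Build a minimal manifest dict (helper for the constructed samples below)."""
    return {"metadata": {"namespace": ns, "name": name, **extra}}

# Constructed sample objects, shaped like `oc get ... -o json` items.
PODS = [{**obj("shop", "web"), "spec": {
    "imagePullSecrets": [{"name": "regcred"}],
    "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}],
    "containers": [{"name": "app", "env": [{"name": "DB_PASS", "valueFrom": {
        "secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}]
SECRETS = [
    obj("shop", "regcred"), obj("shop", "web-tls"), obj("shop", "db-creds"),
    obj("shop", "release-v1", labels={MANAGED_BY: "Helm"}),
    obj("shop", "web-cert", ownerReferences=[{"kind": "Certificate", "name": "web"}]),
    obj("shop", "old-api-key"),    # nothing references it
    obj("staging", "db-creds"),    # same name as a used Secret, other namespace
]

if __name__ == "__main__":
    print(orphan_candidates(SECRETS, PODS))
```

References are matched per namespace, so a Secret that shares a name with an in-use Secret elsewhere is still reported as a candidate.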

Scheduled Scanning

Define cron-based scanning schedules with concurrency controls. Scans can be suspended, resumed, or triggered on-demand. Multiple policies can target different resource types with independent schedules.

Safety Scoring & Grace Periods

Each orphan candidate receives a safety score (0-100) based on resource age, type, and reference analysis. Configurable grace periods (e.g., 7 days for Secrets, 30 days for PVCs) prevent accidental deletion.

S3 Backup Integration

Automatically back up resources to S3-compatible storage before deletion. Supports AES-256 encryption, compression, and configurable retention policies for compliance and disaster recovery.

Custom Scanners via CEL

Extend orphan detection to custom resources using CEL (Common Expression Language) expressions. Define orphan conditions and preservation rules without modifying operator code.

Comprehensive Reporting

Detailed reports track orphans by type and namespace, estimate cost savings for LoadBalancers and PVCs, and provide audit trails. Webhook notifications support compliance workflows.

03

Use Cases

04

Custom Resources

05

Example Workflow

Here's a typical workflow for configuring URO to scan for orphaned Secrets and ConfigMaps, with a 7-day grace period and webhook notifications for detected orphans.

# 1. Optionally create a BackupConfig for S3 backup
oc apply -f - <<EOF
apiVersion: uro.cosmosdevops.co.uk/v1alpha1
kind: BackupConfig
metadata:
  name: default
spec:
  s3:
    bucket: uro-backups
    region: us-east-1
    credentialsSecretRef:
      name: s3-credentials
      namespace: uro-system
EOF

# 2. Create an OrphanPolicy to scan Secrets and ConfigMaps
oc apply -f - <<EOF
apiVersion: uro.cosmosdevops.co.uk/v1alpha1
kind: OrphanPolicy
metadata:
  name: config-cleanup
spec:
  schedule: "0 */6 * * *"
  resources:
    secrets:
      enabled: true
      gracePeriod: 168h
      autoDelete: false
    configMaps:
      enabled: true
      gracePeriod: 72h
  excludeNamespaces:
    - "kube-*"
    - "openshift-*"
EOF

# 3. Check scan results after the first scheduled run
oc get orphanreports -o wide

# 4. Review and approve orphan assessments for cleanup
oc get orphanassessments
# Replace <assessment-name> with a name from the list above
oc patch orphanassessment <assessment-name> --type merge -p '{"spec":{"action":"approved"}}'

Stop Paying for Resources You Don't Use

URO brings automated intelligence to Kubernetes resource lifecycle management. Reduce costs, improve security, and keep your clusters clean with minimal operational overhead.