@transhapHigsn
Last active December 28, 2020 22:25
K3s garbage collect expired passwords for nodes in cluster
# steps
# 1. echo -n $(sudo cat /var/lib/rancher/k3s/server/cred/node-passwd) > node-pass
# 2. set kube context, export KUBECONFIG=/path/to/kube/config.yaml
# 3. python node-gc.py
# 4. sudo mv check-pass /var/lib/rancher/k3s/server/cred/node-passwd
# NOTE: You can also just create a cron job that clears the content of the file (/var/lib/rancher/k3s/server/cred/node-passwd),
# works very well.
import subprocess

if __name__ == '__main__':
    # get active nodes from kubectl; check=True aborts if kubectl fails, and
    # stderr is not captured, so error text is never parsed as node names
    out = subprocess.run(
        ['kubectl', 'get', 'nodes', '-o=custom-columns=:metadata.name'],
        stdout=subprocess.PIPE, check=True,
    )
    nodes = out.stdout.decode('utf-8')
    nodes = [node for node in nodes.split('\n') if node]

    # read node-pass file (step 1 wrote every record onto a single line)
    with open('node-pass', 'r') as f:
        all_lines = f.readlines()

    all_lines = all_lines[0].split(',')
    all_lines = [line for line in all_lines if line]

    groups = []
    group_nodes = []
    # each record is three fields; the node name is the second one
    for i in range(0, len(all_lines), 3):
        if all_lines[i+1] in nodes:
            group_nodes.append(all_lines[i+1])
            line = ','.join(all_lines[i:i+3]).strip()
            line = line + '\n'
            groups.append(line)

    # assert all active nodes password are in newly generated lines.
    assert len(nodes) == len(groups)
    assert set(group_nodes) == set(nodes)

    # write check-pass file
    with open('check-pass', 'w+') as f:
        f.writelines(groups)

sudo /usr/local/bin/k3s ctr i ls | awk '{print $1}' | xargs sudo /usr/local/bin/k3s ctr i rm
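
A variant of the pruning step in node-gc.py, added here as an example and not part of the original gist: it reads node-passwd in its on-disk line form, reports active nodes that have no record instead of asserting, and writes the result with mode 0600, because the `mv` in step 4 carries the new file's permissions into place. The record layout (node name in the second comma-separated field) is inferred from the script above; the function names and the sample records are constructed.

```python
import os


def prune_node_passwd(text, active_nodes):
    """Return (kept_lines, missing_nodes) for node-passwd content.

    Assumed layout, inferred from the gist's script: one record per line,
    comma-separated, node name in the second field.
    """
    active = set(active_nodes)
    kept, seen = [], set()
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split(',')]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            continue  # blank or truncated record, nothing usable
        if fields[1] in active:
            kept.append(raw.strip() + '\n')  # keep the record unchanged
            seen.add(fields[1])
    # Active nodes without a record would be locked out after the swap.
    return kept, sorted(active - seen)


def write_private(path, lines):
    """Write credentials so that only the owner can read them."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.writelines(lines)
    os.chmod(path, 0o600)  # also tightens a file that already existed


# Constructed sample: two live nodes, one departed node, one truncated record.
SAMPLE = (
    "aaaa1111,node-a,node-a,\n"
    "bbbb2222,node-b,node-b,\n"
    "cccc3333,node-old,node-old,\n"
    "dddd4444\n"
)

if __name__ == '__main__':
    kept, missing = prune_node_passwd(SAMPLE, ['node-a', 'node-b'])
    if missing:
        raise SystemExit('no password record for: ' + ', '.join(missing))
    write_private('check-pass', kept)
    print('kept %d record(s)' % len(kept))
```
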
@transhapHigsn
Author

k3s has incorporated garbage collection of expired passwords in v1.20+k3s2. This is only useful if you are running anything below that version.
