kyverno · vishal-chdhry · Dec 4, 2024 · Nov 5, 2024 · Nov 13, 2024 · Nov 20, 2024
diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md
@@ -96,3 +96,71 @@ spec:
 Although labeled resources are watched by Kyverno, the cleanup interval (the time resolution at which any cleanup can be performed) is controlled by a flag passed to the cleanup controller called `ttlReconciliationInterval`. This value is set to `1m` by default and can be changed if a longer resolution is required.
 
 Because this is a label, there is opportunity to chain other Kyverno functionality around it. For example, it is possible to use a Kyverno mutate rule to assign this label to matching resources. A validate rule could be written prohibiting, for example, users from the `infra-ops` group from assigning the label to resources in certain Namespaces. Or, Kyverno could generate a new resource with this label as part of the resource definition.
+
+## DeletionPropagationPolicy (Common to both)
+
+The deletionPropagationPolicy field is an optional setting available in both CleanupPolicy and TTL-based cleanup configurations. It determines how Kubernetes handles the deletion of dependent resources when the primary resource is deleted.
+
+Supported values:
+
+- **Foreground**: Ensures dependent resources are deleted before the primary resource is removed.
+- **Background**: Deletes the primary resource first, while dependents are removed asynchronously.
+- **Orphan**: Deletes the primary resource but leaves its dependents untouched.
+
+{{% alert title="Note" color="info" %}}
+If deletionPropagationPolicy is not set, Kyverno defers to the Kubernetes API server's default behavior, which typically handles dependents based on cluster settings.
+{{% /alert %}}
+
+### Cleanup Policy Example with deletionPropagationPolicy ###
+
+A ClusterCleanupPolicy can include deletionPropagationPolicy to control the cleanup of dependents. Here's an example:
+
+```yaml
+apiVersion: kyverno.io/v2
+kind: ClusterCleanupPolicy
+metadata:
+  name: cleandeploy
+spec:
+  match:
+    any:
+    - resources:
+        kinds:
+          - Deployment
+        selector:
+          matchLabels:
+            canremove: "true"
+  conditions:
+    any:
+    - key: "{{ target.spec.replicas }}"
+      operator: LessThan
+      value: 2
+  schedule: "*/5 * * * *"
+  deletionPropagationPolicy: "Foreground"
+```
+This policy schedules the deletion of Deployments labeled canremove: "true" with fewer than two replicas every 5 minutes, ensuring dependent resources are deleted before the Deployment itself.
+
+### TTL-Based Cleanup Example with deletionPropagationPolicy ###
+
+Resources with a cleanup.kyverno.io/ttl label can also use the deletionPropagationPolicy to manage dependent resources:
+
+```yaml
+apiVersion: v1
+kind: CleanupPolicy
+metadata:
+  labels:
+    cleanup.kyverno.io/ttl: 2m
+  annotations:
+    deletionPropagationPolicy: "Orphan"
+  name: foo
+spec:
+  containers:
+  - args:
+    - sleep
+    - 1d
+    image: busybox:1.35
+    name: foo
+```
+In this example:
+
+The TTL label specifies that the Pod will be deleted 2 minutes after creation.
+The deletionPropagationPolicy: "Orphan" ensures that any dependents remain in the cluster after the Pod is deleted.