How to delete orphan NSX-T objects using PKS cleanup script


Article ID: 298726


Updated On:


VMware Tanzu Kubernetes Grid Integrated Edition


You may need to run the pks_cleanup script if either of the following situations occurs: 

  • The pks delete-cluster operation fails to remove all cluster objects.
  • A cluster deployment fails and you need to delete NSX-T objects that were created during the failed deployment. 


Product Version: 1.1
OS: Ubuntu


Installing the Cleanup Script 

Run the following commands to download the script, make it executable, and rename it: 

sudo chmod +x pks_cleanup_linux 
sudo mv pks_cleanup_linux /usr/local/bin/pks_cleanup 

To verify installation, run pks_cleanup --help 

Expected Results:

Cleanup script examples 

The following example commands demonstrate how to use the pks_cleanup script to delete NSX-T resources for a sample cluster. The sample cluster is for illustrative purposes only. Your cluster details and UUIDs will be different. 

Let's assume we have a PKS cluster identified as k8s1 with the following details: 

ubuntu@ubuntu:~$ pks cluster k8s1 

Name: k8s1 
Plan Name: Plan 1 
UUID: 18ef47d8-d4ac-4d6c-9d77-301860c3a98f 
Last Action: CREATE 
Last Action State: succeeded 
Last Action Description: Instance provisioning failed 
Kubernetes Master Host: k8s1 
Kubernetes Master Port: 8443 
Worker Nodes: 1 
Kubernetes Master IP(s): 

The --cluster flag accepts the format pks-[cluster UUID]. For this example, the --cluster value is pks-18ef47d8-d4ac-4d6c-9d77-301860c3a98f

To view the resources created by NCP that will be removed, run the following command: 

  • pks_cleanup --mgr-ip= --cluster=pks-18ef47d8-d4ac-4d6c-9d77-301860c3a98f 

To delete all resources created by NCP, run the following command: 

  • pks_cleanup --mgr-ip= --cluster=pks-18ef47d8-d4ac-4d6c-9d77-301860c3a98f -r=false 

To delete NSX-T resources created by both NCP and PKS, run the following command: 

  • pks_cleanup --mgr-ip= --cluster=pks-18ef47d8-d4ac-4d6c-9d77-301860c3a98f -r=false --pks --floating-ip-pool-id=5a35b05c-70d4-4337-9f8e-b8b8533476c7 --ip-block-id=d5aab712-4b83-4690-a16f-f6a3583c9056 


Cleanup scripts command usage

The following table lists the pks_cleanup flags:

Flag                     Description
-t, --ca-cert            NSX-T CA certificate
-c, --cluster            Name of the target cluster in the format pks-[cluster UUID]
--floating-ip-pool-id    UUID of the floating IP pool configured for the cluster
-h, --help               Help for the script
--ip-block-id            UUID of the IP block configured for the cluster
-m, --mgr-ip             NSX-T Manager IP address
-n, --nsx-cert           NSX certificate path
-k, --nsx-key            NSX client private key path
-p, --password           NSX Manager password; ignored if nsx-cert is set
--pks                    Removes NSX-T resources created by PKS. Requires floating-ip-pool-id and ip-block-id
-r, --read-only          Read only mode (default true)
-u, --username           NSX Manager username (default "admin"); ignored if nsx-cert is set


Cleanup Script Details 

The pks_cleanup script flags are categorized as follows: 

  • Environmental parameters 
  • Authentication parameters 
  • PKS parameters 
  • Deletion parameters 

Environmental Parameters 

--cluster pks-[cluster UUID] 

The --cluster input parameter is the cluster identifier, which must be in the format pks-[cluster UUID].

--mgr-ip [nsx-t manager ip] 

The IP address of the NSX-T Manager host. 

Authentication Parameters 

--username (default is “admin”) 

--password (default is “Admin!23Admin”) 

To authenticate with the NSX-T Manager using basic authentication, provide the flags --username and --password. You must supply valid authentication credentials if different from the default. 

--nsx-cert /path/to/client/cert 

--nsx-key /path/to/client/key 

To authenticate with NSX-T Manager using a client certificate, provide the paths to both the client certificate and key using the flags --nsx-cert and --nsx-key.

--ca-cert /path/to/ca/cert 

To enable server certificate validation, provide the path to a valid CA certificate in --ca-cert.

PKS Parameters 

By default, the pks_cleanup script only deletes NSX-T resources created by NCP. If you also want to delete NSX-T resources created by PKS (such as the load balancer for the cluster master VMs), provide the --pks flag. 

The --pks flag requires both the --floating-ip-pool-id and --ip-block-id flags. Each expects the UUID of the corresponding resource. 

Deletion Parameters 

By default the pks_cleanup script is read-only. This means that when you run the script it simply prints to stdout the resources to be deleted—it does not actually delete them. To delete the resources, you must pass the --read-only=false (or -r=false) flag. Note that the equals sign without spaces is required.
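
The preview-then-delete workflow described above, as an added shell example that is not part of the original article or of VMware's tooling. It rejects malformed UUIDs (for instance one with a stray space from copy and paste), enforces that --pks comes with both resource IDs, and only adds -r=false after the operator retypes the cluster UUID. The helper names, the PKS_CLEANUP variable and the 192.0.2.10 manager address are assumptions.

```shell
#!/bin/sh
# Added example, not VMware's code. Helper names, the PKS_CLEANUP variable and
# the 192.0.2.10 manager address are assumptions; the flags are from the article.
LC_ALL=C   # byte-wise character ranges in the patterns below
h='[0-9a-fA-F]'; q="$h$h$h$h"

# is_uuid VALUE: succeeds only for the 8-4-4-4-12 hex layout (no spaces, no newlines).
is_uuid() {
  case $1 in
    $q$q-$q-$q-$q-$q$q$q) return 0 ;;
    *) return 1 ;;
  esac
}

# cleanup_args MODE MGR_IP CLUSTER_UUID [POOL_UUID BLOCK_UUID]
# MODE "preview" keeps the read-only default; "delete" adds -r=false.
cleanup_args() (
  mode=${1-} mgr=${2-} cluster=${3-} pool=${4-} block=${5-}
  case $mode in preview|delete) ;; *) echo "mode must be preview or delete" >&2; return 2 ;; esac
  case $mgr in ''|*[!0-9a-fA-F.:]*) echo "bad NSX-T Manager IP" >&2; return 2 ;; esac
  is_uuid "$cluster" || { echo "bad cluster UUID: $cluster" >&2; return 2; }
  if [ -n "$pool$block" ]; then   # --pks requires both resource UUIDs
    { is_uuid "$pool" && is_uuid "$block"; } ||
      { echo "--pks needs valid --floating-ip-pool-id and --ip-block-id" >&2; return 2; }
  fi
  set -- "--mgr-ip=$mgr" "--cluster=pks-$cluster"
  [ "$mode" = preview ] || set -- "$@" -r=false   # equals sign, no spaces
  [ -z "$pool" ] || set -- "$@" --pks "--floating-ip-pool-id=$pool" "--ip-block-id=$block"
  printf '%s\n' "$*"
)

# run_cleanup MGR_IP CLUSTER_UUID [POOL_UUID BLOCK_UUID]
# Runs the read-only listing first, then deletes only if the operator retypes the UUID.
# PKS_CLEANUP names the binary and may carry the authentication flags.
run_cleanup() (
  preview=$(cleanup_args preview "$@") && delete=$(cleanup_args delete "$@") || return 2
  # Every argument was validated above, so word splitting here is safe.
  ${PKS_CLEANUP:-pks_cleanup} $preview || return 1
  printf 'Retype the cluster UUID to delete the objects listed above: ' >&2
  read -r answer || answer=
  [ "$answer" = "$2" ] || { echo "confirmation mismatch, nothing deleted" >&2; return 1; }
  ${PKS_CLEANUP:-pks_cleanup} $delete
)

# Constructed demo: print (not run) the preview command for the article's sample cluster.
echo "pks_cleanup $(cleanup_args preview 192.0.2.10 18ef47d8-d4ac-4d6c-9d77-301860c3a98f)"
```

Passing credentials through a client certificate (--nsx-cert, --nsx-key) together with --ca-cert keeps the NSX Manager password out of shell history and the process list.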