---
type: skill
lifecycle: stable
inheritance: inheritable
name: nnf-cve-cleanup
description: Cleans up NNF deployments impacted by vulnerable or outdated container images using guided execution.
tier: standard
applyTo: '**/*nnf*,**/*cve*,**/*cleanup*'
currency: 2026-04-30
lastReviewed: 2026-04-30
---

# NNF CVE Cleanup (Execution Enabled)

This skill remediates S360 / ADO action items like:

- "Cleanup Required: Parallel RP deployments running outdated images"
- "Vulnerable container image reference"
- "CVE in NFC cluster extension images"

Affected components typically include:
- nfarpgatewaymgrworker
- nfarpsouthboundworker
- nfarpjobservice

---

## ✅ Step 1 — Resolve target (cluster + deployments)

Extract from S360 / ADO text:
- SubscriptionId
- ResourceGroup
- ClusterName (if available)
- Namespace
- Deployment names (nfarp*)

If missing → run resolver:

```bash
python scripts/resolve-target.py --text "<paste S360/ADO text>"
```

---

## ✅ Step 2 — Execute cleanup

Allowed subscriptions (hard-enforced by script):
- d854f6e5-7f11-4515-9d58-2ef770a77ee2
- 962219bd-33e8-461a-aa01-2ea9236a2b07
- 9531faa8-8c39-4165-b033-48697fe943db
- 89a70903-42a2-4ff6-b437-688a27893711

Choose the appropriate action for your scenario:

| Action | When to use |
|--------|-------------|
| `restart` (default) | Refresh pods to pull patched images (CVE remediation) |
| `delete` | Permanently remove stale/orphaned deployments |
| `scale-down` | Scale stale deployments to 0 replicas without deleting |

PowerShell:
```powershell
# Restart pods (CVE image refresh)
scripts/cleanup-deployments.ps1 -SubscriptionId <sub> -ResourceGroup <rg> -ClusterName <cluster> -Namespace <ns> -Deployments "dep1,dep2" -Action restart

# Delete stale deployments
scripts/cleanup-deployments.ps1 -SubscriptionId <sub> -ResourceGroup <rg> -ClusterName <cluster> -Namespace <ns> -Deployments "dep1,dep2" -Action delete

# Scale down to 0 replicas
scripts/cleanup-deployments.ps1 -SubscriptionId <sub> -ResourceGroup <rg> -ClusterName <cluster> -Namespace <ns> -Deployments "dep1,dep2" -Action scale-down
```

Bash:
```bash
# Restart pods (CVE image refresh)
scripts/cleanup-deployments.sh --subscription <sub> --resource-group <rg> --cluster <cluster> --namespace <ns> --deployments "dep1,dep2" --action restart

# Delete stale deployments
scripts/cleanup-deployments.sh --subscription <sub> --resource-group <rg> --cluster <cluster> --namespace <ns> --deployments "dep1,dep2" --action delete

# Scale down to 0 replicas
scripts/cleanup-deployments.sh --subscription <sub> --resource-group <rg> --cluster <cluster> --namespace <ns> --deployments "dep1,dep2" --action scale-down
```


---

## ✅ Step 3 — Verify cleanup

kubectl get pods -n <namespace>
kubectl rollout status deployment <deployment> -n <namespace>

---

## ✅ Step 4 — Document results

Capture the following:

Deployment rollout status
Pod health output
Any errors or warnings

Paste results into:

S360 action item
ADO work item

✅ Close the item after successful validation