undefined | Better HN

0 pointsetxm5y ago0 comments

It’s all fun and games until a deployment is acting funny and somebody destroys the chart and re-creates it and takes the bucket out with it.

Does it have functionality like Kube DB that makes a “dormant” version of the state store?

0 comments

jrockway5y ago

Deletion is typically specified by an immutable finalizer on the resource. For example, you can create a StorageClass that saves your PersistentVolume when you delete the PersistentVolumeClaim, and you can't change the class of a claim, so even if your templating goes haywire and deletes your volume claim, the actual data is safe and can be recovered. I have to imagine that any API that lets you create things like RDS instances would have similar protection. (You might think that the k8s world is very mutable, but there are some immutable things hanging around. For cases exactly like this.)

I don't use AWS so I didn't look into this thoroughly, but the word "finalizer" does show up in the code frequently:

    // MarkManaged places the supplied resource under the management of ACK.
    // What this typically means is that the resource manager will decorate the
    // underlying custom resource (CR) with a finalizer that indicates ACK is
    // managing the resource and the underlying CR may not be deleted until ACK
    // is finished cleaning up any backend AWS service resources associated
    // with the CR.

I dunno how good it is, but clearly they've thought about it. Test it before you invest billions of dollars into it, though.

dilyevsky5y ago

Finalizers dont do much for safety. They are simply there to ensure controller (in this case ACK) won’t miss the deletion event and leave the resource dangling. To actually prevent object from being deleted you need a validation webhook

robszumski5y ago

An interesting part of the Operator Lifecycle Manager (OLM) is the capability to scaffold webhooks for Operators, rotate their secrets, etc to make this type protection easy for everyone to provide. All you need to do is bring your validation logic specific to the app.

https://olm.operatorframework.io/docs/advanced-tasks/adding-...

1 more reply

DanielDent5y ago

What this describes is a mechanism for k8s to delete underlying resources prior to removing them from k8s.

E.g. before completely removing the CRD representing an S3 bucket, this provides a mechanism for that S3 bucket to be deleted from AWS systems.

Which I think is the opposite of what you were hoping.

nrmitchi5y ago

This is, in my opinion, the most dangerous thing about CRDs, especially for resources that are not scoped the the cluster.

It is way to easy to accidently delete something you need. PV's were my first experience dealing with this (a chart upgrade recreated a PVC, the old one unbound, and was immediately cleaned up), and it's not a risk that I want to see extended to buckets, RDS instances, etc.

The other side of this is that CRDs can lead to abandoned resources; if you find your cluster borked, or shut down improperly, any resources which existed as CRDs (or in cloud Kubernetes land, include LoadBalancers) probably did not get cleaned up, and will be abandoned (but left running).

It's not clear that there is actually a good solution here that fits neatly in with existing CRD behaviour.

rektide5y ago

If you've used helm for more than one day you'd know about the helm.sh/resource-policy: keep,

Which makes your first big "accidentally deleted" concern pretty near moot, so long as it's your ci/CD tools with permissions & they are using helm. So long as random cluster users aren't futzing around randomly poking at & deleting things.

Yes, you have to go way further & prevent your idiot users from being dumb, if you are giving them cluster role permissions. But again, have you considered not doing that?

Abandoned resources is no less of an issue. If there are external resources that don't have state (such as your Load balancer examp, the good news is you can delete them all & let the resource controllers recreate the real ones.

In general I feel like you are letting the 1% of concerns dominate & dissuade you, & that most people can make it very far with nothing extra.

nrmitchi5y ago

> If you've used helm for more than one day

I'm not sure why you're popping in to a thread from a week ago, starting with personal insinuations against my qualifications to have an opinion, and being a generally uncivil person.

You should try to make your points without the condescending attitude.

rektide5y ago

metadata: annotations: helm.sh/resource-policy: keep

works for any & all resources!

j / k navigate · click thread line to collapse

0 comments

jrockway5y ago

I don't use AWS so I didn't look into this thoroughly, but the word "finalizer" does show up in the code frequently:

    // MarkManaged places the supplied resource under the management of ACK.
    // What this typically means is that the resource manager will decorate the
    // underlying custom resource (CR) with a finalizer that indicates ACK is
    // managing the resource and the underlying CR may not be deleted until ACK
    // is finished cleaning up any backend AWS service resources associated
    // with the CR.

I dunno how good it is, but clearly they've thought about it. Test it before you invest billions of dollars into it, though.

dilyevsky5y ago

robszumski5y ago

https://olm.operatorframework.io/docs/advanced-tasks/adding-...

1 more reply

DanielDent5y ago

What this describes is a mechanism for k8s to delete underlying resources prior to removing them from k8s.

E.g. before completely removing the CRD representing an S3 bucket, this provides a mechanism for that S3 bucket to be deleted from AWS systems.

Which I think is the opposite of what you were hoping.

nrmitchi5y ago

This is, in my opinion, the most dangerous thing about CRDs, especially for resources that are not scoped the the cluster.

It's not clear that there is actually a good solution here that fits neatly in with existing CRD behaviour.

rektide5y ago

If you've used helm for more than one day you'd know about the helm.sh/resource-policy: keep,

Yes, you have to go way further & prevent your idiot users from being dumb, if you are giving them cluster role permissions. But again, have you considered not doing that?

In general I feel like you are letting the 1% of concerns dominate & dissuade you, & that most people can make it very far with nothing extra.

nrmitchi5y ago

> If you've used helm for more than one day

I'm not sure why you're popping in to a thread from a week ago, starting with personal insinuations against my qualifications to have an opinion, and being a generally uncivil person.

You should try to make your points without the condescending attitude.

rektide5y ago

metadata: annotations: helm.sh/resource-policy: keep

works for any & all resources!

j / k navigate · click thread line to collapse