digitalocean-cloud-controller-manager icon indicating copy to clipboard operation
digitalocean-cloud-controller-manager copied to clipboard

Published 20 hours ago verified publisher icon digitalocean

Protect load balancer from being deleted

Open Kavantix opened this issue 2 years ago • 7 comments

Currently load balancers are always deleted when the service is deleted unless the disown annotation is specified. The disown annotation however disables all other features as well.

So what I would like to have is an annotation protect: "true" that leaves all features intact but prevents deletion such that the ip address of that load balancer can be reused if someone manages to delete the service.

Kavantix avatar Apr 14 '22 13:04 Kavantix

Hey @Kavantix, one question for clarification: do you expect a delete request for a LoadBalancer-typed Service to just silently not carry out the LB deletion against the API or rather return an error? That is, should the Service still be deleted or not? What is your use case?

timoreimann avatar Aug 01 '22 06:08 timoreimann

@rawkode interested in your feedback on the above question as well since you submitted a PR.

timoreimann avatar Aug 01 '22 06:08 timoreimann

@timoreimann preventing the service from being deleted would also be fine.

My main concern is that normally deleting and recreating a service in kubernetes will not break anything but when it is mapped to a do load balancer it now does break since the ip changes.

We managed to accidentally delete a load balancer once while thinking it was disowned

Kavantix avatar Aug 01 '22 07:08 Kavantix

Got it. I think a validating web hook may be an equally good if not better solution for you assuming that deleting the Service without the LB would still be a bit of a hassle to you (i.e., if you accidentally deleted the Service, you would still have the LB but would also have to craft a new Service object with the right annotation to re-own the orphaned LB).

The validating web hook is something that our CCM could also provide and it would presumably be controlled by an annotation. So same mechanism, but different implementation.

timoreimann avatar Aug 01 '22 08:08 timoreimann

So basically an 'are you sure you want to delete this service' if it has the 'protect: true' annotation?

Kavantix avatar Aug 01 '22 10:08 Kavantix

Sort of: If the protective annotation was set, then a validation web hook who reject DELETE requests to the Service object right away.

FWIW this can already be done with a custom web hook unrelated to CCM (and frameworks like OPA / GateKeeper / Kyvero should allow to do so without a custom implementation). I'd normally refer to one of these solutions but I also see the value in making it a built-in feature of our CCM given that the loss of the LB and its public IP address is quite impactful.

timoreimann avatar Aug 01 '22 11:08 timoreimann

For my use-case, preventing deletion of the service is a no go.

I provision the LB and service independently and this is already supported by providing the load-balancer-id tag. For DOKs customers that don’t want to go down the external-dns route, this is probably pretty common.

rawkode avatar Aug 01 '22 12:08 rawkode