
Deletion Protection

Deletion protection prevents specific Kubernetes resources from being accidentally deleted.

Details

On NKE clusters, you can protect Kubernetes "Namespaces" and "PersistentVolumeClaims" (PVCs) from being accidentally deleted. This is an additional safety net that prevents production applications and their data from being deleted by mistake.

Availability

The deletion-protection feature is enabled by default on every NKE cluster.

Usage

To prevent a Kubernetes Namespace and/or PersistentVolumeClaim from being deleted, you can add the nine.ch/deletion-protection: "true" annotation. As long as this annotation is present with a value of "true", the resource cannot be deleted. Please make sure to use a value of "true" to activate the feature.

To add the annotation on a Kubernetes Namespace, you can use the following command:

kubectl create ns foo
kubectl annotate ns foo nine.ch/deletion-protection=true

To test whether the annotation prevents an accidental deletion, you can use the --dry-run=server option of kubectl:

kubectl delete --dry-run=server ns foo

Error from server (Forbidden): admission webhook
"deletion-protection.nine-controllers.nine.ch" denied the request: preventing
deletion because of nine.ch/deletion-protection annotation

To disable the deletion protection, you can either remove the annotation completely or use a value of "false":

kubectl annotate --overwrite ns foo nine.ch/deletion-protection=false

An additional deletion test should confirm the deactivation of the feature:

kubectl delete --dry-run=server ns foo

namespace "foo" deleted (server dry run)

Please note that using a value other than "true" or "false" will lead to an error on deletion of the resource.

Furthermore, please be aware that to fully protect a "PersistentVolumeClaim" from being deleted, the annotation should be set on both the corresponding PVC(s) and the Kubernetes Namespace which contains the PVC(s).
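
The two notes above can be checked across a whole cluster. The following audit script is an added example, not part of the original documentation or of NKE: it reads the JSON produced by kubectl and reports resources with an invalid annotation value as well as protected PVCs whose Namespace is not protected. The function names, the finding labels, the sample data and the exact string comparison against "true" and "false" are assumptions made for this example.

```python
import json
import sys

ANNOTATION = "nine.ch/deletion-protection"

# Constructed sample in the shape of
# `kubectl get namespaces,persistentvolumeclaims -A -o json` (not real cluster output).
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Namespace", "metadata": {"name": "foo", "annotations": {ANNOTATION: "true"}}},
    {"kind": "Namespace", "metadata": {"name": "bar"}},
    {"kind": "Namespace", "metadata": {"name": "baz", "annotations": {ANNOTATION: "yes"}}},
    {"kind": "PersistentVolumeClaim",
     "metadata": {"name": "data", "namespace": "foo", "annotations": {ANNOTATION: "true"}}},
    {"kind": "PersistentVolumeClaim",
     "metadata": {"name": "db", "namespace": "bar", "annotations": {ANNOTATION: "true"}}},
    {"kind": "PersistentVolumeClaim",
     "metadata": {"name": "cache", "namespace": "foo", "annotations": {ANNOTATION: "false"}}},
]})


def state(item):
    """Classify one resource by its annotation value (exact match is an assumption)."""
    value = (item["metadata"].get("annotations") or {}).get(ANNOTATION)
    if value == "true":
        return "protected"
    if value is None or value == "false":
        return "unprotected"
    return "invalid"  # any other value leads to an error on deletion


def audit(kubectl_json):
    """Return sorted (kind, namespace, name, finding) tuples that need attention."""
    items = json.loads(kubectl_json)["items"]
    ns_state = {i["metadata"]["name"]: state(i) for i in items if i["kind"] == "Namespace"}
    findings = []
    for item in items:
        meta, kind, st = item["metadata"], item["kind"], state(item)
        ns = meta.get("namespace", "")  # Namespaces themselves have no namespace
        if st == "invalid":
            findings.append((kind, ns, meta["name"], "invalid-value"))
        elif kind == "PersistentVolumeClaim" and st == "protected" \
                and ns_state.get(ns) != "protected":
            findings.append((kind, ns, meta["name"], "namespace-not-protected"))
    return sorted(findings)


if __name__ == "__main__":
    # Live use: kubectl get namespaces,persistentvolumeclaims -A -o json | python3 audit.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(data):
        print(*finding)
```

Run without piped input, the script audits the constructed sample and reports the Namespace "baz" (invalid value) and the PVC "db" in the unprotected Namespace "bar".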