[rektide]

Every Kubernetes shop I've seen uses Helm to deploy their workloads, & now you can set up all your S3 Buckets, SQS, SNS stuff in that same Helm chart as your app. This is hella ideal.

I also just generally love the thought of being able to manage any cloud resources at all via standard open-protocols & systems. Compounding the investment, rather than having to invest in a bunch of specific not-interconnected areas is going to lead to great things.

It'll be interesting to see what if any architectural flourishes or innovations went in to ACK's control loops.

[etxm]

It’s all fun and games until a deployment is acting funny and somebody destroys the chart and re-creates it and takes the bucket out with it.

Does it have functionality like Kube DB that makes a “dormant” version of the state store?

[jrockway]

Deletion is typically specified by an immutable finalizer on the resource. For example, you can create a StorageClass that saves your PersistentVolume when you delete the PersistentVolumeClaim, and you can't change the class of a claim, so even if your templating goes haywire and deletes your volume claim, the actual data is safe and can be recovered. I have to imagine that any API that lets you create things like RDS instances would have similar protection. (You might think that the k8s world is very mutable, but there are some immutable things hanging around. For cases exactly like this.)

I don't use AWS so I didn't look into this thoroughly, but the word "finalizer" does show up in the code frequently:

    // MarkManaged places the supplied resource under the management of ACK.
    // What this typically means is that the resource manager will decorate the
    // underlying custom resource (CR) with a finalizer that indicates ACK is
    // managing the resource and the underlying CR may not be deleted until ACK
    // is finished cleaning up any backend AWS service resources associated
    // with the CR.

I dunno how good it is, but clearly they've thought about it. Test it before you invest billions of dollars into it, though.

[dilyevsky]

Finalizers dont do much for safety. They are simply there to ensure controller (in this case ACK) won’t miss the deletion event and leave the resource dangling. To actually prevent object from being deleted you need a validation webhook

[robszumski]

An interesting part of the Operator Lifecycle Manager (OLM) is the capability to scaffold webhooks for Operators, rotate their secrets, etc to make this type protection easy for everyone to provide. All you need to do is bring your validation logic specific to the app.

https://olm.operatorframework.io/docs/advanced-tasks/adding-...

[an_opabinia]

Kubernetes complexity: The amount of indirection for “you must write a --force flag to delete something” is astounding.

[DanielDent]

What this describes is a mechanism for k8s to delete underlying resources prior to removing them from k8s.

E.g. before completely removing the CRD representing an S3 bucket, this provides a mechanism for that S3 bucket to be deleted from AWS systems.

Which I think is the opposite of what you were hoping.

[nrmitchi]

This is, in my opinion, the most dangerous thing about CRDs, especially for resources that are not scoped the the cluster.

It is way to easy to accidently delete something you need. PV's were my first experience dealing with this (a chart upgrade recreated a PVC, the old one unbound, and was immediately cleaned up), and it's not a risk that I want to see extended to buckets, RDS instances, etc.

The other side of this is that CRDs can lead to abandoned resources; if you find your cluster borked, or shut down improperly, any resources which existed as CRDs (or in cloud Kubernetes land, include LoadBalancers) probably did not get cleaned up, and will be abandoned (but left running).

It's not clear that there is actually a good solution here that fits neatly in with existing CRD behaviour.

[rektide]

If you've used helm for more than one day you'd know about the helm.sh/resource-policy: keep,

Which makes your first big "accidentally deleted" concern pretty near moot, so long as it's your ci/CD tools with permissions & they are using helm. So long as random cluster users aren't futzing around randomly poking at & deleting things.

Yes, you have to go way further & prevent your idiot users from being dumb, if you are giving them cluster role permissions. But again, have you considered not doing that?

Abandoned resources is no less of an issue. If there are external resources that don't have state (such as your Load balancer examp, the good news is you can delete them all & let the resource controllers recreate the real ones.

In general I feel like you are letting the 1% of concerns dominate & dissuade you, & that most people can make it very far with nothing extra.

[nrmitchi]

> If you've used helm for more than one day

I'm not sure why you're popping in to a thread from a week ago, starting with personal insinuations against my qualifications to have an opinion, and being a generally uncivil person.

You should try to make your points without the condescending attitude.

[rektide]

metadata: annotations: helm.sh/resource-policy: keep

works for any & all resources!