Azure / azure-service-operator

Azure Service Operator allows you to create Azure resources using kubectl
https://azure.github.io/azure-service-operator/
MIT License

Feature: Add Microsoft.Authorization/locks; Lock resources #3756

Open mehighlow opened 8 months ago

mehighlow commented 8 months ago

Add implementation to lock resources to prevent them from being destroyed in the Azure Portal while ASO keeps managing them.

Lock your resources to protect your infrastructure

Let's say I want to minimize any chance of my resources being deleted while I manage them with ASO. From the ASO side, I have an option to set serviceoperator.azure.com/reconcile-policy: detach-on-delete to prevent accidental deletes of K8s objects from being reconciled with Azure. However, those resources can still be deleted from the Azure Portal. It would be great to use ASO to have an option to set a lock to prevent them from being deleted from the Azure Portal.

There are 2 types of locks:

  1. Read-only, which can be projected to serviceoperator.azure.com/reconcile-policy: skip
  2. Delete - this feature request.

The way I propose implementing the delete lock is through an annotation like serviceoperator.azure.com/reconcile-policy: lock-delete, which can be used only in combination with serviceoperator.azure.com/reconcile-policy: detach-on-delete, unless you consider combining them together into a single annotation like serviceoperator.azure.com/reconcile-policy: locked-detach-on-delete.

matthchr commented 7 months ago

This seems like a reasonable ask.

matthchr commented 1 month ago

Put into 2.10 for design and discussion.