When removing a cluster from a gce-multi-cluster ingress, firewall rules are updated before removing backend services:
# kubemci remove-clusters portal-webfront --ingress=ingress-webfront.yml --gcp-project=$GCP_PROJECT --kubeconfig=$KUBECONFIG --kubecontexts=gke_myproject-prod_europe-west1-b_myproject-prod-europe-west1-cluster1
Determining instance groups for cluster gke_myproject-prod_europe-west1-b_myproject-prod-europe-west1-cluster1
Removing clusters from firewall rule
Updating existing firewall rule mci1-fr--portal-webfront to match the desired state
Firewall rule mci1-fr--portal-webfront updated successfully
Removing backend services from clusters
Updating existing backend service mci1-be-31081--portal-webfront to match the desired state
Backend service mci1-be-31081--portal-webfront updated successfully
Removing clusters [gke_myproject-prod_europe-west1-b_myproject-prod-europe-west1-cluster1] from https forwarding rule
Updating existing forwarding rule mci1-fws--portal-webfront to match the desired state
Forwarding rule mci1-fws--portal-webfront updated successfully
Removing clusters [gke_myproject-prod_europe-west1-b_myproject-prod-europe-west1-cluster1] from http forwarding rule
Updating existing forwarding rule mci1-fw--portal-webfront to match the desired state
Forwarding rule mci1-fw--portal-webfront updated successfully
Removing clusters [gke_myproject-prod_europe-west1-b_myproject-prod-europe-west1-cluster1] from url map
Updating existing url map mci1-um--portal-webfront to match the desired state
URL Map mci1-um--portal-webfront updated successfully
Deleting Ingress from cluster: gke_myproject-prod_europe-west1-b_myproject-prod-europe-west1-cluster1...
I've not yet witnessed issues with that, but I guess firewall rules should only be updated after removing backend services to reduce the risk of failing requests.
When removing a cluster from a
gce-multi-cluster
ingress, firewall rules are updated before removing backend services:I've not yet witnessed issues with that, but I guess firewall rules should only be updated after removing backend services to reduce the risk of failing requests.