Automated snapshoting of deleted PVC

[Fricounet]

Is your feature request related to a problem?/Why is this needed

Hi all, I wanted to gather some opinions around the idea of providing an automated snapshoting mechanism when a PVC is being deleted. Currently, it can be a bit scary to use a storage class with reclaim policy Delete because it means that with one wrong manipulation, if the PVC is deleted, the backing data will also be deleted. On the other hand, using a Retain storage class is a bit cumbersome because PV will stay in the cluster indefinitely, leading to additional costs. As a result, we need to deploy in our clusters our own garbage collection mechanism to delete unused PV after some time.

Having an automated snapshot mechanism would allow us to use Delete storage classes while still allowing users to keep a backup of their data in case of accidental deletion.

Describe the solution you'd like in detail

For the implementation, I was thinking about the following:

• user creates PVC with a particular annotation (like snapshot.storage.kubernetes.io/snapshot-before-deletion)
• snapshot-controller adds finalizer on PVC to block its deletion
• user deletes PVC
• snapshot-controller watch those events and creates a snapshot through the CSI driver
• snapshot-controller creates a VolumeSnapshotContent for the created snapshot (and maybe a VolumeSnapshot in the same namespace too)
• snapshot-controller removes finalizer
• PVC is deleted

but any idea is welcome :smile:

Describe alternatives you've considered

Currently, we are doing something similar with a custom controller in our clusters but we are creating snapshots in the cloud provider directly. We were thinking about refactoring the controller to use CSI snapshots instead but then we figured that it might be even better to upstream thin in the exetrenal-snapshotter.

Additional context

I'm not sure if this feature would need a KEP but if it does, I can work on this

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[Fricounet]

/remove-lifecycle rotten