Kops delete cluster command should provide lifecycle-overrides option

[tobernguyen]

1. What kops version are you running? The command kops version, will display this information. 1.17.0-beta.1

2. What Kubernetes version are you running? kubectl version will print the version if a cluster is running or provide the Kubernetes version specified as a kops flag.

Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.3", GitCommit:"06ad960bfd03b39c8310aaf92d1e7c12ce618213", GitTreeState:"clean", BuildDate:"2020-02-13T18:08:14Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.3", GitCommit:"06ad960bfd03b39c8310aaf92d1e7c12ce618213", GitTreeState:"clean", BuildDate:"2020-02-11T18:07:13Z", GoVersion:"go1.13.6", Compiler:"gc", Platform:"linux/amd64"}

3. What cloud provider are you using? AWS

4. What commands did you run? What is the simplest way to reproduce this issue? I created a cluster using existing AWS Instance Profiles (https://github.com/kubernetes/kops/blob/master/docs/iam_roles.md#use-existing-aws-instance-profiles)

kops update cluster ${CLUSTER_NAME} --yes --lifecycle-overrides IAMRole=ExistsAndWarnIfChanges,IAMRolePolicy=ExistsAndWarnIfChanges,IAMInstanceProfileRole=ExistsAndWarnIfChanges

Then I tried to delete the cluster:

kops delete cluster --name $CLUSTER_NAME --yes

5. What happened after the commands executed? The kops delete cluster command tries to delete the attached AWS Instance Profiles, IAM Roles, and IAM Policies which were managed outside kops (it were provisioned by Terraform in our project).

6. What did you expect to happen? kops delete cluster should provide lifecycle-overrides option like kops update command so we tell kops to not delete AWS Instance Profiles, IAM Roles, and Policies.

7. Please provide your cluster manifest. Execute kops get --name my.example.com -o yaml to display your cluster manifest. You may want to remove your cluster name and other sensitive information. I don't think this is needed

8. Please run the commands with most verbose logging by adding the -v 10 flag. Paste the logs into this report, or in a gist and provide the gist link here. I don't think this is needed

9. Anything else do we need to know? No

[rifelpet]

/kind feature

I agree this is a gap in Kops' ability to support scenarios in which lifecycle overrides are intended.

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

[jeffhubLR]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

[jeffhubLR]

/remove-lifecycle stale

[aramhakobyan]

+1

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

[aramhakobyan]

+

[fejta-bot]

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten

[tobernguyen]

/remove-lifecycle rotten

[h3poteto]

I can reproduce this using master git-3eacde0212. At the moment, kops delete only Instance Profiles that match this expression. Deletion of IAM Roles is similar condition. So if I provide masters.$CLUSTER_NAME and nodes.$CLUSTER_NAME as existing Instance Profile, it will be deleted when delete cluster.

[h3poteto]

I will take this issue.

/assign

[johngmyers]

11497 changes the logic for deleting IAM Roles from using name to using ownership tags. A similar change could be made for Instance Profiles.

[h3poteto]

@johngmyers Nice changes. #11497 will resolve a part of this issue.

A similar change could be made for Instance Profiles.

It's good. But this issue proposes lifecycle-overrides option, which do you think is the better way?

And I'm worried about this comment.

[johngmyers]

@h3poteto I'm struggling to understand what a lifecycle-overrides option to a delete cluster command would mean, especially in the general case. Would we need to support giving the --phase flag to delete cluster? With which combination of flags would we want to remove the cluster from the state store?

[h3poteto]

@johngmyers I was expecting something like... For example when I execute kops delete cluster --lifecycle-overrides IAMRoles=Ignore, kops deletes the cluster leaving only IAMRole. More specifically, when that option was specified, kops skips these actions in delete cluster command.

I'm sorry, I don't know about --phase flag. Could you please tell me what the flag specifies?

[johngmyers]

@h3poteto perhaps you could look it up in the documentation?

[h3poteto]

@johanhubens Is this https://kops.sigs.k8s.io/cli/kops_update_cluster/#options ?

--phase string Subset of tasks to run: assets, cluster, network, security

This option is similar I expected.

[h3poteto]

I think that your suggestion

A similar change could be made for Instance Profiles.

is good idea. We can delete Instance Profiles using ownership tags with the same logic as #11497 . If it can be implemented, I think that those options are unnecessary.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[h3poteto]

I think this issue has already been resolved, so we can close this.

[johngmyers]

/close

[k8s-ci-robot]

@johngmyers: Closing this issue.

In response to [this](https://github.com/kubernetes/kops/issues/8823#issuecomment-903421308): >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.