Enforce deletion of resources via RL CR

[rflorenc]

I have been testing the resource-locker-operator with the end goal of locking/patching resources feed in by ArgoCD in a GitOps scenario. One use case that comes to mind is the possibility to also delete resources which are not owned by Argo/Helm applications, like for example APIServer or Node resources.

This could be done via a new action field in the RL CR spec, which could then perform the delete operation on the resource. Example:

apiVersion: redhatcop.redhat.io/v1alpha1
kind: ResourceLocker
metadata:
  name: APIServer
spec:
  resources:
    - apiVersion: v1
      kind: Secret
      name: kubeadmin
      namespace: kube-system
      action: delete
  serviceAccount:
    name: my-admin

End result being the secret being deleted and enforce deleted by the RLO. Would this be something that could be added as a feature to the RLO?

[raffaelespazzoli]

It seems to me that this feature would break the fully declarative approach to managing configuration moving towards an imperative model. In general the rule is that if you don't want an object, you should not create it. Can you make a realistic example where this would be useful?