redradrat / aws-iam-operator

AWS IAM Operator for Kubernetes
Apache License 2.0

iam objects deletion issue (ordering required) #18

Closed shivpathak closed 3 years ago

shivpathak commented 3 years ago

Currently IAM objects should be deleted in the following order to get them cleaned up properly in the k8s cluster:

policyattachment
policy
role/user
assumerolepolicy

If we shuffle the above-mentioned object order during deletion, it gets stuck and we have to patch the finalizer and remove the IAM objects (e.g. role/user) manually in the AWS Console.

redradrat commented 3 years ago

@shivpathak I'm not sure what we can do about that on the operator side? Of course we cannot delete a Policy before a PolicyAttachment. But the user has to be aware of that order. Right now the operator should give an error if you try to delete in the wrong order. Is this not the case?

I think the operator should throw an error if you're trying to delete in the wrong order, and once you delete the right object, it should finish deletion.

Here we check for existing Attachments: https://github.com/redradrat/aws-iam-operator/blob/54e6ee578c70905a8312aa20102a25b0fcb04358/controllers/policy_controller.go#L160-L175

Here we fail if there was a "cleanup" error: https://github.com/redradrat/aws-iam-operator/blob/54e6ee578c70905a8312aa20102a25b0fcb04358/controllers/policy_controller.go#L89-L114

So as soon as the PolicyAttachment is gone, the deletion should cascade.

redradrat commented 3 years ago

Oh I see the issue,

the reconcile filter filters out the actual re-runs after failing, due to the generation already being increased. Will move the generation increase to after the reconcile went OK.
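A small Go model of the two behaviours discussed in this thread, added here as an example (it is not the operator's code): the "existing Attachments" guard that makes a wrong-order delete fail, and the generation filter that swallowed the retry when the generation was recorded before cleanup succeeded. The types are constructed in-memory stand-ins, and the filter is simplified to a "last recorded generation" comparison.

```go
package main

import "fmt"

// Constructed in-memory stand-ins for the operator's objects (not the project's types).
type Policy struct {
	Name          string
	Generation    int64 // assumed bumped by the API server when the delete is requested
	ReconciledGen int64 // last generation the controller recorded as handled
	Finalizer     bool  // operator finalizer still present, so the object cannot go away
}
type PolicyAttachment struct{ Name, PolicyName string }

// attachmentsFor is the "existing Attachments" check that blocks policy cleanup.
func attachmentsFor(p *Policy, all []PolicyAttachment) (names []string) {
	for _, a := range all {
		if a.PolicyName == p.Name {
			names = append(names, a.Name)
		}
	}
	return names
}

// shouldReconcile is the generation filter: requests for a generation already
// recorded as handled are dropped, which is what filtered out the re-runs.
func shouldReconcile(p *Policy) bool { return p.Generation > p.ReconciledGen }

// reconcileDelete refuses to drop the finalizer while attachments exist.
// recordGenFirst=true reproduces the bug: the generation is recorded before
// cleanup succeeded, so the retry after the error never gets through the filter.
func reconcileDelete(p *Policy, all []PolicyAttachment, recordGenFirst bool) error {
	if recordGenFirst { p.ReconciledGen = p.Generation }
	if names := attachmentsFor(p, all); len(names) > 0 {
		return fmt.Errorf("policy %s still has attachments: %v", p.Name, names)
	}
	p.Finalizer = false            // AWS cleanup done; the object may now be removed
	p.ReconciledGen = p.Generation // the fix: record the generation only after success
	return nil
}

// DeleteInWrongOrder deletes the policy before its attachment, then the attachment,
// and reports whether the finalizer was eventually removed plus the first error seen.
func DeleteInWrongOrder(recordGenFirst bool) (finalizerRemoved bool, firstErr error) {
	p := &Policy{Name: "p", Generation: 2, Finalizer: true} // delete requested: gen 1 -> 2
	atts := []PolicyAttachment{{Name: "a", PolicyName: "p"}}
	if shouldReconcile(p) { firstErr = reconcileDelete(p, atts, recordGenFirst) } // errors
	atts = nil // the PolicyAttachment is deleted next and the policy is requeued
	if shouldReconcile(p) { _ = reconcileDelete(p, atts, recordGenFirst) }
	return !p.Finalizer, firstErr
}
```

With the buggy ordering the first reconcile errors and the retry is dropped, so the finalizer stays and the object hangs; with the fix the same error is reported once, and deletion cascades as soon as the attachment is gone.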