Back to Resources

Idempotent K8s Operators with Finalizers for Stateful Cleanup

11 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Deletion Fallacy: Why `kubectl delete` Isn't Enough

In the world of cloud-native automation, a Kubernetes Operator's primary role is to extend the Kubernetes API to manage complex, often stateful, applications. A senior engineer building an operator for a custom PostgresCluster resource will quickly implement the creation and update logic. The reconciliation loop will watch the Custom Resource (CR) and ensure the corresponding stateful sets, services, and config maps are in their desired state. The challenge, however, lies not in creation, but in destruction.

When a user executes kubectl delete postgrescluster my-prod-db, the Kubernetes garbage collector is ruthlessly efficient. It will remove the PostgresCluster object and, through owner references, cascade delete all dependent in-cluster objects. But what about the provisioned EBS volumes, the S3 bucket for backups, or the external monitoring dashboard entry? Kubernetes has no knowledge of these external dependencies. The operator's pod, no longer receiving reconciliation events for the deleted CR, is powerless. This leads to orphaned resources, security vulnerabilities, and mounting cloud costs—a production anti-pattern.

This is where the finalizer pattern becomes non-negotiable. A finalizer is a mechanism that blocks the garbage collection of a resource until specific conditions are met. It's a contract between your operator and the API server, transforming a fire-and-forget deletion into a graceful, multi-step teardown process. This article provides a deep dive into implementing a robust, idempotent finalizer-based cleanup mechanism for a stateful operator in Go using controller-runtime.

Anatomy of a Finalizer-Driven Deletion

Before diving into code, it's critical to understand the precise lifecycle of a resource managed with a finalizer. This is not a high-level overview; these are the discrete state transitions your operator's logic must handle.

  • Creation & Finalizer Injection: A user applies a manifest for a Database CR. The operator's reconciliation loop is triggered. Its first action for a new resource is to check for the presence of its specific finalizer string (e.g., db.example.com/finalizer). If absent, the operator adds it to the metadata.finalizers list and issues an Update call to the API server. No external resource is provisioned until the finalizer is successfully persisted on the CR.
  • Deletion Request: A user runs kubectl delete database my-db. The Kubernetes API server receives the request.
  • Admission & State Transition: The API server inspects the object. It sees that the metadata.finalizers list is not empty. Instead of deleting the object from etcd, it sets the metadata.deletionTimestamp field to the current time. The object now exists in a "terminating" state.
  • Reconciliation on Deletion: The operator's reconciliation loop is triggered again for my-db. This time, the controller's first check should be if !db.ObjectMeta.DeletionTimestamp.IsZero(). This condition being true signals that the object is in the process of being deleted and cleanup logic must be executed.
  • External Resource Cleanup: Inside this deletion logic block, the operator performs the out-of-cluster actions: it calls the cloud provider's API to deprovision the database instance, deletes the corresponding backup S3 bucket, and removes the entry from a configuration service. This logic must be idempotent.
  • Finalizer Removal: Only after the operator has verified that all external resources have been successfully cleaned up does it remove its finalizer string from the metadata.finalizers list and issues a final Update call to the API server.
  • Garbage Collection: The API server receives the update. It sees an object with a non-nil deletionTimestamp and an now-empty finalizers list. The contract has been fulfilled. The API server now proceeds with the final deletion of the object from etcd.

    • This sequence ensures that your operator retains control over the resource for as long as it needs to perform a graceful shutdown, preventing orphaned infrastructure.

    Production-Grade Implementation with `controller-runtime`

    Let's implement this for a hypothetical ExternalDatabase operator. We'll assume this CR manages a database instance on a fictional cloud provider, ExternalDBaaS.

    First, our primary reconciliation function in externaldatabase_controller.go.

    go
    package controllers

import (
	"context"
	"time"

	"github.com/go-logr/logr"
	kerrors "k8s.io/apimachinery/pkg/api/errors"
	"k8s.io/apimachinery/pkg/runtime"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
	"sigs.k8s.io/controller-runtime/pkg/log"

	dbv1alpha1 "github.com/your-org/external-db-operator/api/v1alpha1"
)

const externalDBFinalizer = "db.example.com/finalizer"

// ExternalDatabaseReconciler reconciles a ExternalDatabase object
type ExternalDatabaseReconciler struct {
	client.Client
	Scheme            *runtime.Scheme
	ExternalDBService ExternalDBaaSClient // Interface to our external service
}

func (r *ExternalDatabaseReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	logger := log.FromContext(ctx)

	// 1. Fetch the ExternalDatabase instance
	db := &dbv1alpha1.ExternalDatabase{}
	if err := r.Get(ctx, req.NamespacedName, db); err != nil {
		if kerrors.IsNotFound(err) {
			// Object was deleted, nothing to do. This happens after our finalizer is removed.
			logger.Info("ExternalDatabase resource not found. Ignoring since object must be deleted.")
			return ctrl.Result{}, nil
		}
		logger.Error(err, "Failed to get ExternalDatabase")
		return ctrl.Result{}, err
	}

	// 2. The core finalizer logic
	if !db.ObjectMeta.DeletionTimestamp.IsZero() {
		// The object is being deleted
		return r.reconcileDelete(ctx, db, logger)
	} else {
		// The object is not being deleted, so we ensure our finalizer is present.
		if err := r.ensureFinalizer(ctx, db, logger); err != nil {
			return ctrl.Result{}, err
		}
	}

	// 3. Main reconciliation logic for creation/updates
	return r.reconcileNormal(ctx, db, logger)
}

// ... SetupWithManager function ...

    The Reconcile function is now purely a dispatcher. It fetches the object and, based on the DeletionTimestamp, decides whether to enter the deletion workflow (reconcileDelete) or the standard creation/update workflow (reconcileNormal).

    The Finalizer Management Logic

    Let's look at ensureFinalizer and reconcileDelete.

    go
    func (r *ExternalDatabaseReconciler) ensureFinalizer(ctx context.Context, db *dbv1alpha1.ExternalDatabase, logger logr.Logger) error {
	if !controllerutil.ContainsFinalizer(db, externalDBFinalizer) {
		logger.Info("Adding finalizer for ExternalDatabase")
		controllerutil.AddFinalizer(db, externalDBFinalizer)
		if err := r.Update(ctx, db); err != nil {
			logger.Error(err, "Failed to add finalizer")
			return err
		}
	}
	return nil
}

func (r *ExternalDatabaseReconciler) reconcileDelete(ctx context.Context, db *dbv1alpha1.ExternalDatabase, logger logr.Logger) (ctrl.Result, error) {
	if controllerutil.ContainsFinalizer(db, externalDBFinalizer) {
		// Our finalizer is present, so let's handle external dependency cleanup.
		logger.Info("Starting external database cleanup")

		if err := r.ExternalDBService.DeleteDatabase(ctx, db.Status.DBInstanceID); err != nil {
			// This is a critical edge case. If the deletion fails, we MUST NOT remove the finalizer.
			// We return an error to trigger a requeue, so we can retry the cleanup.
			logger.Error(err, "Failed to delete external database instance", "InstanceID", db.Status.DBInstanceID)
			// Here you would update the CR status to reflect the deletion failure.
			// r.setCondition(db, "Deleting", metav1.ConditionFalse, "DeletionFailed", err.Error())
			// if err := r.Status().Update(ctx, db); err != nil { ... }
			return ctrl.Result{}, err
		}

		logger.Info("External database cleanup successful")

		// Once the external dependency is gone, we can remove the finalizer.
		controllerutil.RemoveFinalizer(db, externalDBFinalizer)
		if err := r.Update(ctx, db); err != nil {
			logger.Error(err, "Failed to remove finalizer")
			return ctrl.Result{}, err
		}
	}

	// Stop reconciliation as the item is being deleted
	return ctrl.Result{}, nil
}

    This implementation covers the happy path but also the most important failure mode: if DeleteDatabase fails, we return an error. The controller-runtime manager will catch this error and requeue the request, causing our reconcileDelete to be called again after a backoff period. The finalizer remains, the CR is not deleted, and we have another chance to perform the cleanup.

    Advanced Edge Cases and Idempotency in Deletion

    Production systems are defined by how they handle failure. A simple DeleteDatabase call is insufficient. What happens if the operator pod crashes right after the API call succeeds but before r.Update(ctx, db) removes the finalizer?

    Upon restart, the operator will receive a reconciliation event for the same CR, which is still in a terminating state. It will call reconcileDelete again. Our current implementation would call r.ExternalDBService.DeleteDatabase a second time on an already-deleted resource. This might return a NotFound error, which our code would incorrectly interpret as a failure, preventing the finalizer from ever being removed. This is a "stuck finalizer" scenario.

    The deletion logic must be idempotent.

    Let's refine reconcileDelete:

    go
    func (r *ExternalDatabaseReconciler) reconcileDelete(ctx context.Context, db *dbv1alpha1.ExternalDatabase, logger logr.Logger) (ctrl.Result, error) {
	if !controllerutil.ContainsFinalizer(db, externalDBFinalizer) {
		return ctrl.Result{}, nil // Finalizer already gone, nothing to do.
	}

	logger.Info("Reconciling deletion for external database", "InstanceID", db.Status.DBInstanceID)

	// It's possible the DBInstanceID is not set if the resource creation never completed.
	if db.Status.DBInstanceID == "" {
		logger.Info("External database was never provisioned. Removing finalizer.")
		controllerutil.RemoveFinalizer(db, externalDBFinalizer)
		return ctrl.Result{}, r.Update(ctx, db)
	}

	// Check the status of the external resource.
	status, err := r.ExternalDBService.GetDatabaseStatus(ctx, db.Status.DBInstanceID)
	if err != nil {
		if IsNotFound(err) { // Assuming IsNotFound is a helper for your cloud API client
			// The resource is already gone. This is a success state for cleanup.
			logger.Info("External database already deleted. Removing finalizer.")
			controllerutil.RemoveFinalizer(db, externalDBFinalizer)
			return ctrl.Result{}, r.Update(ctx, db)
		}
		// Any other error means we can't verify the state, so we must retry.
		logger.Error(err, "Failed to get external database status during deletion")
		return ctrl.Result{}, err
	}

	// If the resource is still present, attempt deletion.
	if status != "DELETING" && status != "DELETED" {
		logger.Info("Issuing deletion request for external database")
		if err := r.ExternalDBService.DeleteDatabase(ctx, db.Status.DBInstanceID); err != nil {
			// Check for specific race conditions, e.g., if another process just deleted it.
			if IsNotFound(err) {
				logger.Info("External database was deleted by another process during reconciliation. Removing finalizer.")
				controllerutil.RemoveFinalizer(db, externalDBFinalizer)
				return ctrl.Result{}, r.Update(ctx, db)
			}
			logger.Error(err, "Failed to delete external database instance")
			return ctrl.Result{}, err
		}
		// Deletion initiated, but may be async. Requeue to check status later.
		logger.Info("External database deletion initiated. Requeuing to verify.")
		return ctrl.Result{RequeueAfter: 30 * time.Second}, nil
	}

	// If status is DELETING, we just wait. Requeue to check again later.
	if status == "DELETING" {
		logger.Info("External database is still being deleted. Requeuing.")
		return ctrl.Result{RequeueAfter: 30 * time.Second}, nil
	}

	// If we reach here, status is DELETED. The job is done.
	logger.Info("Verified external database is deleted. Removing finalizer.")
	controllerutil.RemoveFinalizer(db, externalDBFinalizer)
	return ctrl.Result{}, r.Update(ctx, db)
}

    This revised logic is far more robust:

  • Handles Pre-Provisioning Deletion: If the CR is deleted before the external database ID is ever stored in its status, it correctly identifies that there's nothing to clean up.
  • Checks State Before Acting: It first calls GetDatabaseStatus. If the resource is already gone, it considers the cleanup a success. This solves the operator crash scenario.
  • Manages Asynchronous Deletion: Many cloud APIs initiate a long-running deletion task. The DeleteDatabase call might return 202 Accepted immediately. Our logic now handles the DELETING state by requeueing with a delay, polling for the final DELETED state rather than assuming synchronous completion.
  • Handles Race Conditions: It explicitly checks for NotFound errors even after a Get succeeded moments before, guarding against external deletion processes.

    • Performance and Requeue Strategies

    The default exponential backoff provided by controller-runtime when you return ctrl.Result{}, err is excellent for transient Kubernetes API errors. However, for external service failures, you may want more control.

    Consider an external API that is down for maintenance. The default backoff might retry every 1s, 2s, 4s, ..., up to a cap (e.g., 5 minutes). This can still generate significant error logs and API pressure. A better strategy is to use a controlled requeue with a custom, longer delay.

    go
    // Inside reconcileDelete, when a call to ExternalDBService fails

if IsRateLimitingError(err) || IsServiceUnavailableError(err) {
    logger.Warn("External service is unavailable or rate limiting. Retrying in 5 minutes.")
    // By returning a nil error, we tell controller-runtime the reconciliation was "successful" for now,
    // and we are taking control of the requeue schedule.
    return ctrl.Result{RequeueAfter: 5 * time.Minute}, nil
}

// For other, potentially recoverable errors, use the default backoff.
logger.Error(err, "An unexpected error occurred during cleanup")
return ctrl.Result{}, err

    This pattern distinguishes between different classes of errors:

    * Transient, retriable errors (e.g., network blip): Use return ctrl.Result{}, err for default exponential backoff.

    * Known long-term outages or rate limits: Use return ctrl.Result{RequeueAfter: ...}, nil to schedule a requeue far in the future, reducing pressure on both the operator and the external service.

    * Non-retriable errors (e.g., invalid credentials): Log the error, update the CR's status with a terminal condition, and return ctrl.Result{}, nil to stop retrying. This requires manual intervention and should trigger a monitoring alert.

    Benchmarking and Monitoring

    In a production environment, you must monitor for stuck finalizers. A simple Prometheus query can achieve this:

    promql
    # Alert if any CR has been in a terminating state for over 30 minutes.
sum(kube_customresource_metadata_deletion_timestamp) by (namespace, customresource) > 0 and (time() - kube_customresource_metadata_deletion_timestamp > 1800)

    This alert is a critical safety net. It signals that your operator's cleanup logic is failing persistently and requires human investigation. When a stuck finalizer is found, the first step is to check the operator's logs for the specific CR to understand why the cleanup is failing. In a true emergency where the operator is buggy and cannot be fixed quickly, an administrator can manually remove the finalizer:

    bash
    kubectl patch externaldatabase my-db --type='json' -p='[{"op": "remove", "path": "/metadata/finalizers"}]'

    This is a break-glass procedure. It will cause the external resource to be orphaned and should only be used when the cost of the Kubernetes object being stuck is higher than the cost of the orphaned resource.

    Conclusion: Beyond Automation to Reliability

    Implementing an operator that can create resources is the entry point to Kubernetes automation. The mark of a production-grade, senior-level operator implementation is its ability to destroy resources with the same reliability and state awareness.

    The finalizer pattern is the cornerstone of this capability. It's not merely a feature; it's an architectural commitment to managing the full lifecycle of external dependencies. By building idempotent deletion logic, handling asynchronous cloud provider operations, and implementing intelligent requeue strategies, you elevate your operator from a simple script to a truly robust and resilient piece of cloud-native infrastructure. The patterns discussed here—state checking before action, graceful handling of NotFound states, and distinguishing between error types for requeueing—are essential for any engineer building operators that manage critical, stateful services.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles