Back to Resources

Kubernetes Finalizers: Graceful Deletion for Stateful Operators

11 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Deletion Fallacy in Stateless vs. Stateful Systems

In a stateless world, deletion is a trivial fire-and-forget operation. When a Deployment's ReplicaSet is deleted, Kubernetes simply terminates the associated Pods. The garbage collector is ruthlessly efficient. But for stateful systems managed by an operator—databases, message queues, distributed caches—this default behavior is a liability. A kubectl delete mydatabase db-instance command could trigger a cascade that terminates pods before a final backup is taken, de-provisions a cloud disk before its data is migrated, or leaves orphaned DNS entries pointing to a non-existent service.

This is where the Kubernetes control plane provides a powerful, yet often misunderstood, mechanism: Finalizers. A finalizer is a namespaced key that tells the Kubernetes API server to block the garbage collection of an object until specific pre-delete conditions are met. It's a hook that allows your operator to intercept a deletion request, perform complex cleanup logic, and only then permit the object's removal.

This article is not an introduction to operators. It assumes you are comfortable with Custom Resource Definitions (CRDs), the controller pattern, and the basics of the controller-runtime library in Go. We will focus exclusively on the advanced implementation patterns for using finalizers to build production-ready, resilient stateful operators.

The Deletion Lifecycle: DeletionTimestamp and the Reconciliation Loop

When a user executes kubectl delete, the API server doesn't immediately remove the object. Instead, it performs two crucial actions:

  • It sets the metadata.deletionTimestamp field on the object to the current time.
  • It checks the metadata.finalizers array. If this array is not empty, the object is placed in a Terminating state and is not deleted.

    • The presence of the deletionTimestamp is the signal to your controller that the object is on its way out. Your reconciliation loop, which was previously focused on converging the current state to the desired state, must now switch its objective to executing pre-delete cleanup tasks.

    Your Reconcile function's primary entry point must therefore contain this fundamental branching logic:

    go
    import (
	"context"
	"time"

	"github.com/go-logr/logr"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/runtime"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

	dbV1alpha1 "your/project/api/v1alpha1"
)

// PostgreSQLInstanceReconciler reconciles a PostgreSQLInstance object
type PostgreSQLInstanceReconciler struct {
	client.Client
	Log    logr.Logger
	Scheme *runtime.Scheme
}

const myFinalizerName = "db.example.com/finalizer"

func (r *PostgreSQLInstanceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	log := r.Log.WithValues("postgresqlinstance", req.NamespacedName)

	// 1. Fetch the PostgreSQLInstance instance
	instance := &dbV1alpha1.PostgreSQLInstance{}
	err := r.Get(ctx, req.NamespacedName, instance)
	// Handle not found errors, which are expected after final deletion.
	// ...

	// 2. The Core Finalizer Logic
	if instance.ObjectMeta.DeletionTimestamp.IsZero() {
		// The object is NOT being deleted, so we add our finalizer if it doesn't exist.
		if !controllerutil.ContainsFinalizer(instance, myFinalizerName) {
			controllerutil.AddFinalizer(instance, myFinalizerName)
			if err := r.Update(ctx, instance); err != nil {
				return ctrl.Result{}, err
			}
		}
		// This is where you'd put your normal reconciliation logic (create Deployments, Services, etc.)
		// ...

	} else {
		// The object IS being deleted
		if controllerutil.ContainsFinalizer(instance, myFinalizerName) {
			// Our finalizer is present, so we must run our cleanup logic.
			if err := r.handleFinalizer(ctx, instance); err != nil {
				// If the cleanup logic fails, we return an error to requeue the request.
				// This ensures we retry the cleanup until it succeeds.
				return ctrl.Result{}, err
			}

			// Cleanup was successful. Remove the finalizer to allow deletion.
			controllerutil.RemoveFinalizer(instance, myFinalizerName)
			if err := r.Update(ctx, instance); err != nil {
				return ctrl.Result{}, err
			}
		}
		// Stop reconciliation as the item is being deleted
		return ctrl.Result{}, nil
	}

	return ctrl.Result{}, nil
}

    This structure is the bedrock of robust finalizer implementation. The key takeaways are:

    Add Finalizer Early: The finalizer is added during the first* successful reconciliation of a new object. This ensures it's present before any deletion can be requested.

    * Deletion is a State: The DeletionTimestamp transforms the object's state, changing the goal of the reconciliation loop from creation/update to cleanup.

    * Failure is Requeued: If your handleFinalizer function returns an error, the request is requeued. The finalizer is not removed. This is the safety mechanism that prevents resource orphaning. The object will remain in the Terminating state until the cleanup logic succeeds.

    Production Scenario: A Managed Database Operator

    Let's apply this to a tangible example: an operator that manages PostgreSQLInstance custom resources. When a PostgreSQLInstance is deleted, we must perform two critical actions:

    • Trigger a final backup of the database to an external object store (e.g., AWS S3).
  • Delete an associated DNS record in an external service (e.g., AWS Route 53) that pointed to the database Service.

    • Our handleFinalizer function orchestrates this process.

    Step 1: Triggering a Kubernetes Job for Backup

    Long-running tasks like database dumps should not be executed within the operator's process. This can block the reconciliation of other resources. The canonical Kubernetes pattern is to offload this work to a Job.

    Our handleFinalizer function will first check if the backup job has already been created and completed. This idempotency is crucial, as the reconciliation loop may run multiple times.

    go
    // In PostgreSQLInstanceReconciler
func (r *PostgreSQLInstanceReconciler) handleFinalizer(ctx context.Context, instance *dbV1alpha1.PostgreSQLInstance) error {
	log := r.Log.WithValues("postgresqlinstance", instance.NamespacedName)

	// --- Part 1: Final Backup --- 
	log.Info("Starting finalizer logic: performing final backup.")

	// Use a consistent naming convention for the backup job
	backupJobName := instance.Name + "-final-backup"
	backupJob := &batchv1.Job{}

	err := r.Get(ctx, client.ObjectKey{Name: backupJobName, Namespace: instance.Namespace}, backupJob)
	if err != nil {
		if apierrors.IsNotFound(err) {
			log.Info("Backup job not found, creating a new one.")
			// Define the backup Job spec
			newJob := r.defineBackupJob(instance, backupJobName)
			if err := r.Create(ctx, newJob); err != nil {
				log.Error(err, "Failed to create final backup job")
				return err // Requeue
			}
			// Job created, requeue to check its status later
			return fmt.Errorf("backup job created, waiting for completion")
		} else {
			log.Error(err, "Failed to get backup job")
			return err // Requeue
		}
	}

	// Check job status
	if !isJobFinished(backupJob) {
		log.Info("Backup job is still running.")
		return fmt.Errorf("backup job in progress") // Requeue
	}

	if backupJob.Status.Succeeded == 0 {
		// The job failed. This is a critical error.
		log.Error(fmt.Errorf("backup job failed"), "Final backup failed. Manual intervention may be required.")
		// We return an error to keep the finalizer and prevent deletion.
		// An administrator must investigate the failed Job logs.
		return fmt.Errorf("final backup job %s failed", backupJobName)
	}

	log.Info("Final backup job completed successfully.")

	// --- Part 2: Delete External DNS Record --- 
	// (Implementation in next section)

	return nil
}

func isJobFinished(job *batchv1.Job) bool {
	for _, c := range job.Status.Conditions {
		if (c.Type == batchv1.JobComplete || c.Type == batchv1.JobFailed) && c.Status == corev1.ConditionTrue {
			return true
		}
	}
	return false
}

// defineBackupJob is a helper to create the Job object
func (r *PostgreSQLInstanceReconciler) defineBackupJob(instance *dbV1alpha1.PostgreSQLInstance, jobName string) *batchv1.Job {
	// ... implementation to define a Job that runs a container with pg_dump
	// and uploads to S3. It must use environment variables or a ConfigMap
	// to get database credentials, S3 bucket details, etc.
	// This is highly specific to your environment.
	return &batchv1.Job{
		// ... Job Spec
	}
}

    Notice the error handling strategy. We don't just return a generic error. We return a specific error message fmt.Errorf("backup job in progress") which, while causing a requeue, also signals intent. If the job fails, we return a permanent-style error. The object will be stuck in Terminating until an operator manually fixes the underlying issue (e.g., S3 credentials) and perhaps deletes the failed Job so the reconciler can try again.

    Step 2: Managing External, Non-Kubernetes Resources

    Our second task is to delete a DNS record. This involves interacting with an external API (AWS SDK, Google Cloud SDK, etc.). This logic must also be idempotent.

    go
    // In PostgreSQLInstanceReconciler, continuing handleFinalizer...
func (r *PostgreSQLInstanceReconciler) handleFinalizer(ctx context.Context, instance *dbV1alpha1.PostgreSQLInstance) error {
    // ... (Backup job logic from above) ...
    log.Info("Final backup job completed successfully.")

    // --- Part 2: Delete External DNS Record ---
    log.Info("Starting DNS record deletion.")

    // Assume we have a DNS client initialized in our Reconciler struct
    // dnsClient := r.DNSClient

    // The hostname would be stored in the CR's spec or status
    hostnameToDelete := instance.Spec.Hostname
    if hostnameToDelete == "" {
        log.Info("No hostname specified, skipping DNS deletion.")
    } else {
        err := dnsClient.DeleteRecord(ctx, hostnameToDelete)
        if err != nil {
            // Idempotency Check: If the error indicates the record is already gone,
            // we can consider it a success.
            if isDnsRecordNotFound(err) {
                log.Info("DNS record already deleted.")
            } else {
                // Any other error (e.g., API credentials, throttling) should cause a requeue.
                log.Error(err, "Failed to delete DNS record", "hostname", hostnameToDelete)
                return err
            }
        }
    }

    log.Info("Successfully cleaned up all external resources.")
    return nil // Success! The finalizer can now be removed.
}

// isDnsRecordNotFound is a placeholder for your DNS provider's specific error check.
func isDnsRecordNotFound(err error) bool {
    // For AWS Route 53, you might check for a specific error code like "InvalidChangeBatch"
    // with a message containing "Tried to delete resource record set... but it was not found".
    return strings.Contains(err.Error(), "not found")
}

    The most critical part here is isDnsRecordNotFound. If the reconciler runs, successfully deletes the DNS record, but then fails before it can remove the finalizer (e.g., the operator pod crashes), the next reconciliation attempt will try to delete the DNS record again. The external API will return an error stating the record doesn't exist. Your code must correctly interpret this "not found" error as a success condition for the cleanup step, rather than a failure that would cause an infinite requeue loop.

    Advanced Edge Cases and Production Considerations

    The "Stuck in Terminating" Problem

    This is the most common issue seen with finalizers. An object remains in the Terminating state indefinitely. This is not a bug; it's a feature indicating that your cleanup logic is consistently failing.

    Debugging Steps:

  • Check Operator Logs: The operator logs for that specific resource (log.WithValues("postgresqlinstance", req.NamespacedName)) are your primary source of truth. They will contain the error that is causing the handleFinalizer function to fail and requeue.
  • Inspect Dependent Objects: Check the state of the backup Job. Run kubectl describe job and kubectl logs for the job's pod to see why it failed.
  • Check External Systems: Are the S3 credentials valid? Is the IAM role for the operator correct? Can the operator pod reach the Route 53 API endpoint?

    • Forced Removal (The Last Resort):

    If the external system is permanently gone or the cleanup logic has a bug that cannot be fixed immediately, a cluster administrator can manually remove the finalizer:

    bash
    kubectl patch postgresqlinstance <instance-name> -p '{"metadata":{"finalizers":[]}}' --type=merge

    WARNING: This is a destructive operation. It bypasses your operator's safety checks. Executing this will cause the Kubernetes garbage collector to immediately delete the object, potentially orphaning any external resources your operator was supposed to clean up.

    Idempotency is Non-Negotiable

    We've touched on this, but it cannot be overstated. Every step within your handleFinalizer function must be safely repeatable. Always check for the existence of a resource before creating it, and always handle "not found" errors gracefully when deleting resources.

    * Creating a Job: Check if a job with the expected name already exists.

    * Deleting a Cloud Resource: Your deletion function must not fail if the resource is already gone.

    * Updating a Database: Any cleanup queries should be written in a way that running them twice has the same effect as running them once.

    Multiple Finalizers

    Kubernetes objects can have multiple finalizers, often managed by different controllers. For example, a storage provisioner might add a finalizer to a PersistentVolumeClaim to clean up a cloud disk, while your backup operator adds another to snapshot it.

    When kubectl delete is called, the DeletionTimestamp is set. Each controller will see this and run its own finalizer logic. Controller A will run its cleanup and remove finalizer-A. The object remains in Terminating because finalizer-B is still present. Only when Controller B finishes its work and removes finalizer-B will the finalizers array become empty, allowing garbage collection to proceed. This is a cooperative, ordered shutdown mechanism.

    Conclusion

    Finalizers are not just an optional feature; they are the essential mechanism for building operators that can safely manage the lifecycle of stateful applications and their external dependencies. By correctly leveraging the DeletionTimestamp and implementing robust, idempotent cleanup logic, you transform your operator from a simple resource provisioner into a true production-grade system administrator.

    Remember the core principles:

  • Branch your reconciliation logic: Is DeletionTimestamp zero or non-zero?
  • Offload long-running tasks: Use Jobs for tasks like backups or data migrations.
  • Embrace idempotency: Your cleanup logic will be executed multiple times. Design for it.
  • Treat Terminating as a signal: A stuck object is a symptom of a failing dependency. Use your operator's logs to diagnose the root cause.

    • By mastering these patterns, you can provide users of your operator with a safe, reliable, and predictable experience, preventing the data loss and resource leaks that are all too common when stateful workloads are managed without a deep understanding of the Kubernetes deletion lifecycle.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles