返回资源列表

Kubernetes Finalizers: Guaranteed Stateful Resource Teardown

13 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Achilles' Heel of Simple Controllers: Orphaned Resources

As a senior engineer building on Kubernetes, you've likely moved past simple stateless deployments and are now tasked with creating operators to manage complex, stateful applications. A common pattern is to define a Custom Resource (CR) that represents an external resource—an S3 bucket, a CloudSQL database, a DNS record in Route 53, or even a user in a third-party API.

The naive implementation of a controller for such a CR might handle creation and updates within its Reconcile loop. But what about deletion? A common mistake is to rely on a Delete event from a watch. This approach is fundamentally flawed and brittle. If your controller is down or disconnected from the API server when a user runs kubectl delete my-cr, it will miss the event entirely. The Kubernetes object is removed from etcd, but the external resource it managed is now orphaned, leading to resource leaks, security vulnerabilities, and unexpected cloud bills.

This is the exact problem that Kubernetes Finalizers are designed to solve. A finalizer is a metadata key that tells the Kubernetes API server to block the physical deletion of a resource until a specific controller has signaled that it has completed its cleanup tasks. It transforms deletion from a fire-and-forget action into a robust, two-phase, and observable process.

This article is not an introduction. It assumes you are familiar with Go, the operator pattern, and the basics of controller-runtime. We will dive directly into the production-grade implementation patterns, edge cases, and performance considerations of using finalizers to build resilient controllers.

The Two-Phase Deletion Mechanism Explained

Understanding the mechanics of how finalizers interact with the API server is critical. When a finalizer is present on an object, the standard DELETE request is fundamentally altered.

Without a Finalizer (Standard Deletion):

  • A client (e.g., kubectl) sends a DELETE request for an object.
    • The API server performs validation and admission control.
    • The object is immediately removed from etcd.
  • The API server sends a DELETED event to all watching clients.

    • With a Finalizer (Two-Phase Deletion):

  • A client sends a DELETE request for an object that has a non-empty metadata.finalizers array.
  • The API server sees the finalizer. Instead of deleting the object, it performs an update, setting the metadata.deletionTimestamp field to the current time.
  • The object is now in a terminating state. It is still present in etcd and visible via GET requests, but it cannot be updated (except for its metadata and status fields) and will not appear in most LIST requests unless explicitly requested.
  • The API server sends a MODIFIED event, not a DELETED one. This is a crucial distinction. Your controller's Reconcile loop is triggered for what appears to be a standard update.
  • Inside the Reconcile loop, your controller's logic must now detect that deletionTimestamp is non-nil. This is the signal to begin cleanup.
    • The controller performs its external cleanup logic (e.g., deleting the S3 bucket).
  • Upon successful and verified cleanup, the controller must remove its finalizer from the metadata.finalizers array and issue an UPDATE request for the CR.
  • The Kubernetes garbage collector, observing that the object has a deletionTimestamp and an empty finalizers array, now proceeds with the final step: physically removing the object from etcd.

    • This mechanism provides the guarantee we need. If the controller is down, the object simply remains in the Terminating state with its deletionTimestamp set. When the controller starts up again, it will receive a MODIFIED event for the object during its initial cache sync and will correctly execute its cleanup logic.

    Production Implementation with `controller-runtime`

    Let's build a controller for a Database CRD that manages a logical database within an external database server. We'll focus exclusively on the finalizer logic.

    Our CRD (database.my.domain_v1alpha1_database.yaml):

    yaml
    apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: databases.database.my.domain
spec:
  group: database.my.domain
  names:
    kind: Database
    listKind: DatabaseList
    plural: databases
    singular: database
  scope: Namespaced
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                dbName:
                  type: string
                owner:
                  type: string
            status:
              type: object
              properties:
                state:
                  type: string
                message:
                  type: string

    The Reconciler Core Logic

    We'll use kubebuilder or operator-sdk to scaffold our project. The heart of our implementation lies within the Reconcile function.

    go
    package controllers

import (
	"context"
	"time"

	"k8s.io/apimachinery/pkg/runtime"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
	"sigs.k8s.io/controller-runtime/pkg/log"

	databasev1alpha1 "my.domain/database-operator/api/v1alpha1"
)

// A mock external client for demonstration purposes.
// In a real implementation, this would interact with a real database API.
type ExternalDBClient struct{}

func (c *ExternalDBClient) DeleteDatabase(dbName string) error {
	// Idempotent deletion logic here
	// e.g., connect to DB server and run `DROP DATABASE IF EXISTS ...`
	return nil
}

func (c *ExternalDBClient) CreateDatabase(dbName, owner string) error {
	// Idempotent creation logic here
	// e.g., `CREATE DATABASE ...`
	return nil
}

// DatabaseReconciler reconciles a Database object
type DatabaseReconciler struct {
	client.Client
	Scheme          *runtime.Scheme
	ExternalDBAdmin *ExternalDBClient // Our client for the external service
}

// The finalizer name must be unique, typically using a domain-prefixed format.
const databaseFinalizer = "database.my.domain/finalizer"

func (r *DatabaseReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	logger := log.FromContext(ctx)

	// 1. Fetch the Database instance
	instance := &databasev1alpha1.Database{}
	if err := r.Get(ctx, req.NamespacedName, instance); err != nil {
		// We'll ignore not-found errors, since they can't be fixed by an immediate
		// requeue (we'll need to wait for a new notification). Other errors might be
		// transient, so we'll requeue.
		return ctrl.Result{}, client.IgnoreNotFound(err)
	}

	// 2. The Finalizer Gate: examine DeletionTimestamp
	if instance.ObjectMeta.DeletionTimestamp.IsZero() {
		// The object is NOT being deleted. 
        // Ensure our finalizer is present.
		if !controllerutil.ContainsFinalizer(instance, databaseFinalizer) {
			logger.Info("Adding Finalizer for Database")
			controllerutil.AddFinalizer(instance, databaseFinalizer)
			if err := r.Update(ctx, instance); err != nil {
				logger.Error(err, "Failed to add finalizer to Database")
				return ctrl.Result{}, err
			}
		}
	} else {
		// The object IS being deleted.
		if controllerutil.ContainsFinalizer(instance, databaseFinalizer) {
			logger.Info("Executing finalizer logic for Database")

			// Execute our external resource cleanup.
			if err := r.ExternalDBAdmin.DeleteDatabase(instance.Spec.DbName); err != nil {
				// If cleanup fails, we don't remove the finalizer. 
                // The reconciliation will be retried with exponential backoff.
				logger.Error(err, "Failed to delete external database")
				// You might want to update the status to reflect the error state.
				return ctrl.Result{}, err
			}

			// Cleanup was successful. Remove the finalizer.
			logger.Info("External database deleted. Removing finalizer.")
			controllerutil.RemoveFinalizer(instance, databaseFinalizer)
			if err := r.Update(ctx, instance); err != nil {
				logger.Error(err, "Failed to remove finalizer from Database")
				return ctrl.Result{}, err
			}
		}

		// Stop reconciliation as the item is being deleted.
		return ctrl.Result{}, nil
	}

	// 3. Main Reconciliation Logic (Create/Update)
	// This part of the code is only reached if the object is not being deleted.
	logger.Info("Reconciling Database creation/update")
	if err := r.ExternalDBAdmin.CreateDatabase(instance.Spec.DbName, instance.Spec.Owner); err != nil {
		logger.Error(err, "Failed to create/update external database")
		// Update status with error info
		instance.Status.State = "Error"
		instance.Status.Message = err.Error()
		if statusErr := r.Status().Update(ctx, instance); statusErr != nil {
			logger.Error(statusErr, "Failed to update Database status")
		}
		return ctrl.Result{}, err
	}

	// Update status to reflect success
	instance.Status.State = "Ready"
	instance.Status.Message = "Database provisioned successfully"
	if err := r.Status().Update(ctx, instance); err != nil {
		logger.Error(err, "Failed to update Database status")
		return ctrl.Result{}, err
	}

	return ctrl.Result{}, nil
}

// SetupWithManager sets up the controller with the Manager.
func (r *DatabaseReconciler) SetupWithManager(mgr ctrl.Manager) error {
	return ctrl.NewControllerManagedBy(mgr).
		For(&databasev1alpha1.Database{}).
		Complete(r)
}

    Analysis of the Implementation

  • Finalizer Registration: The first action for any new or updated object is to check for and add our finalizer. This is idempotent. If the finalizer is already there, ContainsFinalizer prevents an unnecessary Update call. This registration step ensures that from the moment our controller acknowledges the resource, it is protected from orphaned deletion.
  • Deletion Path: The else block (where DeletionTimestamp is non-zero) is the core of the teardown logic. We verify our finalizer is still present before acting. This is a safeguard in scenarios with multiple controllers and finalizers.
  • Error Handling during Deletion: This is the most critical aspect. If DeleteDatabase returns an error, we do not remove the finalizer. We return the error to the controller-runtime manager. The manager's default rate-limiting queue will then retry the reconciliation for this object with an exponential backoff. This prevents a tight loop of failed API calls and gives the external system (and our controller) time to recover.
  • Successful Deletion: Only after the external resource is confirmed to be gone do we remove the finalizer. The subsequent Update call signals to the API server that our controller's responsibilities are fulfilled, allowing the garbage collector to complete the deletion.

    • Advanced Scenarios and Production Hardening

    Real-world systems are messy. A simple success/fail path isn't enough. Let's explore common edge cases.

    Edge Case 1: The Stuck `Terminating` Resource

    Problem: The external deletion API is permanently broken, or a bug in your controller prevents the cleanup logic from ever succeeding. The object is now stuck in the Terminating state indefinitely because the finalizer can never be removed.

    Analysis: This is, in some ways, a feature, not a bug. It prevents data loss or resource orphaning by default, forcing an operator to intervene. The stuck object is a clear signal that something is wrong.

    Mitigation & Resolution:

  • Robust Status Updates: Your controller should update the CR's status subresource with detailed error messages during failed finalizer execution. This makes debugging far easier for users (kubectl describe database my-db).
  • Metrics and Alerting: Expose Prometheus metrics from your controller, such as reconciliation_errors_total and finalizer_execution_failures_total, with labels for the resource name/namespace. Set up alerting for resources that fail reconciliation repeatedly.
  • Manual Intervention (The Last Resort): An administrator with sufficient permissions can forcefully remove the finalizer. This is a dangerous operation that should only be performed when the operator is certain the external resource has been manually cleaned up.
    • bash
        # DANGER: This will orphan the external resource if it still exists.
    kubectl patch database my-db -n my-namespace --type json -p='[{"op": "remove", "path": "/metadata/finalizers"}]'

    Edge Case 2: Idempotency is Non-Negotiable

    Problem: Your Reconcile function might be called multiple times for the same deletion event due to transient errors, controller restarts, or etcd rollbacks. If your cleanup logic is not idempotent, you can run into serious problems.

    Example of a non-idempotent action: Trying to DROP DATABASE my_db when it has already been dropped. The second call will fail, causing the controller to return an error and get stuck in a retry loop, even though the desired state (no database) has been achieved.

    Solution: Your external interaction logic must be idempotent.

    * For Deletion: Check if the resource exists before attempting to delete it. Most cloud SDKs provide a NotFound or similar error type that you can check for. If you receive a NotFound error during deletion, you can treat it as a success.

    go
        // Improved deletion logic
    if err := r.ExternalDBAdmin.DeleteDatabase(instance.Spec.DbName); err != nil {
        // Check if the error is because the resource is already gone.
        if IsExternalResourceNotFound(err) { 
            logger.Info("External database already deleted. Proceeding to remove finalizer.")
            // Treat as success
        } else {
            logger.Error(err, "Failed to delete external database")
            return ctrl.Result{}, err
        }
    }

    * For Creation: Use CREATE IF NOT EXISTS semantics. If that's not possible, check for existence before creating. For updates, design them as apply/converge operations rather than simple create/replace.

    Edge Case 3: Coordinating Multiple Controllers

    Problem: A single CR might manage multiple external resources handled by different controllers or different parts of the same controller. For example, a WebApp CR might create a database, a load balancer, and a set of DNS records.

    Solution: Use multiple, distinct finalizers. Each controller or logical component adds its own uniquely named finalizer.

    go
    const databaseFinalizer = "webapp.my.domain/database"
const loadBalancerFinalizer = "webapp.my.domain/loadbalancer"

// In Reconcile loop:
// 1. Add both finalizers on creation.
controllerutil.AddFinalizer(instance, databaseFinalizer)
controllerutil.AddFinalizer(instance, loadBalancerFinalizer)

// In deletion path:
if controllerutil.ContainsFinalizer(instance, databaseFinalizer) {
    // ... delete database ...
    controllerutil.RemoveFinalizer(instance, databaseFinalizer)
}

if controllerutil.ContainsFinalizer(instance, loadBalancerFinalizer) {
    // ... delete load balancer ...
    controllerutil.RemoveFinalizer(instance, loadBalancerFinalizer)
}

// Update the object after all necessary changes.
r.Update(ctx, instance)

    The Kubernetes object will not be deleted until all finalizers are removed from the list. This provides a powerful, declarative way to orchestrate complex, multi-resource teardowns without tight coupling between components.

    Performance and Scalability Considerations

    While finalizers provide correctness, they come with performance trade-offs that are important to understand in large-scale environments.

    * Increased API Server Load: Every finalizer addition and removal is a full UPDATE operation against the Kubernetes API server. For a CRD with a high churn rate (many creations and deletions), this can double the number of writes compared to a controller without finalizers. This can become a bottleneck in very large clusters.

    * Requeue Strategy: Returning an error on finalizer failure is the correct approach, but be mindful of the consequences. If an external API is down, thousands of CRs could enter a backoff-retry loop simultaneously, leading to a thundering herd problem when the API recovers. Consider implementing jitter in your requeue logic or using more sophisticated rate-limiting in your controller's manager setup.

    * Controller Watch Overhead: A large number of objects stuck in the Terminating state can still consume memory in your controller's cache. While they are eventually deleted, a systemic failure in a downstream dependency could cause a build-up that impacts controller performance. Monitoring the number of terminating resources is a valuable operational metric.

    Conclusion: A Foundational Pattern for Reliability

    Finalizers are not an optional feature for controllers managing external state; they are a foundational pattern for building reliable, production-grade Kubernetes operators. They provide the crucial guarantee that your cleanup logic will be executed, even in the face of controller failures and network partitions.

    By embracing the two-phase deletion model and engineering your reconciliation and cleanup logic for idempotency, you can prevent orphaned resources, eliminate infrastructure leaks, and create controllers that behave predictably and safely. The cost of additional API server updates is a small price to pay for the correctness and operational peace of mind that finalizers provide. For any senior engineer building on the Kubernetes platform, mastering this pattern is an essential step toward true cloud-native automation.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles