返回资源列表

Mastering Kubernetes Finalizers for Stateful Resource Management

12 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Dangling Resource Dilemma: Why Your Operator Needs Finalizers

As a senior engineer building a Kubernetes Operator, your primary goal is to extend the Kubernetes API to manage complex, often external, resources. A common use case is an operator that provisions a database in a cloud provider (like AWS RDS or Google Cloud SQL) when a Database Custom Resource (CR) is created. The reconciliation loop ensures the external resource's state matches the CR's spec.

But what happens when a user runs kubectl delete database my-prod-db?

Without a proper deletion lifecycle hook, the Kubernetes API server immediately removes the Database object from etcd. Your operator, which watches for changes to Database objects, receives a 'delete' event. However, by the time its Reconcile function is called, the object is gone. The operator has no information—no name, no ID, no spec—to know which external cloud database it needs to deprovision. The result is a dangling resource: an expensive, running cloud database with no corresponding CR in Kubernetes to manage it. This is a critical failure in production environments, leading to resource leaks, security vulnerabilities, and unnecessary costs.

This is the precise problem that Kubernetes Finalizers solve. They are a core mechanism that allows your controller to intercept the deletion of a resource, perform necessary cleanup actions, and only then permit the resource to be removed from the cluster. This article is not an introduction to finalizers; it's a deep dive into building production-grade, idempotent, and stateful cleanup logic that can withstand operator crashes and API failures.

The Finalizer Mechanism: A Deeper Look at the Termination Lifecycle

A finalizer is simply a string key added to a resource's metadata.finalizers list. While it's just a list of strings, its presence fundamentally alters the resource's deletion lifecycle.

  • User Initiates Deletion: A user or process runs kubectl delete or sends a DELETE request to the API server for a resource that has a finalizer in its metadata.
  • API Server Intercepts: The API server sees the finalizers list is not empty. Instead of deleting the object from etcd, it performs a special kind of update: it sets the metadata.deletionTimestamp field to the current time. The object is now in a terminating state.
  • Reconciliation is Triggered: This update (the addition of deletionTimestamp) generates an 'update' event, not a 'delete' event. Your operator's Reconcile function is triggered for the object, which still exists in the cluster.
  • Controller's Responsibility: Inside your reconciler, you must now check for the presence of this non-nil deletionTimestamp. This is your signal to begin cleanup.
  • Cleanup and Finalizer Removal: Your controller executes its cleanup logic (e.g., calling the cloud provider's API to delete the external database). Once this logic completes successfully, the controller must make one final API call to update the CR, removing its specific finalizer string from the metadata.finalizers list.
  • Final Deletion: The Kubernetes API server sees this update. It checks the finalizers list again. If the list is now empty, and the deletionTimestamp is set, it proceeds with the actual deletion of the object from etcd.

    • This process guarantees that your controller has a chance to execute its teardown logic before its source of truth—the CR—is gone.

    Core Implementation: A Finalizer-Aware Reconciler in Go

    We'll use Go with the controller-runtime library, the de-facto standard for building operators. Let's assume we have a Database CRD with a spec for configuration and a status to hold the external database ID.

    First, let's define our finalizer name as a constant.

    go
    // controllers/database_controller.go
const databaseFinalizer = "db.example.com/finalizer"

    Our Reconcile function becomes a two-pronged logic path, branching on the presence of the deletionTimestamp.

    go
    // controllers/database_controller.go
import (
	"context"

	"github.com/go-logr/logr"
	"k8s.io/apimachinery/pkg/runtime"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

	dbv1alpha1 "my-operator/api/v1alpha1"
)

// DatabaseReconciler reconciles a Database object
type DatabaseReconciler struct {
	client.Client
	Log    logr.Logger
	Scheme *runtime.Scheme
	// A mock client for our external database service
	DBServiceClient *db.Client 
}

func (r *DatabaseReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	log := r.Log.WithValues("database", req.NamespacedName)

	// Fetch the Database instance
	dbInstance := &dbv1alpha1.Database{}
	err := r.Get(ctx, req.NamespacedName, dbInstance)
	if err != nil {
		if client.IgnoreNotFound(err) != nil {
			log.Error(err, "unable to fetch Database")
			return ctrl.Result{}, err
		}
		// Object not found, it must have been deleted. Return and don't requeue.
		log.Info("Database resource not found. Ignoring since object must be deleted")
		return ctrl.Result{}, nil
	}

	// Check if the instance is being deleted
	if dbInstance.ObjectMeta.DeletionTimestamp.IsZero() {
		// The object is not being deleted, so if it does not have our finalizer,
		// then lets add the finalizer and update the object.
		if !controllerutil.ContainsFinalizer(dbInstance, databaseFinalizer) {
			log.Info("Adding finalizer for Database")
			controllerutil.AddFinalizer(dbInstance, databaseFinalizer)
			if err := r.Update(ctx, dbInstance); err != nil {
				return ctrl.Result{}, err
			}
		}
		// This is the normal reconciliation path: create or update the external resource
		return r.reconcileNormal(ctx, dbInstance, log)
	} else {
		// The object is being deleted
		if controllerutil.ContainsFinalizer(dbInstance, databaseFinalizer) {
			// Our finalizer is present, so lets handle external dependency cleanup
			if err := r.reconcileDelete(ctx, dbInstance, log); err != nil {
				// If fail to delete the external dependency here, return with error
				// so that it can be retried.
				return ctrl.Result{}, err
			}

			// Once external dependency is cleaned up, remove the finalizer.
			log.Info("Removing finalizer after successful cleanup")
			controllerutil.RemoveFinalizer(dbInstance, databaseFinalizer)
			if err := r.Update(ctx, dbInstance); err != nil {
				return ctrl.Result{}, err
			}
		}

		// Stop reconciliation as the item is being deleted
		return ctrl.Result{}, nil
	}
}

    This structure correctly separates the creation/update path from the deletion path. A critical, and often missed, first step in the reconcileNormal path is to ensure the finalizer is present. If it's not, you add it and immediately update the object. This ensures that any subsequent deletion request will be correctly intercepted.

    Advanced Pattern: Idempotent Cleanup Logic

    The reconcileDelete function is where the core cleanup logic resides. A naive implementation might look like this:

    go
    // Naive, non-idempotent delete function
func (r *DatabaseReconciler) reconcileDelete(ctx context.Context, dbInstance *dbv1alpha1.Database, log logr.Logger) error {
	log.Info("Starting cleanup for external database", "databaseID", dbInstance.Status.DatabaseID)
	if dbInstance.Status.DatabaseID == "" {
		log.Info("DatabaseID not found in status, assuming external resource was never created.")
		return nil
	}

	err := r.DBServiceClient.DeleteDatabase(ctx, dbInstance.Status.DatabaseID)
	if err != nil {
		log.Error(err, "Failed to delete external database")
		return err // Returning an error will cause a requeue
	}

	log.Info("Successfully deleted external database")
	return nil
}

    This code has a fatal flaw. Consider this sequence of events:

  • reconcileDelete is called.
  • r.DBServiceClient.DeleteDatabase successfully deletes the cloud database.
  • The operator pod crashes before it can remove the finalizer from the CR.
  • The operator restarts, and the controller reconciles the Database object again.
  • It sees the deletionTimestamp and calls reconcileDelete again.
  • r.DBServiceClient.DeleteDatabase is called for a resource that no longer exists. The cloud provider's API returns a 404 Not Found error.
    • Our function sees this as a failure, logs the error, and returns it.
  • controller-runtime requeues the reconciliation, and we are now in an infinite loop, unable to remove the finalizer. The CR is stuck in the Terminating state forever.

    • The solution is to make the cleanup logic idempotent. The function must produce the same outcome (a clean state) regardless of how many times it's called. For deletion, this means treating a "Not Found" error as a success.

    go
    // Production-ready, idempotent delete function
func (r *DatabaseReconciler) reconcileDelete(ctx context.Context, dbInstance *dbv1alpha1.Database, log logr.Logger) error {
	log.Info("Starting idempotent cleanup for external database", "databaseID", dbInstance.Status.DatabaseID)
	if dbInstance.Status.DatabaseID == "" {
		log.Info("DatabaseID not found in status, assuming external resource was never created.")
		return nil
	}

	err := r.DBServiceClient.DeleteDatabase(ctx, dbInstance.Status.DatabaseID)
	if err != nil {
		// Use a helper function from the cloud provider's SDK to check for a specific error type.
		if dbservice.IsNotFound(err) {
			log.Info("External database already deleted. Cleanup is considered successful.")
			return nil // This is a success condition
		}
		// Any other error is a real failure.
		log.Error(err, "Failed to delete external database")
		return err
	}

	log.Info("Successfully deleted external database")
	return nil
}

    This simple change of handling the NotFound error makes the entire process resilient to crashes and retries.

    Advanced Pattern: Multi-Stage Cleanup with Status Subresource

    Real-world resources are rarely a single entity. A "database" might consist of the database instance itself, a DNS record for its endpoint, a set of firewall rules, and a backup S3 bucket. These must be deleted in a specific order: first the DNS record, then the firewall rules, then the database, and finally the S3 bucket (which must be empty first).

    If we try to do this in a single reconcileDelete function, we face the same idempotency problem but magnified. If the operator crashes after deleting the DNS record but before the firewall rules, how does it know where to resume?

    The solution is to use the CR's status subresource as a state machine. We can define conditions or fields in our status to track the progress of our multi-stage cleanup.

    First, let's update our DatabaseStatus struct in api/v1alpha1/database_types.go:

    go
    // api/v1alpha1/database_types.go

type DeletionPhase string

const (
	DeletionPhaseDnsRecords DeletionPhase = "DnsRecords"
	DeletionPhaseFirewall   DeletionPhase = "Firewall"
	DeletionPhaseInstance   DeletionPhase = "Instance"
	DeletionPhaseComplete   DeletionPhase = "Complete"
)

// DatabaseStatus defines the observed state of Database
type DatabaseStatus struct {
	DatabaseID    string        `json:"databaseId,omitempty"`
	Endpoint      string        `json:"endpoint,omitempty"`
	// +optional
	DeletionPhase DeletionPhase `json:"deletionPhase,omitempty"`
}

    Now, our reconcileDelete function becomes a state machine dispatcher. This pattern is far more robust and provides excellent observability into the deletion process.

    go
    // controllers/database_controller.go

func (r *DatabaseReconciler) reconcileDelete(ctx context.Context, dbInstance *dbv1alpha1.Database, log logr.Logger) error {
	phase := dbInstance.Status.DeletionPhase
	log.Info("Reconciling deletion", "currentPhase", phase)

	switch phase {
	case "":
		// Initial state, start with DNS cleanup
		log.Info("Deletion phase: starting DNS cleanup")
		// ... logic to delete DNS record ...
		if err := r.DBServiceClient.DeleteDnsRecord(ctx, dbInstance.Status.Endpoint); err != nil && !dbservice.IsNotFound(err) {
			return err // Retry on failure
		}
		// Update status to the next phase
		dbInstance.Status.DeletionPhase = dbv1alpha1.DeletionPhaseDnsRecords
		return r.Status().Update(ctx, dbInstance)

	case dbv1alpha1.DeletionPhaseDnsRecords:
		log.Info("Deletion phase: starting Firewall cleanup")
		// ... logic to delete firewall rules ...
		if err := r.DBServiceClient.DeleteFirewallRules(ctx, dbInstance.Status.DatabaseID); err != nil && !dbservice.IsNotFound(err) {
			return err
		}
		// Update status to the next phase
		dbInstance.Status.DeletionPhase = dbv1alpha1.DeletionPhaseFirewall
		return r.Status().Update(ctx, dbInstance)

	case dbv1alpha1.DeletionPhaseFirewall:
		log.Info("Deletion phase: starting DB instance cleanup")
		// ... logic to delete the main DB instance ...
		if err := r.DBServiceClient.DeleteDatabase(ctx, dbInstance.Status.DatabaseID); err != nil && !dbservice.IsNotFound(err) {
			return err
		}
		// Update status to the final phase
		dbInstance.Status.DeletionPhase = dbv1alpha1.DeletionPhaseInstance
		return r.Status().Update(ctx, dbInstance)

	case dbv1alpha1.DeletionPhaseInstance:
		// This is our terminal success state for cleanup.
		// The main reconcile loop will see this and remove the finalizer.
		log.Info("All external resources cleaned up successfully.")
		return nil

	default:
		log.Info("Unknown deletion phase", "phase", phase)
		return nil
	}
}

    We need to slightly modify the main Reconcile loop's deletion logic to accommodate this:

    go
    // ... in the main Reconcile function's 'else' block ...
} else {
	if controllerutil.ContainsFinalizer(dbInstance, databaseFinalizer) {
		// Run our state machine for deletion.
		if err := r.reconcileDelete(ctx, dbInstance, log); err != nil {
			// An error during deletion requires a retry.
			// The status update itself returns an error, which triggers requeue.
			return ctrl.Result{}, err
		}

		// Check if the deletion state machine has completed.
		if dbInstance.Status.DeletionPhase == dbv1alpha1.DeletionPhaseInstance {
			log.Info("Cleanup complete, removing finalizer")
			controllerutil.RemoveFinalizer(dbInstance, databaseFinalizer)
			if err := r.Update(ctx, dbInstance); err != nil {
				return ctrl.Result{}, err
			}
		}
	}
	return ctrl.Result{}, nil
}

    This pattern is exceptionally robust. Each step is idempotent and its completion is recorded transactionally in the CR's status. If the operator crashes at any point, it will restart, read the DeletionPhase from the status, and resume exactly where it left off.

    Edge Cases and Production Considerations

    Building a truly production-ready operator requires thinking about the failure modes.

    Stuck Finalizers

    What if a step in your cleanup logic is permanently broken? For example, the operator's cloud credentials have been revoked, and it can no longer make API calls to delete the external database. It will retry forever, and the CR will be stuck in the Terminating state. This prevents the namespace it's in from being deleted, causing cascading problems.

    * Monitoring: Your operator must have metrics and alerts for resources that have been in a terminating state for too long (e.g., > 1 hour). This is a signal for manual intervention.

    * Manual Intervention: An administrator with sufficient permissions may need to manually clean up the external resource and then force-remove the finalizer from the Kubernetes object. This is a dangerous operation and should be a last resort.

    bash
        # DANGER: Only do this after manually verifying external cleanup.
    kubectl patch database my-prod-db --type json -p='[{"op": "remove", "path": "/metadata/finalizers"}]'

    Finalizers and Owner References

    Kubernetes garbage collection relies on ownerReferences. If a Pod is owned by a ReplicaSet, deleting the ReplicaSet will also delete the Pod. However, this interaction is blocked by finalizers. If the Pod has a finalizer, the ReplicaSet will not be fully deleted until the Pod's finalizer is removed. This can create complex, hard-to-debug deletion deadlocks if you have chains of ownership where a child resource has a finalizer that its controller cannot clear.

    Be mindful of which resources in an ownership chain have finalizers and ensure their controllers can always complete their cleanup logic.

    Controller Concurrency

    If you configure your controller manager with MaxConcurrentReconciles > 1, it's theoretically possible for two reconciliation loops for the same object to run. The controller-runtime library has safeguards (like the workqueue) that make this extremely unlikely for a single controller. However, it's another reason why all your logic—especially state-changing cleanup logic—must be designed to be idempotent from the ground up. The status-driven state machine pattern is inherently safer in this regard than a long function with multiple sequential API calls.

    Conclusion: Beyond the Basics

    Finalizers are a deceptively simple concept that requires deep, careful engineering to implement correctly in a production environment. Moving beyond a simple "delete and remove" function to a stateful, idempotent, and observable cleanup process is what distinguishes a basic operator from a reliable, production-grade controller.

    By leveraging the CR's status subresource as a state machine for your deletion logic, you create a system that is resilient to crashes, retries, and transient failures. It provides a clear, auditable trail of the cleanup process and ensures that your operator never leaves costly or insecure resources dangling in your cloud environment. This level of robustness is not a "nice-to-have"; it is a fundamental requirement for building trusted automation on top of Kubernetes.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles