Prevent Accidental Namespace Deletion in Production

Use RBAC policies, finalizers, and admission controllers to block accidental namespace deletions in Kubernetes and OpenShift.

JR

Accidental namespace deletion can disrupt workloads, cause data loss, and trigger outages. Here’s how to prevent it in production clusters.


Immediate Mitigation Workflow

  1. Audit existing permissions:
    Run kubectl get clusterroles -o yaml | grep -i namespace to check for overly permissive roles.
  2. Apply a namespace finalizer:
    Add kubernetes.io/ttl=1 or a custom finalizer to delay deletion until explicitly removed.
  3. Enable admission control:
    Use OpenShift’s NamespaceLifecycle or Kyverno policies to block deletes unless conditions are met.
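
A grep for "namespace" in step 1 does not surface roles that reach namespaces only through "*" wildcards. The following is an added example, not code from the original page: it evaluates ClusterRole rules the way RBAC matches them and lists the roles that allow deleting a given namespace. The sample JSON and its role names are constructed, the input is assumed to have the shape of kubectl get clusterroles -o json output, and bindings are not resolved.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles -o json` (not from a real cluster).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "ns-viewer"},
  "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"],
             "resourceNames": ["prod", "staging"]}]},
 {"metadata": {"name": "team-cleanup"},
  "rules": [{"apiGroups": [""], "resources": ["namespaces"],
             "verbs": ["get", "delete"], "resourceNames": ["staging"]}]},
 {"metadata": {"name": "metrics-reader"},
  "rules": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}]}
]}
""")


def _matches(values, wanted):
    """RBAC list match: an entry equals the wanted value or is the '*' wildcard."""
    return any(v in ("*", wanted) for v in values or [])


def rule_allows_ns_delete(rule, namespace):
    """True if one RBAC rule permits `delete` on the given Namespace object."""
    if not (_matches(rule.get("apiGroups"), "")  # namespaces are in the core ("") group
            and _matches(rule.get("resources"), "namespaces")
            and _matches(rule.get("verbs"), "delete")):
        return False
    names = rule.get("resourceNames") or []
    return not names or namespace in names  # empty resourceNames means every name


def roles_allowing_delete(clusterroles, namespace):
    """Sorted names of ClusterRoles with at least one rule allowing deletion of `namespace`."""
    return sorted(
        role["metadata"]["name"]
        for role in clusterroles.get("items", [])
        if any(rule_allows_ns_delete(r, namespace) for r in role.get("rules") or [])
    )


if __name__ == "__main__":
    for ns in ("prod", "staging"):
        print(ns, "->", roles_allowing_delete(SAMPLE, ns))
```

Each role it reports still has to be traced through its ClusterRoleBindings and RoleBindings to see which users, groups, and service accounts actually hold it.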

Concrete Policy Example

RBAC Restriction:

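# RBAC is additive and has no deny rules: a role restricts deletion only by
# leaving "delete" out of its verbs. Listing "delete" here would grant it.
# This is effective only if no other binding gives these subjects delete on namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-protector
rules:
- apiGroups: [""]  # Namespaces are in the core API group
  resources: ["namespaces"]
  verbs: ["get"]  # Read-only access; "delete" is deliberately absent
  resourceNames: ["prod", "staging"]  # Protect specific namespaces
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-protector-binding
subjects:
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-protector
  apiGroup: rbac.authorization.k8s.io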

Finalizer Example:

apiVersion: v1
kind: Namespace
metadata:
  name: prod
  finalizers: ["kubernetes.io/ttl"]
  annotations:
    "namespace-finalizers.k8s.io/protected": "true"

Tooling

  • kubectl: Use kubectl get namespaces -o wide --show-labels to audit protections.
  • OpenShift Console: Leverage built-in namespace deletion warnings and policies.
  • Kyverno/OPA Gatekeeper: Enforce namespace deletion rules via admission controllers.
  • Audit Logs: Monitor kubectl delete namespace attempts with kubectl audit.

Tradeoffs

  • Finalizers: Can delay intentional deletions if misconfigured. Use TTL finalizers for automatic cleanup.
  • RBAC: Overly restrictive policies may hinder legitimate workflows. Test bindings thoroughly.
  • Admission Controllers: Add latency to API requests; ensure they’re highly available.

Troubleshooting

Common Failures:

  1. Finalizer not respected:
    • Check if finalizer was removed manually (kubectl describe namespace <name>).
    • Verify API server version (finalizers require 1.24+).
  2. RBAC bypass:
    • Audit service accounts and default roles (e.g., default-service-account).
  3. Admission controller misconfiguration:
    • Check controller logs (kubectl logs -n kube-system <admission-controller-pod>).

Recovery:

  • Restore from backup using kubectl get namespace <name> --output=json | kubectl apply -f -.
  • Use kubectl replace --save-config -f <namespace-yaml> to reapply protected configurations.

Prevention Checklist

  1. Restrict delete access via RBAC.
  2. Apply finalizers to critical namespaces.
  3. Use admission controllers to enforce deletion policies.
  4. Monitor audit logs for delete attempts.
  5. Regularly test namespace recovery workflows.

Accidental deletions are preventable with layered controls, but assume eventual human error. Design for observability and fast recovery.

Source thread: How do you prevent accidental namespace deletion?
