Bug 1939096 - ACM destroys management cluster workloads if a managed cluster is named after existing namespace
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Advanced Cluster Management for Kubernetes
Classification: Red Hat
Component: Cluster Lifecycle
Version: rhacm-2.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: rhacm-2.3
Assignee: James Talton
QA Contact: Derek Ho
Christopher Dawson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-15 15:55 UTC by Tomas Coufal
Modified: 2022-01-07 17:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-07 17:05:33 UTC
Target Upstream Version:
Embargoed:
juhsu: rhacm-2.3.z+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github open-cluster-management backlog issues | 10465 | 0 | None | None | None | 2021-03-16 13:39:32 UTC
Red Hat Bugzilla | 1867607 | 1 | None | None | None | 2021-03-15 15:55:41 UTC

Description Tomas Coufal 2021-03-15 15:55:42 UTC
Description of problem:
This issue is a direct consequence of a decision made on: https://bugzilla.redhat.com/show_bug.cgi?id=1867607

ACM deletes the managed cluster namespace on cluster destroy.

When a user creates a cluster in ACM and names it after an existing unprotected namespace, like "hive" or "open-cluster-management" for example, those namespaces get deleted on cluster destroy as well, which makes ACM:

- auto-destroy itself
- destroy any other user workload without a warning


Naming a cluster "hive" is completely reasonable for the user, and they are not discouraged from using any existing namespace name as a cluster name.

Doesn't affect protected namespaces like "default", "openshift-*", "kube-*" since they can't be deleted without escalation.

Version-Release number of selected component (if applicable):
ACM 2.2

How reproducible:
always

Steps to Reproduce:
1. Create a new cluster and name it "hive"
2. Destroy the cluster
3. Watch ACM go down, because the hive namespace is deleted

Actual results:
Namespace is deleted

Expected results:
Either only the resources created by ACM are deleted or (and this is IMO the preferred and better option) ACM doesn't use the cluster name as is for the namespace name.

Another possible solution would be to prohibit users from creating a cluster with a name of an existing namespace - would have to become part of the API validation.

Additional info:
Direct consequence of WONTFIXing https://bugzilla.redhat.com/show_bug.cgi?id=1867607
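
The two remedies proposed in the report (reject a cluster name that matches an existing namespace at validation time, and on destroy delete only a namespace that was created for the cluster), sketched as an added Go example that is not ACM's code. The in-memory `Namespaces` map, the function names and the `example.com/created-for-managed-cluster` label are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ownerLabel is a hypothetical label key (not ACM's) stamped on a namespace
// that the lifecycle controller itself created for a managed cluster.
const ownerLabel = "example.com/created-for-managed-cluster"

// Namespaces is a constructed in-memory stand-in for the hub's namespaces:
// namespace name -> labels.
type Namespaces map[string]map[string]string

var ErrNameCollision = errors.New("cluster name matches an existing namespace")

// ValidateClusterName is the API-validation check: reject a cluster name
// that collides with any namespace already present on the hub.
func ValidateClusterName(ns Namespaces, name string) error {
	if _, exists := ns[name]; exists {
		return fmt.Errorf("%w: %q", ErrNameCollision, name)
	}
	return nil
}

// CreateCluster validates the name, then creates the namespace with ownerLabel.
func CreateCluster(ns Namespaces, name string) error {
	if err := ValidateClusterName(ns, name); err != nil {
		return err
	}
	ns[name] = map[string]string{ownerLabel: name}
	return nil
}

// DestroyCluster deletes the namespace only if the label proves it was
// created for this cluster; a pre-existing namespace is left untouched.
func DestroyCluster(ns Namespaces, name string) bool {
	if name == "" || ns[name][ownerLabel] != name {
		return false
	}
	delete(ns, name)
	return true
}

func main() {
	hub := Namespaces{"hive": {}, "open-cluster-management": {}} // constructed sample
	fmt.Println(CreateCluster(hub, "hive"), CreateCluster(hub, "cluster-a"))
	fmt.Println(DestroyCluster(hub, "hive"), DestroyCluster(hub, "cluster-a"))
}
```

Either guard alone blocks the reproduction steps above; the destroy-side check also covers namespaces that were created after the cluster name passed validation.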

