Retain AWS Resources after CR Deletion

Using the ACK deletion policy configuration

The ACK controllers are designed to create, update and delete AWS resources following the lifecycle of their respective Kubernetes custom resources. As a result, when deleting an ACK resource, the underlying AWS resource is first deleted before deleting its Kubernetes custom resource. This behavior is expected so that users can delete AWS resources using the same Kubernetes APIs as they used to create them.

There are some cases where a user wants to leave the underlying AWS resource intact, but still delete the resource from Kubernetes. For example, migrating stateful data resources (like S3 buckets or RDS database instances) between Kubernetes installations or removing a resource from the control of an ACK controller without deleting the resource altogether.

All ACK controllers support “deletion policy” configuration, which lets the controller know which resources should be deleted from AWS (or left untouched) before deleting their K8s resources. The controller looks for deletion policy configuration in the following order:

  • Within an ACK resource annotation as
  • Within a Namespace annotation as {service}
  • Within the controller command-line using the --deletion-policy argument

Each of these configuration options supports the following values:

  • delete - (Default) Deletes the resource from AWS before deleting it from K8s
  • retain - Keeps the AWS resource intact before deleting it from K8s

Configuring the deletion policy

Using Helm values

To set a controller-wide deletion policy, which will apply to all ACK resources owned by the ACK controller, you can set the deletionPolicy Helm chart value. This Helm chart value accepts the same values as the deletion policy configuration described above.

For example, to retain all AWS resources when installing the Helm chart through the Helm CLI: helm install ... --set=deletionPolicy=retain

For all resources within a Namespace

To set the deletion policy for all resources within a namespace (only for a single service), you can add an annotation to the Namespace object itself.

For example, to set all S3 resources to be retained within the namespace:

apiVersion: v1
kind: Namespace
 annotations: retain
 name: retain-s3-namespace

For a single ACK resource

If you want to just retain a single specific resource, you can override the default behavior by setting an annotation directly onto the resource.

For example, to retain a specific S3 bucket:

kind: Bucket
  name: retained-bucket
  annotations: retain
  name: my-retained-bucket

Note: The key for annotating a single resource is not the same as the key when annotating a namespace. You do not need to provide the name of the service as a prefix for a single resource.

Edit this page on GitHub