@cmwylie19
Last active December 30, 2024 16:21
Test cascading deletes on cluster scoped resources.

Kubernetes Ownership test

Background

If we delete a namespace that owns a ClusterRole, which owns a ClusterRoleBinding, will they delete in a cascading fashion?

Create a namespace

kubectl create ns starburst

Create ClusterRole

Create a ClusterRole owned by the namespace:

kubectl apply -f -<<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  ownerReferences:
    - apiVersion: v1
      kind: Namespace
      name: starburst
      uid: $(kubectl get ns starburst --template='{{ .metadata.uid}}')
  creationTimestamp: null
  name: secret-reader
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
EOF

Create a ClusterRoleBinding

Create a ClusterRoleBinding owned by the ClusterRole:

kubectl apply -f -<<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  ownerReferences:
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      name: secret-reader
      uid: $(kubectl get clusterrole secret-reader --template='{{ .metadata.uid }}')
  creationTimestamp: null
  name: secret-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secret-reader
subjects:
- kind: ServiceAccount
  name: secret-watcher
  namespace: default
EOF

Check Validity

If you delete the namespace, the objects it "owns" (directly or through the chain of ownerReferences) are deleted as well. Garbage collection runs asynchronously in the background, so the second pair of `get` commands may still show the objects for a few seconds after the namespace is gone:

kubectl get clusterrole secret-reader 

kubectl get clusterrolebinding secret-reader-binding

kubectl delete ns starburst 

kubectl get clusterrole secret-reader 

kubectl get clusterrolebinding secret-reader-binding
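The test above relies on two garbage-collector rules: a cluster-scoped dependent may only be owned by a cluster-scoped object (a Namespace qualifies), and a dependent whose owner uid does not exist is collected rather than kept. Because the uids in the manifests come from command substitution, a typo there silently produces a dangling reference. The following added example (not part of the gist; all uids are constructed placeholders) models those rules offline so an ownership chain can be checked before it is applied, and it simulates the cascade that deleting the namespace triggers:

```python
# Added example (not part of the gist): an offline model of the Kubernetes
# garbage collector's ownerReference rules, used to sanity-check an ownership
# chain like Namespace -> ClusterRole -> ClusterRoleBinding before applying it.
# All uids below are constructed placeholders, not values from a real cluster.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OwnerRef:
    kind: str
    name: str
    uid: str


@dataclass(frozen=True)
class Obj:
    kind: str
    name: str
    uid: str
    namespace: Optional[str] = None          # None means cluster-scoped
    owners: Tuple[OwnerRef, ...] = ()


def validate_owner_refs(objects: List[Obj]) -> List[str]:
    """Return the problems the garbage collector would trip over.

    Rules checked (the documented GC constraints):
      * the owner uid must exist, and kind/name must match that uid;
      * a cluster-scoped dependent may only have cluster-scoped owners;
      * a namespaced dependent may only have owners in its own namespace
        or cluster-scoped owners.
    A dangling uid is the important failure: GC treats the owner as gone
    and deletes the dependent instead of keeping it.
    """
    by_uid: Dict[str, Obj] = {o.uid: o for o in objects}
    problems: List[str] = []
    for o in objects:
        me = f"{o.kind}/{o.name}"
        for ref in o.owners:
            owner = by_uid.get(ref.uid)
            if owner is None:
                problems.append(f"{me}: owner uid {ref.uid!r} does not exist; GC would delete {me}")
                continue
            if (owner.kind, owner.name) != (ref.kind, ref.name):
                problems.append(f"{me}: uid {ref.uid!r} belongs to {owner.kind}/{owner.name}, "
                                f"not {ref.kind}/{ref.name}")
            if o.namespace is None and owner.namespace is not None:
                problems.append(f"{me}: cluster-scoped object cannot be owned by namespaced "
                                f"{owner.kind}/{owner.name}")
            if o.namespace is not None and owner.namespace not in (None, o.namespace):
                problems.append(f"{me}: owner {owner.kind}/{owner.name} is in namespace "
                                f"{owner.namespace!r}, not {o.namespace!r}")
    return problems


def cascade_delete(objects: List[Obj], root_uid: str) -> List[str]:
    """Simulate deleting root_uid with background propagation.

    A dependent is deleted once *all* of its owners are gone: GC drops the
    dangling reference, and an object left with no ownerReferences is
    collected. Returns "kind/name" strings in deletion order.
    """
    remaining = {o.uid: o for o in objects}
    owners_left = {o.uid: {r.uid for r in o.owners} for o in objects}
    queue = [root_uid]
    deleted: List[str] = []
    while queue:
        uid = queue.pop(0)
        obj = remaining.pop(uid, None)
        if obj is None:
            continue
        deleted.append(f"{obj.kind}/{obj.name}")
        for dep in remaining.values():
            if uid in owners_left[dep.uid]:
                owners_left[dep.uid].discard(uid)
                if not owners_left[dep.uid] and dep.uid not in queue:
                    queue.append(dep.uid)
    return deleted


def gist_scenario(role_owner_uid: str = "uid-ns-starburst") -> List[Obj]:
    """The objects from the gist, with constructed uids. Passing a wrong
    role_owner_uid reproduces a botched template substitution in the manifest."""
    ns = Obj("Namespace", "starburst", "uid-ns-starburst")
    role = Obj("ClusterRole", "secret-reader", "uid-cr-secret-reader",
               owners=(OwnerRef("Namespace", "starburst", role_owner_uid),))
    binding = Obj("ClusterRoleBinding", "secret-reader-binding", "uid-crb-secret-reader-binding",
                  owners=(OwnerRef("ClusterRole", "secret-reader", role.uid),))
    # The binding's subject has no ownerReferences and must survive the cascade.
    sa = Obj("ServiceAccount", "secret-watcher", "uid-sa-secret-watcher", namespace="default")
    return [ns, role, binding, sa]


if __name__ == "__main__":
    objs = gist_scenario()
    print("problems:", validate_owner_refs(objs))
    print("deleted:", cascade_delete(objs, "uid-ns-starburst"))
    print("problems with bad uid:", validate_owner_refs(gist_scenario("uid-typo")))
```

Running it prints an empty problem list and the deletion order Namespace, ClusterRole, ClusterRoleBinding, with the ServiceAccount untouched; the second validation call shows what a bad uid in the ownerReference looks like before the cluster silently collects the ClusterRole.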

Clean Up

Nothing left to remove: the cascading delete already took the ClusterRole and ClusterRoleBinding along with the namespace.
