EMK - Dual approval cluster deletion
This page describes how to configure dual approval cluster deletion for your Kubernetes cluster. Currently it can only be activated with a service account or by support request.
The dual approval cluster deletion sets up your EMK project account to require dual approval to verify the deletion of a cluster. To prevent simple deletion of a cluster (or make it harder, at least), the EMK Project can be configured to apply the dual approval concept for Shoot deletion. This means that the subject confirming the deletion must not be the same as the subject sending the DELETE request.
Danger
Project members can still change the labels of a cluster (or the selector itself) to circumvent the dual approval concept. This concern is intentionally excluded/ignored for now since the principle is not a “security feature” but shall just help prevent accidental deletion.
Configure dual approval cluster deletion
Make sure you have a service account and can access your EMK project with it. See service account access.
- Update your EMK project to contain:
As usual, .spec.dualApprovalForDeletion[].selector.matchLabels={} matches all resources, and .spec.dualApprovalForDeletion[].selector.matchLabels=null matches none at all. You can also specify an individual label selector if this concept should only apply to a subset of the clusters in the project (e.g., CI/development clusters shall be excluded).
The includeServiceAccounts field (default: true) controls whether the concept also applies when the cluster deletion confirmation and the actual deletion are triggered via ServiceAccounts. This option exists so that CI jobs do not have to follow this concept as well, which would add complexity/overhead. Alternatively, you could also use two ServiceAccounts, one for confirming the deletion and another one for actually sending the DELETE request, if desired.
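The selector and includeServiceAccounts rules described above, modelled as a small Python function. This is an added illustration, not EMK's own code: the dictionary layout mirrors the field names on this page, the function names are hypothetical, and the sample labels and subjects are constructed.

```python
"""Model of the dual approval decision described on this page (illustration only)."""

# Kubernetes usernames of ServiceAccounts start with this prefix.
SA_PREFIX = "system:serviceaccount:"


def selector_matches(match_labels, cluster_labels):
    """matchLabels={} matches every cluster; matchLabels=None (null) matches none."""
    if match_labels is None:
        return False
    return all(cluster_labels.get(k) == v for k, v in match_labels.items())


def deletion_allowed(rules, cluster_labels, confirmed_by, deleted_by):
    """Return (allowed, reason) for a DELETE request on one cluster.

    rules        -- list of dicts shaped like .spec.dualApprovalForDeletion[]
    confirmed_by -- subject that confirmed the deletion
    deleted_by   -- subject sending the DELETE request
    """
    for rule in rules:
        selector = rule.get("selector") or {}
        if not selector_matches(selector.get("matchLabels"), cluster_labels):
            continue  # this rule does not cover the cluster
        is_service_account = deleted_by.startswith(SA_PREFIX)
        if is_service_account and not rule.get("includeServiceAccounts", True):
            continue  # ServiceAccounts are exempt from this rule
        if confirmed_by == deleted_by:
            return False, "confirming and deleting subject are identical"
    return True, "no dual approval rule violated"


# Constructed sample: protect clusters labelled env=prod, exempt ServiceAccounts.
RULES = [{"selector": {"matchLabels": {"env": "prod"}},
          "includeServiceAccounts": False}]

if __name__ == "__main__":
    ci = SA_PREFIX + "garden-demo:ci"  # constructed ServiceAccount name
    cases = [
        ({"env": "prod"}, "alice", "alice"),  # same subject on a covered cluster
        ({"env": "prod"}, "alice", "bob"),    # two different subjects
        ({"env": "dev"}, "alice", "alice"),   # labels not covered by the selector
        ({"env": "prod"}, ci, ci),            # exempt ServiceAccount
    ]
    for labels, confirmer, deleter in cases:
        print(labels, confirmer, deleter, deletion_allowed(RULES, labels, confirmer, deleter))
```

The third case shows why the Danger note matters: a cluster whose labels no longer match the selector is not covered by the rule, so changes to cluster labels and to the selector are worth reviewing alongside deletions.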