[K8s] A namespace that won't delete because of Kyverno Admission Reports?
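Today I wanted to delete a namespace in Kubernetes.
After a long wait, the command
kubectl delete ns test-ns
still had not finished...
That seemed odd, so I checked
kubectl -n test-ns get all
and it came back completely empty. What was going on?
I asked ChatGPT why a K8s namespace might refuse to be deleted,
and filtered out of its answer one command that was very helpful for this case: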
kubectl api-resources --verbs=list --namespaced -o name | xargs -n 1 kubectl -n test-ns get --show-kind --ignore-not-found
Let's look at this command in two parts. The first half
lists every resource type the cluster currently supports that is namespaced (not cluster-scoped):
$ kubectl api-resources --verbs=list --namespaced -o name
configmaps
endpoints
events
limitranges
persistentvolumeclaims
pods
podtemplates
replicationcontrollers
resourcequotas
secrets
serviceaccounts
services
challenges.acme.cert-manager.io
orders.acme.cert-manager.io
agents.agent.k8s.elastic.co
apmservers.apm.k8s.elastic.co
controllerrevisions.apps
daemonsets.apps
deployments.apps
replicasets.apps
statefulsets.apps
arangojobs.apps.arangodb.com
horizontalpodautoscalers.autoscaling
arangobackuppolicies.backup.arangodb.com
arangobackups.backup.arangodb.com
cronjobs.batch
jobs.batch
beats.beat.k8s.elastic.co
certificaterequests.cert-manager.io
certificates.cert-manager.io
issuers.cert-manager.io
leases.coordination.k8s.io
arangoclustersynchronizations.database.arangodb.com
arangodeployments.database.arangodb.com
arangomembers.database.arangodb.com
arangotasks.database.arangodb.com
endpointslices.discovery.k8s.io
elasticsearches.elasticsearch.k8s.elastic.co
enterprisesearches.enterprisesearch.k8s.elastic.co
events.events.k8s.io
scaledjobs.keda.sh
scaledobjects.keda.sh
triggerauthentications.keda.sh
kibanas.kibana.k8s.elastic.co
admissionreports.kyverno.io
backgroundscanreports.kyverno.io
cleanuppolicies.kyverno.io
policies.kyverno.io
policyexceptions.kyverno.io
updaterequests.kyverno.io
elasticmapsservers.maps.k8s.elastic.co
pods.metrics.k8s.io
tenants.minio.min.io
mongodbcommunity.mongodbcommunity.mongodb.com
alertmanagerconfigs.monitoring.coreos.com
alertmanagers.monitoring.coreos.com
podmonitors.monitoring.coreos.com
probes.monitoring.coreos.com
prometheusagents.monitoring.coreos.com
prometheuses.monitoring.coreos.com
prometheusrules.monitoring.coreos.com
scrapeconfigs.monitoring.coreos.com
servicemonitors.monitoring.coreos.com
thanosrulers.monitoring.coreos.com
ingresses.networking.k8s.io
networkpolicies.networking.k8s.io
poddisruptionbudgets.policy
perconaxtradbclusterbackups.pxc.percona.com
perconaxtradbclusterrestores.pxc.percona.com
perconaxtradbclusters.pxc.percona.com
rolebindings.rbac.authorization.k8s.io
roles.rbac.authorization.k8s.io
arangodeploymentreplications.replication.database.arangodb.com
secretproviderclasses.secrets-store.csi.x-k8s.io
secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
volumesnapshots.snapshot.storage.k8s.io
csistoragecapacities.storage.k8s.io
policybindings.sts.min.io
policyreports.wgpolicyk8s.io
The second half then works inside the given namespace (test-ns in this example)
and lists each of those resource types, so it is roughly like running:
kubectl -n test-ns get --show-kind --ignore-not-found configmaps
kubectl -n test-ns get --show-kind --ignore-not-found endpoints
......
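How is that different from
kubectl -n test-ns get all
?
It turns out that all here is only a predefined set of commonly used resources,
such as pod/service/deployment/replicaset/cronjob/job,
and not really "all" resources...
Back to the original problem: the command above did list some less common resources: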
admissionreport.kyverno.io/00289226-7222-4010-a2fd-f5c069514b54 109s 1 0 0 0 0 jobs.v1.batch
admissionreport.kyverno.io/007845c4-9f63-4af8-ab0a-2a99c7eeb324 75m 1 0 0 0 0 jobs.v1.batch
admissionreport.kyverno.io/00a1c537-50d0-4fb5-8c75-a52959374ed8 3m41s 1 0 0 0 0 jobs.v1.batch
admissionreport.kyverno.io/013578aa-aa9b-4898-9ee3-4f625e27ab8e 37m 1 0 0 0 0 pods.v1
admissionreport.kyverno.io/0157a868-a384-4b81-98d3-b16701ab6624 27m 1 0 0 0 0 pods.v1
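After a quick look, these appear to be Admission Reports produced by Kyverno, the policy engine.
There were just a huge number of them, so maybe kubectl delete ns was still working through them?
What I ended up doing was directly deleting every Admission Report in that namespace: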
kubectl -n test-ns delete admissionreport.kyverno.io --all
Once all of these Admission Reports were deleted, the namespace was cleaned up along with them~
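
An added example, not part of the original post: when a namespace hangs in deletion, a per-kind count of what is left makes a flood like these Admission Reports obvious at a glance. The function names `count_by_kind`, `leftovers` and `sample_output` are hypothetical, and the sample rows are constructed to mirror the output format shown above.

```shell
#!/bin/sh
# Added example: summarise what is still left in a namespace that will not delete.

# count_by_kind: read `kubectl get --show-kind` output on stdin and print
# "<count> <kind>" for each resource kind, largest count first.
# Object rows start with "<kind>/<name>"; header rows (NAME ...) have no slash
# in their first field and are skipped.
count_by_kind() {
  awk '
    {
      i = index($1, "/")
      if (i > 1 && i < length($1)) n[substr($1, 1, i - 1)]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
  ' | sort -k1,1nr -k2,2
}

# leftovers NAMESPACE: run the pipeline from the post against a live cluster
# and summarise the result (needs kubectl and list permission on the namespace).
leftovers() {
  kubectl api-resources --verbs=list --namespaced -o name \
    | xargs -n 1 kubectl -n "$1" get --show-kind --ignore-not-found \
    | count_by_kind
}

# sample_output: constructed rows (ids and ages are made up, columns abbreviated).
sample_output() {
  cat <<'EOF'
NAME                         DATA   AGE
configmap/kube-root-ca.crt   1      30d
NAME AGE
admissionreport.kyverno.io/sample-0001 109s 1 0 0 0 0 jobs.v1.batch
admissionreport.kyverno.io/sample-0002 75m 1 0 0 0 0 jobs.v1.batch
admissionreport.kyverno.io/sample-0003 37m 1 0 0 0 0 pods.v1
admissionreport.kyverno.io/sample-0004 27m 1 0 0 0 0 pods.v1
EOF
}

# Usage: ./leftovers.sh test-ns   (with no argument nothing is run)
if [ $# -gt 0 ]; then
  leftovers "$1"
fi
```

Running `sample_output | count_by_kind` offline shows the summary format without needing a cluster.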