SUSE Support

Here When You Need Us

How to clean the orphaned cluster objects from the deleted cluster namespaces.

This document (000020788) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.x

Situation

In some cases there may be orphaned cluster objects left behind after the in-proper deletion of a downstream cluster in Rancher. These orphaned objects could introduce a condition that causes the leader Rancher pod to enter a CrashLoop state.

Examples of errors from the Rancher pod logs. 
[ERROR] failed to call leader func: namespaces "c-xxxxx" not found
fatal error: concurrent map read and map write
[ERROR] error syncing ‘c-xxxx/p-xxxx’: handler mgmt-project-rbac-remove: failed to remove finalizer on controller.cattle.io/mgmt-project-rbac-remove, requeuing
[ERROR] error syncing ‘c-xxxxx/p-xxxxx’: handler mgmt-project-rbac-remove: failed to remove finalizer on controller.cattle.io/mgmt-project-rbac-remove, requeuing
[ERROR] error syncing ‘c-xxxxx/p-xxxxx’: handler cluster-registration-token: clusters.management.cattle.io "c-xxxxx" not found, requeuing

 

Resolution

Find the objects under the deleted cluster namespaces and manually delete each objects. Make sure there are no such orphaned objects or namespaces left in the local cluster.

1. Set a kubeconfig for the Rancher (local) management cluster to be used with the following steps

2. Verify the Active downstream clusters 
kubectl get clusters.management.cattle.io -o custom-columns="ID:.metadata.name,NAME:.spec.displayName,K8S_VERSION:.status.version.gitVersion,CREATED:.metadata.creationTimestamp,DELETED:.metadata.deletionTimestamp,LAST_READY:.status.conditions[?(@.type == 'Ready')].lastUpdateTime,READY:.status.conditions[?(@.type == 'Ready')].status" --sort-by=.metadata.creationTimestamp
3. Cross verify with the Rancher pod logs to get the deleted downstream cluster namespace and collect the details. Compare with the active list of clusters versus the cluster namespaces. 
kubectl logs -n cattle-system -l app=rancher -c rancher

kubectl get ns -A |grep "c-"
4. If there is a cluster that is stuck deleting, this may not complete. In this case, the finalizer object can be removed from the cluster.management.cattle.io object. Please note the c-xxxxx needs to be replaced with the cluster ID that is stuck deleting. 
kubectl patch clusters.management.cattle.io <c-xxxxx> -p '{"metadata":{"finalizers":[]}}' --type=merge
5. If there is a namespace for a cluster that no longer exists, get the orphaned object details under the deleted cluster namespace. 
kubectl api-resources --verbs=list --namespaced -o name  | xargs -n 1 kubectl get --show-kind --ignore-not-found -n <c-xxxxx>
6. Do the cleanup of orphaned objects.
  • Create the cluster namespace which is deleted, ignore if the cluster namespace is present
kubectl create ns <c-xxxxx>
  • Check the objects detected (in step 5) if desired, each object should have a deletion timestamp if a finalizer is preventing the object from being deleted.
kubectl -n <c-xxxxx> get <resource type> <name of object> -o yaml
  • Remove the finalizer to unblock the deletion of the objects. The command needs to be run for each object.
kubectl -n <c-xxxxx> patch <resource type> <name of object> -p '{"metadata":{"finalizers":[]}}' --type=merge
  • Make sure there are no objects left in the namespace.
kubectl api-resources --verbs=list --namespaced -o name | xargs -n 1 kubectl get --show-kind --ignore-not-found -n <c-xxxxx>
  • Finally, delete the namespace.
kubectl delete ns <c-xxxxx>

Cause

It is important to delete downstream clusters in a process to allow Rancher to delete clusters and clean nodes that are in an Active state.

Downstream cluster deletion is ideally performed from the Rancher UI / API, where nodes are available and able to be gracefully removed. For example, where possible do not terminate nodes in the infrastructure before the deletion is completed. 

Status

Top Issue

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020788
  • Creation Date: 27-Sep-2022
  • Modified Date:28-Mar-2024
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community
tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ
tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center