Bug description
When a tenant user deletes a namespace, it transitions to a "Terminating" state but gets stuck due to resources with finalizers or other blocking conditions. At this point, the user loses access to the namespace and can no longer list, edit, or delete the blocking resources, effectively leaving the namespace stuck in "Terminating" state indefinitely.
This creates a deadlock situation: the namespace cannot complete deletion because of blocking resources, and the user cannot remove those resources because they no longer have access to the namespace.
How to reproduce
- Create a Tenant with a user as owner:
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
name: my-tenant
spec:
owners:
- name: alice
kind: User
- As the tenant user, create a namespace and deploy resources that include finalizers (e.g., custom resources managed by an operator, PVCs, etc.):
kubectl --as=alice create namespace my-namespace
kubectl --as=alice -n my-namespace apply -f <resource-with-finalizer>.yaml
- As the tenant user, delete the namespace:
kubectl --as=alice delete namespace my-namespace
- The namespace transitions to "Terminating" state. The user can no longer access it:
kubectl --as=alice get pods -n my-namespace
# Error: forbidden
- The namespace remains stuck in "Terminating" because the blocking resources cannot be removed by the user.
Expected behavior
When a namespace enters the "Terminating" state, the tenant user should retain sufficient access (at minimum, permissions to list and delete resources) within the namespace so they can resolve any blocking resources and allow the namespace deletion to complete.
Logs
No particular pertinent logs from the Capsule controller manager. The only observable symptoms are:
403 Forbidden errors when the tenant user attempts to access resources in the terminating namespace
Resources with finalizers remaining in the namespace, preventing deletion from completing
Additional context
- Capsule version: 0.12.4
- Capsule proxy version: 0.10.0
- Helm Chart version: 0.12.4
- Kubernetes version: 1.34.0
- Talos version 1.12.2
This issue may be related to how Capsule manages RBAC bindings for namespaces belonging to a Tenant. When the namespace enters "Terminating" state, the associated RoleBindings may be removed or become ineffective, stripping the user's permissions before the namespace is fully cleaned up.
A possible solution could be to ensure that Capsule preserves user access to namespaces in "Terminating" state until deletion is complete, or to have Capsule handle the cleanup of blocking resources on behalf of the user.
Bug description
When a tenant user deletes a namespace, it transitions to a "Terminating" state but gets stuck due to resources with finalizers or other blocking conditions. At this point, the user loses access to the namespace and can no longer list, edit, or delete the blocking resources, effectively leaving the namespace stuck in "Terminating" state indefinitely.
This creates a deadlock situation: the namespace cannot complete deletion because of blocking resources, and the user cannot remove those resources because they no longer have access to the namespace.
How to reproduce
kubectl --as=alice get pods -n my-namespace # Error: forbiddenExpected behavior
When a namespace enters the "Terminating" state, the tenant user should retain sufficient access (at minimum, permissions to list and delete resources) within the namespace so they can resolve any blocking resources and allow the namespace deletion to complete.
Logs
No particular pertinent logs from the Capsule controller manager. The only observable symptoms are:
403 Forbidden errors when the tenant user attempts to access resources in the terminating namespace
Resources with finalizers remaining in the namespace, preventing deletion from completing
Additional context
This issue may be related to how Capsule manages RBAC bindings for namespaces belonging to a Tenant. When the namespace enters "Terminating" state, the associated RoleBindings may be removed or become ineffective, stripping the user's permissions before the namespace is fully cleaned up.
A possible solution could be to ensure that Capsule preserves user access to namespaces in "Terminating" state until deletion is complete, or to have Capsule handle the cleanup of blocking resources on behalf of the user.