[BUG] VPCs do not wait for child subnets to be deleted #5068

Closed
cruickshankpg opened this issue Mar 10, 2025 · 2 comments · Fixed by #5071
Labels: bug, subnet, vpc

@cruickshankpg

Kube-OVN Version

v1.13.2

Kubernetes Version

v1.28.6

Operation-system/Kernel Version

"Ubuntu 22.04.5 LTS" 6.8.0-47-generic

Description

VPCs with subnets do not have finalizers set on them so can be immediately deleted without waiting for their subnets. This results in repeated logs of:

I0310 11:07:51.568997       7 vpc.go:92] handle delete vpc prematurely-deleted-vpc
E0310 11:07:51.569071       7 vpc.go:105] failed to delete vpc prematurely-deleted-vpc please delete subnet orphaned-subnet first
E0310 11:07:51.569173       7 controller.go:1315] "Unhandled Error" err="error syncing delete vpc \"prematurely-deleted-vpc\": failed to delete vpc prematurely-deleted-vpc, please delete subnet orphaned-subnet first, requeuing" logger="UnhandledError"

If the subnet is unable to be deleted at the same time, for example if there is still a pod running using an IP address, then it's very easy to hit #5028.

If the kube-ovn-controller leader is restarted, gc is triggered and the underlying OVN logical router is deleted.

Steps To Reproduce

Create a VPC and subnet:

cat << EOF | kubectl apply -f -
apiVersion: kubeovn.io/v1
kind: Vpc
metadata:
  name: prematurely-deleted-vpc
---
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: orphaned-subnet
spec:
  vpc: prematurely-deleted-vpc
  protocol: IPv4
  cidrBlock: "10.16.0.0/16"
EOF

Delete VPC:

kubectl delete vpc prematurely-deleted-vpc

Logs then repeatedly show:

I0310 16:56:33.031219       7 vpc.go:92] handle delete vpc prematurely-deleted-vpc
E0310 16:56:33.031278       7 vpc.go:105] failed to delete vpc prematurely-deleted-vpc, please delete subnet orphaned-subnet first
E0310 16:56:33.031410       7 controller.go:1315] "Unhandled Error" err="error syncing delete vpc \"prematurely-deleted-vpc\": failed to delete vpc prematurely-deleted-vpc, please delete subnet orphaned-subnet first, requeuing" logger="UnhandledError"

The VPC is no longer present in etcd:

kubectl get vpc prematurely-deleted-vpc
Error from server (NotFound): vpcs.kubeovn.io "prematurely-deleted-vpc" not found

Current Behavior

VPC CR deletion happens immediately even though it is referenced by a subnet, but the controller is unable to process it.

Expected Behavior

VPC deletion is blocked by a finalizer until all subnets are removed.

cruickshankpg added the bug label Mar 10, 2025

dosubot bot commented Mar 10, 2025

To address the issue where VPCs in Kube-OVN version 1.13.2 are deleted without waiting for their child subnets to be removed, you can implement a webhook that prevents the deletion of a VPC if it has associated subnets. The VpcDeleteHook in the webhook package is designed for this purpose. It checks if there are any subnets associated with the VPC and denies the deletion request if subnets exist. This ensures that VPCs are not deleted before their child subnets, effectively preventing the issue you're experiencing.

Here's the relevant code snippet for the VpcDeleteHook:

func (v *ValidatingHook) VpcDeleteHook(_ context.Context, req admission.Request) admission.Response {
    vpc := ovnv1.Vpc{}
    if err := v.decoder.DecodeRaw(req.OldObject, &vpc); err != nil {
        return ctrlwebhook.Errored(http.StatusBadRequest, err)
    }
    if len(vpc.Status.Subnets) != 0 {
        return ctrlwebhook.Denied("can't delete vpc when any subnet in the vpc")
    }
    return ctrlwebhook.Allowed("by pass")
}

This function ensures that the VPC deletion is blocked if there are any subnets present, thus preventing the premature deletion of VPCs [1].


@oilbeater
Collaborator

You are correct, we need to add a finalizer to the VPC CRs.
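
An added example, not part of the original thread or the Kube-OVN code base: a small Go check that finds Subnets left in the state this issue describes, where `spec.vpc` names a Vpc that no longer exists. It assumes the input is the standard list JSON from `kubectl get vpc -o json` and `kubectl get subnet -o json`; the sample data and the names `other-vpc`, `healthy-subnet` and `no-vpc-subnet` are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// objList models only the fields this check reads from a kubectl list.
type objList struct {
	Items []struct {
		Metadata struct{ Name string `json:"name"` } `json:"metadata"`
		Spec     struct{ Vpc string `json:"vpc"` }   `json:"spec"`
	} `json:"items"`
}

// OrphanedSubnets returns "subnet -> vpc" for every Subnet whose spec.vpc
// names a Vpc that is absent from the Vpc list.
func OrphanedSubnets(vpcJSON, subnetJSON []byte) ([]string, error) {
	var vpcs, subnets objList
	if err := json.Unmarshal(vpcJSON, &vpcs); err != nil {
		return nil, fmt.Errorf("decode vpc list: %w", err)
	}
	if err := json.Unmarshal(subnetJSON, &subnets); err != nil {
		return nil, fmt.Errorf("decode subnet list: %w", err)
	}
	known := make(map[string]bool, len(vpcs.Items))
	for _, v := range vpcs.Items {
		known[v.Metadata.Name] = true
	}
	var orphans []string
	for _, s := range subnets.Items {
		// Assumption: an empty spec.vpc is not an explicit reference, so skip it.
		if s.Spec.Vpc != "" && !known[s.Spec.Vpc] {
			orphans = append(orphans, s.Metadata.Name+" -> "+s.Spec.Vpc)
		}
	}
	return orphans, nil
}

// Constructed sample input mirroring the reproduction steps in the issue.
const sampleVpcs = `{"items":[{"metadata":{"name":"other-vpc"}}]}`
const sampleSubnets = `{"items":[
 {"metadata":{"name":"orphaned-subnet"},"spec":{"vpc":"prematurely-deleted-vpc"}},
 {"metadata":{"name":"healthy-subnet"},"spec":{"vpc":"other-vpc"}},
 {"metadata":{"name":"no-vpc-subnet"},"spec":{}}]}`

func main() {
	fmt.Println(OrphanedSubnets([]byte(sampleVpcs), []byte(sampleSubnets)))
}
```
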
