@@ -847,6 +847,35 @@ not vulnerable to ordering changes in the list.
847847
848848Once the last finalizer is removed, the resource is actually removed from etcd.
849849
850+ ### Force deletion
851+
852+ {{< feature-state feature_gate_name="AllowUnsafeMalformedObjectDeletion" >}}
853+
854+ {{< caution >}}
855+ This may break the workload associated with the resource being force deleted, if it
856+ relies on the normal deletion flow, so cluster breaking consequences may apply.
857+ {{< /caution >}}
858+
859+ By enabling the delete option ` ignoreStoreReadErrorWithClusterBreakingPotential ` , the
860+ user can perform an unsafe, and force ** delete** operation of an undecryptable/corrupt
861+ resource. This option is behind a new ALPHA feature gate, and it is disabled by
862+ default. In order to use this option, the cluster operator must enable the feature by
863+ setting the command line option ` --feature-gates=AllowUnsafeMalformedObjectDeletion=true ` .
864+
865+ {{< note >}}
866+ The user performing the force ** delete** operation must have the
867+ ` unsafe-delete-ignore-read-errors ` permission on the resource.
868+ {{< /note >}}
869+
870+ A resource is considered corrupt if it can not be successfully retrieved from the
871+ storage due to a) transformation error e.g. decryption failure, or b) the object
872+ failed to decode. Normal deletion flow is attempted first, and if it fails with
873+ a ` corrupt resource ` error then it triggers the unsafe, and force delete. A force
874+ ** delete** operation ignores finalizer constraints, and skips precondition checks.
875+
876+ The default value for this option is ` false ` , this maintains backward compatibility.
877+ When this field is set to ` true ` , the fields ` dryRun ` , ` gracePeriodSeconds ` ,
878+ ` orphanDependents ` , ` preconditions ` , and ` propagationPolicy ` must be left unset.
850879
851880## Single resource API
852881
0 commit comments