Deletion Policy

When an OpenBaoCluster is deleted, the Operator uses Kubernetes standard cascading deletion (OwnerReferences) to clean up resources. You can configure how aggressive this cleanup is.

Deletion Policies

Control what happens to critical data (Persistent Volumes) and external backups when a cluster is removed.

Retain (Default)DeletePVCs

Best for: Production settings where data safety is paramount.

The Operator cleans up compute resources (StatefulSet, Services, ConfigMaps) but PRESERVES critical secrets and storage.

spec:
  deletionPolicy: Retain  # Default behavior

Cleanup Scope:

• Deleted: Pods, StatefulSets, Services, ConfigMaps, TLS Secrets
• Retained: PVCs (Data), Unseal Key Secret, Root Token Secret, S3 Backups

Why Unseal Key is Retained

The unseal key secret is essential to decrypt your PVC data. Without it, your encrypted data becomes unrecoverable. The Operator automatically orphans these secrets (removes owner references) so Kubernetes garbage collection won't delete them.

Best for: CI/CD pipelines, ephemeral dev environments.

The Operator actively deletes the associated PersistentVolumeClaims (PVCs) when the cluster is deleted.

spec:
  deletionPolicy: DeletePVCs

Data Loss Warning

This policy permanently deletes the underlying disk volumes when the Custom Resource is deleted. This action cannot be undone.

Cleanup Scope:

• Deleted: Pods, StatefulSets, Services, ConfigMaps, Secrets, PVCs (Data)
• Retained: S3 Backups

Performing Deletion

To delete a cluster:

kubectl -n security delete openbaocluster dev-cluster

Verifying Cleanup

After deletion, you can check for any leftover resources (like PVCs if using Retain policy):

kubectl -n security get pvc -l openbao.org/cluster=dev-cluster