
Decommissioning Clusters

Safely delete tenant clusters when no longer needed. Deletion cascades from the Cluster CR to every owned CAPI resource — you delete the Cluster and CAPI handles the rest.

Before You Delete

Deletion is permanent

Deleting a tenant cluster removes its control plane, workers, and any data that lives only on those VMs. Backups of any persistent data should already be in place.

Checklist:

  • [ ] Back up application data and persistent volumes.
  • [ ] Migrate workloads if needed.
  • [ ] Notify team members.
  • [ ] Verify you're targeting the right cluster name.
  • [ ] Confirm no production workloads remain.

Delete

# Take a final backup (whatever backup tool your environment uses)

# Delete the Cluster — CAPI cascades the delete to KamajiControlPlane, TenantControlPlane,
# KubevirtCluster, MachineDeployment, KubevirtMachineTemplate, and the worker VMs.
kubectl delete cluster my-cluster -n <tenant-namespace>

# Verify cascade completed
kubectl get cluster,kamajicontrolplane,tenantcontrolplane,kubevirtcluster -n <tenant-namespace>
kubectl get machinedeployment,machines -n <tenant-namespace>

Cleanup verification

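# Anything left over with the cluster's name? `get all` lists only a subset of
# built-in kinds: Secrets, ConfigMaps, PVCs and custom resources are not included.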
kubectl get all -n <tenant-namespace> | grep my-cluster

# LoadBalancer service VIPs released?
kubectl get svc -A | grep my-cluster
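
A sweep across every listable namespaced type, so that leftover Secrets and custom resources show up as well. This is an added example, not part of the original page or the project's tooling. The function names are hypothetical, and matching on the Cluster API label `cluster.x-k8s.io/cluster-name` assumes owned objects carry it.

```shell
#!/bin/sh
# Added example (hypothetical helper names): leftover sweep after cluster deletion.

# find_leftovers <cluster-name> <namespace>
# Prints "<type>/<name>" for every object in the namespace whose name contains
# the cluster name, or that carries the Cluster API label
# cluster.x-k8s.io/cluster-name=<cluster-name> (assumed to be set on owned objects).
find_leftovers() (
  cluster="$1"; ns="$2"
  # Every namespaced type that supports "list", minus Events (transient records).
  kubectl api-resources --verbs=list --namespaced -o name | grep -v '^events' |
  while read -r kind; do
    # Pass 1: match on object name, as the grep in the page does.
    kubectl get "$kind" -n "$ns" -o name 2>/dev/null | grep -F -- "$cluster" || true
    # Pass 2: match on label, which catches objects with unrelated names.
    kubectl get "$kind" -n "$ns" -o name \
      -l "cluster.x-k8s.io/cluster-name=$cluster" 2>/dev/null || true
  done | sort -u
)

# check_decommissioned <cluster-name> <namespace>
# Exit status 0 when nothing is left; 1 (leftovers listed on stderr) otherwise.
check_decommissioned() (
  found="$(find_leftovers "$1" "$2")"
  if [ -n "$found" ]; then
    printf 'leftover objects for %s in %s:\n%s\n' "$1" "$2" "$found" >&2
    exit 1
  fi
)

# Usage: check_decommissioned my-cluster <tenant-namespace>
```

A non-zero exit makes the check usable as a gate in a decommissioning runbook or pipeline before credentials are rotated and backups archived.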

Stuck deletion

If the Cluster deletion hangs, check finalizers on any child resource that's not letting go:

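# Print the finalizer list of each resource
kubectl get cluster my-cluster -n <tenant-namespace> -o jsonpath='{.metadata.finalizers}{"\n"}'
kubectl get tenantcontrolplane my-cluster -n <tenant-namespace> -o jsonpath='{.metadata.finalizers}{"\n"}'
# One line per Machine: name, then its finalizers
kubectl get machines -n <tenant-namespace> \
  -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.finalizers}{"\n"}{end}'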

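If a finalizer is stuck because its controller is down, remove the finalizer manually. This is a last resort: do it only when you're sure the underlying resource is gone or unrecoverable. The patch below clears every finalizer on the object, so no controller cleanup will run for it afterwards: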

kubectl patch tenantcontrolplane my-cluster -n <tenant-namespace> \
  -p '{"metadata":{"finalizers":[]}}' --type=merge

Post-deletion

  • Verify any external resources (DNS records, edge-router NAT entries, external secrets) tied to the cluster are released.
  • Confirm quota usage has dropped on the under cluster.
  • Archive backups and rotate any tenant credentials.