Decommissioning Clusters¶
Safely delete tenant clusters when no longer needed. Deletion cascades from the Cluster CR to every owned CAPI resource — you delete the Cluster and CAPI handles the rest.
Before You Delete¶
Deletion is permanent
Deleting a tenant cluster removes its control plane, workers, and any data that lives only on those VMs. Backups of any persistent data should already be in place.
Checklist:
- [ ] Backup application data and persistent volumes.
- [ ] Migrate workloads if needed.
- [ ] Notify team members.
- [ ] Verify you're targeting the right cluster name.
- [ ] Confirm no production workloads remain.
Delete¶
# Take a final backup (whatever backup tool your environment uses)
# Delete the Cluster — CAPI cascades the delete to KamajiControlPlane, TenantControlPlane,
# KubevirtCluster, MachineDeployment, KubevirtMachineTemplate, and the worker VMs.
kubectl delete cluster my-cluster -n <tenant-namespace>
# Verify cascade completed
kubectl get cluster,kamajicontrolplane,tenantcontrolplane,kubevirtcluster -n <tenant-namespace>
kubectl get machinedeployment,machines -n <tenant-namespace>
Cleanup verification¶
# Anything left over with the cluster's name?
kubectl get all -n <tenant-namespace> | grep my-cluster
# LoadBalancer service VIPs released?
kubectl get svc -A | grep my-cluster
Stuck deletion¶
If the Cluster deletion hangs, check finalizers on any child resource that's not letting go:
kubectl get cluster my-cluster -n <tenant-namespace> -o yaml | grep finalizers
kubectl get tenantcontrolplane my-cluster -n <tenant-namespace> -o yaml | grep finalizers
kubectl get machines -n <tenant-namespace> -o yaml | grep finalizers
If a finalizer is stuck because its controller is down, remove the finalizer manually (last resort — only when you're sure the underlying resource is gone or unrecoverable):
kubectl patch tenantcontrolplane my-cluster -n <tenant-namespace> \
-p '{"metadata":{"finalizers":[]}}' --type=merge
Post-deletion¶
- Verify any external resources (DNS records, edge-router NAT entries, external secrets) tied to the cluster are released.
- Confirm quota usage has dropped on the under cluster.
- Archive backups and rotate any tenant credentials.