Feature Request: Add Resource Protection Configuration #8

@giselacb

Description

Currently, Hitman can delete any resource that matches its conditions. While it's possible to protect resources using complex templating in preStep, a more straightforward and declarative approach would be beneficial for protecting critical resources.

This feature proposes adding a protection mechanism that would prevent accidental deletion of critical resources through simple configuration.

Proposed Configuration

spec:
  # Existing configuration remains unchanged
  protection:
    enabled: true
    protected:
      # Protect entire namespaces
      namespaces: 
        - "kube-system"
        - "monitoring"
      
      # Protect resources with specific labels
      labels:
        "do-not-delete": "true"
        "environment": "production"
      
      # Protect specific resources
      resources:
        - kind: "Secret"
          name: "cluster-certificates"

Benefits

  • Safety: Prevent accidental deletion of critical system resources
  • Simplicity: Declarative configuration instead of complex templating
  • Maintainability: Easier to audit and update protected resources
  • Global Protection: Applied across all resource definitions

Current Workaround

Currently, this can be achieved using preStep and conditions, but it's more complex:

preStep: |
  {{- if eq .object.metadata.namespace "kube-system" }}
    {{- $vars.protected = true }}
  {{- end }}
conditions:
  - key: "{{ not .vars.protected }}"
    value: "true"
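One way the proposed `protection` block could be evaluated before a delete, as an added sketch that is not part of the issue or of Hitman's code. The type and function names are hypothetical, and it assumes the three rule kinds are OR-ed and that a single matching label is enough, which the issue does not specify.

```go
package main

import "fmt"

// Hypothetical types mirroring the proposed spec.protection block and a deletion candidate.
type ResourceRef struct{ Kind, Name string }
type Protection struct {
	Enabled    bool
	Namespaces []string
	Labels     map[string]string
	Resources  []ResourceRef
}
type Object struct {
	Kind, Namespace, Name string
	Labels                map[string]string
}

// ProtectedBy returns a rule that shields o from deletion, or "" if none does.
// Assumption: rules are OR-ed and one matching label is enough.
func ProtectedBy(p Protection, o Object) string {
	if !p.Enabled {
		return ""
	}
	for _, ns := range p.Namespaces {
		if o.Namespace == ns {
			return "namespace:" + ns
		}
	}
	for k, v := range p.Labels {
		// The key must be present: a missing label must not match an empty value.
		if got, ok := o.Labels[k]; ok && got == v {
			return "label:" + k + "=" + v
		}
	}
	for _, r := range p.Resources {
		if o.Kind == r.Kind && o.Name == r.Name {
			return "resource:" + r.Kind + "/" + r.Name
		}
	}
	return ""
}

// SamplePolicy is the configuration from the issue, constructed by hand.
var SamplePolicy = Protection{true, []string{"kube-system", "monitoring"},
	map[string]string{"do-not-delete": "true", "environment": "production"},
	[]ResourceRef{{"Secret", "cluster-certificates"}}}

func main() {
	fmt.Println(ProtectedBy(SamplePolicy, Object{Kind: "Secret", Namespace: "default", Name: "cluster-certificates"}))
}
```

Returning the matching rule rather than a bare boolean lets a controller log why a deletion was skipped, which supports the auditability benefit listed above.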
