Description
I was helping a user get started with an EKS project and they encountered an error on destroy that was confusing to them: namespaces "kube-system" is forbidden: this namespace may not be deleted.
What had happened was that in their program, they were creating a `Namespace` resource to manage the built-in `kube-system` namespace like this:
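```python
import pulumi
import pulumi_kubernetes as kubernetes

# eks_provider is the Kubernetes provider for the EKS cluster, defined elsewhere in the program.

# This is the namespace where the AWS Load Balancer Controller will be installed.
namespace = kubernetes.core.v1.Namespace('aws-loadbalancer',
    metadata={
        'name': 'kube-system'  # typically installed in the kube-system namespace
    },
    opts=pulumi.ResourceOptions(provider=eks_provider))
```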
This succeeded on create, probably as an SSA-mode “upsert” on create since the namespace already exists. However, since this is a built-in namespace, the destroy fails.
We should probably have failed fast on the initial `pulumi up`, warning the user that the namespace already exists and suggesting that they need to either import the resource if they want to manage it or just use a `NamespacePatch` if they just want to modify some properties of it.
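
The fail-fast behaviour proposed above can be sketched as a pre-deploy check. This is an added example, not code from the issue or from the Pulumi provider; `check_namespaces`, `Finding` and the sample data are hypothetical, and the check assumes the caller already has the list of namespaces present in the cluster.

```python
# Added sketch: pre-deploy check for Namespace resources that already exist.
# All names here (check_namespaces, Finding, the sample data) are hypothetical.
from dataclasses import dataclass

# Namespaces the Kubernetes NamespaceLifecycle admission plugin refuses to delete.
UNDELETABLE = {"default", "kube-system", "kube-public"}


@dataclass
class Finding:
    resource: str   # logical resource name in the program
    namespace: str  # metadata.name it targets
    message: str


def check_namespaces(declared, live_namespaces):
    """Return a Finding for every declared Namespace that would silently
    adopt an existing namespace instead of creating a new one.

    declared: list of dicts with 'logical_name', 'kind', 'name', 'imported'.
    live_namespaces: set of namespace names currently in the cluster.
    """
    findings = []
    for res in declared:
        if res["kind"] != "Namespace":
            continue  # NamespacePatch is meant to target an existing namespace
        if res.get("imported") or res["name"] not in live_namespaces:
            continue  # explicitly imported, or a genuinely new namespace
        msg = (f'namespace "{res["name"]}" already exists; import it to '
               "manage it, or use NamespacePatch to modify it")
        if res["name"] in UNDELETABLE:
            msg += "; it is built in and cannot be deleted on destroy"
        findings.append(Finding(res["logical_name"], res["name"], msg))
    return findings


# Constructed sample input: the program from the report plus two safe variants.
DECLARED = [
    {"logical_name": "aws-loadbalancer", "kind": "Namespace", "name": "kube-system"},
    {"logical_name": "lb-patch", "kind": "NamespacePatch", "name": "kube-system"},
    {"logical_name": "apps", "kind": "Namespace", "name": "apps"},
]
LIVE = {"default", "kube-system", "kube-public", "kube-node-lease"}

if __name__ == "__main__":
    for f in check_namespaces(DECLARED, LIVE):
        print(f"{f.resource}: {f.message}")
```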