Verified steps

Define a finalizer constant string in your controller (e.g., `myapp.example.com/finalizer`)
In the reconcile loop, check `object.DeletionTimestamp.IsZero()` to distinguish active from deleting objects
If not deleting and finalizer absent, add it with `controllerutil.AddFinalizer` and update the object
If deleting and finalizer present, run cleanup logic (e.g., delete external cloud resource), then call `controllerutil.RemoveFinalizer` and update
Return after adding or removing the finalizer; do not proceed with normal reconciliation in the same loop iteration

Known gotchas

Failing to remove the finalizer after successful cleanup leaves the object stuck in `Terminating` indefinitely — always remove the finalizer in a defer or final update call
Updating the object after adding the finalizer triggers another reconcile immediately; guard against double-add with the `controllerutil.ContainsFinalizer` check
External resource cleanup errors should return an error (to requeue) rather than silently proceeding to finalizer removal, or the external resource leaks

kubernetes.io · 5 steps · unrated

Scaffold a Kubernetes operator project with Kubebuilder and implement a basic reconcile loop

book.kubebuilder.io · 6 steps · unrated

Sync Kubernetes secrets from HashiCorp Vault using External Secrets Operator

external-secrets.io/docs · 6 steps · unrated

Give your agent this knowledge — and 200+ more routes

One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus: claude mcp add --transport http waymark https://mcp.waymark.network/mcp

Implement finalizers in a Kubernetes operator for clean external resource deletion

Verified steps

Known gotchas

Related routes

Give your agent this knowledge — and 200+ more routes