Clean up organization memberships when users are deleted #544

Open

scotwells wants to merge 1 commit into main from fix/issue-536-user-policybinding-gc
Conversation

@scotwells
Contributor

Summary

  • Adds a finalizer to the UserController that deletes all OrganizationMemberships referencing a user before allowing the User object to be removed
  • Extends the OrganizationMembership validation webhook to allow last-owner membership deletion when the referenced User is being deleted (verified via direct API server read, not cache)
  • Fixes the Organization webhook and UserInvitation controller to set correct User ownerReferences on OrganizationMemberships
  • Adds a two-pass self-delete in the OrganizationMembership controller for existing orphaned memberships where the User no longer exists

Context

When a User was deleted, OrganizationMembership resources referencing that user were not cleaned up because they had no User ownerReference (webhook creation path) or had a malformed one (invitation path used .Group instead of .String() for APIVersion). The orphaned memberships left their owned PolicyBindings stuck in SubjectValidationFailed state.

Closes #536

Test plan

  • Webhook tests verify deletion is allowed when User has DeletionTimestamp
  • Webhook tests verify deletion is allowed when User is already gone
  • Webhook tests verify last-owner guard still blocks when User is active
  • All existing unit tests pass
  • Chainsaw e2e test validates full lifecycle: create user + org → verify membership → delete user → verify cleanup
  • e2e test confirmed to detect the bug in CI (test-only branch failed as expected)

🤖 Generated with Claude Code
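The two fixes described in the Summary and Context above (the `.String()` vs `.Group` ownerReference apiVersion, and the webhook rule that lets the last owner membership go only when its User is gone or being deleted), as an added Go example that is not part of this PR or the project's code. It uses minimal stand-in types instead of k8s.io/apimachinery; the group `iam.example.io`, the `User` kind name and the `getUser` lookup are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Stand-ins for schema.GroupVersion and metav1.OwnerReference (assumption:
// the real controller uses the k8s.io/apimachinery types).
type GroupVersion struct{ Group, Version string }
type OwnerReference struct{ APIVersion, Kind, Name, UID string }

// String renders "<group>/<version>", the form an apiVersion must take.
func (gv GroupVersion) String() string {
	if gv.Group == "" {
		return gv.Version
	}
	return gv.Group + "/" + gv.Version
}

// User carries DeletionTimestamp once it is being finalized.
type User struct {
	Name, UID         string
	DeletionTimestamp *time.Time
}
var ErrNotFound = errors.New("user not found")

// userOwnerRef is the owner link a membership must carry so garbage collection
// can tie it to its User. The bug fixed in the PR used gv.Group here, yielding
// a bare "<group>" with no version, so the membership was never cleaned up.
func userOwnerRef(gv GroupVersion, u User) OwnerReference {
	return OwnerReference{APIVersion: gv.String(), Kind: "User", Name: u.Name, UID: u.UID}
}

// allowLastOwnerDeletion is the webhook rule from the PR: the last owner may be
// removed only if its User is gone or being deleted. getUser stands in for a
// direct API server read (not the informer cache); read errors fail closed.
func allowLastOwnerDeletion(getUser func(string) (User, error), name string) (bool, error) {
	u, err := getUser(name)
	switch {
	case errors.Is(err, ErrNotFound):
		return true, nil // User already gone: the membership is an orphan
	case err != nil:
		return false, err
	case u.DeletionTimestamp != nil:
		return true, nil // User is being finalized
	}
	return false, nil // active User keeps its last owner
}

func main() {
	gv := GroupVersion{Group: "iam.example.io", Version: "v1alpha1"} // constructed group
	fmt.Println(userOwnerRef(gv, User{Name: "alice", UID: "u-1"}).APIVersion)
}
```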

@joggrbot
Contributor

joggrbot bot commented Mar 27, 2026

📝 Documentation Analysis

All docs are up to date! 🎉


✅ Latest commit analyzed: 485ee94 | Powered by Joggr

Add a finalizer to the UserController that deletes all
OrganizationMemberships referencing a user before allowing the User
object to be removed. This prevents PolicyBindings owned by those
memberships from becoming permanently orphaned.

Also fixes:
- OrganizationMembership validation webhook now allows last-owner
  membership deletion when the referenced User is being deleted
- Organization webhook sets User ownerReference on memberships
- UserInvitation controller fixes malformed ownerReference APIVersion
- OrganizationMembership controller self-deletes after two-pass
  confirmation when the referenced User no longer exists

Closes #536

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scotwells force-pushed the fix/issue-536-user-policybinding-gc branch from 1f29aaa to 485ee94 on March 27, 2026 at 15:39

Development

Successfully merging this pull request may close these issues.

Orphaned PolicyBindings for deleted Users not garbage collected