Merge pull request #18185 from hakman/azure-delete-cluster

azure: Fix deletion ordering issues

Author: k8s-ci-robot

pkg/resources/azure/azure.go

@@ -231,8 +231,16 @@ func (g *resourceGetter) toSubnetResource(subnet *network.Subnet, vnetID string)
 	blocks = append(blocks, toKey(typeVirtualNetwork, vnetID))
 	blocks = append(blocks, toKey(typeResourceGroup, g.resourceGroupID()))
 
-	if subnet.Properties != nil && subnet.Properties.NatGateway != nil && subnet.Properties.NatGateway.ID != nil {
-		blocks = append(blocks, toKey(typeNatGateway, *subnet.Properties.NatGateway.ID))
+	if subnet.Properties != nil {
+		if subnet.Properties.NatGateway != nil && subnet.Properties.NatGateway.ID != nil {
+			blocks = append(blocks, toKey(typeNatGateway, *subnet.Properties.NatGateway.ID))
+		}
+		if subnet.Properties.RouteTable != nil && subnet.Properties.RouteTable.ID != nil {
+			blocks = append(blocks, toKey(typeRouteTable, *subnet.Properties.RouteTable.ID))
+		}
+		if subnet.Properties.NetworkSecurityGroup != nil && subnet.Properties.NetworkSecurityGroup.ID != nil {
+			blocks = append(blocks, toKey(typeNetworkSecurityGroup, *subnet.Properties.NetworkSecurityGroup.ID))
+		}
 	}
 
 	vnet, err := arm.ParseResourceID(vnetID)

pkg/resources/azure/errors.go

@@ -0,0 +1,43 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"errors"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+)
+
+// IsDependencyViolation checks if the error is a transient dependency/conflict
+// error that should be retried quietly during resource deletion.
+func IsDependencyViolation(err error) bool {
+	var azErr *azcore.ResponseError
+	if !errors.As(err, &azErr) {
+		return false
+	}
+	switch azErr.ErrorCode {
+	// Conflict is returned when deleting multiple VMSS VMs concurrently;
+	// Azure only allows one mutating operation per VMSS at a time.
+	case "Conflict":
+		return true
+	case "InUseRouteTableCannotBeDeleted", "InUseNetworkSecurityGroupCannotBeDeleted",
+		"InUseSubnetCannotBeDeleted", "NatGatewayInUseBySubnet":
+		return true
+	default:
+		return false
+	}
+}

pkg/resources/ops/delete.go

@@ -24,6 +24,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/resources"
 	awsresources "k8s.io/kops/pkg/resources/aws"
+	azureresources "k8s.io/kops/pkg/resources/azure"
 	gceresources "k8s.io/kops/pkg/resources/gce"
 	"k8s.io/kops/upup/pkg/fi"
 )
@@ -129,7 +130,7 @@ func DeleteResources(cloud fi.Cloud, resourceMap map[string]*resources.Resource,
 					}
 					if err != nil {
 						mutex.Lock()
-						if awsresources.IsDependencyViolation(err) || gceresources.IsDependencyViolation(err) {
+						if awsresources.IsDependencyViolation(err) || gceresources.IsDependencyViolation(err) || azureresources.IsDependencyViolation(err) {
 							fmt.Printf("%s\tstill has dependencies, will retry\n", human)
 							klog.V(4).Infof("resource %q generated a dependency error: %v", human, err)
 						} else {