openshift · jab-rh · Apr 23, 2025 · Apr 14, 2025
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -4686,6 +4686,8 @@ Topics:
     File: virt-edit-boot-order
   - Name: Deleting virtual machines
     File: virt-delete-vms
+  - Name: Enabling or disabling virtual machine delete protection
+    File: virt-enabling-disabling-vm-delete-protection
   - Name: Exporting virtual machines
     File: virt-exporting-vms
   - Name: Managing virtual machine instances

diff --git a/modules/virt-delete-vm-web.adoc b/modules/virt-delete-vm-web.adoc
@@ -1,22 +1,32 @@
 // Module included in the following assemblies:
 //
-// * virt/virtual_machines/virt-delete-vms.adoc
+// * virt/managing-vms/virt-delete-vms.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="virt-delete-vm-web_{context}"]
 
 = Deleting a virtual machine using the web console
 
-Deleting a virtual machine permanently removes it from the cluster.
+Deleting a virtual machine (VM) permanently removes it from the cluster.
+
+If the VM is delete protected, the *Delete* action is disabled in the VM's *Actions* menu.
+
+.Prequisite
+
+* To delete the VM, you must first disable the VM's delete protection setting, if enabled.
 
 .Procedure
 
-. In the {product-title} console, click *Virtualization* -> *VirtualMachines* from the side menu.
+. From the {product-title} web console, choose your view:
+
+    * For a virtualization-focused view, select *Administrator* → *Virtualization* → *VirtualMachines*.
+
+    * For a general view, navigate to *Virtualization* → *VirtualMachines*.
 
-. Click the Options menu {kebab} beside a virtual machine and select *Delete*.
+. Click the *Actions* menu {kebab} beside a VM and select *Delete*.
 +
-Alternatively, click the virtual machine name to open the *VirtualMachine details* page and click *Actions* -> *Delete*.
+Alternatively, click the VM's name to open the *VirtualMachine details* page and click *Actions* -> *Delete*.
 
 . Optional: Select *With grace period* or clear *Delete disks*.
 
-. Click *Delete* to permanently delete the virtual machine.
+. Click *Delete* to permanently delete the VM.
diff --git a/modules/virt-deleting-vms.adoc b/modules/virt-deleting-vms.adoc
@@ -1,21 +1,21 @@
 // Module included in the following assemblies:
 //
-// * virt/virtual_machines/virt-delete-vms.adoc
+// * virt/managing-vms/virt-delete-vms.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="virt-deleting-vms_{context}"]
 
 = Deleting a virtual machine by using the CLI
 
-You can delete a virtual machine by using the `oc` command-line interface (CLI). The `oc` client enables you to perform actions on multiple virtual machines.
+You can delete a virtual machine (VM) by using the `oc` command-line interface (CLI). The `oc` client enables you to perform actions on multiple VMs.
 
 .Prerequisites
 
-* Identify the name of the virtual machine that you want to delete.
+* To delete the VM, you must first disable the VM's delete protection setting, if enabled.
 
 .Procedure
 
-* Delete the virtual machine by running the following command:
+* Delete the VM by running the following command:
 +
 [source,terminal]
 ----
@@ -28,3 +28,4 @@ This command only deletes a VM in the current project. Specify the
 `-n <project_name>` option if the VM you want to delete is in
 a different project or namespace.
 ====
+
diff --git a/modules/virt-enabling-disabling-vm-delete-protection-cli.adoc b/modules/virt-enabling-disabling-vm-delete-protection-cli.adoc
@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * virt/managing-vms/virt-enabling-disabling-vm-delete-protection.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-enabling-disabling-vm-delete-protection-cli_{context}"]
+= Enabling or disabling VM delete protection by using the command line
+
+To prevent the inadvertent deletion of a virtual machine (VM), you can enable VM delete protection by using the command line. You can also disable delete protection for a VM.
+
+By default, delete protection is not enabled for VMs. You must set the option for each individual VM.
+
+.Prerequisites
+
+* You have installed the {oc-first}.
+
+.Procedure
+
+* Enable delete protection for a VM by running the following command:
++
+[source,terminal]
+----
+$ oc patch vm <vm_name> --type merge -p '{"metadata":{"labels":{"kubevirt.io/vm-delete-protection":"True"}}}' -n <namespace>
+----
+
+* Disable delete protection for a VM by running the following command:
++
+[source,terminal]
+----
+$ oc patch vm <vm_name> --type json -p '[{"op": "remove", "path": "/metadata/labels/kubevirt.io~1vm-delete-protection"}]' -n <namespace>
+----
+
diff --git a/modules/virt-enabling-disabling-vm-delete-protection-web.adoc b/modules/virt-enabling-disabling-vm-delete-protection-web.adoc
@@ -0,0 +1,34 @@
+// Module included in the following assemblies:
+//
+// * virt/managing-vms/virt-enabling-disabling-vm-delete-protection.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-enabling-disabling-vm-delete-protection-web_{context}"]
+
+= Enabling or disabling virtual machine delete protection by using the web console
+
+To prevent the inadvertent deletion of a virtual machine (VM), you can enable VM delete protection by using the {product-title} web console. You can also disable delete protection for a VM.
+
+By default, delete protection is not enabled for VMs. You must set the option for each individual VM.
+
+.Procedure
+
+. From the {product-title} web console, choose your view:
+
+    * For a virtualization-focused view, select *Administrator* → *Virtualization* → *VirtualMachines*.
+
+    * For a general view, navigate to *Virtualization* → *VirtualMachines*.
+
+. From the *VirtualMachines* list, select the VM whose delete protection you want to enable or disable.
+
+. Click the *Configuration* tab.
+
+. In the *VirtualMachines details*, choose to enable or disable the protection as follows:
+
+* To enable the protection:
+.. Set the *Deletion protection* switch to *On*.
+.. Click *Enable* to confirm the protection.
+
+ * To disable the protection:
+.. Set the *Deletion protection* switch to *Off*.
+.. Click *Disable* to disable the protection.
diff --git a/modules/virt-removing-vm-delete-protection.adoc b/modules/virt-removing-vm-delete-protection.adoc
@@ -0,0 +1,78 @@
+// Module included in the following assemblies:
+//
+// * virt/managing-vms/virt-enabling-disabling-vm-delete-protection.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-removing-vm-delete-protection_{context}"]
+
+= Removing the VM delete protection option
+
+When you enable delete protection on a virtual machine (VM), you ensure that the VM cannot be inadvertently deleted. You can also disable the protection for a VM.
+
+As a cluster administrator, you can choose not to make the VM delete protection option available. VMs with delete protection already enabled retain that setting; for any new VMs that are created, enabling the option is not allowed.
+
+You can remove the delete protection option by establishing a validation admission policy for the cluster and then creating the necessary binding to use the policy in the cluster.
+
+.Prerequisites
+
+* You must have cluster administrator privileges.
+
+.Procedure
+
+. Create the validation admission policy, as shown in the following example:
++
+.Example validation admission policy file
+[source,yaml]
+----
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "disable-vm-delete-protection"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["kubevirt.io"]
+      apiVersions: ["*"]
+      operations:  ["UPDATE", "CREATE"]
+      resources:   ["virtualmachines"]
+  variables:
+    - expression: string('kubevirt.io/vm-delete-protection')
+      name: vmDeleteProtectionLabel
+  validations:
+  - expression: >-
+      !has(object.metadata.labels) ||
+      !object.metadata.labels.exists(label, label == variables.vmDeleteProtectionLabel) ||
+      has(oldObject.metadata.labels) &&
+      oldObject.metadata.labels.exists(label, label == variables.vmDeleteProtectionLabel)
+    message: "Virtual Machine delete protection feature is disabled"
+----
+
+. Apply the validation admission policy to the cluster:
++
+[source,terminal]
+----
+$ oc apply -f disable-vm-delete-protection.yaml
+----
+
+. Create the validation admission policy binding, as shown in the following example:
++
+.Example validation admission policy binding file
+[source,yaml]
+----
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "disable-vm-delete-protection-binding"
+spec:
+  policyName: "disable-vm-delete-protection"
+  validationActions: [Deny]
+  matchResources:
+----
+
+. Apply the validation admission policy binding to the cluster:
++
+[source,terminal]
+----
+$ oc apply -f disable-vm-delete-protection-binding.yaml
+----
diff --git a/virt/managing_vms/virt-delete-vms.adoc b/virt/managing_vms/virt-delete-vms.adoc
@@ -6,7 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-You can delete a virtual machine from the web console or by using the `oc` command-line interface.
+You can delete a virtual machine by using the web console or the `oc` command line interface.
 
 include::modules/virt-delete-vm-web.adoc[leveloffset=+1]
 include::modules/virt-deleting-vms.adoc[leveloffset=+1]
diff --git a/virt/managing_vms/virt-enabling-disabling-vm-delete-protection.adoc b/virt/managing_vms/virt-enabling-disabling-vm-delete-protection.adoc
@@ -0,0 +1,23 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="virt-enabling-disabling-vm-delete-protection"]
+= Enabling or disabling virtual machine delete protection
+include::_attributes/common-attributes.adoc[]
+:context: virt-enabling-disabling-vm-delete-protection
+
+toc::[]
+
+You can prevent the inadvertent deletion of a virtual machine (VM) by enabling delete protection for the VM. You can also disable delete protection for the VM.
+
+You enable or disable delete protection from either the command line or the VM's *VirtualMachine details* page in the {product-title} web console. The option is disabled by default.
+
+You can also choose to remove availability of the delete protection option for any VMs in a cluster you administer. In this case, VMs with the feature already enabled retain the protection, while the option is unavailable for any newly created VMs.
+
+include::modules/virt-enabling-disabling-vm-delete-protection-web.adoc[leveloffset=+1]
+include::modules/virt-enabling-disabling-vm-delete-protection-cli.adoc[leveloffset=+1]
+include::modules/virt-removing-vm-delete-protection.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+* xref:../../virt/managing_vms/virt-enabling-disabling-vm-delete-protection.adoc#virt-enabling-disabling-vm-delete-protection-web_virt-enabling-disabling-vm-delete-protection[Enabling or disabling virtual machine delete protection by using the web console]
+* xref:../../virt/managing_vms/virt-enabling-disabling-vm-delete-protection.adoc#virt-enabling-disabling-vm-delete-protection-cli_virt-enabling-disabling-vm-delete-protection[Enabling or disabling virtual machine delete protection by using the CLI]