NVIDIA
diff --git a/‎.ko.yaml‎
Lines changed: 17 additions & 0 deletions b/‎.ko.yaml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎distros/kubernetes/nvsentinel/values.yaml‎
Lines changed: 2 additions & 1 deletion b/‎distros/kubernetes/nvsentinel/values.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/designs/029-slurm-external-drain-health-monitor.md‎
Lines changed: 74 additions & 0 deletions b/‎docs/designs/029-slurm-external-drain-health-monitor.md‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎health-monitors/Makefile‎
Lines changed: 14 additions & 1 deletion b/‎health-monitors/Makefile‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎health-monitors/slurm-drain-monitor/Makefile‎
Lines changed: 58 additions & 0 deletions b/‎health-monitors/slurm-drain-monitor/Makefile‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎health-monitors/slurm-drain-monitor/config.example.toml‎
Lines changed: 27 additions & 0 deletions b/‎health-monitors/slurm-drain-monitor/config.example.toml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎health-monitors/slurm-drain-monitor/go.mod‎
Lines changed: 84 additions & 0 deletions b/‎health-monitors/slurm-drain-monitor/go.mod‎
Lines changed: 84 additions & 0 deletions
@@ -237,3 +237,20 @@ builds:
       org.opencontainers.image.version: "{{.Env.VERSION}}"
       org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
       org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
+
+  - id: slurm-drain-monitor
+    dir: health-monitors/slurm-drain-monitor
+    main: .
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    annotations:
+      org.opencontainers.image.description: "Slurm drain monitor for detecting external Slurm drains and publishing health events"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Slurm Drain Monitor"
+      org.opencontainers.image.description: "Slurm drain monitor for detecting external Slurm drains and publishing health events"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
@@ -67,7 +67,8 @@ global:
     compress: true  # Compress rotated log files
 
   nodeSelector: {}
-  tolerations: []
+  tolerations:
+    - operator: Exists
   affinity: {}
   systemNodeSelector: {}
   systemNodeTolerations: []
 
@@ -0,0 +1,74 @@
+# ADR-029: Slurm External Drain Health Monitor
+
+## Context
+
+Slurm nodes can be drained by sources other than the slurm-operator (e.g. Slurm's native HealthCheckProgram, admins via `scontrol`, or the native health_check script with `[HC]` reason). The slurm-operator treats any drain reason **not** prefixed with `slurm-operator:` as externally owned and does not modify or clear it. NodeSet pod conditions already reflect the Slurm node state and reason (`SlurmNodeStateDrain` + `Message`).
+
+NVSentinel needs to treat these external Slurm drains as health events so the **full remediation cycle** runs (quarantine → drain → remediate). The DrainRequest is in the **middle** of that pipeline, so we cannot start from a DrainRequest—we must start at the **health event** and publish to the NVSentinel API. The logic is the same as other health monitors; only the **source** (pod conditions) and **publishing endpoint** (NVSentinel API) differ. We also need a **generic** way to parse multi-check drain reasons (e.g. split by a delimiter and regex match) so other consumers can reuse the same contract.
+
+When NVSentinel cordons the node in response to an external drain, it must **not** set the `nodeset.slinky.slurm.net/node-cordon-reason` annotation, so the slurm-operator never overwrites or takes ownership of the external reason.
+
+## Decision
+
+Add a **health monitor** that watches NodeSet pod conditions for external Slurm drains, parses the reason string with a **generic split + regex** contract, and **publishes health events to the NVSentinel API** (same as other monitors). Events enter the normal pipeline (fault-quarantine, node-drainer, fault-remediation). The monitor only publishes events; it does not cordon. When NVSentinel cordons the node downstream (via fault-quarantine / node-drainer) for this event source, it does **not** set the `node-cordon-reason` annotation; cordon node only. This gives the full remediation cycle from a single entry point (health event) and keeps the design reusable via generic parsing.
+
+## Implementation
+
+### 1. Slurm-drain health monitor
+
+**Placement:** `NVSentinel/health-monitors/slurm-drain-monitor/`. Structure follows kubernetes-object-monitor: `main.go`, `pkg/{config,controller,parser,publisher,initializer}`. Go, controller-runtime, same `pb` and gRPC client.
+
+**Detection:**
+- **Watch:** NodeSet pods (namespace / label selector). Read `status.conditions`.
+- **Detect external drain:** Condition type `SlurmNodeStateDrain` (matches operator constant `PodConditionDrain`), status `True`, and `Message` non-empty and **not** starting with `slurm-operator:` (matches operator constant `nodeReasonPrefix`).
+
+**Parsing (pkg/parser):**
+- **Split** `Message` by configurable delimiter (if omitted, the full message is treated as a single segment) → list of segments.
+- **Match** each segment against configurable regex rules. Each rule: `regex`, `checkName`, `componentClass`, optional `message`, `recommendedAction`, `isFatal`. If multiple rules match one segment, produce one structured reason per match.
+
+**Health event mapping:**
+- Build `pb.HealthEvent` per matched reason: `Agent` = `"slurm-drain-monitor"`, `CheckName`, `Message`, `IsFatal`, `RecommendedAction`, `EntitiesImpacted` = pod (v1/Pod GVK + namespace/name) and node name (from `pod.Spec.NodeName`). Same protos as other monitors.
+
+**Publishing:**
+- Call `PlatformConnectorClient.HealthEventOccurredV1` (same API and retry logic as kubernetes-object-monitor). Event flows through fault-quarantine → node-drainer → fault-remediation.
+
+**State transitions:**
+- **Unhealthy:** External drain newly detected or reason text changed → publish unhealthy event, store state.
+- **Healthy:** External drain clears (condition status `False`, condition removed, `Message` changes to `slurm-operator:`-prefixed, or pod deleted) → publish healthy event, clear state.
+- **Deduplication:** Track last-published `message` per pod. Only publish on transition.
+
+**Startup:** Re-scan all matching pods on startup and reconcile against current conditions. Publishing is idempotent so re-publishing existing drains on restart is acceptable.
+
+**Config (TOML):** `namespace`/`labelSelector` for NodeSet pods, `reasonDelimiter`, list of `patterns` (regex + optional fields). Flags: `--platform-connector-socket`, `--processing-strategy`.
+
+### 2. NVSentinel pipeline (downstream)
+
+The monitor only publishes health events; it does not cordon. When fault-quarantine or node-drainer cordons a node for events from the `slurm-drain-monitor` source, the cordon path must **not** set `node-cordon-reason`. This is a configuration / policy constraint in fault-quarantine or node-drainer, not in the monitor.
+
+### 3. Shared parser (future)
+
+The split+regex parser lives in `pkg/parser` within the monitor. If a second consumer appears, extract to a shared NVSentinel package. Until then, keep it colocated.
+
+## Rationale
+
+- **Full cycle:** Starting at the health event gives the full remediation cycle; starting from DrainRequest would be mid-pipeline.
+- **Same pattern as other monitors:** Same publishing endpoint and pipeline; only the source (pod conditions) differs. The monitor does not cordon; the "don't set node-cordon-reason" constraint is a downstream pipeline policy.
+- **Generic parsing:** Split by delimiter + regex keeps the design reusable for other consumers.
+- **No overwrite:** Not setting `node-cordon-reason` when cordoning preserves the slurm-operator's ownership model and avoids losing the audit trail in Slurm.
+
+## Consequences
+
+- **Positive:** Full remediation cycle for external Slurm drains; same NVSentinel API and pipeline; generic parsing usable elsewhere; clear separation between monitor (publish) and pipeline (cordon policy).
+- **Negative:** New monitor to deploy and configure.
+- **Mitigation:** Config-driven (TOML); follow existing health-monitor patterns (kubernetes-object-monitor).
+
+## Alternatives Considered
+
+- **DrainRequest as entry point:** Rejected because it is mid-pipeline; we need the health event first for the full cycle.
+- **Override external reason via node-cordon-reason:** Rejected; would overwrite audit trail and change slurm-operator semantics.
+- **CEL-based policy (like kubernetes-object-monitor):** CEL is well-suited for evaluating arbitrary object properties but overkill for string parsing; split+regex is simpler and more explicit for reason parsing.
+
+## References
+
+- kubernetes-object-monitor: `health-monitors/kubernetes-object-monitor` (publisher, controller, config pattern).
+- Slurm-operator constants: `SlurmNodeStateDrain` (`PodConditionDrain`), `slurm-operator:` (`nodeReasonPrefix`), `nodeset.slinky.slurm.net/node-cordon-reason` (`AnnotationNodeCordonReason`).
@@ -11,7 +11,8 @@ GOCOVER_COBERTURA := gocover-cobertura
 GO_HEALTH_MONITORS := \
 	syslog-health-monitor \
 	csp-health-monitor \
-	kubernetes-object-monitor
+	kubernetes-object-monitor \
+	slurm-drain-monitor
 
 PYTHON_HEALTH_MONITORS := \
 	gpu-health-monitor
@@ -59,6 +60,10 @@ lint-test-gpu-health-monitor:
 lint-test-kubernetes-object-monitor:
 	$(MAKE) -C kubernetes-object-monitor lint-test
 
+.PHONY: lint-test-slurm-drain-monitor
+lint-test-slurm-drain-monitor:
+	$(MAKE) -C slurm-drain-monitor lint-test
+
 # Build targets for health monitors (delegate to module Makefiles)
 .PHONY: build-all
 build-all:
@@ -87,6 +92,10 @@ build-gpu-health-monitor:
 build-kubernetes-object-monitor:
 	$(MAKE) -C kubernetes-object-monitor build
 
+.PHONY: build-slurm-drain-monitor
+build-slurm-drain-monitor:
+	$(MAKE) -C slurm-drain-monitor build
+
 # Clean targets (delegate to module Makefiles)
 .PHONY: clean-all
 clean-all:
@@ -115,6 +124,10 @@ clean-gpu-health-monitor:
 clean-kubernetes-object-monitor:
 	$(MAKE) -C kubernetes-object-monitor clean
 
+.PHONY: clean-slurm-drain-monitor
+clean-slurm-drain-monitor:
+	$(MAKE) -C slurm-drain-monitor clean
+
 # Help target
 .PHONY: help
 help:
 
@@ -0,0 +1,58 @@
+# slurm-drain-monitor Makefile
+# Copyright (c) 2026, NVIDIA CORPORATION. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# =============================================================================
+# MODULE-SPECIFIC CONFIGURATION
+# =============================================================================
+
+IS_GO_MODULE := 1
+IS_KO_MODULE := 1
+CLEAN_EXTRA_FILES := slurm-drain-monitor
+
+# =============================================================================
+# INCLUDE SHARED DEFINITIONS
+# =============================================================================
+
+include ../../make/common.mk
+include ../../make/go.mk
+
+# Test setup commands for kubebuilder envtest
+TEST_SETUP_COMMANDS := \
+	go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(SETUP_ENVTEST_VERSION) && \
+	eval $$(setup-envtest use --use-env -p env) &&
+
+# =============================================================================
+# DEFAULT TARGET
+# =============================================================================
+
+.PHONY: all
+all: lint-test
+
+# =============================================================================
+# MODULE HELP
+# =============================================================================
+
+.PHONY: help
+help:
+	@echo "slurm-drain-monitor - Watches NodeSet pod conditions for external Slurm drains, publishes health events to NVSentinel API"
+	@echo ""
+	@echo "Main targets: all, lint-test, build, test, lint, clean"
+	@echo "Ko targets: ko-build, ko-publish"
+	@echo ""
+	@echo "Build notes:"
+	@echo "  - Container images are built using ko"
+	@echo "  - Use 'make ko-build' for local builds (KO_DOCKER_REPO=ko.local by default)"
+	@echo "  - Use 'make ko-publish' to build and push (set KO_DOCKER_REPO and VERSION)"
+	@echo "  - Platforms configured in .ko.yaml (linux/amd64, linux/arm64)"
@@ -0,0 +1,27 @@
+# Example configuration for slurm-drain-monitor.
+# Copy to /etc/nvsentinel/config/slurm-drain-monitor.toml and adjust.
+#
+# The monitor watches NodeSet pods for external Slurm drain conditions
+# (SlurmNodeStateDrain=True, Message not starting with "slurm-operator:"),
+# parses the reason string with split+regex, and publishes health events
+# to the NVSentinel API.
+
+namespace = "slurm"
+labelSelector = "app.kubernetes.io/name=slurmd,app.kubernetes.io/component=worker"
+reasonDelimiter = "; "
+
+[[patterns]]
+name = "slurm-healthcheck"
+regex = '^\[HC\]'
+checkName = "SlurmHealthCheck"
+componentClass = "NODE"
+isFatal = false
+recommendedAction = "CONTACT_SUPPORT"
+
+[[patterns]]
+name = "slurm-not-responding"
+regex = 'Not responding'
+checkName = "SlurmNotResponding"
+componentClass = "NODE"
+isFatal = true
+recommendedAction = "REPLACE_VM"
@@ -0,0 +1,84 @@
+module github.com/nvidia/nvsentinel/health-monitors/slurm-drain-monitor
+
+go 1.25.4
+
+require (
+	github.com/go-logr/logr v1.4.3
+	github.com/nvidia/nvsentinel/commons v0.0.0
+	github.com/nvidia/nvsentinel/data-models v0.0.0
+	github.com/prometheus/client_golang v1.23.2
+	github.com/stretchr/testify v1.11.1
+	google.golang.org/grpc v1.79.1
+	google.golang.org/protobuf v1.36.11
+	k8s.io/api v0.35.2
+	k8s.io/apimachinery v0.35.2
+	sigs.k8s.io/controller-runtime v0.22.4
+)
+
+require (
+	github.com/BurntSushi/toml v1.6.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-openapi/jsonpointer v0.22.3 // indirect
+	github.com/go-openapi/jsonreference v0.21.3 // indirect
+	github.com/go-openapi/swag v0.25.4 // indirect
+	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
+	github.com/go-openapi/swag/conv v0.25.4 // indirect
+	github.com/go-openapi/swag/fileutils v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
+	github.com/go-openapi/swag/loading v0.25.4 // indirect
+	github.com/go-openapi/swag/mangling v0.25.4 // indirect
+	github.com/go-openapi/swag/netutils v0.25.4 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.7.1 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.67.4 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/yandex/protoc-gen-crd v1.1.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/term v0.39.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apiextensions-apiserver v0.34.1 // indirect
+	k8s.io/client-go v0.35.2 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.1 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
+)
+
+replace github.com/nvidia/nvsentinel/commons => ../../commons
+
+replace github.com/nvidia/nvsentinel/data-models => ../../data-models