Implement MaxParkedNodes, arbitrary node labels, and parking SafetyCheck (#384)

* Implement MaxParkedNodes feature to limit number of nodes parked at one time
* Add way to add arbitrary labels to parked nodes and pods
* Add SafetyCheck feature to make sure we don't force evict unlabeled pods
* update helm chart to default to latest app version

Author: sfotony

Makefile

@@ -2,7 +2,7 @@
 
 NAME ?= adobe/k8s-shredder
 K8S_SHREDDER_VERSION ?= "dev"
-KINDNODE_VERSION ?= "v1.31.9"
+KINDNODE_VERSION ?= "v1.34.0"
 COMMIT ?= $(shell git rev-parse --short HEAD)
 TEST_CLUSTERNAME ?= "k8s-shredder-test-cluster"
 TEST_CLUSTERNAME_KARPENTER ?= "k8s-shredder-test-cluster-karpenter"
@@ -106,6 +106,10 @@ build: check-license lint vet security unit-test ## Builds the local Docker cont
 	@CGO_ENABLED=0 GOOS=linux go build \
     	-ldflags="-s -w -X github.com/adobe/k8s-shredder/cmd.buildVersion=${K8S_SHREDDER_VERSION}-${COMMIT} -X github.com/adobe/k8s-shredder/cmd.gitSHA=${COMMIT} -X github.com/adobe/k8s-shredder/cmd.buildTime=$(date)" \
     	-o k8s-shredder
+	@CGO_ENABLED=0 go build \
+    	-ldflags="-s -w" \
+    	-o park-node \
+    	./cmd/park-node
 	@DOCKER_BUILDKIT=1 docker build -t ${NAME}:${K8S_SHREDDER_VERSION} .
 
 # TEST
@@ -149,13 +153,13 @@ e2e-tests:  ## Run e2e tests for k8s-shredder deployed in a local kind cluster
 	@echo "Run e2e tests for k8s-shredder..."
 	@if [ -f "${PWD}/${KUBECONFIG_KARPENTER}" ]; then \
 		echo "Using Karpenter test cluster configuration..."; \
-		KUBECONFIG=${PWD}/${KUBECONFIG_KARPENTER} go test internal/testing/e2e_test.go -v; \
+		PROJECT_ROOT=${PWD} KUBECONFIG=${PWD}/${KUBECONFIG_KARPENTER} go test internal/testing/e2e_test.go -v; \
 	elif [ -f "${PWD}/${KUBECONFIG_NODE_LABELS}" ]; then \
 		echo "Using node labels test cluster configuration..."; \
-		KUBECONFIG=${PWD}/${KUBECONFIG_NODE_LABELS} go test internal/testing/e2e_test.go -v; \
+		PROJECT_ROOT=${PWD} KUBECONFIG=${PWD}/${KUBECONFIG_NODE_LABELS} go test internal/testing/e2e_test.go -v; \
 	else \
 		echo "Using default test cluster configuration..."; \
-		KUBECONFIG=${PWD}/${KUBECONFIG_LOCALTEST} go test internal/testing/e2e_test.go -v; \
+		PROJECT_ROOT=${PWD} KUBECONFIG=${PWD}/${KUBECONFIG_LOCALTEST} go test internal/testing/e2e_test.go -v; \
 	fi
 
 # DEMO targets
@@ -187,5 +191,5 @@ clean: ## Clean up local testing environment
 	@kind delete cluster --name="${TEST_CLUSTERNAME_KARPENTER}" ## > /dev/null 2>&1 || true
 	@kind delete cluster --name="${TEST_CLUSTERNAME_NODE_LABELS}" ## > /dev/null 2>&1 || true
 	@echo "Removing all generated files and directories"
-	@rm -rf dist/ k8s-shredder kubeconfig ${KUBECONFIG_LOCALTEST} ${KUBECONFIG_KARPENTER} ${KUBECONFIG_NODE_LABELS}
+	@rm -rf dist/ k8s-shredder park-node kubeconfig ${KUBECONFIG_LOCALTEST} ${KUBECONFIG_KARPENTER} ${KUBECONFIG_NODE_LABELS}
 	@echo "Done!"

README.md

@@ -18,7 +18,7 @@ rabbitmq, redis, etc) may be sensitive to rescheduling, or application developer
 
 You can find more about node parking [here](docs/node-parking.md).
 
-## Advantages of parking and shredding nodes
+## Advantages of parking nodes and shredding pods
 
 - allow teams running stateful apps to move their workloads off of parked nodes at their will, independent of node lifecycle
 - optimizes cloud costs by dynamically purging unschedulable workers nodes (parked nodes).
@@ -52,12 +52,14 @@ The following options can be used to customize the k8s-shredder controller:
 | AllowEvictionLabel                 | "shredder.ethos.adobe.net/allow-eviction"                   | Label used for skipping evicting pods that have explicitly set this label on false                   |
 | ToBeDeletedTaint                   | "ToBeDeletedByClusterAutoscaler"                            | Node taint used for skipping a subset of parked nodes that are already handled by cluster-autoscaler |
 | ArgoRolloutsAPIVersion             | "v1alpha1"                                                  | API version from `argoproj.io` API group to be used while handling Argo Rollouts objects             |
-
 | EnableKarpenterDriftDetection      | false                                                       | Controls whether to scan for drifted Karpenter NodeClaims and automatically label their nodes        |
 | ParkedByLabel                      | "shredder.ethos.adobe.net/parked-by"                        | Label used to identify which component parked the node                                               |
 | ParkedNodeTaint                    | "shredder.ethos.adobe.net/upgrade-status=parked:NoSchedule" | Taint to apply to parked nodes in format key=value:effect                                            |
 | EnableNodeLabelDetection           | false                                                       | Controls whether to scan for nodes with specific labels and automatically park them                  |
 | NodeLabelsToDetect                 | []                                                          | List of node labels to detect. Supports both key-only and key=value formats                          |
+| MaxParkedNodes                     | 0                                                           | Maximum number of nodes that can be parked simultaneously. Set to 0 (default) for no limit.         |
+| ExtraParkingLabels                 | {}                                                          | (Optional) Map of extra labels to apply to nodes and pods during parking. Example: `{ "example.com/owner": "infrastructure" }` |
+| EvictionSafetyCheck                | true                                                        | Controls whether to perform safety checks before force eviction. If true, nodes will be unparked if pods don't have required parking labels. |
 
 ### How it works
 
@@ -81,6 +83,7 @@ k8s-shredder includes an optional feature for automatic detection of drifted Kar
        - `UpgradeStatusLabel` (set to "parked") 
        - `ExpiresOnLabel` (set to current time + `ParkedNodeTTL`)
        - `ParkedByLabel` (set to "k8s-shredder")
+       - Any labels specified in `ExtraParkingLabels`
    - **Cordoning** the nodes to prevent new pod scheduling
    - **Tainting** the nodes with the configured `ParkedNodeTaint`
 
@@ -98,15 +101,102 @@ k8s-shredder includes optional automatic detection of nodes with specific labels
        - `UpgradeStatusLabel` (set to "parked") 
        - `ExpiresOnLabel` (set to current time + `ParkedNodeTTL`)
        - `ParkedByLabel` (set to "k8s-shredder")
+       - Any labels specified in `ExtraParkingLabels`
    - **Cordoning** the nodes to prevent new pod scheduling
    - **Tainting** the nodes with the configured `ParkedNodeTaint`
 
 This integration allows k8s-shredder to automatically handle node lifecycle management based on custom labeling strategies, enabling teams to mark nodes for parking using their own operational workflows and labels.  For example, this can be used in conjunction with [AKS cluster upgrades](https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster#set-new-cordon-behavior).
 
+#### Parking Limits with MaxParkedNodes
+
+k8s-shredder supports limiting the maximum number of nodes that can be parked simultaneously using the `MaxParkedNodes` configuration option. This feature helps prevent overwhelming the cluster with too many parked nodes at once, which could impact application availability.
+
+When `MaxParkedNodes` is set to a positive integer:
+
+1. **Before parking nodes**: k8s-shredder counts the number of currently parked nodes
+2. **Calculate available slots**: `availableSlots = MaxParkedNodes - currentlyParked`
+3. **Limit parking**: If the number of eligible nodes exceeds available slots, only the first `availableSlots` nodes are parked
+4. **Skip if full**: If no slots are available (currentlyParked >= MaxParkedNodes), parking is skipped for that eviction interval
+
+**Examples:**
+- `MaxParkedNodes: 0` (default): No limit, all eligible nodes are parked
+- `MaxParkedNodes: 5`: Maximum 5 nodes can be parked at any time
+- `MaxParkedNodes: -1`: Invalid value, treated as 0 (no limit) with a warning logged
+
+This limit applies to both Karpenter drift detection and node label detection features. When multiple nodes are eligible for parking but the limit would be exceeded, k8s-shredder will park the nodes in the order they are discovered and skip the remaining nodes until the next eviction interval.
+
+**Use cases:**
+- **Gradual node replacement**: Control the pace of node cycling during cluster upgrades
+- **Resource management**: Prevent excessive resource pressure from too many parked nodes
+- **Application stability**: Ensure applications have sufficient capacity during node transitions
+- **Cost optimization**: Balance between node replacement speed and cluster stability
+
+#### ExtraParkingLabels
+
+The `ExtraParkingLabels` option allows you to specify a map of additional Kubernetes labels that will be applied to all nodes and pods during the parking process. This is useful for custom automation, monitoring, or compliance workflows.
+
+**Configuration:**
+```yaml
+ExtraParkingLabels:
+  example.com/owner: "infrastructure"
+  example.com/maintenance: "true"
+  example.com/upgrade-batch: "batch-1"
+```
+
+**Use cases:**
+- **Team ownership**: Mark parked nodes with team ownership labels for accountability
+- **Maintenance tracking**: Add labels to track maintenance windows or upgrade batches
+- **Compliance**: Apply labels required by compliance or governance policies
+- **Monitoring**: Enable custom alerting or monitoring based on parking labels
+- **Automation**: Trigger external automation workflows based on parking labels
+
+**Behavior:**
+- Labels are applied to both nodes and their non-DaemonSet pods during parking
+- Labels are removed during the unparking process (if `EvictionSafetyCheck` triggers unparking)
+- If not set or empty, no extra labels are applied
+- Labels are applied in addition to the standard parking labels (`UpgradeStatusLabel`, `ExpiresOnLabel`, `ParkedByLabel`)
+
+#### EvictionSafetyCheck
+
+The `EvictionSafetyCheck` feature provides an additional safety mechanism to prevent force eviction of pods that weren't properly prepared for parking. When enabled (default: `true`), k8s-shredder performs a safety check before force evicting pods from expired parked nodes.
+
+**How it works:**
+
+1. **Before force eviction**: When a node's TTL expires and force eviction is about to begin, k8s-shredder checks all non-DaemonSet and non-static pods on the node
+2. **Required labels check**: Each pod must have:
+   - `UpgradeStatusLabel` set to "parked"
+   - `ExpiresOnLabel` present with any value
+3. **Safety decision**: 
+   - If **all** pods have the required labels → proceed with force eviction
+   - If **any** pod is missing required labels → unpark the node instead of force evicting
+
+**Unparking process:**
+When safety check fails, k8s-shredder automatically unparks the node by:
+- Removing `ExpiresOnLabel` and `ExtraParkingLabels` from nodes and pods
+- Removing the `ParkedNodeTaint`
+- Uncordoning the node (making it schedulable again)
+- Setting `UpgradeStatusLabel` to "unparked" on nodes and pods
+- Setting `ParkedByLabel` to the configured `ParkedByValue`
+
+**Use cases:**
+- **Safety during manual parking**: If nodes are manually parked but pods weren't properly labeled
+- **Partial parking failures**: When parking automation fails to label all pods
+- **Emergency recovery**: Provides a safe way to recover from parking mistakes
+- **Compliance**: Ensures only properly prepared workloads are force evicted
+
+**Configuration:**
+```yaml
+EvictionSafetyCheck: true  # Enable safety checks (default)
+EvictionSafetyCheck: false # Disable safety checks (force eviction always proceeds)
+```
+
+**Logging:**
+When safety checks fail, k8s-shredder logs detailed information about which pods are missing required labels, helping operators understand why the node was unparked instead of force evicted.
+
 ## Metrics
 
 k8s-shredder exposes comprehensive metrics for monitoring its operation. You can find detailed information about all available metrics in the [metrics documentation](docs/metrics.md).
 
 #### Creating a new release
 
-See [RELEASE.md](RELEASE.md).
+See [RELEASE.md](RELEASE.md).

charts/k8s-shredder/Chart.yaml

@@ -12,5 +12,5 @@ maintainers:
   - name: sfotony
     email: [email protected]
     url: https://adobe.com
-version: 0.2.4
-appVersion: v0.3.1
+version: 0.2.5
+appVersion: v0.3.5

charts/k8s-shredder/README.md

@@ -1,6 +1,6 @@
 # k8s-shredder
 
-![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.3.1](https://img.shields.io/badge/AppVersion-v0.3.1-informational?style=flat-square)
+![Version: 0.2.5](https://img.shields.io/badge/Version-0.2.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.3.5](https://img.shields.io/badge/AppVersion-v0.3.5-informational?style=flat-square)
 
 a novel way of dealing with kubernetes nodes blocked from draining
 
@@ -23,9 +23,10 @@ a novel way of dealing with kubernetes nodes blocked from draining
 | dryRun | bool | `false` | Enable dry-run mode - when true, k8s-shredder will log actions but not execute them |
 | environmentVars | list | `[]` | Additional environment variables to set in the container |
 | fullnameOverride | string | `""` | Override the full name used for resources |
-| image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io/adobe/k8s-shredder"}` | Container image configuration |
+| image | object | `{"pullPolicy":"IfNotPresent","registry":"ghcr.io/adobe/k8s-shredder","tag":"latest"}` | Container image configuration |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy - IfNotPresent, Always, or Never |
 | image.registry | string | `"ghcr.io/adobe/k8s-shredder"` | Container registry where the k8s-shredder image is hosted |
+| image.tag | string | `"latest"` | Image tag to use |
 | imagePullSecrets | list | `[]` | Secrets for pulling images from private registries |
 | initContainers | list | `[]` | Init containers to run before the main k8s-shredder container starts |
 | logFormat | string | `"text"` | Log output format: text (human-readable) or json (structured logging) |
@@ -63,13 +64,16 @@ a novel way of dealing with kubernetes nodes blocked from draining
 | serviceAccount.annotations | object | `{}` | Additional annotations for the service account (useful for IAM roles, etc.) |
 | serviceAccount.create | bool | `true` | Create a service account for k8s-shredder |
 | serviceAccount.name | string | `"k8s-shredder"` | Name of the service account |
-| shredder | object | `{"AllowEvictionLabel":"shredder.ethos.adobe.net/allow-eviction","ArgoRolloutsAPIVersion":"v1alpha1","EnableKarpenterDriftDetection":false,"EnableNodeLabelDetection":false,"EvictionLoopInterval":"1h","ExpiresOnLabel":"shredder.ethos.adobe.net/parked-node-expires-on","NamespacePrefixSkipInitialEviction":"ns-ethos-","NodeLabelsToDetect":[],"ParkedByLabel":"shredder.ethos.adobe.net/parked-by","ParkedByValue":"k8s-shredder","ParkedNodeTTL":"168h","ParkedNodeTaint":"shredder.ethos.adobe.net/upgrade-status=parked:NoSchedule","RestartedAtAnnotation":"shredder.ethos.adobe.net/restartedAt","RollingRestartThreshold":0.1,"ToBeDeletedTaint":"ToBeDeletedByClusterAutoscaler","UpgradeStatusLabel":"shredder.ethos.adobe.net/upgrade-status"}` | Core k8s-shredder configuration |
+| shredder | object | `{"AllowEvictionLabel":"shredder.ethos.adobe.net/allow-eviction","ArgoRolloutsAPIVersion":"v1alpha1","EnableKarpenterDriftDetection":false,"EnableNodeLabelDetection":false,"EvictionLoopInterval":"1h","EvictionSafetyCheck":true,"ExpiresOnLabel":"shredder.ethos.adobe.net/parked-node-expires-on","ExtraParkingLabels":{},"MaxParkedNodes":0,"NamespacePrefixSkipInitialEviction":"ns-ethos-","NodeLabelsToDetect":[],"ParkedByLabel":"shredder.ethos.adobe.net/parked-by","ParkedByValue":"k8s-shredder","ParkedNodeTTL":"168h","ParkedNodeTaint":"shredder.ethos.adobe.net/upgrade-status=parked:NoSchedule","RestartedAtAnnotation":"shredder.ethos.adobe.net/restartedAt","RollingRestartThreshold":0.1,"ToBeDeletedTaint":"ToBeDeletedByClusterAutoscaler","UpgradeStatusLabel":"shredder.ethos.adobe.net/upgrade-status"}` | Core k8s-shredder configuration |
 | shredder.AllowEvictionLabel | string | `"shredder.ethos.adobe.net/allow-eviction"` | Label to explicitly allow eviction on specific resources |
 | shredder.ArgoRolloutsAPIVersion | string | `"v1alpha1"` | API version for Argo Rollouts integration |
 | shredder.EnableKarpenterDriftDetection | bool | `false` | Enable Karpenter drift detection for node lifecycle management |
 | shredder.EnableNodeLabelDetection | bool | `false` | Enable detection of nodes based on specific labels |
 | shredder.EvictionLoopInterval | string | `"1h"` | How often to run the main eviction loop |
+| shredder.EvictionSafetyCheck | bool | `true` | Controls whether to perform safety checks before force eviction |
 | shredder.ExpiresOnLabel | string | `"shredder.ethos.adobe.net/parked-node-expires-on"` | Label used to track when a parked node expires |
+| shredder.ExtraParkingLabels | object | `{}` | Additional labels to apply to nodes and pods during parking |
+| shredder.MaxParkedNodes | int | `0` | Maximum number of nodes that can be parked simultaneously (0 = no limit) |
 | shredder.NamespacePrefixSkipInitialEviction | string | `"ns-ethos-"` | Namespace prefix to skip during initial eviction (useful for system namespaces) |
 | shredder.NodeLabelsToDetect | list | `[]` | List of node labels to monitor for triggering shredder actions |
 | shredder.ParkedByLabel | string | `"shredder.ethos.adobe.net/parked-by"` | Label to track which component parked a node |

charts/k8s-shredder/templates/configmap.yaml

@@ -23,3 +23,6 @@ data:
     ParkedNodeTaint: "{{.Values.shredder.ParkedNodeTaint}}"
     EnableNodeLabelDetection: {{.Values.shredder.EnableNodeLabelDetection}}
     NodeLabelsToDetect: {{.Values.shredder.NodeLabelsToDetect | toJson}}
+    MaxParkedNodes: {{.Values.shredder.MaxParkedNodes}}
+    EvictionSafetyCheck: {{.Values.shredder.EvictionSafetyCheck}}
+    ExtraParkingLabels: {{.Values.shredder.ExtraParkingLabels | toJson}}

charts/k8s-shredder/values.yaml

@@ -5,6 +5,8 @@ image:
   registry: ghcr.io/adobe/k8s-shredder
   # -- Image pull policy - IfNotPresent, Always, or Never
   pullPolicy: IfNotPresent
+  # -- Image tag to use
+  tag: latest
 # -- Number of k8s-shredder pods to run
 replicaCount: 1
 # -- Deployment strategy for rolling updates (e.g., RollingUpdate, Recreate)
@@ -58,6 +60,15 @@ shredder:
   EnableNodeLabelDetection: false
   # -- List of node labels to monitor for triggering shredder actions
   NodeLabelsToDetect: []
+  # -- Maximum number of nodes that can be parked simultaneously (0 = no limit)
+  MaxParkedNodes: 0
+  # -- Controls whether to perform safety checks before force eviction
+  EvictionSafetyCheck: true
+  # -- Additional labels to apply to nodes and pods during parking
+  ExtraParkingLabels: {}
+    # Example configuration:
+    # example.com/owner: "infrastructure"
+    # example.com/maintenance: "true"
 # -- RBAC (Role-Based Access Control) configuration
 rbac:
   # -- Create RBAC resources (ClusterRole, ClusterRoleBinding)

cmd/park-node/main.go

@@ -0,0 +1,36 @@
+// Copyright 2025 Adobe. All rights reserved.
+package main
+
+import (
+	"flag"
+	"log"
+	"os"
+
+	e2e "github.com/adobe/k8s-shredder/internal/testing"
+)
+
+func main() {
+	var nodeName, kubeconfigPath string
+
+	// Use a custom flag set to avoid conflicts with client-go flags
+	fs := flag.NewFlagSet("park-node", flag.ExitOnError)
+	fs.StringVar(&nodeName, "node", "", "Name of the node to park")
+	fs.StringVar(&kubeconfigPath, "park-kubeconfig", "", "Path to kubeconfig file")
+	if err := fs.Parse(os.Args[1:]); err != nil {
+		log.Fatal(err)
+	}
+
+	if nodeName == "" {
+		log.Fatal("Node name is required. Use -node flag")
+	}
+	if kubeconfigPath == "" {
+		log.Fatal("Kubeconfig path is required. Use -park-kubeconfig flag")
+	}
+
+	if err := e2e.ParkNodeForTesting(nodeName, kubeconfigPath); err != nil {
+		log.Fatalf("Failed to park node: %v", err)
+	}
+
+	log.Printf("Successfully parked node %s", nodeName)
+	os.Exit(0)
+}