aws
diff --git a/‎go.mod‎
Lines changed: 8 additions & 8 deletions b/‎go.mod‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎go.sum‎
Lines changed: 14 additions & 14 deletions b/‎go.sum‎
Lines changed: 14 additions & 14 deletions
diff --git a/‎pkg/controllers/controllers.go‎
Lines changed: 2 additions & 2 deletions b/‎pkg/controllers/controllers.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/controllers/interruption/controller.go‎
Lines changed: 4 additions & 1 deletion b/‎pkg/controllers/interruption/controller.go‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎pkg/controllers/interruption/instancestatus_controller.go‎
Lines changed: 79 additions & 11 deletions b/‎pkg/controllers/interruption/instancestatus_controller.go‎
Lines changed: 79 additions & 11 deletions
diff --git a/‎pkg/controllers/interruption/interruption_benchmark_test.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/controllers/interruption/interruption_benchmark_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/controllers/interruption/messages/instancestatus/model.go‎
Lines changed: 41 additions & 0 deletions b/‎pkg/controllers/interruption/messages/instancestatus/model.go‎
Lines changed: 41 additions & 0 deletions
@@ -1,6 +1,6 @@
 module github.com/aws/karpenter-provider-aws
 
-go 1.26.2
+go 1.26.3
 
 require (
 	github.com/Pallinder/go-randomdata v1.2.0
@@ -47,7 +47,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2
 	sigs.k8s.io/controller-runtime v0.22.4
-	sigs.k8s.io/karpenter v1.12.0
+	sigs.k8s.io/karpenter v1.12.1
 	sigs.k8s.io/yaml v1.6.0
 )
 
@@ -120,14 +120,14 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.34.0 // indirect
-	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/net v0.55.0 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/term v0.41.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
-	golang.org/x/tools v0.43.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 
@@ -278,8 +278,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -289,8 +289,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -315,8 +315,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -326,8 +326,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -337,8 +337,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -347,8 +347,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
 gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
@@ -389,8 +389,8 @@ sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327U
 sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
-sigs.k8s.io/karpenter v1.12.0 h1:SffONGtSqVfTiEBM55OZb5ZVEsBPaEcLuRLL8v98sPo=
-sigs.k8s.io/karpenter v1.12.0/go.mod h1:9eMMjkY2Wjx37QkrcPrSr+oiILoOr+DcuEV523Ygg2k=
+sigs.k8s.io/karpenter v1.12.1 h1:B73nBcw+va8eRzX3OXLexcw6vaGZuLHlN9iMksK2oa0=
+sigs.k8s.io/karpenter v1.12.1/go.mod h1:TAGfq4tY+33AnGzzwiNGRAMRHAxYNMbsqj1nmt/Kz+w=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.1 h1:JrhdFMqOd/+3ByqlP2I45kTOZmTRLBUm5pvRjeheg7E=
 
@@ -112,7 +112,7 @@ func NewControllers(
 		crexpiration.NewController(clk, kubeClient, cloudProvider, capacityReservationProvider),
 		metrics.NewController(kubeClient, cloudProvider),
 		arczonalshiftcontroller.NewController(zonalshiftProvider),
-		interruption.NewInstanceStatusController(kubeClient, cloudProvider, recorder, instanceStatusProvider),
+		interruption.NewInstanceStatusController(kubeClient, clk, cloudProvider, recorder, instanceStatusProvider),
 	}
 	// Instance profile garbage collection requires IAM API access. Skip registering the controller when running
 	// in isolated VPC mode to avoid initiating calls to public AWS endpoints that won’t be reachable.
@@ -122,7 +122,7 @@ func NewControllers(
 	if options.FromContext(ctx).InterruptionQueue != "" {
 		sqsAPI := servicesqs.NewFromConfig(cfg)
 		prov, _ := sqs.NewSQSProvider(ctx, sqsAPI)
-		controllers = append(controllers, interruption.NewController(kubeClient, cloudProvider, recorder, prov, sqsAPI, unavailableOfferings, capacityReservationProvider))
+		controllers = append(controllers, interruption.NewController(kubeClient, clk, cloudProvider, recorder, prov, sqsAPI, unavailableOfferings, capacityReservationProvider))
 	}
 	return controllers
 }
@@ -26,6 +26,7 @@ import (
 	"github.com/awslabs/operatorpkg/singleton"
 	"go.uber.org/multierr"
 	"k8s.io/client-go/util/workqueue"
+	"k8s.io/utils/clock"
 	controllerruntime "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -54,6 +55,7 @@ type Controller struct {
 
 func NewController(
 	kubeClient client.Client,
+	clk clock.Clock,
 	cloudProvider cloudprovider.CloudProvider,
 	recorder events.Recorder,
 	sqsProvider sqs.Provider,
@@ -64,6 +66,7 @@ func NewController(
 	return &Controller{
 		InterruptionHandler: InterruptionHandler{
 			kubeClient:                  kubeClient,
+			clk:                         clk,
 			cloudProvider:               cloudProvider,
 			recorder:                    recorder,
 			unavailableOfferingsCache:   unavailableOfferingsCache,
@@ -109,7 +112,7 @@ func (c *Controller) Reconcile(ctx context.Context) (reconciler.Result, error) {
 			return
 		}
 		ReceivedMessages.Inc(map[string]string{messageTypeLabel: string(msg.Kind())})
-		if e = c.handleMessage(ctx, msg); e != nil {
+		if _, e = c.handleMessage(ctx, msg, false); e != nil {
 			errs[i] = fmt.Errorf("handling message, %w", e)
 			return
 		}
 
@@ -17,12 +17,14 @@ package interruption
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	"github.com/awslabs/operatorpkg/reconciler"
 	"github.com/awslabs/operatorpkg/singleton"
 	"go.uber.org/multierr"
 	"k8s.io/client-go/util/workqueue"
+	"k8s.io/utils/clock"
 	controllerruntime "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -31,36 +33,59 @@ import (
 	"sigs.k8s.io/karpenter/pkg/events"
 	"sigs.k8s.io/karpenter/pkg/operator/injection"
 
-	"github.com/aws/karpenter-provider-aws/pkg/controllers/interruption/messages/instancestatusfailure"
+	"github.com/aws/karpenter-provider-aws/pkg/controllers/interruption/messages"
+	instancestatusmsg "github.com/aws/karpenter-provider-aws/pkg/controllers/interruption/messages/instancestatus"
 	awserrors "github.com/aws/karpenter-provider-aws/pkg/errors"
 	"github.com/aws/karpenter-provider-aws/pkg/providers/instancestatus"
 )
 
+// unhealthyKey uniquely identifies an unhealthy status check for deduplication.
+// The metric is only incremented the first time a given instance+category is observed.
+type unhealthyKey struct {
+	instanceID string
+	category   string
+}
+
 var (
 	// InstanceStatusInterval is the polling interval for the EC2 DescribeInstanceStatus API.
 	InstanceStatusInterval = 1 * time.Minute
+	// InstanceStatusDryRun controls whether the instance status controller takes action on
+	// unhealthy instances. When true, the controller only emits metrics without cordoning
+	// and draining affected nodes. Default is false (full remediation enabled).
+	InstanceStatusDryRun = false
+	// categoryToKind maps EC2 DescribeInstanceStatus categories to message kinds.
+	categoryToKind = map[instancestatus.Category]messages.Kind{
+		instancestatus.InstanceStatus: messages.InstanceStatusKind,
+		instancestatus.SystemStatus:   messages.SystemStatusKind,
+		instancestatus.EventStatus:    messages.EventStatusKind,
+	}
 )
 
 // InstanceStatusController polls EC2 DescribeInstanceStatus to detect unhealthy instances
 // and scheduled maintenance events, then cordons and drains affected nodes.
 type InstanceStatusController struct {
 	InterruptionHandler
 	instanceStatusProvider instancestatus.Provider
+	seen                   map[unhealthyKey]struct{}
+	mu                     sync.Mutex
 }
 
 func NewInstanceStatusController(
 	kubeClient client.Client,
+	clk clock.Clock,
 	cloudProvider cloudprovider.CloudProvider,
 	recorder events.Recorder,
 	instanceStatusProvider instancestatus.Provider,
 ) *InstanceStatusController {
 	return &InstanceStatusController{
 		InterruptionHandler: InterruptionHandler{
 			kubeClient:    kubeClient,
+			clk:           clk,
 			cloudProvider: cloudProvider,
 			recorder:      recorder,
 		},
 		instanceStatusProvider: instanceStatusProvider,
+		seen:                   map[unhealthyKey]struct{}{},
 	}
 }
 
@@ -76,25 +101,68 @@ func (c *InstanceStatusController) Reconcile(ctx context.Context) (reconciler.Re
 		return reconciler.Result{}, fmt.Errorf("getting instance statuses, %w", err)
 	}
 
+	// Build the set of keys observed in this poll cycle for pruning stale entries.
+	currentKeys := make(map[unhealthyKey]struct{})
 	errs := make([]error, len(instanceStatuses))
 	workqueue.ParallelizeUntil(ctx, 10, len(instanceStatuses), func(i int) {
-		categories := map[string]bool{}
-		for _, d := range instanceStatuses[i].Details {
-			categories[string(d.Category)] = true
-		}
-		for cat := range categories {
-			InstanceStatusUnhealthy.Inc(map[string]string{categoryLabel: cat})
-		}
-		if err := c.handleMessage(ctx, instancestatusfailure.Message(instanceStatuses[i])); err != nil {
-			errs[i] = fmt.Errorf("handling instance status check message, %w", err)
-		}
+		errs[i] = c.handleHealthStatus(ctx, instanceStatuses[i], currentKeys)
 	})
+
+	// Prune entries for instances that are no longer reported as unhealthy,
+	// so that if the same instance becomes unhealthy again later it gets counted again.
+	c.mu.Lock()
+	for key := range c.seen {
+		if _, ok := currentKeys[key]; !ok {
+			delete(c.seen, key)
+		}
+	}
+	c.mu.Unlock()
+
 	if err = multierr.Combine(errs...); err != nil {
 		return reconciler.Result{}, err
 	}
 	return reconciler.Result{RequeueAfter: InstanceStatusInterval}, nil
 }
 
+// handleHealthStatus dispatches a message per EC2 status category and records metrics.
+func (c *InstanceStatusController) handleHealthStatus(ctx context.Context, hs instancestatus.HealthStatus, currentKeys map[unhealthyKey]struct{}) error {
+	categories := make(map[instancestatus.Category]struct{})
+	for _, d := range hs.Details {
+		categories[d.Category] = struct{}{}
+	}
+	for category := range categories {
+		kind, ok := categoryToKind[category]
+		if !ok {
+			continue
+		}
+		f, err := c.handleMessage(ctx, instancestatusmsg.New(hs.InstanceID, kind, hs.ImpairedSince), InstanceStatusDryRun)
+		if err != nil {
+			return fmt.Errorf("handling instance status check message, %w", err)
+		}
+		if f {
+			c.recordUnhealthyInstance(ctx, hs.InstanceID, category, currentKeys)
+		}
+	}
+	return nil
+}
+
+func (c *InstanceStatusController) recordUnhealthyInstance(ctx context.Context, instanceID string, category instancestatus.Category, currentKeys map[unhealthyKey]struct{}) {
+	key := unhealthyKey{instanceID: instanceID, category: string(category)}
+	c.mu.Lock()
+	currentKeys[key] = struct{}{}
+	_, already := c.seen[key]
+	if !already {
+		c.seen[key] = struct{}{}
+	}
+	c.mu.Unlock()
+	if !already {
+		log.FromContext(ctx).Info("detected unhealthy instance owned by cluster",
+			"instanceID", instanceID,
+			"category", string(category))
+		InstanceStatusUnhealthy.Inc(map[string]string{categoryLabel: string(category)})
+	}
+}
+
 func (c *InstanceStatusController) Register(_ context.Context, m manager.Manager) error {
 	return controllerruntime.NewControllerManagedBy(m).
 		Named("interruption.instancestatus").
 
@@ -110,7 +110,7 @@ func benchmarkNotificationController(b *testing.B, messageCount int) {
 	unavailableOfferingsCache = awscache.NewUnavailableOfferings()
 
 	// Set-up the controllers
-	interruptionController := interruption.NewController(env.Client, fakeClock, recorder, providers.sqsProvider, unavailableOfferingsCache)
+	interruptionController := interruption.NewController(env.Client, fakeClock, nil, recorder, providers.sqsProvider, nil, unavailableOfferingsCache, nil)
 
 	messages, nodes := makeDiverseMessagesAndNodes(messageCount)
 	log.FromContext(ctx).Info("provisioning nodes")
 
@@ -0,0 +1,41 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package instancestatus
+
+import (
+	"time"
+
+	"github.com/aws/karpenter-provider-aws/pkg/controllers/interruption/messages"
+)
+
+// Message represents a single category from an EC2 DescribeInstanceStatus response.
+// The Kind maps directly to the EC2 status category (instance_status, system_status, event_status).
+type Message struct {
+	instanceID string
+	kind       messages.Kind
+	startTime  time.Time
+}
+
+func New(instanceID string, kind messages.Kind, startTime time.Time) Message {
+	return Message{
+		instanceID: instanceID,
+		kind:       kind,
+		startTime:  startTime,
+	}
+}
+
+func (m Message) EC2InstanceIDs() []string { return []string{m.instanceID} }
+func (m Message) Kind() messages.Kind      { return m.kind }
+func (m Message) StartTime() time.Time     { return m.startTime }
Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ func NewControllers(`
`112`	`112`	`crexpiration.NewController(clk, kubeClient, cloudProvider, capacityReservationProvider),`
`113`	`113`	`metrics.NewController(kubeClient, cloudProvider),`
`114`	`114`	`arczonalshiftcontroller.NewController(zonalshiftProvider),`
`115`		`- interruption.NewInstanceStatusController(kubeClient, cloudProvider, recorder, instanceStatusProvider),`
	`115`	`+ interruption.NewInstanceStatusController(kubeClient, clk, cloudProvider, recorder, instanceStatusProvider),`
`116`	`116`	`}`
`117`	`117`	`// Instance profile garbage collection requires IAM API access. Skip registering the controller when running`
`118`	`118`	`// in isolated VPC mode to avoid initiating calls to public AWS endpoints that won’t be reachable.`
`@@ -122,7 +122,7 @@ func NewControllers(`
`122`	`122`	`if options.FromContext(ctx).InterruptionQueue != "" {`
`123`	`123`	`sqsAPI := servicesqs.NewFromConfig(cfg)`
`124`	`124`	`prov, _ := sqs.NewSQSProvider(ctx, sqsAPI)`
`125`		`- controllers = append(controllers, interruption.NewController(kubeClient, cloudProvider, recorder, prov, sqsAPI, unavailableOfferings, capacityReservationProvider))`
	`125`	`+ controllers = append(controllers, interruption.NewController(kubeClient, clk, cloudProvider, recorder, prov, sqsAPI, unavailableOfferings, capacityReservationProvider))`
`126`	`126`	`}`
`127`	`127`	`return controllers`
`128`	`128`	`}`