Add Pod Replacement disruption (#988)

Author: KolCrooks

api/v1beta1/disruption_types.go

@@ -58,6 +58,10 @@ type DisruptionSpec struct {
 	// +nullable
 	Pulse    *DisruptionPulse   `json:"pulse,omitempty"`    // enable pulsing diruptions and specify the duration of the active state and the dormant state of the pulsing duration
 	Duration DisruptionDuration `json:"duration,omitempty"` // time from disruption creation until chaos pods are deleted and no more are created
+	// MaxRuns specifies the maximum number of times the disruption should be executed
+	// After this many runs, the disruption will become idle (default: unlimited for continuous disruptions)
+	// +kubebuilder:validation:Minimum=1
+	MaxRuns *int `json:"maxRuns,omitempty"`
 	// Level defines what the disruption will target, either a pod or a node
 	// +kubebuilder:default=pod
 	// +kubebuilder:validation:Enum=pod;node
@@ -80,6 +84,8 @@ type DisruptionSpec struct {
 	// +nullable
 	GRPC *GRPCDisruptionSpec `json:"grpc,omitempty"`
 	// +nullable
+	PodReplacement *PodReplacementSpec `json:"podReplacement,omitempty"`
+	// +nullable
 	Reporting *Reporting `json:"reporting,omitempty"`
 }
 
@@ -292,6 +298,8 @@ type DisruptionStatus struct {
 	// timestamp of when a disruption has been cleaned last.
 	// +nullable
 	CleanedAt *metav1.Time `json:"cleanedAt,omitempty"`
+	// Number of times the disruption has been executed (chaos pods created)
+	RunCount int `json:"runCount,omitempty"`
 }
 
 type DisruptionFilter struct {
@@ -686,27 +694,38 @@ func (s DisruptionSpec) validateGlobalDisruptionScope(requireSelectors bool) (re
 	}
 
 	// Rule: At least one disruption kind must be applied
-	if s.CPUPressure == nil && s.DiskPressure == nil && s.DiskFailure == nil && s.Network == nil && s.GRPC == nil && s.ContainerFailure == nil && s.NodeFailure == nil && len(s.DNS) == 0 {
+	if s.CPUPressure == nil && s.DiskPressure == nil && s.DiskFailure == nil && s.Network == nil && s.GRPC == nil && s.ContainerFailure == nil && s.NodeFailure == nil && s.PodReplacement == nil && len(s.DNS) == 0 {
 		retErr = multierror.Append(retErr, errors.New("at least one disruption kind must be specified, please read the docs to see your options"))
 	}
 
-	// Rule: ContainerFailure and NodeFailure disruptions are not compatible with other failure types
+	// Rule: ContainerFailure, NodeFailure, and PodReplacement disruptions are not compatible with other failure types
 	if s.ContainerFailure != nil {
-		if s.CPUPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.NodeFailure != nil || len(s.DNS) > 0 {
+		if s.CPUPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.NodeFailure != nil || s.PodReplacement != nil || len(s.DNS) > 0 {
 			retErr = multierror.Append(retErr, errors.New("container failure disruptions are not compatible with other disruption kinds. The container failure will remove the impact of the other disruption types"))
 		}
 	}
 
 	if s.NodeFailure != nil {
-		if s.CPUPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.ContainerFailure != nil || len(s.DNS) > 0 {
+		if s.CPUPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.ContainerFailure != nil || s.PodReplacement != nil || len(s.DNS) > 0 {
 			retErr = multierror.Append(retErr, errors.New("node failure disruptions are not compatible with other disruption kinds. The node failure will remove the impact of the other disruption types"))
 		}
 	}
 
+	if s.PodReplacement != nil {
+		if s.CPUPressure != nil || s.DiskPressure != nil || s.DiskFailure != nil || s.Network != nil || s.GRPC != nil || s.ContainerFailure != nil || s.NodeFailure != nil || len(s.DNS) > 0 {
+			retErr = multierror.Append(retErr, errors.New("pod replacement disruptions are not compatible with other disruption kinds. The pod replacement will remove the impact of the other disruption types"))
+		}
+		// Rule: container failure not possible if disruption is node-level
+		if s.Level == chaostypes.DisruptionLevelNode {
+			retErr = multierror.Append(retErr, errors.New("cannot execute a pod replacement because the level configuration is set to node"))
+		}
+	}
+
 	// Rule: on init compatibility
 	if s.OnInit {
 		if s.CPUPressure != nil ||
 			s.NodeFailure != nil ||
+			s.PodReplacement != nil ||
 			s.ContainerFailure != nil ||
 			s.DiskPressure != nil ||
 			s.GRPC != nil ||
@@ -756,7 +775,7 @@ func (s DisruptionSpec) validateGlobalDisruptionScope(requireSelectors bool) (re
 	// Rule: pulse compatibility
 	if s.Pulse != nil {
 		if s.Pulse.ActiveDuration.Duration() > 0 || s.Pulse.DormantDuration.Duration() > 0 {
-			if s.NodeFailure != nil || s.ContainerFailure != nil {
+			if s.NodeFailure != nil || s.PodReplacement != nil || s.ContainerFailure != nil {
 				retErr = multierror.Append(retErr, errors.New("pulse is only compatible with network, cpu pressure, disk pressure, dns and grpc disruptions"))
 			}
 		}
@@ -811,6 +830,8 @@ func (s DisruptionSpec) DisruptionKindPicker(kind chaostypes.DisruptionKindName)
 		disruptionKind = s.DNS
 	case chaostypes.DisruptionKindGRPCDisruption:
 		disruptionKind = s.GRPC
+	case chaostypes.DisruptionKindPodReplacement:
+		disruptionKind = s.PodReplacement
 	case chaostypes.DisruptionKindDiskFailure:
 		disruptionKind = s.DiskFailure
 	}
@@ -891,6 +912,10 @@ func (s DisruptionSpec) DisruptionCount() int {
 		count++
 	}
 
+	if s.PodReplacement != nil {
+		count++
+	}
+
 	if s.DiskFailure != nil {
 		count++
 	}
@@ -1022,6 +1047,10 @@ func (s DisruptionSpec) Explain() []string {
 		explanation = append(explanation, s.NodeFailure.Explain()...)
 	}
 
+	if s.PodReplacement != nil {
+		explanation = append(explanation, s.PodReplacement.Explain()...)
+	}
+
 	if s.ContainerFailure != nil {
 		explanation = append(explanation, s.ContainerFailure.Explain()...)
 	}
@@ -1110,6 +1139,7 @@ func (status *DisruptionStatus) HasTarget(searchTarget string) bool {
 var NonReinjectableDisruptions = map[chaostypes.DisruptionKindName]struct{}{
 	chaostypes.DisruptionKindGRPCDisruption: {},
 	chaostypes.DisruptionKindNodeFailure:    {},
+	chaostypes.DisruptionKindPodReplacement: {},
 }
 
 func DisruptionIsNotReinjectable(kind chaostypes.DisruptionKindName) bool {
@@ -1122,6 +1152,7 @@ func DisruptionIsNotReinjectable(kind chaostypes.DisruptionKindName) bool {
 // the chaos pod. So once the chaos pod is gone, there's nothing left for us to clean.
 var NoSideEffectDisruptions = map[chaostypes.DisruptionKindName]struct{}{
 	chaostypes.DisruptionKindNodeFailure:      {},
+	chaostypes.DisruptionKindPodReplacement:   {},
 	chaostypes.DisruptionKindContainerFailure: {},
 }
 

api/v1beta1/disruption_webhook.go

@@ -448,6 +448,9 @@ func (r *Disruption) initialSafetyNets() ([]string, error) {
 		responses = append(responses, "node failure disruptions are not allowed in this cluster, please use a disruption type or test elsewhere")
 	}
 
+	// Pod replacement disruptions are pod-level and don't require node-level permissions
+	// They are allowed as long as the basic disruption requirements are met
+
 	if !allowNodeLevel && r.Spec.Level == chaostypes.DisruptionLevelNode {
 		logger.Debugw("the specified disruption is applied at the node level and will be rejected")
 

api/v1beta1/pod_replacement.go

@@ -0,0 +1,61 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025 Datadog, Inc.
+
+package v1beta1
+
+import "strconv"
+
+// PodReplacementSpec represents a pod replacement disruption
+type PodReplacementSpec struct {
+	// DeleteStorage determines if PVCs associated with the target pod should be deleted
+	// +kubebuilder:default=true
+	DeleteStorage bool `json:"deleteStorage,omitempty"`
+	// ForceDelete forces deletion of stuck pods by setting grace period to 0
+	ForceDelete bool `json:"forceDelete,omitempty"`
+	// GracePeriodSeconds specifies the grace period for pod deletion in seconds
+	// If not specified, uses the pod's default grace period
+	GracePeriodSeconds *int64 `json:"gracePeriodSeconds,omitempty"`
+}
+
+// Validate validates args for the given disruption
+func (s *PodReplacementSpec) Validate() error {
+	return nil
+}
+
+// GenerateArgs generates injection or cleanup pod arguments for the given spec
+func (s *PodReplacementSpec) GenerateArgs() []string {
+	args := []string{
+		"pod-replacement",
+		"inject",
+	}
+
+	if s.DeleteStorage {
+		args = append(args, "--delete-storage")
+	}
+
+	if s.ForceDelete {
+		args = append(args, "--force-delete")
+	}
+
+	if s.GracePeriodSeconds != nil {
+		args = append(args, "--grace-period-seconds", strconv.FormatInt(*s.GracePeriodSeconds, 10))
+	}
+
+	return args
+}
+
+func (s *PodReplacementSpec) Explain() []string {
+	explanation := "spec.podReplacement will cordon the node hosting the target pod to prevent new pods from being scheduled, " +
+		"then delete the target pod to force it to reschedule. "
+
+	if s.DeleteStorage {
+		explanation += "PersistentVolumeClaims associated with the pod will also be deleted to simulate complete storage loss. "
+	}
+
+	explanation += "This simulates a complete pod replacement scenario where both the pod and its storage are recreated. " +
+		"Unlike node-level disruptions, this only affects the specifically targeted pod."
+
+	return []string{"", explanation}
+}

api/v1beta1/zz_generated.deepcopy.go

@@ -271,6 +271,12 @@ spec:
                         - pod
                         - node
                       type: string
+                    maxRuns:
+                      description: |-
+                        MaxRuns specifies the maximum number of times the disruption should be executed
+                        After this many runs, the disruption will become idle (default: unlimited for continuous disruptions)
+                      minimum: 1
+                      type: integer
                     network:
                       description: NetworkDisruptionSpec represents a network disruption injection
                       nullable: true
@@ -492,6 +498,24 @@ spec:
                       type: object
                     onInit:
                       type: boolean
+                    podReplacement:
+                      description: PodReplacementSpec represents a pod replacement disruption
+                      nullable: true
+                      properties:
+                        deleteStorage:
+                          default: true
+                          description: DeleteStorage determines if PVCs associated with the target pod should be deleted
+                          type: boolean
+                        forceDelete:
+                          description: ForceDelete forces deletion of stuck pods by setting grace period to 0
+                          type: boolean
+                        gracePeriodSeconds:
+                          description: |-
+                            GracePeriodSeconds specifies the grace period for pod deletion in seconds
+                            If not specified, uses the pod's default grace period
+                          format: int64
+                          type: integer
+                      type: object
                     pulse:
                       description: DisruptionPulse contains the active disruption duration and the dormant disruption duration
                       nullable: true

chart/templates/generated/chaos.datadoghq.com_disruptioncrons.yaml

@@ -272,6 +272,12 @@ spec:
                         - pod
                         - node
                       type: string
+                    maxRuns:
+                      description: |-
+                        MaxRuns specifies the maximum number of times the disruption should be executed
+                        After this many runs, the disruption will become idle (default: unlimited for continuous disruptions)
+                      minimum: 1
+                      type: integer
                     network:
                       description: NetworkDisruptionSpec represents a network disruption injection
                       nullable: true
@@ -493,6 +499,24 @@ spec:
                       type: object
                     onInit:
                       type: boolean
+                    podReplacement:
+                      description: PodReplacementSpec represents a pod replacement disruption
+                      nullable: true
+                      properties:
+                        deleteStorage:
+                          default: true
+                          description: DeleteStorage determines if PVCs associated with the target pod should be deleted
+                          type: boolean
+                        forceDelete:
+                          description: ForceDelete forces deletion of stuck pods by setting grace period to 0
+                          type: boolean
+                        gracePeriodSeconds:
+                          description: |-
+                            GracePeriodSeconds specifies the grace period for pod deletion in seconds
+                            If not specified, uses the pod's default grace period
+                          format: int64
+                          type: integer
+                      type: object
                     pulse:
                       description: DisruptionPulse contains the active disruption duration and the dormant disruption duration
                       nullable: true

chart/templates/generated/chaos.datadoghq.com_disruptionrollouts.yaml

@@ -262,6 +262,12 @@ spec:
                     - pod
                     - node
                   type: string
+                maxRuns:
+                  description: |-
+                    MaxRuns specifies the maximum number of times the disruption should be executed
+                    After this many runs, the disruption will become idle (default: unlimited for continuous disruptions)
+                  minimum: 1
+                  type: integer
                 network:
                   description: NetworkDisruptionSpec represents a network disruption injection
                   nullable: true
@@ -483,6 +489,24 @@ spec:
                   type: object
                 onInit:
                   type: boolean
+                podReplacement:
+                  description: PodReplacementSpec represents a pod replacement disruption
+                  nullable: true
+                  properties:
+                    deleteStorage:
+                      default: true
+                      description: DeleteStorage determines if PVCs associated with the target pod should be deleted
+                      type: boolean
+                    forceDelete:
+                      description: ForceDelete forces deletion of stuck pods by setting grace period to 0
+                      type: boolean
+                    gracePeriodSeconds:
+                      description: |-
+                        GracePeriodSeconds specifies the grace period for pod deletion in seconds
+                        If not specified, uses the pod's default grace period
+                      format: int64
+                      type: integer
+                  type: object
                 pulse:
                   description: DisruptionPulse contains the active disruption duration and the dormant disruption duration
                   nullable: true
@@ -645,6 +669,9 @@ spec:
                   type: boolean
                 isStuckOnRemoval:
                   type: boolean
+                runCount:
+                  description: Number of times the disruption has been executed (chaos pods created)
+                  type: integer
                 selectedTargetsCount:
                   description: Actual targets selected by the disruption
                   type: integer