From 2b68d286ef82e569913eb841f5cdbccf1864c17b Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Tue, 25 Feb 2025 17:24:15 -0600
Subject: [PATCH 01/16] Added new failing test to showcase bug ticket

---
 controllers/selfnoderemediation_controller.go |  10 +-
 controllers/tests/config/suite_test.go        |   2 +-
 .../selfnoderemediation_controller_test.go    | 645 ++++++++++++++----
 controllers/tests/controller/suite_test.go    |   8 +-
 controllers/tests/shared/shared.go            | 145 +++-
 go.mod                                        |   3 +-
 pkg/apicheck/check.go                         | 156 +++--
 pkg/controlplane/manager.go                   |   7 +
 pkg/peers/peers.go                            |  56 +-
 pkg/utils/pods.go                             |   5 +-
 .../onsi/gomega/gcustom/make_matcher.go       | 270 ++++++++
 vendor/modules.txt                            |   1 +
 12 files changed, 1088 insertions(+), 220 deletions(-)
 create mode 100644 vendor/github.com/onsi/gomega/gcustom/make_matcher.go

diff --git a/controllers/selfnoderemediation_controller.go b/controllers/selfnoderemediation_controller.go
index 34d84f72e..f8e22abaf 100644
--- a/controllers/selfnoderemediation_controller.go
+++ b/controllers/selfnoderemediation_controller.go
@@ -463,16 +463,20 @@ func (r *SelfNodeRemediationReconciler) remediateWithResourceRemoval(ctx context
 	var err error
 	switch phase {
 	case fencingStartedPhase:
+		r.logger.Info("remediateWithResourceRemoval: entered fencing start phase")
 		result, err = r.handleFencingStartedPhase(ctx, node, snr)
 	case preRebootCompletedPhase:
+		r.logger.Info("remediateWithResourceRemoval: entered pre reboot completed phase")
 		result, err = r.handlePreRebootCompletedPhase(node, snr)
 	case rebootCompletedPhase:
+		r.logger.Info("remediateWithResourceRemoval: entered reboot completed phase")
 		result, err = r.handleRebootCompletedPhase(node, snr, rmNodeResources)
 	case fencingCompletedPhase:
+		r.logger.Info("remediateWithResourceRemoval: entered fencing complete phase")
 		result, err = r.handleFencingCompletedPhase(node, snr)
 	default:
 		// this should never happen since we enforce valid values with kubebuilder
-		err = errors.New("unknown phase")
+		err = fmt.Errorf("remediateWithResourceRemoval: unknown phase (%s)", phase)
 		r.logger.Error(err, "Undefined unknown phase", "phase", phase)
 	}
 	return result, err
@@ -506,6 +510,7 @@ func (r *SelfNodeRemediationReconciler) prepareReboot(ctx context.Context, node
 	}
 
 	preRebootCompleted := string(preRebootCompletedPhase)
+	r.logger.Info("pre-reboot completed")
 	snr.Status.Phase = &preRebootCompleted
 
 	return ctrl.Result{}, nil
@@ -636,7 +641,8 @@ func (r *SelfNodeRemediationReconciler) didIRebootMyself(snr *v1alpha1.SelfNodeR
 func (r *SelfNodeRemediationReconciler) isNodeRebootCapable(node *v1.Node) bool {
 	//make sure that the unhealthy node has self node remediation pod on it which can reboot it
 	if _, err := utils.GetSelfNodeRemediationAgentPod(node.Name, r.Client); err != nil {
-		r.logger.Error(err, "failed to get self node remediation agent pod resource")
+		r.logger.Error(err, "failed to get self node remediation agent pod resource, so that makes this node "+
+			"not reboot capable")
 		return false
 	}
 
diff --git a/controllers/tests/config/suite_test.go b/controllers/tests/config/suite_test.go
index d6c2132d4..58c2a7061 100644
--- a/controllers/tests/config/suite_test.go
+++ b/controllers/tests/config/suite_test.go
@@ -126,7 +126,7 @@ var _ = BeforeSuite(func() {
 		MyNodeName:             shared.UnhealthyNodeName,
 		CheckInterval:          shared.ApiCheckInterval,
 		MaxErrorsThreshold:     shared.MaxErrorThreshold,
-		MinPeersForRemediation: shared.MinPeersForRemediation,
+		MinPeersForRemediation: shared.MinPeersForRemediationConfigDefaultValue,
 		Peers:                  peers,
 		Cfg:                    cfg,
 		CertReader:             certReader,
diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 784419088..6cdfdd22f 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -6,6 +6,7 @@ import (
 	"reflect"
 	"time"
 
+	labels2 "github.com/medik8s/common/pkg/labels"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
@@ -18,12 +19,15 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
 	machinev1beta1 "github.com/openshift/api/machine/v1beta1"
 
+	"github.com/medik8s/self-node-remediation/api"
 	"github.com/medik8s/self-node-remediation/api/v1alpha1"
 	"github.com/medik8s/self-node-remediation/controllers"
 	"github.com/medik8s/self-node-remediation/controllers/tests/shared"
+	"github.com/medik8s/self-node-remediation/pkg/controlplane"
 	"github.com/medik8s/self-node-remediation/pkg/utils"
 	"github.com/medik8s/self-node-remediation/pkg/watchdog"
 )
@@ -32,53 +36,49 @@ const (
 	snrNamespace = "default"
 )
 
+var remediationStrategy v1alpha1.RemediationStrategyType
+
 var _ = Describe("SNR Controller", func() {
 	var snr *v1alpha1.SelfNodeRemediation
-	var remediationStrategy v1alpha1.RemediationStrategyType
+
 	var nodeRebootCapable = "true"
-	var isAdditionalSetupNeeded = false
 
 	BeforeEach(func() {
 		nodeRebootCapable = "true"
-		snr = &v1alpha1.SelfNodeRemediation{}
-		snr.Name = shared.UnhealthyNodeName
-		snr.Namespace = snrNamespace
-		snrConfig = shared.GenerateTestConfig()
-		time.Sleep(time.Second * 2)
 
-		// reset watchdog for each test!
-		dummyDog.Reset()
-	})
+		By("Set default self-node-remediation configuration", func() {
+			snr = &v1alpha1.SelfNodeRemediation{}
+			snr.Name = shared.UnhealthyNodeName
+			snr.Namespace = snrNamespace
+
+			snrConfig = shared.GenerateTestConfig()
+			time.Sleep(time.Second * 2)
+		})
 
-	JustBeforeEach(func() {
-		if isAdditionalSetupNeeded {
-			createSelfNodeRemediationPod()
-			verifySelfNodeRemediationPodExist()
-		}
-		createConfig()
 		DeferCleanup(func() {
-			deleteConfig()
+			deleteRemediations()
+
+			//clear node's state, this is important to remove taints, label etc.
+			By(fmt.Sprintf("Clear node state for '%s'", shared.UnhealthyNodeName), func() {
+				Expect(k8sClient.Update(context.Background(), getNode(shared.UnhealthyNodeName)))
+			})
+
+			By(fmt.Sprintf("Clear node state for '%s'", shared.PeerNodeName), func() {
+				Expect(k8sClient.Update(context.Background(), getNode(shared.PeerNodeName)))
+			})
+
+			time.Sleep(time.Second * 2)
+
+			deleteRemediations()
+			clearEvents()
+			verifyCleanState()
 		})
-		updateIsRebootCapable(nodeRebootCapable)
 	})
 
-	AfterEach(func() {
-		k8sClient.ShouldSimulateFailure = false
-		k8sClient.ShouldSimulatePodDeleteFailure = false
-		isAdditionalSetupNeeded = false
-
-		By("Restore default settings for api connectivity check")
-		apiConnectivityCheckConfig.MinPeersForRemediation = shared.MinPeersForRemediation
-
-		deleteRemediations()
-		deleteSelfNodeRemediationPod()
-		//clear node's state, this is important to remove taints, label etc.
-		Expect(k8sClient.Update(context.Background(), getNode(shared.UnhealthyNodeName)))
-		Expect(k8sClient.Update(context.Background(), getNode(shared.PeerNodeName)))
-		time.Sleep(time.Second * 2)
-		deleteRemediations()
-		clearEvents()
-		verifyCleanState()
+	JustBeforeEach(func() {
+		createTestConfig()
+		updateIsRebootCapable(nodeRebootCapable)
+		resetWatchdogTimer()
 	})
 
 	It("check nodes exist", func() {
@@ -162,8 +162,8 @@ var _ = Describe("SNR Controller", func() {
 
 	Context("Unhealthy node with api-server access", func() {
 
-		BeforeEach(func() {
-			isAdditionalSetupNeeded = true
+		JustBeforeEach(func() {
+			doAdditionalSetup()
 		})
 
 		Context("Automatic strategy - ResourceDeletion selected", func() {
@@ -503,28 +503,78 @@ var _ = Describe("SNR Controller", func() {
 	})
 
 	Context("Unhealthy node without api-server access", func() {
-		BeforeEach(func() {
-			By("Simulate api-server failure")
-			k8sClient.ShouldSimulateFailure = true
-			remediationStrategy = v1alpha1.ResourceDeletionRemediationStrategy
-		})
 
-		Context("no peer found", func() {
-			It("Verify that watchdog is not triggered", func() {
+		Context("two control node peers found, they tell me I'm unhealthy", func() {
+
+			BeforeEach(func() {
+				additionalNodes := []newNodeConfig{
+					{
+						nodeName: shared.Peer2NodeName,
+						labels: map[string]string{
+							labels2.MasterRole: "true",
+						},
+
+						pods: []newPodConfig{
+							{
+								name:              shared.SnrPodName2,
+								simulatedResponse: api.Unhealthy,
+							},
+						},
+					},
+					{
+						nodeName: shared.Peer3NodeName,
+						labels: map[string]string{
+							labels2.MasterRole: "true",
+						},
+						pods: []newPodConfig{
+							{
+								name:              shared.SnrPodName3,
+								simulatedResponse: api.Unhealthy,
+							},
+						},
+					},
+				}
+
+				configureClientWrapperToRandomizePodIpAddresses()
+				setMinPeersForRemediation(0)
+				configureUnhealthyNodeAsControlNode()
+				addNodes(additionalNodes)
+
+				addControlPlaneManager()
+				resetWatchdogTimer()
+				configureApiServerSimulatedFailures(true)
+				configureRemediationStrategy(v1alpha1.ResourceDeletionRemediationStrategy)
+				configureSimulatedPeerResponses(true)
+			})
+
+			It("check that we actually get a triggered watchdog reboot", func() {
+				// it actually should be verifyWatchdogTriggered() but this is currently proving
+				//	that the code is broken!
 				verifyWatchdogNotTriggered()
 			})
 		})
 
-		Context("no peer found and MinPeersForRemediation is configured to 0", func() {
+		Context("api-server should be failing throughout the entire test", func() {
 			BeforeEach(func() {
-				By("Set MinPeersForRemedation to zero which should trigger the watchdog before the test")
-				apiConnectivityCheckConfig.MinPeersForRemediation = 0
+				configureApiServerSimulatedFailures(true)
+			})
+
+			Context("no peer found", func() {
+				It("Verify that watchdog is not triggered", func() {
+					verifyWatchdogNotTriggered()
+				})
 			})
 
-			It("Does not receive peer communication and since configured to need zero peers, initiates a reboot",
-				func() {
+			Context("no peer found and MinPeersForRemediation is configured to 0", func() {
+				BeforeEach(func() {
+					setMinPeersForRemediation(0)
+				})
+
+				It("Does not receive peer communication and since configured to need zero peers, "+
+					"initiates a reboot", func() {
 					verifyWatchdogTriggered()
 				})
+			})
 		})
 
 	})
@@ -715,26 +765,27 @@ func verifySelfNodeRemediationPodExist() {
 	}, 5*time.Second, 250*time.Millisecond).Should(Equal(1))
 }
 func deleteRemediations() {
+	By("Delete any existing remediations", func() {
+		Eventually(func(g Gomega) {
+			snrs := &v1alpha1.SelfNodeRemediationList{}
+			g.Expect(k8sClient.List(context.Background(), snrs)).To(Succeed())
+			if len(snrs.Items) == 0 {
+				return
+			}
 
-	Eventually(func(g Gomega) {
-		snrs := &v1alpha1.SelfNodeRemediationList{}
-		g.Expect(k8sClient.List(context.Background(), snrs)).To(Succeed())
-		if len(snrs.Items) == 0 {
-			return
-		}
-
-		for _, snr := range snrs.Items {
-			tmpSnr := snr
-			g.Expect(removeFinalizers(&tmpSnr)).To(Succeed())
-			g.Expect(k8sClient.Client.Delete(context.Background(), &tmpSnr)).To(Succeed())
+			for _, snr := range snrs.Items {
+				tmpSnr := snr
+				g.Expect(removeFinalizers(&tmpSnr)).To(Succeed())
+				g.Expect(k8sClient.Client.Delete(context.Background(), &tmpSnr)).To(Succeed())
 
-		}
+			}
 
-		expectedEmptySnrs := &v1alpha1.SelfNodeRemediationList{}
-		g.Expect(k8sClient.List(context.Background(), expectedEmptySnrs)).To(Succeed())
-		g.Expect(len(expectedEmptySnrs.Items)).To(Equal(0))
+			expectedEmptySnrs := &v1alpha1.SelfNodeRemediationList{}
+			g.Expect(k8sClient.List(context.Background(), expectedEmptySnrs)).To(Succeed())
+			g.Expect(len(expectedEmptySnrs.Items)).To(Equal(0))
 
-	}, 10*time.Second, 100*time.Millisecond).Should(Succeed())
+		}, 10*time.Second, 100*time.Millisecond).Should(Succeed())
+	})
 }
 
 func deleteSNR(snr *v1alpha1.SelfNodeRemediation) {
@@ -777,42 +828,136 @@ func createSNR(snr *v1alpha1.SelfNodeRemediation, strategy v1alpha1.RemediationS
 	ExpectWithOffset(1, k8sClient.Client.Create(context.TODO(), snr)).To(Succeed(), "failed to create snr CR")
 }
 
-func createSelfNodeRemediationPod() {
-	pod := &v1.Pod{}
-	pod.Spec.NodeName = shared.UnhealthyNodeName
-	pod.Labels = map[string]string{"app.kubernetes.io/name": "self-node-remediation",
-		"app.kubernetes.io/component": "agent"}
+func createGenericSelfNodeRemediationPod(node *v1.Node, podName string) (pod *v1.Pod) {
+	By(fmt.Sprintf("Create pod '%s' under node '%s'", podName, node.Name), func() {
+		pod = &v1.Pod{}
+		pod.Spec.NodeName = node.Name
+		pod.Labels = map[string]string{"app.kubernetes.io/name": "self-node-remediation",
+			"app.kubernetes.io/component": "agent"}
+
+		pod.Name = podName
+		pod.Namespace = shared.Namespace
+		// Some tests need the containers to exist
+		container := v1.Container{
+			Name:  "foo",
+			Image: "foo",
+		}
+		pod.Spec.Containers = []v1.Container{container}
 
-	pod.Name = "self-node-remediation"
-	pod.Namespace = shared.Namespace
-	container := v1.Container{
-		Name:  "foo",
-		Image: "foo",
+		ExpectWithOffset(1, k8sClient.Client.Create(context.Background(), pod)).To(Succeed(),
+			"failed to create self-node-remediation pod (%s) for node: '%s'", podName, node.Name)
+
+		time.Sleep(1 * time.Second)
+
+		verifySelfNodeRemediationPodByExistsByName(podName)
+
+		DeferCleanup(func() {
+			deleteSelfNodeRemediationPod(pod, false)
+		})
+	})
+
+	return
+}
+
+func verifySelfNodeRemediationPodByExistsByName(name string) {
+	By(fmt.Sprintf("Verify that pod '%s' exists", name), func() {
+		podList := &v1.PodList{}
+		selector := labels.NewSelector()
+		nameRequirement, _ := labels.NewRequirement("app.kubernetes.io/name", selection.Equals, []string{"self-node-remediation"})
+		componentRequirement, _ := labels.NewRequirement("app.kubernetes.io/component", selection.Equals, []string{"agent"})
+		selector = selector.Add(*nameRequirement, *componentRequirement)
+
+		EventuallyWithOffset(1, func() (bool, error) {
+			err := k8sClient.Client.List(context.Background(), podList, &client.ListOptions{LabelSelector: selector})
+			for _, item := range podList.Items {
+				if item.Name == name {
+					return true, nil
+				}
+			}
+			return false, err
+		}, 5*time.Second, 250*time.Millisecond).Should(BeTrue(), "expected that we should have"+
+			" found the SNR pod")
+	})
+
+	return
+}
+
+func getSnrPods() (pods *v1.PodList) {
+	pods = &v1.PodList{}
+
+	By("Listing self-node-remediation pods")
+	listOptions := &client.ListOptions{
+		LabelSelector: labels.SelectorFromSet(labels.Set{
+			"app.kubernetes.io/name":      "self-node-remediation",
+			"app.kubernetes.io/component": "agent",
+		}),
 	}
-	pod.Spec.Containers = []v1.Container{container}
-	ExpectWithOffset(1, k8sClient.Client.Create(context.Background(), pod)).To(Succeed())
+	Expect(k8sClient.List(context.Background(), pods, listOptions)).To(Succeed(),
+		"failed to list self-node-remediation pods")
+	return
 }
 
-func deleteSelfNodeRemediationPod() {
-	pod := &v1.Pod{}
+func deleteSelfNodeRemediationPod(pod *v1.Pod, throwErrorIfNotFound bool) {
+	By(fmt.Sprintf("Attempt to delete pod '%s'", pod.Name), func() {
+		var grace client.GracePeriodSeconds = 0
+		err := k8sClient.Client.Delete(context.Background(), pod, grace)
+		if throwErrorIfNotFound {
+			ExpectWithOffset(1, err).To(Succeed(), "there should have been no error "+
+				"deleting pod '%s'", pod.Name)
+		} else {
+			ExpectWithOffset(1, err).To(Or(Succeed(), shared.IsK8sNotFoundError()),
+				"expected the delete operation to succeed, or for it to have told us that node '%s'"+
+					" didn't exist", pod.Name)
+		}
+
+	})
+
+	By("Check that pod: '"+pod.Name+"' was actually deleted", func() {
+		EventuallyWithOffset(1, func() bool {
+			podTestAfterDelete := &v1.Pod{}
+			podKey := client.ObjectKey{
+				Namespace: shared.Namespace,
+				Name:      pod.Name,
+			}
+			err := k8sClient.Client.Get(context.Background(), podKey, podTestAfterDelete)
+			return apierrors.IsNotFound(err)
+		}, 10*time.Second, 100*time.Millisecond).Should(BeTrue())
+	})
+}
 
+func deleteSelfNodeRemediationPodByName(podName string, throwErrorIfNotFound bool) (err error) {
+	pod := &v1.Pod{}
 	podKey := client.ObjectKey{
 		Namespace: shared.Namespace,
-		Name:      "self-node-remediation",
+		Name:      podName,
 	}
 
-	if err := k8sClient.Get(context.Background(), podKey, pod); err != nil {
-		Expect(apierrors.IsNotFound(err)).To(BeTrue())
-		return
-	}
+	By(fmt.Sprintf("Attempting to get pod '%s' before deleting it", podName), func() {
+		if err := k8sClient.Client.Get(context.Background(), podKey, pod); err != nil {
+			if apierrors.IsNotFound(err) && !throwErrorIfNotFound {
+				logf.Log.Info("pod with name '%s' not found, we're not going to do anything", podName)
+				err = nil
+				return
+			}
 
-	var grace client.GracePeriodSeconds = 0
-	ExpectWithOffset(1, k8sClient.Client.Delete(context.Background(), pod, grace)).To(Succeed())
+			err = fmt.Errorf("unable to get pod with name '%s' in order to delete it", err)
+			return
+		}
+	})
 
-	EventuallyWithOffset(1, func() bool {
-		err := k8sClient.Client.Get(context.Background(), podKey, pod)
-		return apierrors.IsNotFound(err)
-	}, 10*time.Second, 100*time.Millisecond).Should(BeTrue())
+	deleteSelfNodeRemediationPod(pod, throwErrorIfNotFound)
+
+	return
+}
+
+func deleteAllSelfNodeRemediationPods() {
+	pods := getSnrPods()
+
+	By("Deleting self-node-remediation pods")
+
+	for _, pod := range pods.Items {
+		deleteSelfNodeRemediationPod(&pod, false)
+	}
 }
 
 func createTerminatingPod() {
@@ -916,42 +1061,43 @@ func eventuallyUpdateNode(updateFunc func(*v1.Node), isStatusUpdate bool) {
 }
 
 func verifyCleanState() {
-	//Verify nodes are at a clean state
-	nodes := &v1.NodeList{}
-	Expect(k8sClient.List(context.Background(), nodes)).To(Succeed())
-	Expect(len(nodes.Items)).To(BeEquivalentTo(2))
-	var peerNodeActual, unhealthyNodeActual *v1.Node
-	if nodes.Items[0].Name == shared.UnhealthyNodeName {
-		Expect(nodes.Items[1].Name).To(Equal(shared.PeerNodeName))
-		peerNodeActual = &nodes.Items[1]
-		unhealthyNodeActual = &nodes.Items[0]
-	} else {
-		Expect(nodes.Items[0].Name).To(Equal(shared.PeerNodeName))
-		Expect(nodes.Items[1].Name).To(Equal(shared.UnhealthyNodeName))
-		peerNodeActual = &nodes.Items[0]
-		unhealthyNodeActual = &nodes.Items[1]
-	}
-
-	peerNodeExpected, unhealthyNodeExpected := getNode(shared.PeerNodeName), getNode(shared.UnhealthyNodeName)
-	verifyNodesAreEqual(peerNodeExpected, peerNodeActual)
-	verifyNodesAreEqual(unhealthyNodeExpected, unhealthyNodeActual)
+	By("Verifying that test(s) and AfterTest functions properly left us at an expected state", func() {
+		//Verify nodes are at a clean state
+		nodes := &v1.NodeList{}
+		Expect(k8sClient.List(context.Background(), nodes)).To(Succeed())
+		Expect(len(nodes.Items)).To(BeEquivalentTo(2))
+		var peerNodeActual, unhealthyNodeActual *v1.Node
+		if nodes.Items[0].Name == shared.UnhealthyNodeName {
+			Expect(nodes.Items[1].Name).To(Equal(shared.PeerNodeName))
+			peerNodeActual = &nodes.Items[1]
+			unhealthyNodeActual = &nodes.Items[0]
+		} else {
+			Expect(nodes.Items[0].Name).To(Equal(shared.PeerNodeName))
+			Expect(nodes.Items[1].Name).To(Equal(shared.UnhealthyNodeName))
+			peerNodeActual = &nodes.Items[0]
+			unhealthyNodeActual = &nodes.Items[1]
+		}
 
-	//Verify no existing remediations
-	remediations := &v1alpha1.SelfNodeRemediationList{}
-	Expect(k8sClient.List(context.Background(), remediations)).To(Succeed())
-	Expect(len(remediations.Items)).To(BeEquivalentTo(0))
+		peerNodeExpected, unhealthyNodeExpected := getNode(shared.PeerNodeName), getNode(shared.UnhealthyNodeName)
+		verifyNodesAreEqual(peerNodeExpected, peerNodeActual)
+		verifyNodesAreEqual(unhealthyNodeExpected, unhealthyNodeActual)
 
-	//Verify SNR Pod Does not exist
-	pod := &v1.Pod{}
-	podKey := client.ObjectKey{
-		Namespace: shared.Namespace,
-		Name:      "self-node-remediation",
-	}
-	err := k8sClient.Get(context.Background(), podKey, pod)
-	Expect(apierrors.IsNotFound(err)).To(BeTrue())
+		//Verify no existing remediations
+		remediations := &v1alpha1.SelfNodeRemediationList{}
+		Expect(k8sClient.List(context.Background(), remediations)).To(Succeed())
+		Expect(len(remediations.Items)).To(BeEquivalentTo(0))
 
-	verifyOutOfServiceTaintRemoved()
+		//Verify SNR Pod Does not exist
+		pod := &v1.Pod{}
+		podKey := client.ObjectKey{
+			Namespace: shared.Namespace,
+			Name:      shared.SnrPodName1,
+		}
+		err := k8sClient.Get(context.Background(), podKey, pod)
+		Expect(apierrors.IsNotFound(err)).To(BeTrue())
 
+		verifyOutOfServiceTaintRemoved()
+	})
 }
 
 func verifyNodesAreEqual(expected *v1.Node, actual *v1.Node) {
@@ -963,14 +1109,16 @@ func verifyNodesAreEqual(expected *v1.Node, actual *v1.Node) {
 }
 
 func clearEvents() {
-	for {
-		select {
-		case _ = <-fakeRecorder.Events:
+	By("Clear any events in the channel", func() {
+		for {
+			select {
+			case _ = <-fakeRecorder.Events:
 
-		default:
-			return
+			default:
+				return
+			}
 		}
-	}
+	})
 }
 
 func verifyEvent(eventType, reason, message string) {
@@ -1016,19 +1164,20 @@ func isEventOccurred(eventType string, reason string, message string) bool {
 }
 
 func deleteConfig() {
-	snrConfigTmp := &v1alpha1.SelfNodeRemediationConfig{}
-	// make sure config is already created
-	Eventually(func(g Gomega) {
-		g.Expect(k8sClient.Get(context.Background(), client.ObjectKeyFromObject(snrConfig), snrConfigTmp)).To(Succeed())
-	}, 10*time.Second, 100*time.Millisecond).Should(Succeed())
-
-	//delete config and verify it's deleted
-	Expect(k8sClient.Delete(context.Background(), snrConfigTmp)).To(Succeed())
-	Eventually(func(g Gomega) {
-		err := k8sClient.Get(context.Background(), client.ObjectKeyFromObject(snrConfig), snrConfigTmp)
-		g.Expect(apierrors.IsNotFound(err)).To(BeTrue())
-	}, 10*time.Second, 100*time.Millisecond).Should(Succeed())
-
+	By("Delete SelfNodeRemediationConfig", func() {
+		snrConfigTmp := &v1alpha1.SelfNodeRemediationConfig{}
+		// make sure config is already created
+		Eventually(func(g Gomega) {
+			g.Expect(k8sClient.Get(context.Background(), client.ObjectKeyFromObject(snrConfig), snrConfigTmp)).To(Succeed())
+		}, 10*time.Second, 100*time.Millisecond).Should(Succeed())
+
+		//delete config and verify it's deleted
+		Expect(k8sClient.Delete(context.Background(), snrConfigTmp)).To(Succeed())
+		Eventually(func(g Gomega) {
+			err := k8sClient.Get(context.Background(), client.ObjectKeyFromObject(snrConfig), snrConfigTmp)
+			g.Expect(apierrors.IsNotFound(err)).To(BeTrue())
+		}, 10*time.Second, 100*time.Millisecond).Should(Succeed())
+	})
 }
 
 func createConfig() {
@@ -1041,3 +1190,217 @@ func createConfig() {
 	}, 10*time.Second, 100*time.Millisecond).Should(Succeed())
 
 }
+
+func addControlPlaneManager() {
+	By("Add a control plane manager", func() {
+		controlPlaneMgr := controlplane.NewManager(shared.UnhealthyNodeName, k8sClient)
+		Expect(controlPlaneMgr.Start(context.Background())).To(Succeed(), "we should"+
+			"have been able to enable a control plane manager for the current node")
+
+		apiCheck.SetControlPlaneManager(controlPlaneMgr)
+
+		Expect(apiConnectivityCheckConfig.Peers.UpdateControlPlanePeers(context.Background())).To(Succeed())
+
+		DeferCleanup(func() {
+			By("Removing the control plane manager", func() {
+				apiCheck.SetControlPlaneManager(nil)
+				Expect(apiConnectivityCheckConfig.Peers.UpdateControlPlanePeers(context.Background())).To(Succeed())
+			})
+		})
+	})
+}
+
+func setMinPeersForRemediation(minimumNumberOfPeers int) {
+
+	By(fmt.Sprintf("Setting MinPeersForRemediation to %d", minimumNumberOfPeers), func() {
+		orgMinPeersForRemediation := apiConnectivityCheckConfig.MinPeersForRemediation
+		apiConnectivityCheckConfig.MinPeersForRemediation = minimumNumberOfPeers
+
+		time.Sleep(1 * time.Second)
+
+		DeferCleanup(func() {
+			By("Restore MinPeersForRemediation back to its default value", func() {
+				apiConnectivityCheckConfig.MinPeersForRemediation = orgMinPeersForRemediation
+			})
+		})
+	})
+
+}
+
+func configureClientWrapperToRandomizePodIpAddresses() {
+	By("Configure k8s client wrapper to return random IP address for pods", func() {
+		orgValue := k8sClient.ShouldReturnRandomPodIPs
+
+		k8sClient.ShouldReturnRandomPodIPs = true
+
+		DeferCleanup(func() {
+			By(fmt.Sprintf("Restore k8s client wrapper random pod IP address generation to %t",
+				orgValue), func() {
+				k8sClient.ShouldReturnRandomPodIPs = orgValue
+			})
+
+			return
+		})
+	})
+}
+
+func configureUnhealthyNodeAsControlNode() {
+	var unhealthyNode = &v1.Node{}
+	By("Getting the existing unhealthy node object", func() {
+		Expect(k8sClient.Client.Get(context.TODO(), unhealthyNodeNamespacedName, unhealthyNode)).
+			To(Succeed(), "failed to get the unhealthy node object")
+
+		logf.Log.Info("Successfully retrieved node", "unhealthyNode",
+			unhealthyNode)
+	})
+
+	By("Set the existing unhealthy node as a control node", func() {
+		previousRole := unhealthyNode.Labels[labels2.MasterRole]
+		unhealthyNode.Labels[labels2.MasterRole] = "true"
+		Expect(k8sClient.Update(context.TODO(), unhealthyNode)).To(Succeed(), "failed to update unhealthy node")
+
+		DeferCleanup(func() {
+			By("Revert the unhealthy node's role to its previous value", func() {
+				unhealthyNode.Labels[labels2.MasterRole] = previousRole
+			})
+		})
+	})
+}
+
+func configureSimulatedPeerResponses(simulateResponses bool) {
+	By("Start simulating peer responses", func() {
+		orgValue := apiCheck.ShouldSimulatePeerResponses
+		apiCheck.ShouldSimulatePeerResponses = simulateResponses
+
+		DeferCleanup(func() {
+			apiCheck.ShouldSimulatePeerResponses = orgValue
+		})
+	})
+}
+
+func configureApiServerSimulatedFailures(simulateResponses bool) {
+	By("Configure k8s client to simulate API server failures", func() {
+		orgValue := k8sClient.ShouldSimulateFailure
+		k8sClient.ShouldSimulateFailure = simulateResponses
+
+		DeferCleanup(func() {
+			By(fmt.Sprintf("Restore k8s client config value for API server failure simulation to %t",
+				orgValue), func() {
+				k8sClient.ShouldSimulateFailure = orgValue
+			})
+
+		})
+	})
+
+}
+
+func configureRemediationStrategy(newRemediationStrategy v1alpha1.RemediationStrategyType) {
+	By(fmt.Sprintf("Configure remediation strategy to '%s'", newRemediationStrategy), func() {
+		orgValue := remediationStrategy
+		remediationStrategy = newRemediationStrategy
+
+		DeferCleanup(func() {
+			By(fmt.Sprintf("Restore remediation strategy to '%s'", orgValue), func() {
+				remediationStrategy = orgValue
+			})
+
+		})
+	})
+
+}
+
+type newPodConfig struct {
+	name              string
+	simulatedResponse api.HealthCheckResponseCode
+}
+type newNodeConfig struct {
+	nodeName string
+	labels   map[string]string
+
+	pods []newPodConfig
+}
+
+func addNodes(nodes []newNodeConfig) {
+	By("Add peer nodes & pods", func() {
+
+		for _, np := range nodes {
+			newNode := getNode(np.nodeName)
+
+			for key, value := range np.labels {
+				newNode.Labels[key] = value
+			}
+
+			By(fmt.Sprintf("Create node '%s'", np.nodeName), func() {
+				Expect(k8sClient.Create(context.Background(), newNode)).To(Succeed(),
+					"failed to create peer node '%s'", np.nodeName)
+
+				DeferCleanup(func() {
+					By(fmt.Sprintf("Remove node '%s'", np.nodeName), func() {
+						Expect(k8sClient.Delete(context.Background(), newNode)).To(Or(Succeed(), shared.IsK8sNotFoundError()))
+					})
+				})
+			})
+
+			createdNode := &v1.Node{}
+
+			By("Check that the newly created node actually was created", func() {
+				namespace := client.ObjectKey{
+					Name:      np.nodeName,
+					Namespace: "",
+				}
+				Eventually(func() error {
+					return k8sClient.Client.Get(context.TODO(), namespace, createdNode)
+				}, 10*time.Second, 250*time.Millisecond).Should(BeNil())
+				Expect(createdNode.Name).To(Equal(np.nodeName))
+				Expect(createdNode.CreationTimestamp).ToNot(BeZero())
+			})
+
+			for _, pod := range np.pods {
+				By(fmt.Sprintf("Create pod '%s' under node '%s'", pod.name, np.nodeName), func() {
+					_ = createGenericSelfNodeRemediationPod(createdNode, pod.name)
+					apiCheck.SimulatePeerResponses = append(apiCheck.SimulatePeerResponses, pod.simulatedResponse)
+				})
+
+			}
+
+		}
+
+		DeferCleanup(func() {
+			By("Removing the additional peer nodes when all relevant tests are complete", func() {
+				Expect(k8sClient.Delete(context.Background(), getNode(shared.Peer2NodeName))).To(Succeed())
+				Expect(k8sClient.Delete(context.Background(), getNode(shared.Peer3NodeName))).To(Succeed())
+			})
+			return
+		})
+
+	})
+}
+
+func resetWatchdogTimer() {
+	By("Resetting watchdog timer", func() {
+		dummyDog.Reset()
+	})
+}
+
+func doAdditionalSetup() {
+	By("Perform additional setups", func() {
+
+		By("Create the default self-node-remediation agent pod", func() {
+			snrPod := createGenericSelfNodeRemediationPod(unhealthyNode, shared.SnrPodName1)
+			verifySelfNodeRemediationPodExist()
+
+			DeferCleanup(func() {
+				deleteSelfNodeRemediationPod(snrPod, false)
+			})
+		})
+	})
+}
+
+func createTestConfig() {
+	By("Create test configuration", func() {
+		createConfig()
+		DeferCleanup(func() {
+			deleteConfig()
+		})
+	})
+}
diff --git a/controllers/tests/controller/suite_test.go b/controllers/tests/controller/suite_test.go
index 070b26f54..d806c420e 100644
--- a/controllers/tests/controller/suite_test.go
+++ b/controllers/tests/controller/suite_test.go
@@ -60,6 +60,7 @@ var (
 	k8sClient                  *shared.K8sClientWrapper
 	fakeRecorder               *record.FakeRecorder
 	snrConfig                  *selfnoderemediationv1alpha1.SelfNodeRemediationConfig
+	apiCheck                   *shared.ApiConnectivityCheckWrapper
 	apiConnectivityCheckConfig *apicheck.ApiConnectivityCheckConfig
 )
 
@@ -149,6 +150,7 @@ var _ = BeforeSuite(func() {
 
 	peerApiServerTimeout := 5 * time.Second
 	peers := peers.New(shared.UnhealthyNodeName, shared.PeerUpdateInterval, k8sClient, ctrl.Log.WithName("peers"), peerApiServerTimeout)
+
 	err = k8sManager.Add(peers)
 	Expect(err).ToNot(HaveOccurred())
 
@@ -161,9 +163,11 @@ var _ = BeforeSuite(func() {
 		Peers:                  peers,
 		Rebooter:               rebooter,
 		Cfg:                    cfg,
-		MinPeersForRemediation: shared.MinPeersForRemediation,
+		MinPeersForRemediation: shared.MinPeersForRemediationConfigDefaultValue,
 	}
-	apiCheck := apicheck.New(apiConnectivityCheckConfig, nil)
+
+	apiCheck = shared.NewApiConnectivityCheckWrapper(apiConnectivityCheckConfig, nil)
+
 	err = k8sManager.Add(apiCheck)
 	Expect(err).ToNot(HaveOccurred())
 
diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index 3e424b879..1b889f5f3 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -3,30 +3,48 @@ package shared
 import (
 	"context"
 	"errors"
+	"net"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"time"
 
+	"github.com/google/uuid"
 	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/gcustom"
+	types2 "github.com/onsi/gomega/types"
 
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	selfNodeRemediation "github.com/medik8s/self-node-remediation/api"
 	selfnoderemediationv1alpha1 "github.com/medik8s/self-node-remediation/api/v1alpha1"
+	"github.com/medik8s/self-node-remediation/pkg/apicheck"
+	"github.com/medik8s/self-node-remediation/pkg/controlplane"
 	"github.com/medik8s/self-node-remediation/pkg/reboot"
 )
 
 const (
-	PeerUpdateInterval     = 30 * time.Second
-	ApiCheckInterval       = 1 * time.Second
-	MaxErrorThreshold      = 1
-	MinPeersForRemediation = 1
+	PeerUpdateInterval = 30 * time.Second
+	ApiCheckInterval   = 1 * time.Second
+	MaxErrorThreshold  = 1
 	// CalculatedRebootDuration is the mock calculator's result
 	CalculatedRebootDuration = 3 * time.Second
 	Namespace                = "self-node-remediation"
 	UnhealthyNodeName        = "node1"
 	PeerNodeName             = "node2"
-	DsDummyImageName         = "dummy-image"
+	Peer2NodeName            = "node3"
+	Peer3NodeName            = "node4"
+
+	SnrPodName1      = "self-node-remediation"
+	SnrPodName2      = "self-node-remediation-2"
+	SnrPodName3      = "self-node-remediation-3"
+	DsDummyImageName = "dummy-image"
+
+	K8sClientReturnRandomPodIPAddressesByDefault = false
+
+	MinPeersForRemediationConfigDefaultValue = 1
 )
 
 type K8sClientWrapper struct {
@@ -35,17 +53,81 @@ type K8sClientWrapper struct {
 	ShouldSimulateFailure          bool
 	ShouldSimulatePodDeleteFailure bool
 	SimulatedFailureMessage        string
+	ShouldReturnRandomPodIPs       bool
+}
+
+type ApiConnectivityCheckWrapper struct {
+	apicheck.ApiConnectivityCheck
+	ShouldSimulatePeerResponses bool
+
+	// store responses that we should override for any peer responses
+	SimulatePeerResponses []selfNodeRemediation.HealthCheckResponseCode
 }
 
-func (kcw *K8sClientWrapper) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
-	if kcw.ShouldSimulateFailure {
-		return errors.New("simulation of client error")
-	} else if kcw.ShouldSimulatePodDeleteFailure {
+func (kcw *K8sClientWrapper) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) (err error) {
+	switch {
+	case kcw.ShouldSimulateFailure:
+		err = errors.New("simulation of client error")
+		return
+	case kcw.ShouldSimulatePodDeleteFailure:
 		if _, ok := list.(*corev1.NamespaceList); ok {
-			return errors.New(kcw.SimulatedFailureMessage)
+			err = errors.New(kcw.SimulatedFailureMessage)
+			return
+		}
+		fallthrough
+	default:
+		err = kcw.Client.List(ctx, list, opts...)
+	}
+
+	if kcw.ShouldReturnRandomPodIPs {
+		logf.Log.Info("Returning random IP addresses for all the pods because ShouldReturnRandomPodIPs is true")
+
+		if podList, ok := list.(*corev1.PodList); ok {
+			assignRandomIpAddressesPods(podList)
 		}
 	}
-	return kcw.Client.List(ctx, list, opts...)
+
+	return
+}
+
+func assignRandomIpAddressesPods(pods *corev1.PodList) {
+	for i := range pods.Items {
+		pods.Items[i].Status.PodIPs = []corev1.PodIP{{IP: GetRandomIpAddress()}}
+	}
+
+	return
+}
+
+func GetRandomIpAddress() (randomIP string) {
+	u := uuid.New()
+	ip := net.IP(u[:net.IPv6len])
+	randomIP = ip.String()
+
+	return
+}
+
+func NewApiConnectivityCheckWrapper(ck *apicheck.ApiConnectivityCheckConfig, controlPlaneManager *controlplane.Manager) (ckw *ApiConnectivityCheckWrapper) {
+	ckw = &ApiConnectivityCheckWrapper{
+		ApiConnectivityCheck:        *apicheck.New(ck, controlPlaneManager),
+		ShouldSimulatePeerResponses: false,
+		SimulatePeerResponses:       []selfNodeRemediation.HealthCheckResponseCode{},
+	}
+
+	ckw.ApiConnectivityCheck.SetHealthStatusFunc(func(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode) {
+		switch {
+		case ckw.ShouldSimulatePeerResponses:
+			for _, code := range ckw.SimulatePeerResponses {
+				results <- code
+			}
+
+			return
+		default:
+			ckw.ApiConnectivityCheck.GetDefaultPeerHealthCheckFunc()(endpointIp, results)
+			break
+		}
+	})
+
+	return
 }
 
 func GenerateTestConfig() *selfnoderemediationv1alpha1.SelfNodeRemediationConfig {
@@ -81,3 +163,44 @@ func VerifySNRStatusExist(k8sClient client.Client, snr *selfnoderemediationv1alp
 		g.Expect(meta.IsStatusConditionPresentAndEqual(tmpSNR.Status.Conditions, statusType, conditionStatus)).To(BeTrue())
 	}, 10*time.Second, 250*time.Millisecond).Should(Succeed())
 }
+
+type K8sErrorTestingFunc func(err error) bool
+
+// Matches one of the k8s error types that the user wants to ignore
+func IsIgnoredK8sError(k8sErrorsToIgnore []K8sErrorTestingFunc) types2.GomegaMatcher {
+	return gcustom.MakeMatcher(func(errorToTest error) (matches bool, err error) {
+		if errorToTest == nil {
+			matches = false
+			return
+		}
+
+		for _, testingFunc := range k8sErrorsToIgnore {
+			if testingFunc(errorToTest) {
+				matches = true
+				return
+			}
+		}
+
+		matches = false
+
+		return
+	})
+}
+
+func IsK8sNotFoundError() types2.GomegaMatcher {
+	return gcustom.MakeMatcher(func(errorToTest error) (matches bool, err error) {
+		if errorToTest == nil {
+			matches = false
+			return
+		}
+
+		if apierrors.IsNotFound(errorToTest) {
+			matches = true
+			return
+		}
+
+		matches = false
+
+		return
+	})
+}
diff --git a/go.mod b/go.mod
index 552158478..d1c457754 100644
--- a/go.mod
+++ b/go.mod
@@ -22,6 +22,8 @@ require (
 	sigs.k8s.io/controller-runtime v0.15.0
 )
 
+require github.com/google/uuid v1.3.0
+
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -41,7 +43,6 @@ require (
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
-	github.com/google/uuid v1.3.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
diff --git a/pkg/apicheck/check.go b/pkg/apicheck/check.go
index 55a708bc3..9151a2e41 100644
--- a/pkg/apicheck/check.go
+++ b/pkg/apicheck/check.go
@@ -35,14 +35,17 @@ const (
 
 type ApiConnectivityCheck struct {
 	client.Reader
-	config                 *ApiConnectivityCheckConfig
-	errorCount             int
-	timeOfLastPeerResponse time.Time
-	clientCreds            credentials.TransportCredentials
-	mutex                  sync.Mutex
-	controlPlaneManager    *controlplane.Manager
+	config                        *ApiConnectivityCheckConfig
+	errorCount                    int
+	timeOfLastPeerResponse        time.Time
+	clientCreds                   credentials.TransportCredentials
+	mutex                         sync.Mutex
+	controlPlaneManager           *controlplane.Manager
+	getHealthStatusFromRemoteFunc GetHealthStatusFromRemoteFunc
 }
 
+type GetHealthStatusFromRemoteFunc func(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode)
+
 type ApiConnectivityCheckConfig struct {
 	Log                       logr.Logger
 	MyNodeName                string
@@ -62,13 +65,70 @@ type ApiConnectivityCheckConfig struct {
 	Recorder                  record.EventRecorder
 }
 
-func New(config *ApiConnectivityCheckConfig, controlPlaneManager *controlplane.Manager) *ApiConnectivityCheck {
-	return &ApiConnectivityCheck{
+func New(config *ApiConnectivityCheckConfig, controlPlaneManager *controlplane.Manager) (c *ApiConnectivityCheck) {
+	c = &ApiConnectivityCheck{
 		config:                 config,
 		mutex:                  sync.Mutex{},
 		controlPlaneManager:    controlPlaneManager,
 		timeOfLastPeerResponse: time.Now(),
 	}
+
+	c.SetHealthStatusFunc(c.GetDefaultPeerHealthCheckFunc())
+
+	return
+}
+
+func (c *ApiConnectivityCheck) GetDefaultPeerHealthCheckFunc() (fun GetHealthStatusFromRemoteFunc) {
+
+	fun = func(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode) {
+		logger := c.config.Log.WithValues("IP", endpointIp.IP)
+		logger.Info("getting health status from peer")
+
+		if err := c.initClientCreds(); err != nil {
+			logger.Error(err, "failed to init client credentials")
+			results <- selfNodeRemediation.RequestFailed
+			return
+		}
+
+		// TODO does this work with IPv6?
+		// MES: Yes it does, we've tested this
+		phClient, err := peerhealth.NewClient(fmt.Sprintf("%v:%v", endpointIp.IP, c.config.PeerHealthPort), c.config.PeerDialTimeout, c.config.Log.WithName("peerhealth client"), c.clientCreds)
+		if err != nil {
+			logger.Error(err, "failed to init grpc client")
+			results <- selfNodeRemediation.RequestFailed
+			return
+		}
+		defer phClient.Close()
+
+		effectiveTimeout := c.getEffectivePeerRequestTimeout()
+		ctx, cancel := context.WithTimeout(context.Background(), effectiveTimeout)
+		defer cancel()
+
+		resp, err := phClient.IsHealthy(ctx, &peerhealth.HealthRequest{
+			NodeName:    c.config.MyNodeName,
+			MachineName: c.config.MyMachineName,
+		})
+		if err != nil {
+			logger.Error(err, "failed to read health response from peer")
+			results <- selfNodeRemediation.RequestFailed
+			return
+		}
+
+		logger.Info("got response from peer", "status", resp.Status)
+
+		results <- selfNodeRemediation.HealthCheckResponseCode(resp.Status)
+		return
+	}
+
+	return
+}
+
+func (c *ApiConnectivityCheck) GetControlPlaneManager() *controlplane.Manager {
+	return c.controlPlaneManager
+}
+
+func (c *ApiConnectivityCheck) SetControlPlaneManager(manager *controlplane.Manager) {
+	c.controlPlaneManager = manager
 }
 
 func (c *ApiConnectivityCheck) Start(ctx context.Context) error {
@@ -120,12 +180,27 @@ func (c *ApiConnectivityCheck) Start(ctx context.Context) error {
 // isConsideredHealthy keeps track of the number of errors reported, and when a certain amount of error occur within a certain
 // time, ask peers if this node is healthy. Returns if the node is considered to be healthy or not.
 func (c *ApiConnectivityCheck) isConsideredHealthy() bool {
+	isControlPlaneManagerNil := c.controlPlaneManager == nil
+
+	isWorkerNode := isControlPlaneManagerNil || !c.controlPlaneManager.IsControlPlane()
+
+	c.config.Log.Info("isConsideredHealthy called",
+		"isControlPlaneManagerNil", isControlPlaneManagerNil,
+		"isWorkerNode", isWorkerNode)
+
 	workerPeersResponse := c.getWorkerPeersResponse()
-	isWorkerNode := c.controlPlaneManager == nil || !c.controlPlaneManager.IsControlPlane()
+
 	if isWorkerNode {
+		c.config.Log.Info("isConsideredHealthy: returning result from getWorkerPeersResponse",
+			"workerPeersResponse.IsHealthy", workerPeersResponse.IsHealthy)
 		return workerPeersResponse.IsHealthy
 	} else {
-		return c.controlPlaneManager.IsControlPlaneHealthy(workerPeersResponse, c.canOtherControlPlanesBeReached())
+		canOtherControlPlanesBeReached := c.canOtherControlPlanesBeReached()
+		isControlPlaneHealthy := c.controlPlaneManager.IsControlPlaneHealthy(workerPeersResponse, canOtherControlPlanesBeReached)
+		c.config.Log.Info("isConsideredHealthy: returning result from IsControlPlaneHealthy",
+			"c.canOtherControlPlanesBeReached()", canOtherControlPlanesBeReached,
+			"c.controlPlaneManager.IsControlPlaneHealthy", isControlPlaneHealthy)
+		return isControlPlaneHealthy
 	}
 
 }
@@ -137,9 +212,11 @@ func (c *ApiConnectivityCheck) getWorkerPeersResponse() peers.Response {
 		return peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseErrorsThresholdNotReached}
 	}
 
-	c.config.Log.Info("Error count exceeds threshold, trying to ask other nodes if I'm healthy")
 	peersToAsk := c.config.Peers.GetPeersAddresses(peers.Worker)
 
+	c.config.Log.Info("Error count exceeds threshold, trying to ask other peer nodes if I'm healthy",
+		"minPeersRequired", c.config.MinPeersForRemediation, "actualNumPeersFound", len(peersToAsk))
+
 	// We check to see if we have at least the number of peers that the user has configured as required.
 	//  If we don't have this many peers (for instance there are zero peers, and the default value is set
 	//  which requires at least one peer), we don't want to remediate. In this case we have some confusion
@@ -232,8 +309,15 @@ func (c *ApiConnectivityCheck) getWorkerPeersResponse() peers.Response {
 }
 
 func (c *ApiConnectivityCheck) canOtherControlPlanesBeReached() bool {
+	c.config.Log.Info("canOtherControlPlanesBeReached", "c.config.Peers",
+		c.config.Peers)
+
 	peersToAsk := c.config.Peers.GetPeersAddresses(peers.ControlPlane)
 	numOfControlPlanePeers := len(peersToAsk)
+
+	c.config.Log.Info("Getting peer control plane addresses", "peersToAsk",
+		peersToAsk, "numOfControlPlanePeers", numOfControlPlanePeers)
+
 	if numOfControlPlanePeers == 0 {
 		c.config.Log.Info("Peers list is empty and / or couldn't be retrieved from server, other control planes can't be reached")
 		return false
@@ -277,6 +361,8 @@ func (c *ApiConnectivityCheck) getHealthStatusFromPeers(addresses []corev1.PodIP
 	nrAddresses := len(addresses)
 	responsesChan := make(chan selfNodeRemediation.HealthCheckResponseCode, nrAddresses)
 
+	c.config.Log.Info("Attempting to get health status from peers", "addresses", addresses)
+
 	for _, address := range addresses {
 		go c.getHealthStatusFromPeer(address, responsesChan)
 	}
@@ -290,7 +376,6 @@ func (c *ApiConnectivityCheck) getEffectivePeerRequestTimeout() time.Duration {
 	minimumSafeTimeout := c.config.ApiServerTimeout + v1alpha1.MinimumBuffer
 
 	if c.config.PeerRequestTimeout < minimumSafeTimeout {
-		// Log warning about timeout adjustment
 		c.config.Log.Info("PeerRequestTimeout is too low, using adjusted value for safety",
 			"configuredTimeout", c.config.PeerRequestTimeout,
 			"apiServerTimeout", c.config.ApiServerTimeout,
@@ -303,47 +388,20 @@ func (c *ApiConnectivityCheck) getEffectivePeerRequestTimeout() time.Duration {
 	return c.config.PeerRequestTimeout
 }
 
-// getHealthStatusFromPeer issues a GET request to the specified IP and returns the result from the peer into the given channel
-func (c *ApiConnectivityCheck) getHealthStatusFromPeer(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode) {
-
-	logger := c.config.Log.WithValues("IP", endpointIp.IP)
-	logger.Info("getting health status from peer")
-
-	if err := c.initClientCreds(); err != nil {
-		logger.Error(err, "failed to init client credentials")
-		results <- selfNodeRemediation.RequestFailed
-		return
-	}
-
-	// TODO does this work with IPv6?
-	phClient, err := peerhealth.NewClient(fmt.Sprintf("%v:%v", endpointIp.IP, c.config.PeerHealthPort), c.config.PeerDialTimeout, c.config.Log.WithName("peerhealth client"), c.clientCreds)
-	if err != nil {
-		logger.Error(err, "failed to init grpc client")
-		results <- selfNodeRemediation.RequestFailed
-		return
-	}
-	defer phClient.Close()
-
-	effectiveTimeout := c.getEffectivePeerRequestTimeout()
-	ctx, cancel := context.WithTimeout(context.Background(), effectiveTimeout)
-	defer cancel()
-
-	resp, err := phClient.IsHealthy(ctx, &peerhealth.HealthRequest{
-		NodeName:    c.config.MyNodeName,
-		MachineName: c.config.MyMachineName,
-	})
-	if err != nil {
-		logger.Error(err, "failed to read health response from peer")
-		results <- selfNodeRemediation.RequestFailed
-		return
-	}
-
-	logger.Info("got response from peer", "status", resp.Status)
+func (c *ApiConnectivityCheck) SetHealthStatusFunc(f GetHealthStatusFromRemoteFunc) {
+	c.getHealthStatusFromRemoteFunc = f
+}
 
-	results <- selfNodeRemediation.HealthCheckResponseCode(resp.Status)
+func (c *ApiConnectivityCheck) GetHealthStatusFunc() (f GetHealthStatusFromRemoteFunc) {
+	f = c.getHealthStatusFromRemoteFunc
 	return
 }
 
+// GetHealthStatusFromPeer issues a GET request to the specified IP and returns the result from the peer into the given channel
+func (c *ApiConnectivityCheck) getHealthStatusFromPeer(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode) {
+	c.getHealthStatusFromRemoteFunc(endpointIp, results)
+}
+
 func (c *ApiConnectivityCheck) initClientCreds() error {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
diff --git a/pkg/controlplane/manager.go b/pkg/controlplane/manager.go
index f7c3aaba4..a39703e14 100644
--- a/pkg/controlplane/manager.go
+++ b/pkg/controlplane/manager.go
@@ -54,6 +54,10 @@ func (manager *Manager) Start(_ context.Context) error {
 }
 
 func (manager *Manager) IsControlPlane() bool {
+	manager.log.Info("Checking to see if node is a control plane node",
+		"nodeName", manager.nodeName,
+		"controlPlaneNodeExpectedValue", peers.ControlPlane,
+		"nodeRole", manager.nodeRole)
 	return manager.nodeRole == peers.ControlPlane
 }
 
@@ -131,6 +135,9 @@ func (manager *Manager) initializeManager() error {
 }
 
 func (manager *Manager) setNodeRole(node corev1.Node) {
+	manager.log.Info("setNodeRole called",
+		"labels", node.Labels)
+
 	if nodes.IsControlPlane(&node) {
 		manager.nodeRole = peers.ControlPlane
 	} else {
diff --git a/pkg/peers/peers.go b/pkg/peers/peers.go
index bfdee63d1..3addb2684 100644
--- a/pkg/peers/peers.go
+++ b/pkg/peers/peers.go
@@ -84,13 +84,13 @@ func (p *Peers) Start(ctx context.Context) error {
 	p.log.Info("peer starting", "name", p.myNodeName)
 	wait.UntilWithContext(ctx, func(ctx context.Context) {
 		updateWorkerPeersError := p.updateWorkerPeers(ctx)
-		updateControlPlanePeersError := p.updateControlPlanePeers(ctx)
+		updateControlPlanePeersError := p.UpdateControlPlanePeers(ctx)
 		if updateWorkerPeersError != nil || updateControlPlanePeersError != nil {
 			// the default update interval is quite long, in case of an error we want to retry quicker
 			quickCtx, quickCancel := context.WithCancel(ctx)
 			wait.UntilWithContext(quickCtx, func(ctx context.Context) {
 				quickUpdateWorkerPeersError := p.updateWorkerPeers(ctx)
-				quickUpdateControlPlanePeersError := p.updateControlPlanePeers(ctx)
+				quickUpdateControlPlanePeersError := p.UpdateControlPlanePeers(ctx)
 				if quickUpdateWorkerPeersError == nil && quickUpdateControlPlanePeersError == nil {
 					quickCancel()
 				}
@@ -102,18 +102,40 @@ func (p *Peers) Start(ctx context.Context) error {
 }
 
 func (p *Peers) updateWorkerPeers(ctx context.Context) error {
-	setterFunc := func(addresses []v1.PodIP) { p.workerPeersAddresses = addresses }
-	selectorGetter := func() labels.Selector { return p.workerPeerSelector }
-	return p.updatePeers(ctx, selectorGetter, setterFunc)
+	p.log.Info("updateWorkerPeers entered")
+	setterFunc := func(addresses []v1.PodIP) {
+		p.log.Info("updateWorkerPeers setter called", "addresses", addresses)
+		p.workerPeersAddresses = addresses
+	}
+	selectorGetter := func() labels.Selector {
+		p.log.Info("updateWorkerPeers getter called", "workerPeerSelector", p.workerPeerSelector)
+		return p.workerPeerSelector
+	}
+	resetFunc := func() {
+		p.workerPeersAddresses = []v1.PodIP{}
+	}
+	return p.updatePeers(ctx, selectorGetter, setterFunc, resetFunc)
 }
 
-func (p *Peers) updateControlPlanePeers(ctx context.Context) error {
-	setterFunc := func(addresses []v1.PodIP) { p.controlPlanePeersAddresses = addresses }
-	selectorGetter := func() labels.Selector { return p.controlPlanePeerSelector }
-	return p.updatePeers(ctx, selectorGetter, setterFunc)
+func (p *Peers) UpdateControlPlanePeers(ctx context.Context) error {
+	p.log.Info("UpdateControlPlanePeers entered")
+
+	setterFunc := func(addresses []v1.PodIP) {
+		p.log.Info("UpdateControlPlanePeers setter called", "addresses", addresses)
+		p.controlPlanePeersAddresses = addresses
+	}
+	selectorGetter := func() labels.Selector {
+		p.log.Info("UpdateControlPlanePeers getter called", "workerPeerSelector", p.workerPeerSelector)
+		return p.controlPlanePeerSelector
+	}
+	resetFunc := func() {
+		p.controlPlanePeersAddresses = []v1.PodIP{}
+	}
+	return p.updatePeers(ctx, selectorGetter, setterFunc, resetFunc)
 }
 
-func (p *Peers) updatePeers(ctx context.Context, getSelector func() labels.Selector, setAddresses func(addresses []v1.PodIP)) error {
+func (p *Peers) updatePeers(ctx context.Context, getSelector func() labels.Selector, setAddresses func(addresses []v1.PodIP),
+	resetPeers func()) error {
 	p.mutex.Lock()
 	defer p.mutex.Unlock()
 
@@ -121,16 +143,19 @@ func (p *Peers) updatePeers(ctx context.Context, getSelector func() labels.Selec
 	defer cancel()
 
 	nodes := v1.NodeList{}
+
 	// get some nodes, but not ourself
 	if err := p.List(readerCtx, &nodes, client.MatchingLabelsSelector{Selector: getSelector()}); err != nil {
 		if apierrors.IsNotFound(err) {
 			// we are the only node at the moment... reset peerList
-			p.workerPeersAddresses = []v1.PodIP{}
+			resetPeers()
 		}
 		p.log.Error(err, "failed to update peer list")
 		return pkgerrors.Wrap(err, "failed to update peer list")
 	}
 
+	p.log.Info("updatePeers", "nodes", nodes)
+
 	pods := v1.PodList{}
 	listOptions := &client.ListOptions{
 		LabelSelector: labels.SelectorFromSet(labels.Set{
@@ -163,6 +188,10 @@ func (p *Peers) mapNodesToPrimaryPodIPs(nodes v1.NodeList, pods v1.PodList) ([]v
 					addresses = append(addresses, pod.Status.PodIPs[0])
 				}
 				break
+			} else {
+				p.log.Info("Skipping current node/pod combo",
+					"node.Name", node.Name,
+					"pod.Spec.NodeName", pod.Spec.NodeName)
 			}
 		}
 		if !found {
@@ -177,11 +206,16 @@ func (p *Peers) GetPeersAddresses(role Role) []v1.PodIP {
 	p.mutex.Lock()
 	defer p.mutex.Unlock()
 
+	p.log.Info("GetPeersAddresses", "workerPeersAddresses", p.workerPeersAddresses,
+		"controlPlanePeersAddresses", p.controlPlanePeersAddresses)
+
 	var addresses []v1.PodIP
 	if role == Worker {
 		addresses = p.workerPeersAddresses
+		p.log.Info("Got a request to see how many worker peers exist", "workerPeersAddresses", p.workerPeersAddresses)
 	} else {
 		addresses = p.controlPlanePeersAddresses
+		p.log.Info("Got a request to see how many control plane peers exist", "controlPlanePeersAddresses", p.controlPlanePeersAddresses)
 	}
 	//we don't want the caller to be able to change the addresses
 	//so we create a deep copy and return it
diff --git a/pkg/utils/pods.go b/pkg/utils/pods.go
index 7cb0ae37b..6b902e5d5 100644
--- a/pkg/utils/pods.go
+++ b/pkg/utils/pods.go
@@ -2,7 +2,7 @@ package utils
 
 import (
 	"context"
-	"errors"
+	"fmt"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -20,6 +20,7 @@ func GetSelfNodeRemediationAgentPod(nodeName string, r client.Reader) (*v1.Pod,
 
 	err := r.List(context.Background(), podList, &client.ListOptions{LabelSelector: selector})
 	if err != nil {
+		err = fmt.Errorf("failed to retrieve the self-node-remediation agent pod: %w", err)
 		return nil, err
 	}
 
@@ -29,5 +30,5 @@ func GetSelfNodeRemediationAgentPod(nodeName string, r client.Reader) (*v1.Pod,
 		}
 	}
 
-	return nil, errors.New("failed to find self node remediation pod matching the given node")
+	return nil, fmt.Errorf("failed to find self node remediation pod matching the given node (%s)", nodeName)
 }
diff --git a/vendor/github.com/onsi/gomega/gcustom/make_matcher.go b/vendor/github.com/onsi/gomega/gcustom/make_matcher.go
new file mode 100644
index 000000000..5372fa441
--- /dev/null
+++ b/vendor/github.com/onsi/gomega/gcustom/make_matcher.go
@@ -0,0 +1,270 @@
+/*
+package gcustom provides a simple mechanism for creating custom Gomega matchers
+*/
+package gcustom
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"text/template"
+
+	"github.com/onsi/gomega/format"
+)
+
+var interfaceType = reflect.TypeOf((*interface{})(nil)).Elem()
+var errInterface = reflect.TypeOf((*error)(nil)).Elem()
+
+var defaultTemplate = template.Must(ParseTemplate("{{if .Failure}}Custom matcher failed for:{{else}}Custom matcher succeeded (but was expected to fail) for:{{end}}\n{{.FormattedActual}}"))
+
+func formatObject(object any, indent ...uint) string {
+	indentation := uint(0)
+	if len(indent) > 0 {
+		indentation = indent[0]
+	}
+	return format.Object(object, indentation)
+}
+
+/*
+ParseTemplate allows you to precompile templates for MakeMatcher's custom matchers.
+
+Use ParseTemplate if you are concerned about performance and would like to avoid repeatedly parsing failure message templates.  The data made available to the template is documented in the WithTemplate() method of CustomGomegaMatcher.
+
+Once parsed you can pass the template in either as an argument to MakeMatcher(matchFunc, <template>) or using MakeMatcher(matchFunc).WithPrecompiledTemplate(template)
+*/
+func ParseTemplate(templ string) (*template.Template, error) {
+	return template.New("template").Funcs(template.FuncMap{
+		"format": formatObject,
+	}).Parse(templ)
+}
+
+/*
+MakeMatcher builds a Gomega-compatible matcher from a function (the matchFunc).
+
+matchFunc must return (bool, error) and take a single argument.  If you want to perform type-checking yourself pass in a matchFunc of type `func(actual any) (bool, error)`.  If you want to only operate on a specific type, pass in `func(actual DesiredType) (bool, error)`; MakeMatcher will take care of checking types for you and notifying the user if they use the matcher with an invalid type.
+
+MakeMatcher(matchFunc) builds a matcher with generic failure messages that look like:
+
+	Custom matcher failed for:
+	    <formatted actual>
+
+for the positive failure case (i.e. when Expect(actual).To(match) fails) and
+
+	Custom matcher succeeded (but was expected to fail) for:
+	     <formatted actual>
+
+for the negative case (i.e. when Expect(actual).NotTo(match) fails).
+
+There are two ways to provide a different message.  You can either provide a simple message string:
+
+	matcher := MakeMatcher(matchFunc, message)
+	matcher := MakeMatcher(matchFunc).WithMessage(message)
+
+(where message is of type string) or a template:
+
+	matcher := MakeMatcher(matchFunc).WithTemplate(templateString)
+
+where templateString is a string that is compiled by WithTemplate into a matcher.  Alternatively you can provide a precompiled template like this:
+
+	template, err = gcustom.ParseTemplate(templateString) //use gcustom's ParseTemplate to get some additional functions mixed in
+	matcher := MakeMatcher(matchFunc, template)
+	matcher := MakeMatcher(matchFunc).WithPrecompiled(template)
+
+When a simple message string is provided the positive failure message will look like:
+
+	Expected:
+		<formatted actual>
+	to <message>
+
+and the negative failure message will look like:
+
+	Expected:
+		<formatted actual>
+	not to <message>
+
+A template allows you to have greater control over the message.  For more details see the docs for WithTemplate
+*/
+func MakeMatcher(matchFunc any, args ...any) CustomGomegaMatcher {
+	t := reflect.TypeOf(matchFunc)
+	if !(t.Kind() == reflect.Func && t.NumIn() == 1 && t.NumOut() == 2 && t.Out(0).Kind() == reflect.Bool && t.Out(1).Implements(errInterface)) {
+		panic("MakeMatcher must be passed a function that takes one argument and returns (bool, error)")
+	}
+	var finalMatchFunc func(actual any) (bool, error)
+	if t.In(0) == interfaceType {
+		finalMatchFunc = matchFunc.(func(actual any) (bool, error))
+	} else {
+		matchFuncValue := reflect.ValueOf(matchFunc)
+		finalMatchFunc = reflect.MakeFunc(reflect.TypeOf(finalMatchFunc),
+			func(args []reflect.Value) []reflect.Value {
+				actual := args[0].Interface()
+				if actual == nil && reflect.TypeOf(actual) == reflect.TypeOf(nil) {
+					return matchFuncValue.Call([]reflect.Value{reflect.New(t.In(0)).Elem()})
+				} else if reflect.TypeOf(actual).AssignableTo(t.In(0)) {
+					return matchFuncValue.Call([]reflect.Value{reflect.ValueOf(actual)})
+				} else {
+					return []reflect.Value{
+						reflect.ValueOf(false),
+						reflect.ValueOf(fmt.Errorf("Matcher expected actual of type <%s>.  Got:\n%s", t.In(0), format.Object(actual, 1))),
+					}
+				}
+			}).Interface().(func(actual any) (bool, error))
+	}
+
+	matcher := CustomGomegaMatcher{
+		matchFunc:       finalMatchFunc,
+		templateMessage: defaultTemplate,
+	}
+
+	for _, arg := range args {
+		switch v := arg.(type) {
+		case string:
+			matcher = matcher.WithMessage(v)
+		case *template.Template:
+			matcher = matcher.WithPrecompiledTemplate(v)
+		}
+	}
+
+	return matcher
+}
+
+// CustomGomegaMatcher is generated by MakeMatcher - you should always use MakeMatcher to construct custom matchers
+type CustomGomegaMatcher struct {
+	matchFunc                   func(actual any) (bool, error)
+	templateMessage             *template.Template
+	templateData                any
+	customFailureMessage        func(actual any) string
+	customNegatedFailureMessage func(actual any) string
+}
+
+/*
+WithMessage returns a CustomGomegaMatcher configured with a message to display when failure occurs.  Matchers configured this way produce a positive failure message that looks like:
+
+	Expected:
+		<formatted actual>
+	to <message>
+
+and a negative failure message that looks like:
+
+	Expected:
+		<formatted actual>
+	not to <message>
+*/
+func (c CustomGomegaMatcher) WithMessage(message string) CustomGomegaMatcher {
+	return c.WithTemplate("Expected:\n{{.FormattedActual}}\n{{.To}} " + message)
+}
+
+/*
+WithTemplate compiles the passed-in template and returns a CustomGomegaMatcher configured to use that template to generate failure messages.
+
+Templates are provided the following variables and functions:
+
+{{.Failure}} - a bool that, if true, indicates this should be a positive failure message, otherwise this should be a negated failure message
+{{.NegatedFailure}} - a bool that, if true, indicates this should be a negated failure message, otherwise this should be a positive failure message
+{{.To}} - is set to "to" if this is a positive failure message and "not to" if this is a negated failure message
+{{.Actual}} - the actual passed in to the matcher
+{{.FormattedActual}} - a string representing the formatted actual.  This can be multiple lines and is always generated with an indentation of 1
+{{format <object> <optional-indentation}} - a function that allows you to use Gomega's default formatting from within the template.  The passed-in <object> is formatted and <optional-indentation> can be set to an integer to control indentation.
+
+In addition, you can provide custom data to the template by calling WithTemplate(templateString, data) (where data can be anything).  This is provided to the template as {{.Data}}.
+
+Here's a simple example of all these pieces working together:
+
+	func HaveWidget(widget Widget) OmegaMatcher {
+		return MakeMatcher(func(machine Machine) (bool, error) {
+			return machine.HasWidget(widget), nil
+		}).WithTemplate("Expected:\n{{.FormattedActual}}\n{{.To}} have widget named {{.Data.Name}}:\n{{format .Data 1}}", widget)
+	}
+
+	Expect(machine).To(HaveWidget(Widget{Name: "sprocket", Version: 2}))
+
+Would generate a failure message that looks like:
+
+	Expected:
+		<formatted machine>
+	to have widget named sprocket:
+		<formatted sprocket>
+*/
+func (c CustomGomegaMatcher) WithTemplate(templ string, data ...any) CustomGomegaMatcher {
+	return c.WithPrecompiledTemplate(template.Must(ParseTemplate(templ)), data...)
+}
+
+/*
+WithPrecompiledTemplate returns a CustomGomegaMatcher configured to use the passed-in template.  The template should be precompiled with gcustom.ParseTemplate().
+
+As with WithTemplate() you can provide a single pice of additional data as an optional argument.  This is accessed in the template via {{.Data}}
+*/
+func (c CustomGomegaMatcher) WithPrecompiledTemplate(templ *template.Template, data ...any) CustomGomegaMatcher {
+	c.templateMessage = templ
+	c.templateData = nil
+	if len(data) > 0 {
+		c.templateData = data[0]
+	}
+	return c
+}
+
+/*
+WithTemplateData() returns a CustomGomegaMatcher configured to provide it's template with the passed-in data.  The following are equivalent:
+
+MakeMatcher(matchFunc).WithTemplate(templateString, data)
+MakeMatcher(matchFunc).WithTemplate(templateString).WithTemplateData(data)
+*/
+func (c CustomGomegaMatcher) WithTemplateData(data any) CustomGomegaMatcher {
+	c.templateData = data
+	return c
+}
+
+// Match runs the passed-in match func and satisfies the GomegaMatcher interface
+func (c CustomGomegaMatcher) Match(actual any) (bool, error) {
+	return c.matchFunc(actual)
+}
+
+// FailureMessage generates the positive failure message configured via WithMessage or WithTemplate/WithPrecompiledTemplate
+// i.e. this is the failure message when Expect(actual).To(match) fails
+func (c CustomGomegaMatcher) FailureMessage(actual any) string {
+	return c.renderTemplateMessage(actual, true)
+}
+
+// NegatedFailureMessage generates the negative failure message configured via WithMessage or WithTemplate/WithPrecompiledTemplate
+// i.e. this is the failure message when Expect(actual).NotTo(match) fails
+func (c CustomGomegaMatcher) NegatedFailureMessage(actual any) string {
+	return c.renderTemplateMessage(actual, false)
+}
+
+type templateData struct {
+	Failure         bool
+	NegatedFailure  bool
+	To              string
+	FormattedActual string
+	Actual          any
+	Data            any
+}
+
+func (c CustomGomegaMatcher) renderTemplateMessage(actual any, isFailure bool) string {
+	var data templateData
+	formattedActual := format.Object(actual, 1)
+	if isFailure {
+		data = templateData{
+			Failure:         true,
+			NegatedFailure:  false,
+			To:              "to",
+			FormattedActual: formattedActual,
+			Actual:          actual,
+			Data:            c.templateData,
+		}
+	} else {
+		data = templateData{
+			Failure:         false,
+			NegatedFailure:  true,
+			To:              "not to",
+			FormattedActual: formattedActual,
+			Actual:          actual,
+			Data:            c.templateData,
+		}
+	}
+	b := &strings.Builder{}
+	err := c.templateMessage.Execute(b, data)
+	if err != nil {
+		return fmt.Sprintf("Failed to render failure message template: %s", err.Error())
+	}
+	return b.String()
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 63d8ba050..9e4fdf61d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -141,6 +141,7 @@ github.com/onsi/ginkgo/v2/types
 ## explicit; go 1.22
 github.com/onsi/gomega
 github.com/onsi/gomega/format
+github.com/onsi/gomega/gcustom
 github.com/onsi/gomega/internal
 github.com/onsi/gomega/internal/gutil
 github.com/onsi/gomega/matchers

From cb32b84434a4f3a3f37f1d06fea2e75b55f48be9 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Thu, 27 Feb 2025 09:34:05 -0600
Subject: [PATCH 02/16] This test intentionally breaks, because it proves that
 defect #251 exists and is a real problem.

---
 .../tests/controller/selfnoderemediation_controller_test.go  | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 6cdfdd22f..6df8c2458 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -548,9 +548,8 @@ var _ = Describe("SNR Controller", func() {
 			})
 
 			It("check that we actually get a triggered watchdog reboot", func() {
-				// it actually should be verifyWatchdogTriggered() but this is currently proving
-				//	that the code is broken!
-				verifyWatchdogNotTriggered()
+				// It's expected that the next line will fail, even though it shouldn't!
+				verifyWatchdogTriggered()
 			})
 		})
 

From eec805a4a8e376d28ecad432020804cd1e6cdab2 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Thu, 27 Feb 2025 10:06:43 -0600
Subject: [PATCH 03/16] Fixing breaking unit test with proposed changes to
 IsConsideredHealthy and getWorkerPeersResponse for issue #251

---
 pkg/apicheck/check.go | 51 +++++++++++++++++++++++++++++++------------
 1 file changed, 37 insertions(+), 14 deletions(-)

diff --git a/pkg/apicheck/check.go b/pkg/apicheck/check.go
index 9151a2e41..389d87764 100644
--- a/pkg/apicheck/check.go
+++ b/pkg/apicheck/check.go
@@ -178,8 +178,10 @@ func (c *ApiConnectivityCheck) Start(ctx context.Context) error {
 }
 
 // isConsideredHealthy keeps track of the number of errors reported, and when a certain amount of error occur within a certain
-// time, ask peers if this node is healthy. Returns if the node is considered to be healthy or not.
+// time, ask peers if this node is healthy. Returns if the node is considered to be healthy or not.  It is usable
+// whether this is a control plane node or a worker node
 func (c *ApiConnectivityCheck) isConsideredHealthy() bool {
+
 	isControlPlaneManagerNil := c.controlPlaneManager == nil
 
 	isWorkerNode := isControlPlaneManagerNil || !c.controlPlaneManager.IsControlPlane()
@@ -188,31 +190,52 @@ func (c *ApiConnectivityCheck) isConsideredHealthy() bool {
 		"isControlPlaneManagerNil", isControlPlaneManagerNil,
 		"isWorkerNode", isWorkerNode)
 
-	workerPeersResponse := c.getWorkerPeersResponse()
+	workerPeersResponse := c.getPeersResponse(peers.Worker)
 
 	if isWorkerNode {
-		c.config.Log.Info("isConsideredHealthy: returning result from getWorkerPeersResponse",
-			"workerPeersResponse.IsHealthy", workerPeersResponse.IsHealthy)
-		return workerPeersResponse.IsHealthy
-	} else {
-		canOtherControlPlanesBeReached := c.canOtherControlPlanesBeReached()
-		isControlPlaneHealthy := c.controlPlaneManager.IsControlPlaneHealthy(workerPeersResponse, canOtherControlPlanesBeReached)
-		c.config.Log.Info("isConsideredHealthy: returning result from IsControlPlaneHealthy",
-			"c.canOtherControlPlanesBeReached()", canOtherControlPlanesBeReached,
-			"c.controlPlaneManager.IsControlPlaneHealthy", isControlPlaneHealthy)
-		return isControlPlaneHealthy
+		if workerPeersResponse.IsHealthy {
+			c.config.Log.Info("isConsideredHealthy: I'm a worker node and my peers say I'm healthy",
+				"workerPeersResponse.IsHealthy", workerPeersResponse.IsHealthy)
+			return true
+		}
+
+		controlPlanePeersResponse := c.getPeersResponse(peers.ControlPlane)
+
+		c.config.Log.Info("isConsideredHealthy: since peers think I'm unhealthy, double checking "+
+			"by returning what the control plane nodes think of my state",
+			"controlPlanePeersResponse.IsHealthy", controlPlanePeersResponse.IsHealthy)
+		return controlPlanePeersResponse.IsHealthy
+
 	}
 
+	controlPlanePeersResponse := c.getPeersResponse(peers.ControlPlane)
+
+	c.config.Log.Info("isConsideredHealthy: control planes report my health status",
+		"controlPlanePeersResponse.IsHealthy", controlPlanePeersResponse.IsHealthy)
+
+	isControlPlaneHealthy := c.controlPlaneManager.IsControlPlaneHealthy(controlPlanePeersResponse,
+		c.canOtherControlPlanesBeReached())
+
+	c.config.Log.Info("isConsideredHealthy: we have checked the control plane peer responses and cross "+
+		"checked it against the control plane diagnostics ",
+		"isControlPlaneHealthy", controlPlanePeersResponse.IsHealthy)
+
+	return isControlPlaneHealthy
+
 }
 
-func (c *ApiConnectivityCheck) getWorkerPeersResponse() peers.Response {
+func (c *ApiConnectivityCheck) getPeersResponse(role peers.Role) peers.Response {
 	c.errorCount++
 	if c.errorCount < c.config.MaxErrorsThreshold {
 		c.config.Log.Info("Ignoring api-server error, error count below threshold", "current count", c.errorCount, "threshold", c.config.MaxErrorsThreshold)
 		return peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseErrorsThresholdNotReached}
 	}
+	c.config.Log.Info("Error count was above threshold, we will continue and attempt to get the addressess" +
+		" for our peers, I consider myself a WORKER at the moment")
 
-	peersToAsk := c.config.Peers.GetPeersAddresses(peers.Worker)
+	// MES: This gets called even if the current node is a control plane node.  Hopefully
+	//	in an actual environment it is returning actual worker peers
+	peersToAsk := c.config.Peers.GetPeersAddresses(role)
 
 	c.config.Log.Info("Error count exceeds threshold, trying to ask other peer nodes if I'm healthy",
 		"minPeersRequired", c.config.MinPeersForRemediation, "actualNumPeersFound", len(peersToAsk))

From 17bde373e079a1b4a638af662949911c40ececc4 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Fri, 28 Feb 2025 08:51:20 -0600
Subject: [PATCH 04/16] gofmt updates to watchdog_test after running the local
 "make test" command.

---
 controllers/tests/shared/shared.go   | 2 +-
 pkg/peerhealth/peerhealth.pb.go      | 5 ++---
 pkg/peerhealth/peerhealth_grpc.pb.go | 1 -
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index 1b889f5f3..5c04e18f8 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"net"
-	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"time"
 
 	"github.com/google/uuid"
@@ -17,6 +16,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
 	selfNodeRemediation "github.com/medik8s/self-node-remediation/api"
 	selfnoderemediationv1alpha1 "github.com/medik8s/self-node-remediation/api/v1alpha1"
diff --git a/pkg/peerhealth/peerhealth.pb.go b/pkg/peerhealth/peerhealth.pb.go
index e97011753..6d86fdbeb 100644
--- a/pkg/peerhealth/peerhealth.pb.go
+++ b/pkg/peerhealth/peerhealth.pb.go
@@ -7,11 +7,10 @@
 package peerhealth
 
 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
 )
 
 const (
diff --git a/pkg/peerhealth/peerhealth_grpc.pb.go b/pkg/peerhealth/peerhealth_grpc.pb.go
index 4c1c8a582..cf883900b 100644
--- a/pkg/peerhealth/peerhealth_grpc.pb.go
+++ b/pkg/peerhealth/peerhealth_grpc.pb.go
@@ -4,7 +4,6 @@ package peerhealth
 
 import (
 	context "context"
-
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"

From 281a674455839d383110ac77a21ec78cc8f0aadd Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Tue, 7 Oct 2025 14:39:06 -0500
Subject: [PATCH 05/16] Mostly cleanup + clarifications

---
 .../selfnoderemediation_controller_test.go    | 15 ++--
 controllers/tests/controller/suite_test.go    |  3 +
 controllers/tests/shared/shared.go            | 77 +++++++++++++++----
 pkg/apicheck/check.go                         | 19 +++--
 4 files changed, 84 insertions(+), 30 deletions(-)

diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 6df8c2458..0f032eb1c 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -1269,10 +1269,15 @@ func configureUnhealthyNodeAsControlNode() {
 func configureSimulatedPeerResponses(simulateResponses bool) {
 	By("Start simulating peer responses", func() {
 		orgValue := apiCheck.ShouldSimulatePeerResponses
+		orgResponses := apiCheck.SnapshotSimulatedPeerResponses()
 		apiCheck.ShouldSimulatePeerResponses = simulateResponses
+		if simulateResponses {
+			apiCheck.ClearSimulatedPeerResponses()
+		}
 
 		DeferCleanup(func() {
 			apiCheck.ShouldSimulatePeerResponses = orgValue
+			apiCheck.RestoreSimulatedPeerResponses(orgResponses)
 		})
 	})
 }
@@ -1357,21 +1362,13 @@ func addNodes(nodes []newNodeConfig) {
 			for _, pod := range np.pods {
 				By(fmt.Sprintf("Create pod '%s' under node '%s'", pod.name, np.nodeName), func() {
 					_ = createGenericSelfNodeRemediationPod(createdNode, pod.name)
-					apiCheck.SimulatePeerResponses = append(apiCheck.SimulatePeerResponses, pod.simulatedResponse)
+					apiCheck.AppendSimulatedPeerResponse(pod.simulatedResponse)
 				})
 
 			}
 
 		}
 
-		DeferCleanup(func() {
-			By("Removing the additional peer nodes when all relevant tests are complete", func() {
-				Expect(k8sClient.Delete(context.Background(), getNode(shared.Peer2NodeName))).To(Succeed())
-				Expect(k8sClient.Delete(context.Background(), getNode(shared.Peer3NodeName))).To(Succeed())
-			})
-			return
-		})
-
 	})
 }
 
diff --git a/controllers/tests/controller/suite_test.go b/controllers/tests/controller/suite_test.go
index d806c420e..44852b26f 100644
--- a/controllers/tests/controller/suite_test.go
+++ b/controllers/tests/controller/suite_test.go
@@ -168,6 +168,9 @@ var _ = BeforeSuite(func() {
 
 	apiCheck = shared.NewApiConnectivityCheckWrapper(apiConnectivityCheckConfig, nil)
 
+	// default to simulation so the ApiConnectivityCheck doesn't try to dial peers before tests install handlers
+	apiCheck.ShouldSimulatePeerResponses = true
+
 	err = k8sManager.Add(apiCheck)
 	Expect(err).ToNot(HaveOccurred())
 
diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index 5c04e18f8..3544bb2a6 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"net"
+	"sync"
 	"time"
 
 	"github.com/google/uuid"
@@ -57,11 +58,11 @@ type K8sClientWrapper struct {
 }
 
 type ApiConnectivityCheckWrapper struct {
-	apicheck.ApiConnectivityCheck
+	*apicheck.ApiConnectivityCheck
 	ShouldSimulatePeerResponses bool
 
-	// store responses that we should override for any peer responses
-	SimulatePeerResponses []selfNodeRemediation.HealthCheckResponseCode
+	responsesMu            sync.Mutex
+	simulatedPeerResponses []selfNodeRemediation.HealthCheckResponseCode
 }
 
 func (kcw *K8sClientWrapper) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) (err error) {
@@ -107,29 +108,75 @@ func GetRandomIpAddress() (randomIP string) {
 }
 
 func NewApiConnectivityCheckWrapper(ck *apicheck.ApiConnectivityCheckConfig, controlPlaneManager *controlplane.Manager) (ckw *ApiConnectivityCheckWrapper) {
+	inner := apicheck.New(ck, controlPlaneManager)
 	ckw = &ApiConnectivityCheckWrapper{
-		ApiConnectivityCheck:        *apicheck.New(ck, controlPlaneManager),
+		ApiConnectivityCheck:        inner,
 		ShouldSimulatePeerResponses: false,
-		SimulatePeerResponses:       []selfNodeRemediation.HealthCheckResponseCode{},
+		simulatedPeerResponses:      []selfNodeRemediation.HealthCheckResponseCode{},
 	}
 
-	ckw.ApiConnectivityCheck.SetHealthStatusFunc(func(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode) {
-		switch {
-		case ckw.ShouldSimulatePeerResponses:
-			for _, code := range ckw.SimulatePeerResponses {
-				results <- code
-			}
-
+	inner.SetHealthStatusFunc(func(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode) {
+		if ckw.ShouldSimulatePeerResponses {
+			results <- ckw.nextSimulatedPeerResponse()
 			return
-		default:
-			ckw.ApiConnectivityCheck.GetDefaultPeerHealthCheckFunc()(endpointIp, results)
-			break
 		}
+
+		ckw.GetDefaultPeerHealthCheckFunc()(endpointIp, results)
 	})
 
 	return
 }
 
+func (ckw *ApiConnectivityCheckWrapper) nextSimulatedPeerResponse() selfNodeRemediation.HealthCheckResponseCode {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+
+	if len(ckw.simulatedPeerResponses) == 0 {
+		return selfNodeRemediation.RequestFailed
+	}
+
+	code := ckw.simulatedPeerResponses[0]
+	if len(ckw.simulatedPeerResponses) > 1 {
+		ckw.simulatedPeerResponses = append([]selfNodeRemediation.HealthCheckResponseCode{}, ckw.simulatedPeerResponses[1:]...)
+	}
+
+	return code
+}
+
+func (ckw *ApiConnectivityCheckWrapper) AppendSimulatedPeerResponse(code selfNodeRemediation.HealthCheckResponseCode) {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	ckw.simulatedPeerResponses = append(ckw.simulatedPeerResponses, code)
+}
+
+func (ckw *ApiConnectivityCheckWrapper) ClearSimulatedPeerResponses() {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	ckw.simulatedPeerResponses = nil
+}
+
+func (ckw *ApiConnectivityCheckWrapper) SnapshotSimulatedPeerResponses() []selfNodeRemediation.HealthCheckResponseCode {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	if len(ckw.simulatedPeerResponses) == 0 {
+		return nil
+	}
+	snapshot := make([]selfNodeRemediation.HealthCheckResponseCode, len(ckw.simulatedPeerResponses))
+	copy(snapshot, ckw.simulatedPeerResponses)
+	return snapshot
+}
+
+func (ckw *ApiConnectivityCheckWrapper) RestoreSimulatedPeerResponses(codes []selfNodeRemediation.HealthCheckResponseCode) {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	if len(codes) == 0 {
+		ckw.simulatedPeerResponses = nil
+		return
+	}
+	ckw.simulatedPeerResponses = make([]selfNodeRemediation.HealthCheckResponseCode, len(codes))
+	copy(ckw.simulatedPeerResponses, codes)
+}
+
 func GenerateTestConfig() *selfnoderemediationv1alpha1.SelfNodeRemediationConfig {
 	return &selfnoderemediationv1alpha1.SelfNodeRemediationConfig{
 		TypeMeta: metav1.TypeMeta{
diff --git a/pkg/apicheck/check.go b/pkg/apicheck/check.go
index 389d87764..80fecd98e 100644
--- a/pkg/apicheck/check.go
+++ b/pkg/apicheck/check.go
@@ -230,15 +230,22 @@ func (c *ApiConnectivityCheck) getPeersResponse(role peers.Role) peers.Response
 		c.config.Log.Info("Ignoring api-server error, error count below threshold", "current count", c.errorCount, "threshold", c.config.MaxErrorsThreshold)
 		return peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseErrorsThresholdNotReached}
 	}
-	c.config.Log.Info("Error count was above threshold, we will continue and attempt to get the addressess" +
-		" for our peers, I consider myself a WORKER at the moment")
+	roleName := "worker"
+	if role == peers.ControlPlane {
+		roleName = "control-plane"
+	}
+
+	c.config.Log.Info("Error count was above threshold, attempting to collect peer addresses",
+		"role", roleName)
 
-	// MES: This gets called even if the current node is a control plane node.  Hopefully
-	//	in an actual environment it is returning actual worker peers
+	// MES: This gets called even if the current node is a control plane node. Hopefully
+	// in an actual environment it is returning actual worker peers when the role is worker.
 	peersToAsk := c.config.Peers.GetPeersAddresses(role)
 
-	c.config.Log.Info("Error count exceeds threshold, trying to ask other peer nodes if I'm healthy",
-		"minPeersRequired", c.config.MinPeersForRemediation, "actualNumPeersFound", len(peersToAsk))
+	c.config.Log.Info("Error count exceeds threshold, querying peer nodes for health",
+		"role", roleName,
+		"minPeersRequired", c.config.MinPeersForRemediation,
+		"actualNumPeersFound", len(peersToAsk))
 
 	// We check to see if we have at least the number of peers that the user has configured as required.
 	//  If we don't have this many peers (for instance there are zero peers, and the default value is set

From 7d3b4f9875dfe2df7bf47a6959da9b5a01658167 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Wed, 8 Oct 2025 09:51:42 -0500
Subject: [PATCH 06/16] Working on fencing logic redesign

---
 controllers/tests/shared/shared.go | 60 +++++++++++++++++++++++++++++-
 1 file changed, 58 insertions(+), 2 deletions(-)

diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index 3544bb2a6..9d0bfa401 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -23,6 +23,7 @@ import (
 	selfnoderemediationv1alpha1 "github.com/medik8s/self-node-remediation/api/v1alpha1"
 	"github.com/medik8s/self-node-remediation/pkg/apicheck"
 	"github.com/medik8s/self-node-remediation/pkg/controlplane"
+	"github.com/medik8s/self-node-remediation/pkg/peers"
 	"github.com/medik8s/self-node-remediation/pkg/reboot"
 )
 
@@ -61,10 +62,18 @@ type ApiConnectivityCheckWrapper struct {
 	*apicheck.ApiConnectivityCheck
 	ShouldSimulatePeerResponses bool
 
-	responsesMu            sync.Mutex
-	simulatedPeerResponses []selfNodeRemediation.HealthCheckResponseCode
+	responsesMu              sync.Mutex
+	simulatedPeerResponses   []selfNodeRemediation.HealthCheckResponseCode
+	peersOverride            PeersOverrideFunc
+	workerLastResponse       time.Time
+	controlPlaneLastResponse time.Time
 }
 
+// PeersOverrideFunc allows tests to supply synthetic peer address lists without
+// altering the production wiring. Phase 0 only stores the function; upcoming
+// phases decide how the ApiConnectivityCheck consumes it.
+type PeersOverrideFunc func(role peers.Role) []corev1.PodIP
+
 func (kcw *K8sClientWrapper) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) (err error) {
 	switch {
 	case kcw.ShouldSimulateFailure:
@@ -177,6 +186,53 @@ func (ckw *ApiConnectivityCheckWrapper) RestoreSimulatedPeerResponses(codes []se
 	copy(ckw.simulatedPeerResponses, codes)
 }
 
+// SetPeersOverride registers a custom provider for peer address lists.
+func (ckw *ApiConnectivityCheckWrapper) SetPeersOverride(fn PeersOverrideFunc) {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	ckw.peersOverride = fn
+}
+
+// ClearPeersOverride removes any previously configured peer provider.
+func (ckw *ApiConnectivityCheckWrapper) ClearPeersOverride() {
+	ckw.SetPeersOverride(nil)
+}
+
+// PeersOverride exposes the currently configured override, if any.
+func (ckw *ApiConnectivityCheckWrapper) PeersOverride() PeersOverrideFunc {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	return ckw.peersOverride
+}
+
+// RecordWorkerPeerResponse updates the last time a worker-role peer responded.
+func (ckw *ApiConnectivityCheckWrapper) RecordWorkerPeerResponse(t time.Time) {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	ckw.workerLastResponse = t
+}
+
+// WorkerPeerLastResponse returns the timestamp captured via RecordWorkerPeerResponse.
+func (ckw *ApiConnectivityCheckWrapper) WorkerPeerLastResponse() time.Time {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	return ckw.workerLastResponse
+}
+
+// RecordControlPlanePeerResponse updates the last time a control-plane peer responded.
+func (ckw *ApiConnectivityCheckWrapper) RecordControlPlanePeerResponse(t time.Time) {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	ckw.controlPlaneLastResponse = t
+}
+
+// ControlPlanePeerLastResponse returns the timestamp captured via RecordControlPlanePeerResponse.
+func (ckw *ApiConnectivityCheckWrapper) ControlPlanePeerLastResponse() time.Time {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	return ckw.controlPlaneLastResponse
+}
+
 func GenerateTestConfig() *selfnoderemediationv1alpha1.SelfNodeRemediationConfig {
 	return &selfnoderemediationv1alpha1.SelfNodeRemediationConfig{
 		TypeMeta: metav1.TypeMeta{

From 4a6630453c36cfc34fb860848dff96425e8077fa Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Wed, 8 Oct 2025 09:54:44 -0500
Subject: [PATCH 07/16] Working on fencing logic redesign

---
 pkg/apicheck/failure_tracker.go      | 33 +++++++++++++++
 pkg/apicheck/failure_tracker_test.go | 63 ++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 pkg/apicheck/failure_tracker.go
 create mode 100644 pkg/apicheck/failure_tracker_test.go

diff --git a/pkg/apicheck/failure_tracker.go b/pkg/apicheck/failure_tracker.go
new file mode 100644
index 000000000..6c6e13c38
--- /dev/null
+++ b/pkg/apicheck/failure_tracker.go
@@ -0,0 +1,33 @@
+package apicheck
+
+import "time"
+
+// FailureTracker keeps lightweight state about recent API failures so callers can
+// decide when to escalate to peer queries. The initial implementation is a stub
+// and will be fleshed out in subsequent phases.
+type FailureTracker struct {
+	consecutive  int
+	firstFailure time.Time
+}
+
+// NewFailureTracker creates an empty tracker.
+func NewFailureTracker() *FailureTracker {
+	return &FailureTracker{}
+}
+
+// RecordFailure notes that a failure occurred at the supplied time.
+func (ft *FailureTracker) RecordFailure(_ time.Time) {
+	ft.consecutive++
+}
+
+// Reset clears any recorded failures.
+func (ft *FailureTracker) Reset() {
+	ft.consecutive = 0
+	ft.firstFailure = time.Time{}
+}
+
+// ShouldEscalate reports whether the accumulated failures warrant escalation.
+// The stub always returns false; behaviour will be implemented in later phases.
+func (ft *FailureTracker) ShouldEscalate(_ time.Time, _ time.Duration) bool {
+	return false
+}
diff --git a/pkg/apicheck/failure_tracker_test.go b/pkg/apicheck/failure_tracker_test.go
new file mode 100644
index 000000000..724a1c478
--- /dev/null
+++ b/pkg/apicheck/failure_tracker_test.go
@@ -0,0 +1,63 @@
+package apicheck
+
+import (
+	"testing"
+	"time"
+)
+
+func TestFailureTrackerEscalatesAfterWindow(t *testing.T) {
+	tracker := NewFailureTracker()
+	window := 3 * time.Second
+	start := time.Unix(0, 0)
+
+	tracker.RecordFailure(start)
+	if tracker.ShouldEscalate(start, window) {
+		t.Fatalf("unexpected escalation after initial failure")
+	}
+
+	tracker.RecordFailure(start.Add(1 * time.Second))
+	if tracker.ShouldEscalate(start.Add(1*time.Second), window) {
+		t.Fatalf("unexpected escalation before window elapsed")
+	}
+
+	tracker.RecordFailure(start.Add(window))
+	if !tracker.ShouldEscalate(start.Add(window), window) {
+		t.Fatalf("expected escalation after sustained failures")
+	}
+}
+
+func TestFailureTrackerResetClearsState(t *testing.T) {
+	tracker := NewFailureTracker()
+	window := 2 * time.Second
+	start := time.Unix(0, 0)
+
+	tracker.RecordFailure(start)
+	tracker.RecordFailure(start.Add(1 * time.Second))
+	if tracker.ShouldEscalate(start.Add(1*time.Second), window) {
+		t.Fatalf("unexpected escalation before reset")
+	}
+
+	tracker.Reset()
+
+	tracker.RecordFailure(start.Add(3 * time.Second))
+	if tracker.ShouldEscalate(start.Add(3*time.Second), window) {
+		t.Fatalf("reset should clear escalation state")
+	}
+}
+
+func TestFailureTrackerIntermittentFailuresDoNotEscalate(t *testing.T) {
+	tracker := NewFailureTracker()
+	window := 2 * time.Second
+	start := time.Unix(0, 0)
+
+	tracker.RecordFailure(start)
+	if tracker.ShouldEscalate(start, window) {
+		t.Fatalf("unexpected escalation on first intermittent failure")
+	}
+
+	// next failure occurs after the window, so escalation should not trigger
+	tracker.RecordFailure(start.Add(3 * time.Second))
+	if tracker.ShouldEscalate(start.Add(3*time.Second), window) {
+		t.Fatalf("intermittent failures should not escalate")
+	}
+}

From 6cae9e26e0c5c22c7745a2d831722b2ccc222e64 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Wed, 8 Oct 2025 09:59:43 -0500
Subject: [PATCH 08/16] failing test added

---
 pkg/apicheck/check_internal_test.go | 48 +++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 pkg/apicheck/check_internal_test.go

diff --git a/pkg/apicheck/check_internal_test.go b/pkg/apicheck/check_internal_test.go
new file mode 100644
index 000000000..79fb755e8
--- /dev/null
+++ b/pkg/apicheck/check_internal_test.go
@@ -0,0 +1,48 @@
+package apicheck
+
+import (
+	"reflect"
+	"testing"
+	"unsafe"
+
+	corev1 "k8s.io/api/core/v1"
+
+	selfnode "github.com/medik8s/self-node-remediation/api"
+	"github.com/medik8s/self-node-remediation/pkg/peers"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// helper to mutate unexported slice fields in peers.Peers for test purposes.
+func setPeerAddresses(p *peers.Peers, field string, addrs []corev1.PodIP) {
+	val := reflect.ValueOf(p).Elem().FieldByName(field)
+	ptr := unsafe.Pointer(val.UnsafeAddr())
+	slice := (*[]corev1.PodIP)(ptr)
+	*slice = addrs
+}
+
+func TestWorkerEscalatesWhenControlPlanePeersUnavailable(t *testing.T) {
+	workerAddr := []corev1.PodIP{{IP: "10.0.0.10"}}
+	peerStore := &peers.Peers{}
+	setPeerAddresses(peerStore, "workerPeersAddresses", workerAddr)
+	setPeerAddresses(peerStore, "controlPlanePeersAddresses", nil)
+
+	cfg := &ApiConnectivityCheckConfig{
+		Log:                    logf.Log.WithName("test"),
+		MyNodeName:             "worker-1",
+		MyMachineName:          "machine-1",
+		MaxErrorsThreshold:     1,
+		Peers:                  peerStore,
+		MinPeersForRemediation: 1,
+	}
+
+	check := &ApiConnectivityCheck{config: cfg}
+	check.SetHealthStatusFunc(func(_ corev1.PodIP, results chan<- selfnode.HealthCheckResponseCode) {
+		results <- selfnode.Unhealthy
+	})
+
+	check.errorCount = cfg.MaxErrorsThreshold
+
+	if healthy := check.isConsideredHealthy(); healthy {
+		t.Fatalf("expected worker to treat lack of control-plane peers as unhealthy")
+	}
+}

From 638a365152a526666a031058a8030df7b667510a Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Wed, 8 Oct 2025 10:17:25 -0500
Subject: [PATCH 09/16] failing test added

---
 pkg/controlplane/manager_internal_test.go | 32 +++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 pkg/controlplane/manager_internal_test.go

diff --git a/pkg/controlplane/manager_internal_test.go b/pkg/controlplane/manager_internal_test.go
new file mode 100644
index 000000000..0d5e390d9
--- /dev/null
+++ b/pkg/controlplane/manager_internal_test.go
@@ -0,0 +1,32 @@
+package controlplane
+
+import (
+	"testing"
+
+	"github.com/medik8s/self-node-remediation/pkg/peers"
+)
+
+type fakePeerResponse struct {
+	response peers.Response
+	canReach bool
+}
+
+func TestIsControlPlaneHealthyFlagsIsolation(t *testing.T) {
+	mgr := &Manager{}
+	mgr.nodeName = "cp-1"
+
+	resp := peers.Response{IsHealthy: false, Reason: peers.UnHealthyBecauseNodeIsIsolated}
+	if healthy := mgr.IsControlPlaneHealthy(resp, false); healthy {
+		t.Fatalf("expected isolation to mark node unhealthy when other control planes unreachable")
+	}
+}
+
+func TestIsControlPlaneHealthyChecksDiagnosticsWhenPeersReportAPIFailure(t *testing.T) {
+	mgr := &Manager{}
+	mgr.nodeName = "cp-1"
+
+	resp := peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseMostPeersCantAccessAPIServer}
+	if healthy := mgr.IsControlPlaneHealthy(resp, true); healthy {
+		t.Fatalf("expected diagnostics to influence decision when peers report API outage")
+	}
+}

From 153947b401c0ba8d7d22d731c6a8dbd02e730312 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Wed, 8 Oct 2025 10:25:03 -0500
Subject: [PATCH 10/16] failing test added

---
 .../selfnoderemediation_controller_test.go    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 0f032eb1c..8ab7125b2 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -28,6 +28,7 @@ import (
 	"github.com/medik8s/self-node-remediation/controllers"
 	"github.com/medik8s/self-node-remediation/controllers/tests/shared"
 	"github.com/medik8s/self-node-remediation/pkg/controlplane"
+	"github.com/medik8s/self-node-remediation/pkg/peers"
 	"github.com/medik8s/self-node-remediation/pkg/utils"
 	"github.com/medik8s/self-node-remediation/pkg/watchdog"
 )
@@ -502,6 +503,22 @@ var _ = Describe("SNR Controller", func() {
 		})
 	})
 
+	Context("Control-plane isolation (pre-redesign)", func() {
+		It("should mark control-plane unhealthy when workers report CR but no control-plane peers respond", func() {
+			configureUnhealthyNodeAsControlNode()
+			configureSimulatedPeerResponses(true)
+			configurePeersOverride(func(role peers.Role) []v1.PodIP {
+				if role == peers.ControlPlane {
+					return nil
+				}
+				return []v1.PodIP{{IP: "10.0.0.11"}}
+			})
+			apiCheck.AppendSimulatedPeerResponse(api.Unhealthy)
+
+			Expect(true).To(BeFalse(), "expected isolation redesign to flag control-plane unhealthy")
+		})
+	})
+
 	Context("Unhealthy node without api-server access", func() {
 
 		Context("two control node peers found, they tell me I'm unhealthy", func() {
@@ -1278,10 +1295,19 @@ func configureSimulatedPeerResponses(simulateResponses bool) {
 		DeferCleanup(func() {
 			apiCheck.ShouldSimulatePeerResponses = orgValue
 			apiCheck.RestoreSimulatedPeerResponses(orgResponses)
+			if !simulateResponses {
+				apiCheck.SetPeersOverride(nil)
+			}
 		})
 	})
 }
 
+func configurePeersOverride(fn shared.PeersOverrideFunc) {
+	By("Configure peer override", func() {
+		apiCheck.SetPeersOverride(fn)
+	})
+}
+
 func configureApiServerSimulatedFailures(simulateResponses bool) {
 	By("Configure k8s client to simulate API server failures", func() {
 		orgValue := k8sClient.ShouldSimulateFailure

From 8d6eb2053101feac49ad6d90b19c70bdc4f373be Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Wed, 8 Oct 2025 11:46:00 -0500
Subject: [PATCH 11/16] implementation wip

---
 .../control_plane_isolation_testdata.md       |  12 +
 .../selfnoderemediation_controller_test.go    |   5 +-
 controllers/tests/shared/shared.go            |  10 +-
 main.go                                       |  17 +
 pkg/apicheck/check.go                         | 420 ++++++++++++------
 pkg/apicheck/check_internal_test.go           |  10 +-
 pkg/apicheck/failure_tracker.go               |  71 ++-
 pkg/controlplane/manager.go                   |  60 ++-
 pkg/controlplane/manager_internal_test.go     |  17 +-
 9 files changed, 430 insertions(+), 192 deletions(-)
 create mode 100644 controllers/tests/controller/control_plane_isolation_testdata.md

diff --git a/controllers/tests/controller/control_plane_isolation_testdata.md b/controllers/tests/controller/control_plane_isolation_testdata.md
new file mode 100644
index 000000000..0104f49d1
--- /dev/null
+++ b/controllers/tests/controller/control_plane_isolation_testdata.md
@@ -0,0 +1,12 @@
+# Control Plane Isolation Test Data
+
+Legacy behaviour:
+- Worker-only feedback; no escalation to control-plane peers.
+- Diagnostics run only after worker peers declare CR.
+- Isolation inferred late, leading to false healthy outcome.
+
+Redesigned behaviour expectations:
+- workers report CR -> query control-plane quorum -> treat absence as unhealthy.
+- isolate after `PeerQuorumTimeout` without waiting for worker chatter.
+
+This file documents test expectations to keep the scenario reproducible.
diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 8ab7125b2..0e8141ad5 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -506,6 +506,8 @@ var _ = Describe("SNR Controller", func() {
 	Context("Control-plane isolation (pre-redesign)", func() {
 		It("should mark control-plane unhealthy when workers report CR but no control-plane peers respond", func() {
 			configureUnhealthyNodeAsControlNode()
+			configureRemediationStrategy(v1alpha1.AutomaticRemediationStrategy)
+			configureApiServerSimulatedFailures(true)
 			configureSimulatedPeerResponses(true)
 			configurePeersOverride(func(role peers.Role) []v1.PodIP {
 				if role == peers.ControlPlane {
@@ -513,9 +515,10 @@ var _ = Describe("SNR Controller", func() {
 				}
 				return []v1.PodIP{{IP: "10.0.0.11"}}
 			})
+			createSNR(snr, v1alpha1.AutomaticRemediationStrategy)
 			apiCheck.AppendSimulatedPeerResponse(api.Unhealthy)
 
-			Expect(true).To(BeFalse(), "expected isolation redesign to flag control-plane unhealthy")
+			verifyWatchdogTriggered()
 		})
 	})
 
diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index 9d0bfa401..3457e18a4 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -189,8 +189,16 @@ func (ckw *ApiConnectivityCheckWrapper) RestoreSimulatedPeerResponses(codes []se
 // SetPeersOverride registers a custom provider for peer address lists.
 func (ckw *ApiConnectivityCheckWrapper) SetPeersOverride(fn PeersOverrideFunc) {
 	ckw.responsesMu.Lock()
-	defer ckw.responsesMu.Unlock()
 	ckw.peersOverride = fn
+	ckw.responsesMu.Unlock()
+
+	var wrapped apicheck.PeersOverrideFunc
+	if fn != nil {
+		wrapped = func(role peers.Role) []corev1.PodIP {
+			return fn(role)
+		}
+	}
+	ckw.ApiConnectivityCheck.SetPeersOverride(wrapped)
 }
 
 // ClearPeersOverride removes any previously configured peer provider.
diff --git a/main.go b/main.go
index a2785a312..fbca63e71 100644
--- a/main.go
+++ b/main.go
@@ -251,6 +251,19 @@ func getDurEnvVarOrDie(varName string) time.Duration {
 	return time.Duration(intVar)
 }
 
+func getOptionalDurEnvVar(varName string, fallback time.Duration) time.Duration {
+	val, exists := os.LookupEnv(varName)
+	if !exists || val == "" {
+		return fallback
+	}
+	parsed, err := strconv.Atoi(val)
+	if err != nil {
+		setupLog.Error(err, "failed to convert env variable to int", "var name", varName, "var value", val)
+		os.Exit(1)
+	}
+	return time.Duration(parsed)
+}
+
 func getIntEnvVarOrDie(varName string) int {
 	// determine safe reboot time
 	varVal := os.Getenv(varName)
@@ -316,6 +329,8 @@ func initSelfNodeRemediationAgent(mgr manager.Manager) {
 	peerDialTimeout := getDurEnvVarOrDie("PEER_DIAL_TIMEOUT")         //timeout for establishing connection to peer
 	peerRequestTimeout := getDurEnvVarOrDie("PEER_REQUEST_TIMEOUT")   //timeout for each peer request
 	peerHealthDefaultPort := getIntEnvVarOrDie("HOST_PORT")
+	failureWindow := getOptionalDurEnvVar("MAX_API_FAILURE_WINDOW", apiCheckInterval*time.Duration(maxErrorThreshold))
+	peerQuorumTimeout := getOptionalDurEnvVar("PEER_QUORUM_TIMEOUT", reboot.MaxTimeForNoPeersResponse)
 
 	// it's fine when the watchdog is nil!
 	rebooter := reboot.NewWatchdogRebooter(wd, ctrl.Log.WithName("rebooter"))
@@ -345,6 +360,8 @@ func initSelfNodeRemediationAgent(mgr manager.Manager) {
 		PeerHealthPort:            peerHealthDefaultPort,
 		MaxTimeForNoPeersResponse: reboot.MaxTimeForNoPeersResponse,
 		Recorder:                  mgr.GetEventRecorderFor("ApiConnectivityCheck"),
+		FailureWindow:             failureWindow,
+		PeerQuorumTimeout:         peerQuorumTimeout,
 	}
 
 	controlPlaneManager := controlplane.NewManager(myNodeName, mgr.GetClient())
diff --git a/pkg/apicheck/check.go b/pkg/apicheck/check.go
index 80fecd98e..54dea973f 100644
--- a/pkg/apicheck/check.go
+++ b/pkg/apicheck/check.go
@@ -33,15 +33,19 @@ const (
 	eventReasonPeerTimeoutAdjusted = "PeerTimeoutAdjusted"
 )
 
+type PeersOverrideFunc func(role peers.Role) []corev1.PodIP
+
 type ApiConnectivityCheck struct {
 	client.Reader
 	config                        *ApiConnectivityCheckConfig
-	errorCount                    int
-	timeOfLastPeerResponse        time.Time
+	failureTracker                *FailureTracker
+	workerLastPeerResponse        time.Time
+	controlPlaneLastPeerResponse  time.Time
 	clientCreds                   credentials.TransportCredentials
 	mutex                         sync.Mutex
 	controlPlaneManager           *controlplane.Manager
 	getHealthStatusFromRemoteFunc GetHealthStatusFromRemoteFunc
+	peerOverride                  PeersOverrideFunc
 }
 
 type GetHealthStatusFromRemoteFunc func(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode)
@@ -63,14 +67,18 @@ type ApiConnectivityCheckConfig struct {
 	MaxTimeForNoPeersResponse time.Duration
 	MinPeersForRemediation    int
 	Recorder                  record.EventRecorder
+	FailureWindow             time.Duration
+	PeerQuorumTimeout         time.Duration
 }
 
 func New(config *ApiConnectivityCheckConfig, controlPlaneManager *controlplane.Manager) (c *ApiConnectivityCheck) {
 	c = &ApiConnectivityCheck{
-		config:                 config,
-		mutex:                  sync.Mutex{},
-		controlPlaneManager:    controlPlaneManager,
-		timeOfLastPeerResponse: time.Now(),
+		config:                       config,
+		mutex:                        sync.Mutex{},
+		controlPlaneManager:          controlPlaneManager,
+		failureTracker:               NewFailureTracker(),
+		workerLastPeerResponse:       time.Now(),
+		controlPlaneLastPeerResponse: time.Now(),
 	}
 
 	c.SetHealthStatusFunc(c.GetDefaultPeerHealthCheckFunc())
@@ -131,6 +139,12 @@ func (c *ApiConnectivityCheck) SetControlPlaneManager(manager *controlplane.Mana
 	c.controlPlaneManager = manager
 }
 
+func (c *ApiConnectivityCheck) SetPeersOverride(fn PeersOverrideFunc) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+	c.peerOverride = fn
+}
+
 func (c *ApiConnectivityCheck) Start(ctx context.Context) error {
 
 	cs, err := clientset.NewForConfig(c.config.Cfg)
@@ -169,8 +183,10 @@ func (c *ApiConnectivityCheck) Start(ctx context.Context) error {
 			return
 		}
 
-		// reset error count after a successful API call
-		c.errorCount = 0
+		// reset failure tracker after a successful API call
+		if c.failureTracker != nil {
+			c.failureTracker.Reset()
+		}
 
 	}, c.config.CheckInterval)
 
@@ -181,183 +197,317 @@ func (c *ApiConnectivityCheck) Start(ctx context.Context) error {
 // time, ask peers if this node is healthy. Returns if the node is considered to be healthy or not.  It is usable
 // whether this is a control plane node or a worker node
 func (c *ApiConnectivityCheck) isConsideredHealthy() bool {
+	now := time.Now()
+	tracker := c.ensureFailureTracker()
+	window := c.effectiveFailureWindow()
+	tracker.RecordFailure(now)
+
+	if !tracker.ShouldEscalate(now, window) {
+		c.config.Log.V(1).Info("failure threshold not met, remaining healthy",
+			"now", now,
+			"window", window)
+		return true
+	}
 
-	isControlPlaneManagerNil := c.controlPlaneManager == nil
+	if c.isWorkerNode() {
+		outcome := c.evaluateWorker(now)
+		c.config.Log.Info("worker evaluation complete", "outcome", outcome)
+		return c.outcomeIsHealthyForWorker(outcome)
+	}
 
-	isWorkerNode := isControlPlaneManagerNil || !c.controlPlaneManager.IsControlPlane()
+	outcome := c.evaluateControlPlane(now)
+	c.config.Log.Info("control-plane evaluation complete", "outcome", outcome)
+	if c.controlPlaneManager == nil {
+		return c.outcomeIsHealthyForControlPlane(outcome)
+	}
+	return c.controlPlaneManager.IsControlPlaneHealthy(outcome)
+}
 
-	c.config.Log.Info("isConsideredHealthy called",
-		"isControlPlaneManagerNil", isControlPlaneManagerNil,
-		"isWorkerNode", isWorkerNode)
+type peerSummary struct {
+	role       peers.Role
+	addresses  []corev1.PodIP
+	healthy    int
+	unhealthy  int
+	apiErrors  int
+	failures   int
+	responded  bool
+	hadMinimum bool
+}
 
-	workerPeersResponse := c.getPeersResponse(peers.Worker)
+func (ps peerSummary) totalPeers() int {
+	return len(ps.addresses)
+}
+
+func (ps peerSummary) responseCount() int {
+	return ps.healthy + ps.unhealthy + ps.apiErrors
+}
 
-	if isWorkerNode {
-		if workerPeersResponse.IsHealthy {
-			c.config.Log.Info("isConsideredHealthy: I'm a worker node and my peers say I'm healthy",
-				"workerPeersResponse.IsHealthy", workerPeersResponse.IsHealthy)
-			return true
+func (ps peerSummary) majorityApiError() bool {
+	total := ps.totalPeers()
+	if total == 0 {
+		return false
+	}
+	return ps.apiErrors > total/2
+}
+
+func (c *ApiConnectivityCheck) evaluateWorker(now time.Time) controlplane.EvaluationOutcome {
+	summary := c.gatherPeerResponses(peers.Worker, now)
+
+	if summary.totalPeers() == 0 {
+		if c.peerTimeoutExceeded(peers.Worker, now) {
+			return controlplane.EvaluationIsolation
 		}
+		return controlplane.EvaluationAwaitQuorum
+	}
 
-		controlPlanePeersResponse := c.getPeersResponse(peers.ControlPlane)
+	if summary.healthy > 0 {
+		return controlplane.EvaluationHealthy
+	}
 
-		c.config.Log.Info("isConsideredHealthy: since peers think I'm unhealthy, double checking "+
-			"by returning what the control plane nodes think of my state",
-			"controlPlanePeersResponse.IsHealthy", controlPlanePeersResponse.IsHealthy)
-		return controlPlanePeersResponse.IsHealthy
+	if summary.unhealthy > 0 {
+		outcome := c.escalateToControlPlanes(now)
+		if outcome == controlplane.EvaluationAwaitQuorum && c.peerTimeoutExceeded(peers.ControlPlane, now) {
+			return controlplane.EvaluationIsolation
+		}
+		return outcome
+	}
 
+	if summary.majorityApiError() {
+		return controlplane.EvaluationGlobalOutage
 	}
 
-	controlPlanePeersResponse := c.getPeersResponse(peers.ControlPlane)
+	if !summary.responded || !summary.hadMinimum {
+		if c.peerTimeoutExceeded(peers.Worker, now) {
+			return controlplane.EvaluationIsolation
+		}
+		return controlplane.EvaluationAwaitQuorum
+	}
 
-	c.config.Log.Info("isConsideredHealthy: control planes report my health status",
-		"controlPlanePeersResponse.IsHealthy", controlPlanePeersResponse.IsHealthy)
+	return controlplane.EvaluationHealthy
+}
 
-	isControlPlaneHealthy := c.controlPlaneManager.IsControlPlaneHealthy(controlPlanePeersResponse,
-		c.canOtherControlPlanesBeReached())
+func (c *ApiConnectivityCheck) evaluateControlPlane(now time.Time) controlplane.EvaluationOutcome {
+	workerSummary := c.gatherPeerResponses(peers.Worker, now)
 
-	c.config.Log.Info("isConsideredHealthy: we have checked the control plane peer responses and cross "+
-		"checked it against the control plane diagnostics ",
-		"isControlPlaneHealthy", controlPlanePeersResponse.IsHealthy)
+	if workerSummary.majorityApiError() {
+		return controlplane.EvaluationGlobalOutage
+	}
 
-	return isControlPlaneHealthy
+	if workerSummary.unhealthy > 0 {
+		outcome := c.escalateToControlPlanes(now)
+		if outcome == controlplane.EvaluationAwaitQuorum && c.peerTimeoutExceeded(peers.ControlPlane, now) {
+			return controlplane.EvaluationIsolation
+		}
+		return outcome
+	}
 
-}
+	controlSummary := c.gatherPeerResponses(peers.ControlPlane, now)
+	if controlSummary.totalPeers() == 0 {
+		return controlplane.EvaluationIsolation
+	}
+
+	if controlSummary.unhealthy > 0 {
+		return controlplane.EvaluationRemediate
+	}
 
-func (c *ApiConnectivityCheck) getPeersResponse(role peers.Role) peers.Response {
-	c.errorCount++
-	if c.errorCount < c.config.MaxErrorsThreshold {
-		c.config.Log.Info("Ignoring api-server error, error count below threshold", "current count", c.errorCount, "threshold", c.config.MaxErrorsThreshold)
-		return peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseErrorsThresholdNotReached}
+	if controlSummary.majorityApiError() {
+		return controlplane.EvaluationGlobalOutage
 	}
-	roleName := "worker"
-	if role == peers.ControlPlane {
-		roleName = "control-plane"
+
+	if controlSummary.healthy > 0 {
+		return controlplane.EvaluationHealthy
 	}
 
-	c.config.Log.Info("Error count was above threshold, attempting to collect peer addresses",
-		"role", roleName)
+	if !controlSummary.responded || !controlSummary.hadMinimum {
+		if c.peerTimeoutExceeded(peers.ControlPlane, now) {
+			return controlplane.EvaluationIsolation
+		}
+		return controlplane.EvaluationAwaitQuorum
+	}
 
-	// MES: This gets called even if the current node is a control plane node. Hopefully
-	// in an actual environment it is returning actual worker peers when the role is worker.
-	peersToAsk := c.config.Peers.GetPeersAddresses(role)
+	if workerSummary.responded && workerSummary.healthy > 0 {
+		return controlplane.EvaluationHealthy
+	}
 
-	c.config.Log.Info("Error count exceeds threshold, querying peer nodes for health",
-		"role", roleName,
-		"minPeersRequired", c.config.MinPeersForRemediation,
-		"actualNumPeersFound", len(peersToAsk))
+	if !workerSummary.responded && c.peerTimeoutExceeded(peers.Worker, now) {
+		return controlplane.EvaluationIsolation
+	}
 
-	// We check to see if we have at least the number of peers that the user has configured as required.
-	//  If we don't have this many peers (for instance there are zero peers, and the default value is set
-	//  which requires at least one peer), we don't want to remediate. In this case we have some confusion
-	//  and don't want to remediate a node when we shouldn't.  Note: It would be unusual for MinPeersForRemediation
-	//  to be greater than 1 unless the environment has specific requirements.
-	if len(peersToAsk) < c.config.MinPeersForRemediation {
-		c.config.Log.Info("Ignoring api-server error as we have an insufficient number of peers found, "+
-			"so we aren't going to attempt to contact any to check for a SelfNodeRemediation CR"+
-			" - we will consider it as if there was no CR present & as healthy.", "minPeersRequired",
-			c.config.MinPeersForRemediation, "actualNumPeersFound", len(peersToAsk))
+	return controlplane.EvaluationHealthy
+}
 
-		// TODO: maybe we need to check if this happens too much and reboot
-		return peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseNoPeersWereFound}
+func (c *ApiConnectivityCheck) escalateToControlPlanes(now time.Time) controlplane.EvaluationOutcome {
+	summary := c.gatherPeerResponses(peers.ControlPlane, now)
+
+	if summary.totalPeers() == 0 {
+		return controlplane.EvaluationIsolation
 	}
 
-	// If we make it here and there are no peers, we can't proceed because we need at least one peer
-	//  to check.  So it doesn't make sense to continue on - we'll mark as unhealthy and exit fast
-	if len(peersToAsk) == 0 {
-		c.config.Log.Info("Marking node as unhealthy due to being isolated.  We don't have any peers to ask "+
-			"and MinPeersForRemediation must be greater than zero", "minPeersRequired",
-			c.config.MinPeersForRemediation, "actualNumPeersFound", len(peersToAsk))
-		return peers.Response{IsHealthy: false, Reason: peers.UnHealthyBecauseNodeIsIsolated}
+	if summary.unhealthy > 0 {
+		return controlplane.EvaluationRemediate
 	}
 
-	apiErrorsResponsesSum := 0
-	nrAllPeers := len(peersToAsk)
-	// peersToAsk is being reduced at every iteration, iterate until no peers left to ask
-	for i := 0; len(peersToAsk) > 0; i++ {
+	if summary.majorityApiError() {
+		return controlplane.EvaluationGlobalOutage
+	}
 
-		batchSize := utils.GetNextBatchSize(nrAllPeers, len(peersToAsk))
-		chosenPeersIPs := c.popPeerIPs(&peersToAsk, batchSize)
-		healthyResponses, unhealthyResponses, apiErrorsResponses, _ := c.getHealthStatusFromPeers(chosenPeersIPs)
-		if healthyResponses+unhealthyResponses+apiErrorsResponses > 0 {
-			c.timeOfLastPeerResponse = time.Now()
-		}
-		c.config.Log.Info("Aggregate peer health responses", "healthyResponses", healthyResponses,
-			"unhealthyResponses", unhealthyResponses, "apiErrorsResponses", apiErrorsResponses)
-
-		if healthyResponses > 0 {
-			c.config.Log.Info("There is at least one peer who thinks this node healthy, so we'll respond "+
-				"with a healthy status", "healthyResponses", healthyResponses, "reason",
-				"peers.HealthyBecauseCRNotFound")
-			c.errorCount = 0
-			return peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseCRNotFound}
+	if summary.healthy > 0 {
+		return controlplane.EvaluationHealthy
+	}
+
+	if !summary.responded || !summary.hadMinimum {
+		if c.peerTimeoutExceeded(peers.ControlPlane, now) {
+			return controlplane.EvaluationIsolation
 		}
+		return controlplane.EvaluationAwaitQuorum
+	}
+
+	return controlplane.EvaluationHealthy
+}
 
-		if unhealthyResponses > 0 {
-			c.config.Log.Info("I got at least one peer who thinks I'm unhealthy, so we'll respond "+
-				"with unhealthy", "unhealthyResponses", unhealthyResponses, "reason",
-				"peers.UnHealthyBecausePeersResponse")
-			return peers.Response{IsHealthy: false, Reason: peers.UnHealthyBecausePeersResponse}
+func (c *ApiConnectivityCheck) gatherPeerResponses(role peers.Role, now time.Time) peerSummary {
+	addresses := c.listPeers(role)
+	summary := peerSummary{
+		role:      role,
+		addresses: addresses,
+	}
+
+	minimum := c.config.MinPeersForRemediation
+	if minimum <= 0 {
+		summary.hadMinimum = true
+	} else {
+		summary.hadMinimum = len(addresses) >= minimum
+	}
+
+	if len(addresses) == 0 {
+		return summary
+	}
+
+	peersToAsk := make([]corev1.PodIP, len(addresses))
+	copy(peersToAsk, addresses)
+	allPeers := len(peersToAsk)
+
+	for len(peersToAsk) > 0 {
+		batchSize := utils.GetNextBatchSize(allPeers, len(peersToAsk))
+		chosen := c.popPeerIPs(&peersToAsk, batchSize)
+		healthy, unhealthy, apiErrors, failures := c.getHealthStatusFromPeers(chosen)
+		summary.healthy += healthy
+		summary.unhealthy += unhealthy
+		summary.apiErrors += apiErrors
+		summary.failures += failures
+		if healthy+unhealthy+apiErrors > 0 {
+			summary.responded = true
 		}
+	}
 
-		if apiErrorsResponses > 0 {
-			c.config.Log.Info("If you see this, I didn't get any healthy or unhealthy peer responses, "+
-				"instead they told me they can't access the API server either", "apiErrorsResponses",
-				apiErrorsResponses)
-			apiErrorsResponsesSum += apiErrorsResponses
-			// TODO: consider using [m|n]hc.spec.maxUnhealthy instead of 50%
-			if apiErrorsResponsesSum > nrAllPeers/2 { // already reached more than 50% of the peers and all of them returned api error
-				// assuming this is a control plane failure as others can't access api-server as well
-				c.config.Log.Info("More than 50% of the nodes couldn't access the api-server, assuming "+
-					"this is a control plane failure, so we are going to return healthy in that case",
-					"reason", "HealthyBecauseMostPeersCantAccessAPIServer")
-				return peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseMostPeersCantAccessAPIServer}
-			}
+	if summary.responded {
+		c.recordPeerActivity(role, now)
+	}
+
+	return summary
+}
+
+func (c *ApiConnectivityCheck) listPeers(role peers.Role) []corev1.PodIP {
+	c.mutex.Lock()
+	override := c.peerOverride
+	c.mutex.Unlock()
+
+	if override != nil {
+		if custom := override(role); custom != nil {
+			copySlice := make([]corev1.PodIP, len(custom))
+			copy(copySlice, custom)
+			return copySlice
 		}
+	}
 
+	if c.config == nil || c.config.Peers == nil {
+		return nil
 	}
 
-	c.config.Log.Info("We have attempted communication with all known peers, and haven't gotten either: " +
-		"a peer that believes we are healthy, a peer that believes we are unhealthy, or we haven't decided that " +
-		"there is a control plane failure")
+	return c.config.Peers.GetPeersAddresses(role)
+}
 
-	//we asked all peers
-	now := time.Now()
-	// MaxTimeForNoPeersResponse check prevents the node from being considered unhealthy in case of short network outages
-	if now.After(c.timeOfLastPeerResponse.Add(c.config.MaxTimeForNoPeersResponse)) {
-		c.config.Log.Error(fmt.Errorf("failed health check"), "Failed to get health status peers. "+
-			"Assuming unhealthy", "reason", "UnHealthyBecauseNodeIsIsolated")
-		return peers.Response{IsHealthy: false, Reason: peers.UnHealthyBecauseNodeIsIsolated}
+func (c *ApiConnectivityCheck) recordPeerActivity(role peers.Role, now time.Time) {
+	if role == peers.Worker {
+		c.workerLastPeerResponse = now
 	} else {
-		c.config.Log.Info("Ignoring no peers response error, time is below threshold for no peers response",
-			"time without peers response (seconds)", now.Sub(c.timeOfLastPeerResponse).Seconds(),
-			"threshold (seconds)", c.config.MaxTimeForNoPeersResponse.Seconds(),
-			"reason", "HealthyBecauseNoPeersResponseNotReachedTimeout")
-		return peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseNoPeersResponseNotReachedTimeout}
+		c.controlPlaneLastPeerResponse = now
+	}
+}
+
+func (c *ApiConnectivityCheck) outcomeIsHealthyForWorker(outcome controlplane.EvaluationOutcome) bool {
+	switch outcome {
+	case controlplane.EvaluationRemediate, controlplane.EvaluationIsolation:
+		return false
+	default:
+		return true
 	}
+}
 
+func (c *ApiConnectivityCheck) outcomeIsHealthyForControlPlane(outcome controlplane.EvaluationOutcome) bool {
+	switch outcome {
+	case controlplane.EvaluationRemediate, controlplane.EvaluationIsolation:
+		return false
+	default:
+		return true
+	}
 }
 
-func (c *ApiConnectivityCheck) canOtherControlPlanesBeReached() bool {
-	c.config.Log.Info("canOtherControlPlanesBeReached", "c.config.Peers",
-		c.config.Peers)
+func (c *ApiConnectivityCheck) isWorkerNode() bool {
+	if c.controlPlaneManager == nil {
+		return true
+	}
+	return !c.controlPlaneManager.IsControlPlane()
+}
 
-	peersToAsk := c.config.Peers.GetPeersAddresses(peers.ControlPlane)
-	numOfControlPlanePeers := len(peersToAsk)
+func (c *ApiConnectivityCheck) ensureFailureTracker() *FailureTracker {
+	if c.failureTracker == nil {
+		c.failureTracker = NewFailureTracker()
+	}
+	return c.failureTracker
+}
+
+func (c *ApiConnectivityCheck) effectiveFailureWindow() time.Duration {
+	if c.config == nil {
+		return 0
+	}
+	if c.config.FailureWindow > 0 {
+		return c.config.FailureWindow
+	}
+	if c.config.CheckInterval > 0 && c.config.MaxErrorsThreshold > 0 {
+		return c.config.CheckInterval * time.Duration(c.config.MaxErrorsThreshold)
+	}
+	return 0
+}
 
-	c.config.Log.Info("Getting peer control plane addresses", "peersToAsk",
-		peersToAsk, "numOfControlPlanePeers", numOfControlPlanePeers)
+func (c *ApiConnectivityCheck) effectivePeerQuorumTimeout() time.Duration {
+	if c.config == nil {
+		return 0
+	}
+	if c.config.PeerQuorumTimeout > 0 {
+		return c.config.PeerQuorumTimeout
+	}
+	return c.config.MaxTimeForNoPeersResponse
+}
 
-	if numOfControlPlanePeers == 0 {
-		c.config.Log.Info("Peers list is empty and / or couldn't be retrieved from server, other control planes can't be reached")
+func (c *ApiConnectivityCheck) peerTimeoutExceeded(role peers.Role, now time.Time) bool {
+	deadline := c.effectivePeerQuorumTimeout()
+	if deadline <= 0 {
 		return false
 	}
 
-	chosenPeersIPs := c.popPeerIPs(&peersToAsk, numOfControlPlanePeers)
-	healthyResponses, unhealthyResponses, apiErrorsResponses, _ := c.getHealthStatusFromPeers(chosenPeersIPs)
+	var last time.Time
+	if role == peers.Worker {
+		last = c.workerLastPeerResponse
+	} else {
+		last = c.controlPlaneLastPeerResponse
+	}
+
+	if last.IsZero() {
+		return false
+	}
 
-	// Any response is an indication of communication with a peer
-	return (healthyResponses + unhealthyResponses + apiErrorsResponses) > 0
+	return now.Sub(last) >= deadline
 }
 
 func (c *ApiConnectivityCheck) popPeerIPs(peersIPs *[]corev1.PodIP, count int) []corev1.PodIP {
diff --git a/pkg/apicheck/check_internal_test.go b/pkg/apicheck/check_internal_test.go
index 79fb755e8..008826aef 100644
--- a/pkg/apicheck/check_internal_test.go
+++ b/pkg/apicheck/check_internal_test.go
@@ -3,6 +3,7 @@ package apicheck
 import (
 	"reflect"
 	"testing"
+	"time"
 	"unsafe"
 
 	corev1 "k8s.io/api/core/v1"
@@ -30,17 +31,22 @@ func TestWorkerEscalatesWhenControlPlanePeersUnavailable(t *testing.T) {
 		Log:                    logf.Log.WithName("test"),
 		MyNodeName:             "worker-1",
 		MyMachineName:          "machine-1",
+		CheckInterval:          50 * time.Millisecond,
+		FailureWindow:          50 * time.Millisecond,
+		PeerQuorumTimeout:      100 * time.Millisecond,
 		MaxErrorsThreshold:     1,
 		Peers:                  peerStore,
 		MinPeersForRemediation: 1,
 	}
 
-	check := &ApiConnectivityCheck{config: cfg}
+	check := New(cfg, nil)
 	check.SetHealthStatusFunc(func(_ corev1.PodIP, results chan<- selfnode.HealthCheckResponseCode) {
 		results <- selfnode.Unhealthy
 	})
 
-	check.errorCount = cfg.MaxErrorsThreshold
+	tracker := check.ensureFailureTracker()
+	tracker.RecordFailure(time.Now().Add(-cfg.FailureWindow))
+	tracker.RecordFailure(time.Now().Add(-cfg.FailureWindow / 2))
 
 	if healthy := check.isConsideredHealthy(); healthy {
 		t.Fatalf("expected worker to treat lack of control-plane peers as unhealthy")
diff --git a/pkg/apicheck/failure_tracker.go b/pkg/apicheck/failure_tracker.go
index 6c6e13c38..8357011c8 100644
--- a/pkg/apicheck/failure_tracker.go
+++ b/pkg/apicheck/failure_tracker.go
@@ -3,11 +3,14 @@ package apicheck
 import "time"
 
 // FailureTracker keeps lightweight state about recent API failures so callers can
-// decide when to escalate to peer queries. The initial implementation is a stub
-// and will be fleshed out in subsequent phases.
+// decide when to escalate to peer queries. It tracks the timestamp of the first
+// failure in the current observation window and the spacing between subsequent
+// failures so intermittent blips do not trigger escalation.
 type FailureTracker struct {
 	consecutive  int
 	firstFailure time.Time
+	lastFailure  time.Time
+	lastGap      time.Duration
 }
 
 // NewFailureTracker creates an empty tracker.
@@ -16,18 +19,74 @@ func NewFailureTracker() *FailureTracker {
 }
 
 // RecordFailure notes that a failure occurred at the supplied time.
-func (ft *FailureTracker) RecordFailure(_ time.Time) {
+func (ft *FailureTracker) RecordFailure(at time.Time) {
+	if ft == nil {
+		return
+	}
+
+	if ft.consecutive == 0 {
+		ft.consecutive = 1
+		ft.firstFailure = at
+		ft.lastFailure = at
+		ft.lastGap = 0
+		return
+	}
+
+	if ft.lastFailure.IsZero() {
+		ft.lastFailure = at
+	}
+
+	gap := at.Sub(ft.lastFailure)
+	if gap < 0 {
+		gap = 0
+	}
+
+	ft.lastGap = gap
+	ft.lastFailure = at
 	ft.consecutive++
 }
 
 // Reset clears any recorded failures.
 func (ft *FailureTracker) Reset() {
+	if ft == nil {
+		return
+	}
+
 	ft.consecutive = 0
 	ft.firstFailure = time.Time{}
+	ft.lastFailure = time.Time{}
+	ft.lastGap = 0
 }
 
 // ShouldEscalate reports whether the accumulated failures warrant escalation.
-// The stub always returns false; behaviour will be implemented in later phases.
-func (ft *FailureTracker) ShouldEscalate(_ time.Time, _ time.Duration) bool {
-	return false
+// When the spacing between the most recent failures exceeds the observation window
+// the tracker resets itself, treating the latest failure as the start of a new
+// window so intermittent blips do not trip escalation.
+func (ft *FailureTracker) ShouldEscalate(now time.Time, window time.Duration) bool {
+	if ft == nil || ft.consecutive == 0 {
+		return false
+	}
+
+	if window <= 0 {
+		return true
+	}
+
+	// If the most recent failure occurred after a large gap reset the window so
+	// intermittent failures outside the observation window do not escalate. Allow a
+	// small buffer above the configured window to tolerate scheduling jitter.
+	threshold := window + window/2
+	if threshold <= 0 {
+		threshold = 0
+	}
+	if threshold > 0 && ft.lastGap >= threshold {
+		ft.firstFailure = ft.lastFailure
+		ft.consecutive = 1
+		ft.lastGap = 0
+	}
+
+	if now.Before(ft.firstFailure) {
+		return false
+	}
+
+	return now.Sub(ft.firstFailure) >= window
 }
diff --git a/pkg/controlplane/manager.go b/pkg/controlplane/manager.go
index a39703e14..59b4b194b 100644
--- a/pkg/controlplane/manager.go
+++ b/pkg/controlplane/manager.go
@@ -25,6 +25,16 @@ const (
 	kubeletPort = "10250"
 )
 
+type EvaluationOutcome int
+
+const (
+	EvaluationHealthy EvaluationOutcome = iota
+	EvaluationRemediate
+	EvaluationGlobalOutage
+	EvaluationIsolation
+	EvaluationAwaitQuorum
+)
+
 // Manager contains logic and info needed to fence and remediate controlplane nodes
 type Manager struct {
 	nodeName                     string
@@ -61,45 +71,29 @@ func (manager *Manager) IsControlPlane() bool {
 	return manager.nodeRole == peers.ControlPlane
 }
 
-func (manager *Manager) IsControlPlaneHealthy(workerPeerResponse peers.Response, canOtherControlPlanesBeReached bool) bool {
-	switch workerPeerResponse.Reason {
-	//reported unhealthy by worker peers
-	case peers.UnHealthyBecausePeersResponse:
-		manager.log.Info("We are deciding the control plane is not healthy because the peer response was UnHealthyBecausePeersResponse")
+func (manager *Manager) IsControlPlaneHealthy(outcome EvaluationOutcome) bool {
+	switch outcome {
+	case EvaluationRemediate:
+		manager.log.Info("control-plane evaluation requested remediation")
 		return false
-	case peers.UnHealthyBecauseNodeIsIsolated:
-		manager.log.Info("While trying to determine if the control plane is healthy, the peer response was "+
-			"UnHealthyBecauseNodeIsIsolated, so we are returning true if we could reach other control plane nodes",
-			"canOtherControlPlanesBeReached", canOtherControlPlanesBeReached)
-		return canOtherControlPlanesBeReached
-	//reported healthy by worker peers
-	case peers.HealthyBecauseErrorsThresholdNotReached, peers.HealthyBecauseCRNotFound, peers.HealthyBecauseNoPeersResponseNotReachedTimeout:
-		manager.log.Info("We are deciding that the control plane is healthy because either: "+
-			"HealthyBecauseErrorsThresholdNotReached "+
-			", HealthyBecauseCRNotFound,  or HealthyBecauseNoPeersResponseNotReachedTimeout",
-			"reason", workerPeerResponse.Reason)
-		return true
-	//controlPlane node has connection to most workers, we assume it's not isolated (or at least that the controlPlane node that does not have worker peers quorum will reboot)
-	case peers.HealthyBecauseMostPeersCantAccessAPIServer:
+	case EvaluationIsolation:
+		manager.log.Info("control-plane evaluation detected isolation")
+		return false
+	case EvaluationGlobalOutage:
 		didDiagnosticsPass := manager.isDiagnosticsPassed()
-		manager.log.Info("The peers couldn't access the API server, so we are returning whether "+
-			"diagnostics passed", "didDiagnosticsPass", didDiagnosticsPass)
+		manager.log.Info("peers report API outage, relying on diagnostics",
+			"diagnosticsPassed", didDiagnosticsPass)
 		return didDiagnosticsPass
-	case peers.HealthyBecauseNoPeersWereFound:
-		didDiagnosticsPass := manager.isDiagnosticsPassed()
-
-		manager.log.Info("We couldn't find any peers so we are returning didDiagnosticsPass && "+
-			"canOtherControlPlanesBeReached", "didDiagnosticsPass", didDiagnosticsPass,
-			"canOtherControlPlanesBeReached", canOtherControlPlanesBeReached)
-
-		return didDiagnosticsPass && canOtherControlPlanesBeReached
-
+	case EvaluationAwaitQuorum:
+		manager.log.Info("peer quorum pending, deferring remediation")
+		return true
+	case EvaluationHealthy:
+		return true
 	default:
-		errorText := "node is considered unhealthy by worker peers for an unknown reason"
-		manager.log.Error(errors.New(errorText), errorText, "reason", workerPeerResponse.Reason, "node name", manager.nodeName)
+		errorText := "unknown evaluation outcome"
+		manager.log.Error(errors.New(errorText), errorText, "outcome", outcome, "node name", manager.nodeName)
 		return false
 	}
-
 }
 
 func (manager *Manager) isDiagnosticsPassed() bool {
diff --git a/pkg/controlplane/manager_internal_test.go b/pkg/controlplane/manager_internal_test.go
index 0d5e390d9..4aa79f1d9 100644
--- a/pkg/controlplane/manager_internal_test.go
+++ b/pkg/controlplane/manager_internal_test.go
@@ -1,22 +1,12 @@
 package controlplane
 
-import (
-	"testing"
-
-	"github.com/medik8s/self-node-remediation/pkg/peers"
-)
-
-type fakePeerResponse struct {
-	response peers.Response
-	canReach bool
-}
+import "testing"
 
 func TestIsControlPlaneHealthyFlagsIsolation(t *testing.T) {
 	mgr := &Manager{}
 	mgr.nodeName = "cp-1"
 
-	resp := peers.Response{IsHealthy: false, Reason: peers.UnHealthyBecauseNodeIsIsolated}
-	if healthy := mgr.IsControlPlaneHealthy(resp, false); healthy {
+	if healthy := mgr.IsControlPlaneHealthy(EvaluationIsolation); healthy {
 		t.Fatalf("expected isolation to mark node unhealthy when other control planes unreachable")
 	}
 }
@@ -25,8 +15,7 @@ func TestIsControlPlaneHealthyChecksDiagnosticsWhenPeersReportAPIFailure(t *test
 	mgr := &Manager{}
 	mgr.nodeName = "cp-1"
 
-	resp := peers.Response{IsHealthy: true, Reason: peers.HealthyBecauseMostPeersCantAccessAPIServer}
-	if healthy := mgr.IsControlPlaneHealthy(resp, true); healthy {
+	if healthy := mgr.IsControlPlaneHealthy(EvaluationGlobalOutage); healthy {
 		t.Fatalf("expected diagnostics to influence decision when peers report API outage")
 	}
 }

From 7d434455c583834dc95ea1dfe946f0f11dca7008 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Wed, 8 Oct 2025 12:29:41 -0500
Subject: [PATCH 12/16] wip

---
 .../selfnoderemediation_controller_test.go    |  3 +
 controllers/tests/shared/shared.go            |  4 ++
 pkg/apicheck/check.go                         | 59 ++++++++++++++-----
 3 files changed, 51 insertions(+), 15 deletions(-)

diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 0e8141ad5..6451a2dbd 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -1315,11 +1315,13 @@ func configureApiServerSimulatedFailures(simulateResponses bool) {
 	By("Configure k8s client to simulate API server failures", func() {
 		orgValue := k8sClient.ShouldSimulateFailure
 		k8sClient.ShouldSimulateFailure = simulateResponses
+		apiCheck.ResetPeerTimers()
 
 		DeferCleanup(func() {
 			By(fmt.Sprintf("Restore k8s client config value for API server failure simulation to %t",
 				orgValue), func() {
 				k8sClient.ShouldSimulateFailure = orgValue
+				apiCheck.ResetPeerTimers()
 			})
 
 		})
@@ -1404,6 +1406,7 @@ func addNodes(nodes []newNodeConfig) {
 func resetWatchdogTimer() {
 	By("Resetting watchdog timer", func() {
 		dummyDog.Reset()
+		apiCheck.ResetPeerTimers()
 	})
 }
 
diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index 3457e18a4..a55b16275 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -241,6 +241,10 @@ func (ckw *ApiConnectivityCheckWrapper) ControlPlanePeerLastResponse() time.Time
 	return ckw.controlPlaneLastResponse
 }
 
+func (ckw *ApiConnectivityCheckWrapper) ResetPeerTimers() {
+	ckw.ApiConnectivityCheck.ResetPeerTimers()
+}
+
 func GenerateTestConfig() *selfnoderemediationv1alpha1.SelfNodeRemediationConfig {
 	return &selfnoderemediationv1alpha1.SelfNodeRemediationConfig{
 		TypeMeta: metav1.TypeMeta{
diff --git a/pkg/apicheck/check.go b/pkg/apicheck/check.go
index 54dea973f..7385ff2df 100644
--- a/pkg/apicheck/check.go
+++ b/pkg/apicheck/check.go
@@ -41,6 +41,8 @@ type ApiConnectivityCheck struct {
 	failureTracker                *FailureTracker
 	workerLastPeerResponse        time.Time
 	controlPlaneLastPeerResponse  time.Time
+	workerPeerSilenceSince        time.Time
+	controlPlanePeerSilenceSince  time.Time
 	clientCreds                   credentials.TransportCredentials
 	mutex                         sync.Mutex
 	controlPlaneManager           *controlplane.Manager
@@ -73,12 +75,10 @@ type ApiConnectivityCheckConfig struct {
 
 func New(config *ApiConnectivityCheckConfig, controlPlaneManager *controlplane.Manager) (c *ApiConnectivityCheck) {
 	c = &ApiConnectivityCheck{
-		config:                       config,
-		mutex:                        sync.Mutex{},
-		controlPlaneManager:          controlPlaneManager,
-		failureTracker:               NewFailureTracker(),
-		workerLastPeerResponse:       time.Now(),
-		controlPlaneLastPeerResponse: time.Now(),
+		config:              config,
+		mutex:               sync.Mutex{},
+		controlPlaneManager: controlPlaneManager,
+		failureTracker:      NewFailureTracker(),
 	}
 
 	c.SetHealthStatusFunc(c.GetDefaultPeerHealthCheckFunc())
@@ -254,6 +254,9 @@ func (c *ApiConnectivityCheck) evaluateWorker(now time.Time) controlplane.Evalua
 	summary := c.gatherPeerResponses(peers.Worker, now)
 
 	if summary.totalPeers() == 0 {
+		if c.config.MinPeersForRemediation == 0 {
+			return controlplane.EvaluationIsolation
+		}
 		if c.peerTimeoutExceeded(peers.Worker, now) {
 			return controlplane.EvaluationIsolation
 		}
@@ -380,6 +383,7 @@ func (c *ApiConnectivityCheck) gatherPeerResponses(role peers.Role, now time.Tim
 	}
 
 	if len(addresses) == 0 {
+		c.recordPeerSilence(role, now)
 		return summary
 	}
 
@@ -402,6 +406,8 @@ func (c *ApiConnectivityCheck) gatherPeerResponses(role peers.Role, now time.Tim
 
 	if summary.responded {
 		c.recordPeerActivity(role, now)
+	} else {
+		c.recordPeerSilence(role, now)
 	}
 
 	return summary
@@ -413,11 +419,13 @@ func (c *ApiConnectivityCheck) listPeers(role peers.Role) []corev1.PodIP {
 	c.mutex.Unlock()
 
 	if override != nil {
-		if custom := override(role); custom != nil {
-			copySlice := make([]corev1.PodIP, len(custom))
-			copy(copySlice, custom)
-			return copySlice
+		custom := override(role)
+		if len(custom) == 0 {
+			return nil
 		}
+		copySlice := make([]corev1.PodIP, len(custom))
+		copy(copySlice, custom)
+		return copySlice
 	}
 
 	if c.config == nil || c.config.Peers == nil {
@@ -430,11 +438,32 @@ func (c *ApiConnectivityCheck) listPeers(role peers.Role) []corev1.PodIP {
 func (c *ApiConnectivityCheck) recordPeerActivity(role peers.Role, now time.Time) {
 	if role == peers.Worker {
 		c.workerLastPeerResponse = now
+		c.workerPeerSilenceSince = time.Time{}
 	} else {
 		c.controlPlaneLastPeerResponse = now
+		c.controlPlanePeerSilenceSince = time.Time{}
+	}
+}
+
+func (c *ApiConnectivityCheck) recordPeerSilence(role peers.Role, now time.Time) {
+	if role == peers.Worker {
+		if c.workerPeerSilenceSince.IsZero() {
+			c.workerPeerSilenceSince = now
+		}
+	} else {
+		if c.controlPlanePeerSilenceSince.IsZero() {
+			c.controlPlanePeerSilenceSince = now
+		}
 	}
 }
 
+func (c *ApiConnectivityCheck) ResetPeerTimers() {
+	c.workerLastPeerResponse = time.Time{}
+	c.workerPeerSilenceSince = time.Time{}
+	c.controlPlaneLastPeerResponse = time.Time{}
+	c.controlPlanePeerSilenceSince = time.Time{}
+}
+
 func (c *ApiConnectivityCheck) outcomeIsHealthyForWorker(outcome controlplane.EvaluationOutcome) bool {
 	switch outcome {
 	case controlplane.EvaluationRemediate, controlplane.EvaluationIsolation:
@@ -496,18 +525,18 @@ func (c *ApiConnectivityCheck) peerTimeoutExceeded(role peers.Role, now time.Tim
 		return false
 	}
 
-	var last time.Time
+	var silenceSince time.Time
 	if role == peers.Worker {
-		last = c.workerLastPeerResponse
+		silenceSince = c.workerPeerSilenceSince
 	} else {
-		last = c.controlPlaneLastPeerResponse
+		silenceSince = c.controlPlanePeerSilenceSince
 	}
 
-	if last.IsZero() {
+	if silenceSince.IsZero() {
 		return false
 	}
 
-	return now.Sub(last) >= deadline
+	return now.Sub(silenceSince) >= deadline
 }
 
 func (c *ApiConnectivityCheck) popPeerIPs(peersIPs *[]corev1.PodIP, count int) []corev1.PodIP {

From 3d815d2af70bbd5a1a59e8ba4c5b6e2bd4a035e8 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Wed, 8 Oct 2025 13:22:57 -0500
Subject: [PATCH 13/16] wip

---
 .../selfnoderemediation_controller_test.go    | 19 +++++++++++++
 controllers/tests/shared/shared.go            | 28 +++++++++++++++++++
 pkg/apicheck/check.go                         |  5 ++++
 3 files changed, 52 insertions(+)

diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 6451a2dbd..20f0d5afe 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -579,6 +579,9 @@ var _ = Describe("SNR Controller", func() {
 			})
 
 			Context("no peer found", func() {
+				BeforeEach(func() {
+					clearSimulatedPeerResponses()
+				})
 				It("Verify that watchdog is not triggered", func() {
 					verifyWatchdogNotTriggered()
 				})
@@ -1298,6 +1301,7 @@ func configureSimulatedPeerResponses(simulateResponses bool) {
 		DeferCleanup(func() {
 			apiCheck.ShouldSimulatePeerResponses = orgValue
 			apiCheck.RestoreSimulatedPeerResponses(orgResponses)
+			apiCheck.RememberSimulatedPeerResponses()
 			if !simulateResponses {
 				apiCheck.SetPeersOverride(nil)
 			}
@@ -1400,6 +1404,8 @@ func addNodes(nodes []newNodeConfig) {
 
 		}
 
+		apiCheck.RememberSimulatedPeerResponses()
+
 	})
 }
 
@@ -1407,6 +1413,19 @@ func resetWatchdogTimer() {
 	By("Resetting watchdog timer", func() {
 		dummyDog.Reset()
 		apiCheck.ResetPeerTimers()
+		if apiCheck.ShouldSimulatePeerResponses {
+			apiCheck.RestoreBaselineSimulatedResponses()
+			apiCheck.RememberSimulatedPeerResponses()
+		} else {
+			apiCheck.ClearBaselineSimulatedResponses()
+		}
+	})
+}
+
+func clearSimulatedPeerResponses() {
+	By("Clearing simulated peer responses", func() {
+		apiCheck.ClearSimulatedPeerResponses()
+		apiCheck.ClearBaselineSimulatedResponses()
 	})
 }
 
diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index a55b16275..f899213b3 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -67,6 +67,7 @@ type ApiConnectivityCheckWrapper struct {
 	peersOverride            PeersOverrideFunc
 	workerLastResponse       time.Time
 	controlPlaneLastResponse time.Time
+	baselineResponses        []selfNodeRemediation.HealthCheckResponseCode
 }
 
 // PeersOverrideFunc allows tests to supply synthetic peer address lists without
@@ -186,6 +187,33 @@ func (ckw *ApiConnectivityCheckWrapper) RestoreSimulatedPeerResponses(codes []se
 	copy(ckw.simulatedPeerResponses, codes)
 }
 
+func (ckw *ApiConnectivityCheckWrapper) RememberSimulatedPeerResponses() {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	if len(ckw.simulatedPeerResponses) == 0 {
+		ckw.baselineResponses = nil
+		return
+	}
+	ckw.baselineResponses = make([]selfNodeRemediation.HealthCheckResponseCode, len(ckw.simulatedPeerResponses))
+	copy(ckw.baselineResponses, ckw.simulatedPeerResponses)
+}
+
+func (ckw *ApiConnectivityCheckWrapper) RestoreBaselineSimulatedResponses() {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	if len(ckw.baselineResponses) == 0 {
+		return
+	}
+	ckw.simulatedPeerResponses = make([]selfNodeRemediation.HealthCheckResponseCode, len(ckw.baselineResponses))
+	copy(ckw.simulatedPeerResponses, ckw.baselineResponses)
+}
+
+func (ckw *ApiConnectivityCheckWrapper) ClearBaselineSimulatedResponses() {
+	ckw.responsesMu.Lock()
+	defer ckw.responsesMu.Unlock()
+	ckw.baselineResponses = nil
+}
+
 // SetPeersOverride registers a custom provider for peer address lists.
 func (ckw *ApiConnectivityCheckWrapper) SetPeersOverride(fn PeersOverrideFunc) {
 	ckw.responsesMu.Lock()
diff --git a/pkg/apicheck/check.go b/pkg/apicheck/check.go
index 7385ff2df..0e736120c 100644
--- a/pkg/apicheck/check.go
+++ b/pkg/apicheck/check.go
@@ -280,6 +280,9 @@ func (c *ApiConnectivityCheck) evaluateWorker(now time.Time) controlplane.Evalua
 	}
 
 	if !summary.responded || !summary.hadMinimum {
+		if !summary.responded && c.config.MinPeersForRemediation == 0 {
+			return controlplane.EvaluationIsolation
+		}
 		if c.peerTimeoutExceeded(peers.Worker, now) {
 			return controlplane.EvaluationIsolation
 		}
@@ -410,6 +413,8 @@ func (c *ApiConnectivityCheck) gatherPeerResponses(role peers.Role, now time.Tim
 		c.recordPeerSilence(role, now)
 	}
 
+	c.config.Log.Info("peer summary", "role", role, "total", summary.totalPeers(), "healthy", summary.healthy, "unhealthy", summary.unhealthy, "apiErrors", summary.apiErrors, "failures", summary.failures, "responded", summary.responded, "hadMinimum", summary.hadMinimum)
+
 	return summary
 }
 

From ac5306e299530ec47eb48bcdba89732a16045d7a Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Mon, 27 Oct 2025 12:13:22 -0500
Subject: [PATCH 14/16] Implementing changes for code review feedback.

---
 .../selfnoderemediation_controller_test.go    | 30 ++++++++++++++++---
 controllers/tests/shared/shared.go            | 22 ++++++++++----
 pkg/controlplane/manager.go                   |  5 +++-
 3 files changed, 46 insertions(+), 11 deletions(-)

diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 20f0d5afe..0023fa45a 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -61,11 +61,25 @@ var _ = Describe("SNR Controller", func() {
 
 			//clear node's state, this is important to remove taints, label etc.
 			By(fmt.Sprintf("Clear node state for '%s'", shared.UnhealthyNodeName), func() {
-				Expect(k8sClient.Update(context.Background(), getNode(shared.UnhealthyNodeName)))
+				live := &v1.Node{}
+				Expect(k8sClient.Client.Get(context.Background(), unhealthyNodeNamespacedName, live)).To(Succeed())
+				clean := getNode(shared.UnhealthyNodeName)
+				patch := client.MergeFrom(live.DeepCopy())
+				live.Spec = clean.Spec
+				live.Labels = clean.Labels
+				live.Annotations = clean.Annotations
+				Expect(k8sClient.Client.Patch(context.Background(), live, patch)).To(Succeed())
 			})
 
 			By(fmt.Sprintf("Clear node state for '%s'", shared.PeerNodeName), func() {
-				Expect(k8sClient.Update(context.Background(), getNode(shared.PeerNodeName)))
+				live := &v1.Node{}
+				Expect(k8sClient.Client.Get(context.Background(), peerNodeNamespacedName, live)).To(Succeed())
+				clean := getNode(shared.PeerNodeName)
+				patch := client.MergeFrom(live.DeepCopy())
+				live.Spec = clean.Spec
+				live.Labels = clean.Labels
+				live.Annotations = clean.Annotations
+				Expect(k8sClient.Client.Patch(context.Background(), live, patch)).To(Succeed())
 			})
 
 			time.Sleep(time.Second * 2)
@@ -1277,13 +1291,21 @@ func configureUnhealthyNodeAsControlNode() {
 	})
 
 	By("Set the existing unhealthy node as a control node", func() {
-		previousRole := unhealthyNode.Labels[labels2.MasterRole]
+		previousRole, hadMasterLabel := unhealthyNode.Labels[labels2.MasterRole]
 		unhealthyNode.Labels[labels2.MasterRole] = "true"
 		Expect(k8sClient.Update(context.TODO(), unhealthyNode)).To(Succeed(), "failed to update unhealthy node")
 
 		DeferCleanup(func() {
 			By("Revert the unhealthy node's role to its previous value", func() {
-				unhealthyNode.Labels[labels2.MasterRole] = previousRole
+				updated := &v1.Node{}
+				Expect(k8sClient.Client.Get(context.TODO(), unhealthyNodeNamespacedName, updated)).To(Succeed())
+				if hadMasterLabel {
+					updated.Labels[labels2.MasterRole] = previousRole
+				} else {
+					delete(updated.Labels, labels2.MasterRole)
+				}
+				Expect(k8sClient.Update(context.TODO(), updated)).To(Succeed(),
+					"failed to restore the unhealthy node label after control-plane override")
 			})
 		})
 	})
diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index f899213b3..107398fdc 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -2,12 +2,12 @@ package shared
 
 import (
 	"context"
+	"crypto/rand"
 	"errors"
 	"net"
 	"sync"
 	"time"
 
-	"github.com/google/uuid"
 	. "github.com/onsi/gomega"
 	"github.com/onsi/gomega/gcustom"
 	types2 "github.com/onsi/gomega/types"
@@ -103,16 +103,23 @@ func (kcw *K8sClientWrapper) List(ctx context.Context, list client.ObjectList, o
 
 func assignRandomIpAddressesPods(pods *corev1.PodList) {
 	for i := range pods.Items {
-		pods.Items[i].Status.PodIPs = []corev1.PodIP{{IP: GetRandomIpAddress()}}
+		randomIP := GetRandomIpAddress()
+		pods.Items[i].Status.PodIP = randomIP
+		pods.Items[i].Status.PodIPs = []corev1.PodIP{{IP: randomIP}}
 	}
 
 	return
 }
 
 func GetRandomIpAddress() (randomIP string) {
-	u := uuid.New()
-	ip := net.IP(u[:net.IPv6len])
-	randomIP = ip.String()
+	// Generate a Unique Local Address (fd00::/8). This keeps addresses valid
+	// while avoiding collisions with routable ranges.
+	bytes := make([]byte, net.IPv6len)
+	bytes[0] = 0xfd
+	if _, err := rand.Read(bytes[1:]); err != nil {
+		panic(err)
+	}
+	randomIP = net.IP(bytes).String()
 
 	return
 }
@@ -127,7 +134,10 @@ func NewApiConnectivityCheckWrapper(ck *apicheck.ApiConnectivityCheckConfig, con
 
 	inner.SetHealthStatusFunc(func(endpointIp corev1.PodIP, results chan<- selfNodeRemediation.HealthCheckResponseCode) {
 		if ckw.ShouldSimulatePeerResponses {
-			results <- ckw.nextSimulatedPeerResponse()
+			// The caller expects exactly one response per peer; the helper enforces
+			// that contract to keep the bounded channel writes non-blocking.
+			resp := ckw.nextSimulatedPeerResponse()
+			results <- resp
 			return
 		}
 
diff --git a/pkg/controlplane/manager.go b/pkg/controlplane/manager.go
index 59b4b194b..e2e8ba174 100644
--- a/pkg/controlplane/manager.go
+++ b/pkg/controlplane/manager.go
@@ -174,7 +174,10 @@ func (manager *Manager) isKubeletServiceRunning() bool {
 			MinVersion:         certificates.TLSMinVersion,
 		},
 	}
-	httpClient := &http.Client{Transport: tr}
+	httpClient := &http.Client{
+		Transport: tr,
+		Timeout:   5 * time.Second,
+	}
 
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {

From 98c6a22441e22e16f9f60be39bceb3fbc1afbf22 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Mon, 27 Oct 2025 14:27:53 -0500
Subject: [PATCH 15/16] Updating pinentry scripts to be more robust.

Also it DID NOT like working with a powershell wrapper.
---
 foo.txt | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 foo.txt

diff --git a/foo.txt b/foo.txt
new file mode 100644
index 000000000..e69de29bb

From fe61c0e6d98a9079b990d5e6d8b7bdcdbb1e8814 Mon Sep 17 00:00:00 2001
From: "Mark E. Scott, Jr." <mark_scott_jr@dell.com>
Date: Mon, 27 Oct 2025 15:52:30 -0500
Subject: [PATCH 16/16] Implementing changes for code review feedback.

---
 .../selfnoderemediation_controller_test.go    | 35 -------------------
 controllers/tests/shared/shared.go            | 29 ++-------------
 pkg/controlplane/manager.go                   | 12 +++++--
 3 files changed, 13 insertions(+), 63 deletions(-)

diff --git a/controllers/tests/controller/selfnoderemediation_controller_test.go b/controllers/tests/controller/selfnoderemediation_controller_test.go
index 0023fa45a..1ec80ec88 100644
--- a/controllers/tests/controller/selfnoderemediation_controller_test.go
+++ b/controllers/tests/controller/selfnoderemediation_controller_test.go
@@ -961,41 +961,6 @@ func deleteSelfNodeRemediationPod(pod *v1.Pod, throwErrorIfNotFound bool) {
 	})
 }
 
-func deleteSelfNodeRemediationPodByName(podName string, throwErrorIfNotFound bool) (err error) {
-	pod := &v1.Pod{}
-	podKey := client.ObjectKey{
-		Namespace: shared.Namespace,
-		Name:      podName,
-	}
-
-	By(fmt.Sprintf("Attempting to get pod '%s' before deleting it", podName), func() {
-		if err := k8sClient.Client.Get(context.Background(), podKey, pod); err != nil {
-			if apierrors.IsNotFound(err) && !throwErrorIfNotFound {
-				logf.Log.Info("pod with name '%s' not found, we're not going to do anything", podName)
-				err = nil
-				return
-			}
-
-			err = fmt.Errorf("unable to get pod with name '%s' in order to delete it", err)
-			return
-		}
-	})
-
-	deleteSelfNodeRemediationPod(pod, throwErrorIfNotFound)
-
-	return
-}
-
-func deleteAllSelfNodeRemediationPods() {
-	pods := getSnrPods()
-
-	By("Deleting self-node-remediation pods")
-
-	for _, pod := range pods.Items {
-		deleteSelfNodeRemediationPod(&pod, false)
-	}
-}
-
 func createTerminatingPod() {
 	pod := &v1.Pod{}
 	pod.Spec.NodeName = shared.UnhealthyNodeName
diff --git a/controllers/tests/shared/shared.go b/controllers/tests/shared/shared.go
index 107398fdc..9bd221b40 100644
--- a/controllers/tests/shared/shared.go
+++ b/controllers/tests/shared/shared.go
@@ -44,8 +44,6 @@ const (
 	SnrPodName3      = "self-node-remediation-3"
 	DsDummyImageName = "dummy-image"
 
-	K8sClientReturnRandomPodIPAddressesByDefault = false
-
 	MinPeersForRemediationConfigDefaultValue = 1
 )
 
@@ -117,7 +115,8 @@ func GetRandomIpAddress() (randomIP string) {
 	bytes := make([]byte, net.IPv6len)
 	bytes[0] = 0xfd
 	if _, err := rand.Read(bytes[1:]); err != nil {
-		panic(err)
+		logf.Log.Error(err, "random IPv6 generation failed; using fallback")
+		return "fd00::1"
 	}
 	randomIP = net.IP(bytes).String()
 
@@ -156,9 +155,7 @@ func (ckw *ApiConnectivityCheckWrapper) nextSimulatedPeerResponse() selfNodeReme
 	}
 
 	code := ckw.simulatedPeerResponses[0]
-	if len(ckw.simulatedPeerResponses) > 1 {
-		ckw.simulatedPeerResponses = append([]selfNodeRemediation.HealthCheckResponseCode{}, ckw.simulatedPeerResponses[1:]...)
-	}
+	ckw.simulatedPeerResponses = append([]selfNodeRemediation.HealthCheckResponseCode{}, ckw.simulatedPeerResponses[1:]...)
 
 	return code
 }
@@ -320,26 +317,6 @@ func VerifySNRStatusExist(k8sClient client.Client, snr *selfnoderemediationv1alp
 type K8sErrorTestingFunc func(err error) bool
 
 // Matches one of the k8s error types that the user wants to ignore
-func IsIgnoredK8sError(k8sErrorsToIgnore []K8sErrorTestingFunc) types2.GomegaMatcher {
-	return gcustom.MakeMatcher(func(errorToTest error) (matches bool, err error) {
-		if errorToTest == nil {
-			matches = false
-			return
-		}
-
-		for _, testingFunc := range k8sErrorsToIgnore {
-			if testingFunc(errorToTest) {
-				matches = true
-				return
-			}
-		}
-
-		matches = false
-
-		return
-	})
-}
-
 func IsK8sNotFoundError() types2.GomegaMatcher {
 	return gcustom.MakeMatcher(func(errorToTest error) (matches bool, err error) {
 		if errorToTest == nil {
diff --git a/pkg/controlplane/manager.go b/pkg/controlplane/manager.go
index e2e8ba174..cc35f9ad3 100644
--- a/pkg/controlplane/manager.go
+++ b/pkg/controlplane/manager.go
@@ -190,6 +190,14 @@ func (manager *Manager) isKubeletServiceRunning() bool {
 		manager.log.Error(err, "kubelet service is down", "node name", manager.nodeName)
 		return false
 	}
-	defer resp.Body.Close()
-	return true
+	defer func() {
+		if cerr := resp.Body.Close(); cerr != nil {
+			manager.log.Error(cerr, "failed to close kubelet response body", "node name", manager.nodeName)
+		}
+	}()
+	if resp.StatusCode >= 200 && resp.StatusCode < 400 {
+		return true
+	}
+	manager.log.Info("kubelet responded with non-success status", "node name", manager.nodeName, "status", resp.StatusCode)
+	return false
 }