--- apiVersion: apps/v1 items: - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "1" creationTimestamp: "2026-04-19T15:30:52Z" generation: 1 labels: gateway.istio.io/managed: openshift.io-gateway-controller-v1 gateway.networking.k8s.io/gateway-name: data-science-gateway managedFields: - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: {} f:labels: f:gateway.istio.io/managed: {} f:gateway.networking.k8s.io/gateway-name: {} f:ownerReferences: k:{"uid":"d7f3b900-e16a-4b32-9d62-f1c00c09f257"}: {} f:spec: f:selector: {} f:template: f:metadata: f:annotations: f:istio.io/rev: {} f:prometheus.io/path: {} f:prometheus.io/port: {} f:prometheus.io/scrape: {} f:labels: f:gateway.istio.io/managed: {} f:gateway.networking.k8s.io/gateway-name: {} f:service.istio.io/canonical-name: {} f:service.istio.io/canonical-revision: {} f:sidecar.istio.io/inject: {} f:spec: f:containers: k:{"name":"istio-proxy"}: .: {} f:args: {} f:env: k:{"name":"CA_ADDR"}: .: {} f:name: {} f:value: {} k:{"name":"GOMAXPROCS"}: .: {} f:name: {} f:valueFrom: f:resourceFieldRef: {} k:{"name":"GOMEMLIMIT"}: .: {} f:name: {} f:valueFrom: f:resourceFieldRef: {} k:{"name":"HOST_IP"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"INSTANCE_IP"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"ISTIO_CPU_LIMIT"}: .: {} f:name: {} f:valueFrom: f:resourceFieldRef: {} k:{"name":"ISTIO_META_APP_CONTAINERS"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_CLUSTER_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_INTERCEPTION_MODE"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_MESH_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_NODE_NAME"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"ISTIO_META_OWNER"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_POD_PORTS"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_WORKLOAD_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_CERT_PROVIDER"}: .: {} f:name: {} f:value: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"PROXY_CONFIG"}: .: {} f:name: {} f:value: {} k:{"name":"SERVICE_ACCOUNT"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"TRUST_DOMAIN"}: .: {} f:name: {} f:value: {} f:image: {} f:name: {} f:ports: k:{"containerPort":15020,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15021,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15090,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: f:failureThreshold: {} f:httpGet: f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: f:limits: f:cpu: {} f:memory: {} f:requests: f:cpu: {} f:memory: {} f:securityContext: f:allowPrivilegeEscalation: {} f:capabilities: f:drop: {} f:privileged: {} f:readOnlyRootFilesystem: {} f:runAsGroup: {} f:runAsNonRoot: {} f:runAsUser: {} f:startupProbe: f:failureThreshold: {} f:httpGet: f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:volumeMounts: k:{"mountPath":"/etc/istio/pod"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/istio/proxy"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lib/istio/data"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/credential-uds"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/istio"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/tokens"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/workload-spiffe-credentials"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/workload-spiffe-uds"}: .: {} f:mountPath: {} f:name: {} f:securityContext: f:sysctls: {} f:serviceAccountName: {} f:volumes: k:{"name":"credential-socket"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"istio-data"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"istio-envoy"}: .: {} f:emptyDir: f:medium: {} f:name: {} k:{"name":"istio-podinfo"}: .: {} f:downwardAPI: f:items: {} f:name: {} k:{"name":"istio-token"}: .: {} f:name: {} f:projected: f:sources: {} k:{"name":"istiod-ca-cert"}: .: {} f:configMap: f:name: {} f:name: {} k:{"name":"workload-certs"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"workload-socket"}: .: {} f:emptyDir: {} f:name: {} manager: openshift.io/gateway-controller/v1 operation: Apply time: "2026-04-19T15:30:52Z" - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:deployment.kubernetes.io/revision: {} f:status: f:availableReplicas: {} f:conditions: .: {} k:{"type":"Available"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Progressing"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} f:observedGeneration: {} f:readyReplicas: {} f:replicas: {} f:updatedReplicas: {} manager: kube-controller-manager operation: Update subresource: status time: "2026-04-19T15:30:57Z" name: data-science-gateway-data-science-gateway-class namespace: openshift-ingress ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: data-science-gateway uid: d7f3b900-e16a-4b32-9d62-f1c00c09f257 resourceVersion: "15894" uid: 447dee71-d792-40e6-a636-5a7c991550a7 spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: gateway.networking.k8s.io/gateway-name: data-science-gateway strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: annotations: istio.io/rev: openshift-gateway prometheus.io/path: /stats/prometheus prometheus.io/port: "15020" prometheus.io/scrape: "true" creationTimestamp: null labels: gateway.istio.io/managed: istio.io-gateway-controller gateway.networking.k8s.io/gateway-name: data-science-gateway service.istio.io/canonical-name: data-science-gateway-data-science-gateway-class service.istio.io/canonical-revision: latest sidecar.istio.io/inject: "false" spec: containers: - args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --proxyLogLevel - warning - --proxyComponentLogLevel - misc:error - --log_output_level - default:info env: - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR value: istiod-openshift-gateway.openshift-ingress.svc:15012 - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: divisor: "0" resource: limits.cpu - name: PROXY_CONFIG value: | {"discoveryAddress":"istiod-openshift-gateway.openshift-ingress.svc:15012","proxyHeaders":{"server":{"disabled":true},"envoyDebugHeaders":{"disabled":true},"metadataExchangeHeaders":{"mode":"IN_MESH"}}} - name: ISTIO_META_POD_PORTS value: '[]' - name: ISTIO_META_APP_CONTAINERS - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "0" resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: divisor: "0" resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: Kubernetes - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: data-science-gateway-data-science-gateway-class - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/openshift-ingress/deployments/data-science-gateway-data-science-gateway-class - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN value: cluster.local image: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe imagePullPolicy: IfNotPresent name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: "2" memory: 1Gi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 1000319999 runAsNonRoot: true runAsUser: 1000319999 startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/credential-uds name: credential-socket - mountPath: /var/run/secrets/workload-spiffe-credentials name: workload-certs - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" serviceAccount: data-science-gateway-data-science-gateway-class serviceAccountName: data-science-gateway-data-science-gateway-class terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket - emptyDir: {} name: workload-certs - emptyDir: medium: Memory name: istio-envoy - emptyDir: {} name: istio-data - downwardAPI: defaultMode: 420 items: - fieldRef: apiVersion: v1 fieldPath: metadata.labels path: labels - fieldRef: apiVersion: v1 fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - configMap: defaultMode: 420 name: istio-ca-root-cert name: istiod-ca-cert status: availableReplicas: 1 conditions: - lastTransitionTime: "2026-04-19T15:30:57Z" lastUpdateTime: "2026-04-19T15:30:57Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available - lastTransitionTime: "2026-04-19T15:30:52Z" lastUpdateTime: "2026-04-19T15:30:57Z" message: ReplicaSet "data-science-gateway-data-science-gateway-class-5cb8b776cf" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 1 readyReplicas: 1 replicas: 1 updatedReplicas: 1 - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "1" meta.helm.sh/release-name: openshift-gateway-istiod meta.helm.sh/release-namespace: openshift-ingress creationTimestamp: "2026-04-19T15:30:48Z" generation: 1 labels: app: istiod app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.26.2 helm.sh/chart: istiod-1.26.2 istio: pilot istio.io/rev: openshift-gateway managed-by: sail-operator operator.istio.io/component: Pilot release: openshift-gateway-istiod managedFields: - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:meta.helm.sh/release-name: {} f:meta.helm.sh/release-namespace: {} f:labels: .: {} f:app: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio: {} f:istio.io/rev: {} f:managed-by: {} f:operator.istio.io/component: {} f:release: {} f:ownerReferences: .: {} k:{"uid":"f81942f3-4aca-40fc-8309-298ef5033f2c"}: {} f:spec: f:progressDeadlineSeconds: {} f:replicas: {} f:revisionHistoryLimit: {} f:selector: {} f:strategy: f:rollingUpdate: .: {} f:maxSurge: {} f:maxUnavailable: {} f:type: {} f:template: f:metadata: f:annotations: .: {} f:prometheus.io/port: {} f:prometheus.io/scrape: {} f:sidecar.istio.io/inject: {} f:target.workload.openshift.io/management: {} f:labels: .: {} f:app: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio: {} f:istio.io/dataplane-mode: {} f:istio.io/rev: {} f:operator.istio.io/component: {} f:sidecar.istio.io/inject: {} f:spec: f:containers: k:{"name":"discovery"}: .: {} f:args: {} f:env: .: {} k:{"name":"CA_TRUSTED_NODE_ACCOUNTS"}: .: {} f:name: {} f:value: {} k:{"name":"CLUSTER_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ENABLE_GATEWAY_API_INFERENCE_EXTENSION"}: .: {} f:name: {} f:value: {} k:{"name":"ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT"}: .: {} f:name: {} f:value: {} k:{"name":"GOMAXPROCS"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"GOMEMLIMIT"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"KUBECONFIG"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_CERT_PROVIDER"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_ALPHA_GATEWAY_API"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_ANALYSIS"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_STATUS"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_GATEWAY_API_CONTROLLER_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_TRACE_SAMPLING"}: .: {} f:name: {} f:value: {} k:{"name":"PLATFORM"}: .: {} f:name: {} f:value: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"REVISION"}: .: {} f:name: {} f:value: {} k:{"name":"SERVICE_ACCOUNT"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":8080,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15010,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15012,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15014,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15017,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:capabilities: .: {} f:drop: {} f:readOnlyRootFilesystem: {} f:runAsNonRoot: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/cacerts"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/secrets/istio-dns"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/istiod/ca"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/secrets/istiod/tls"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/secrets/remote"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/secrets/tokens"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"cacerts"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:optional: {} f:secretName: {} k:{"name":"istio-csr-ca-configmap"}: .: {} f:configMap: .: {} f:defaultMode: {} f:name: {} f:optional: {} f:name: {} k:{"name":"istio-csr-dns-cert"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:optional: {} f:secretName: {} k:{"name":"istio-kubeconfig"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:optional: {} f:secretName: {} k:{"name":"istio-token"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"local-certs"}: .: {} f:emptyDir: .: {} f:medium: {} f:name: {} manager: sail-operator operation: Update time: "2026-04-19T15:30:48Z" - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:deployment.kubernetes.io/revision: {} f:status: f:availableReplicas: {} f:conditions: .: {} k:{"type":"Available"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Progressing"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} f:observedGeneration: {} f:readyReplicas: {} f:replicas: {} f:updatedReplicas: {} manager: kube-controller-manager operation: Update subresource: status time: "2026-04-19T15:30:54Z" name: istiod-openshift-gateway namespace: openshift-ingress ownerReferences: - apiVersion: sailoperator.io/v1 blockOwnerDeletion: true controller: true kind: IstioRevision name: openshift-gateway uid: f81942f3-4aca-40fc-8309-298ef5033f2c resourceVersion: "15792" uid: 83683b6d-a548-42d6-979c-327edb4dfbd2 spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app: istiod istio.io/rev: openshift-gateway strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% type: RollingUpdate template: metadata: annotations: prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: null labels: app: istiod app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.26.2 helm.sh/chart: istiod-1.26.2 istio: istiod istio.io/dataplane-mode: none istio.io/rev: openshift-gateway operator.istio.io/component: Pilot sidecar.istio.io/inject: "false" spec: containers: - args: - discovery - --monitoringAddr=:15014 - --log_output_level=default:info - --domain - cluster.local - --keepaliveMaxServerConnectionAge - 30m env: - name: REVISION value: openshift-gateway - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName - name: KUBECONFIG value: /var/run/secrets/remote/config - name: CA_TRUSTED_NODE_ACCOUNTS value: kube-system/ztunnel - name: ENABLE_GATEWAY_API_INFERENCE_EXTENSION value: "true" - name: ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT value: "false" - name: PILOT_ENABLE_ALPHA_GATEWAY_API value: "false" - name: PILOT_ENABLE_GATEWAY_API value: "true" - name: PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY value: "true" - name: PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS value: "false" - name: PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER value: "true" - name: PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER value: "false" - name: PILOT_ENABLE_GATEWAY_API_STATUS value: "true" - name: PILOT_GATEWAY_API_CONTROLLER_NAME value: openshift.io/gateway-controller/v1 - name: PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME value: openshift-default - name: PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API value: "false" - name: PILOT_TRACE_SAMPLING value: "1" - name: PILOT_ENABLE_ANALYSIS value: "false" - name: CLUSTER_ID value: Kubernetes - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "1" resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: divisor: "1" resource: limits.cpu - name: PLATFORM value: openshift image: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8 imagePullPolicy: IfNotPresent name: discovery ports: - containerPort: 8080 name: http-debug protocol: TCP - containerPort: 15010 name: grpc-xds protocol: TCP - containerPort: 15012 name: tls-xds protocol: TCP - containerPort: 15017 name: https-webhooks protocol: TCP - containerPort: 15014 name: http-monitoring protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /ready port: 8080 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 3 successThreshold: 1 timeoutSeconds: 5 resources: requests: cpu: 500m memory: 2Gi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true - mountPath: /var/run/secrets/istio-dns name: local-certs - mountPath: /etc/cacerts name: cacerts readOnly: true - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true - mountPath: /var/run/secrets/istiod/tls name: istio-csr-dns-cert readOnly: true - mountPath: /var/run/secrets/istiod/ca name: istio-csr-ca-configmap readOnly: true dnsPolicy: ClusterFirst priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: istiod-openshift-gateway serviceAccountName: istiod-openshift-gateway terminationGracePeriodSeconds: 30 tolerations: - key: cni.istio.io/not-ready operator: Exists volumes: - emptyDir: medium: Memory name: local-certs - name: istio-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: cacerts secret: defaultMode: 420 optional: true secretName: cacerts - name: istio-kubeconfig secret: defaultMode: 420 optional: true secretName: istio-kubeconfig - name: istio-csr-dns-cert secret: defaultMode: 420 optional: true secretName: istiod-tls - configMap: defaultMode: 420 name: istio-ca-root-cert optional: true name: istio-csr-ca-configmap status: availableReplicas: 1 conditions: - lastTransitionTime: "2026-04-19T15:30:54Z" lastUpdateTime: "2026-04-19T15:30:54Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available - lastTransitionTime: "2026-04-19T15:30:48Z" lastUpdateTime: "2026-04-19T15:30:54Z" message: ReplicaSet "istiod-openshift-gateway-55ff986f96" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 1 readyReplicas: 1 replicas: 1 updatedReplicas: 1 - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "1" platform.opendatahub.io/instance.generation: "2" platform.opendatahub.io/instance.name: default-gateway platform.opendatahub.io/instance.uid: 2943d7a6-01c3-4986-9a60-c8f9340500a0 platform.opendatahub.io/type: Open Data Hub platform.opendatahub.io/version: 3.4.0-ea.1 creationTimestamp: "2026-04-19T15:30:18Z" generation: 2 labels: app: kube-auth-proxy app.kubernetes.io/component: authentication platform.opendatahub.io/part-of: gatewayconfig managedFields: - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:platform.opendatahub.io/instance.generation: {} f:platform.opendatahub.io/instance.name: {} f:platform.opendatahub.io/instance.uid: {} f:platform.opendatahub.io/type: {} f:platform.opendatahub.io/version: {} f:labels: f:app: {} f:app.kubernetes.io/component: {} f:platform.opendatahub.io/part-of: {} f:ownerReferences: k:{"uid":"2943d7a6-01c3-4986-9a60-c8f9340500a0"}: {} f:spec: f:replicas: {} f:selector: {} f:template: f:metadata: f:annotations: f:opendatahub.io/secret-hash: {} f:labels: f:app: {} f:app.kubernetes.io/component: {} f:spec: f:containers: k:{"name":"kube-auth-proxy"}: .: {} f:args: {} f:env: k:{"name":"OAUTH2_PROXY_CLIENT_ID"}: .: {} f:name: {} f:valueFrom: f:secretKeyRef: {} k:{"name":"OAUTH2_PROXY_CLIENT_SECRET"}: .: {} f:name: {} f:valueFrom: f:secretKeyRef: {} k:{"name":"OAUTH2_PROXY_COOKIE_SECRET"}: .: {} f:name: {} f:valueFrom: f:secretKeyRef: {} k:{"name":"PROXY_MODE"}: .: {} f:name: {} f:value: {} f:image: {} f:name: {} f:ports: k:{"containerPort":4180,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} k:{"containerPort":8443,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} k:{"containerPort":9000,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:resources: f:limits: f:memory: {} f:requests: f:cpu: {} f:memory: {} f:securityContext: f:allowPrivilegeEscalation: {} f:capabilities: f:drop: {} f:readOnlyRootFilesystem: {} f:volumeMounts: k:{"mountPath":"/etc/tls/private"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/tmp"}: .: {} f:mountPath: {} f:name: {} f:securityContext: f:runAsNonRoot: {} f:seccompProfile: f:type: {} f:serviceAccountName: {} f:volumes: k:{"name":"tls-certs"}: .: {} f:name: {} f:secret: f:secretName: {} k:{"name":"tmp"}: .: {} f:emptyDir: f:medium: {} f:sizeLimit: {} f:name: {} manager: gatewayconfig operation: Apply time: "2026-04-19T15:30:53Z" - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:deployment.kubernetes.io/revision: {} f:status: f:availableReplicas: {} f:conditions: .: {} k:{"type":"Available"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Progressing"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} f:observedGeneration: {} f:readyReplicas: {} f:replicas: {} f:updatedReplicas: {} manager: kube-controller-manager operation: Update subresource: status time: "2026-04-19T15:30:53Z" name: kube-auth-proxy namespace: openshift-ingress ownerReferences: - apiVersion: services.platform.opendatahub.io/v1alpha1 blockOwnerDeletion: true controller: true kind: GatewayConfig name: default-gateway uid: 2943d7a6-01c3-4986-9a60-c8f9340500a0 resourceVersion: "15760" uid: 486bfeb3-a4eb-4055-a1e0-a9b69f73e0df spec: progressDeadlineSeconds: 600 replicas: 2 revisionHistoryLimit: 10 selector: matchLabels: app: kube-auth-proxy strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: annotations: opendatahub.io/secret-hash: cfe14b7723191a1e5c527946ea7a4ec978a8398fa4a655cc21a3406eca86fdfc creationTimestamp: null labels: app: kube-auth-proxy app.kubernetes.io/component: authentication spec: containers: - args: - --http-address=0.0.0.0:4180 - --https-address=0.0.0.0:8443 - --metrics-address=0.0.0.0:9000 - --email-domain=* - --upstream=static://200 - --skip-provider-button - --skip-jwt-bearer-tokens=true - --pass-access-token=true - --set-xauthrequest=true - --enable-k8s-token-validation=true - --redirect-url=https://rh-ai.apps.c4065df6-b89e-484a-a39a-0a5154e176de.prod.konfluxeaas.com/oauth2/callback - --tls-cert-file=/etc/tls/private/tls.crt - --tls-key-file=/etc/tls/private/tls.key - --use-system-trust-store=true - --cookie-expire=24h0m0s - --cookie-refresh=1h0m0s - --cookie-secure=true - --cookie-httponly=true - --cookie-samesite=lax - --cookie-name=_oauth2_proxy - --cookie-domain=rh-ai.apps.c4065df6-b89e-484a-a39a-0a5154e176de.prod.konfluxeaas.com - --provider=openshift - --ssl-insecure-skip-verify=false - --scope=user:full env: - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: key: OAUTH2_PROXY_CLIENT_ID name: kube-auth-proxy-creds - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: key: OAUTH2_PROXY_CLIENT_SECRET name: kube-auth-proxy-creds - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: key: OAUTH2_PROXY_COOKIE_SECRET name: kube-auth-proxy-creds - name: PROXY_MODE value: auth image: quay.io/opendatahub/odh-kube-auth-proxy:v3.4-ea.1 imagePullPolicy: IfNotPresent name: kube-auth-proxy ports: - containerPort: 4180 name: http protocol: TCP - containerPort: 8443 name: https protocol: TCP - containerPort: 9000 name: metrics protocol: TCP resources: limits: memory: 128Mi requests: cpu: 500m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/tls/private name: tls-certs readOnly: true - mountPath: /tmp name: tmp dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault serviceAccount: kube-auth-proxy serviceAccountName: kube-auth-proxy terminationGracePeriodSeconds: 30 volumes: - name: tls-certs secret: defaultMode: 420 secretName: kube-auth-proxy-tls - emptyDir: medium: Memory sizeLimit: 10Mi name: tmp status: availableReplicas: 2 conditions: - lastTransitionTime: "2026-04-19T15:30:23Z" lastUpdateTime: "2026-04-19T15:30:23Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available - lastTransitionTime: "2026-04-19T15:30:18Z" lastUpdateTime: "2026-04-19T15:30:23Z" message: ReplicaSet "kube-auth-proxy-745fb64bc5" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 2 readyReplicas: 2 replicas: 2 updatedReplicas: 2 - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "1" creationTimestamp: "2026-04-19T15:32:52Z" generation: 1 labels: gateway.istio.io/managed: openshift.io-gateway-controller-v1 gateway.networking.k8s.io/gateway-name: maas-default-gateway managedFields: - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: {} f:labels: f:gateway.istio.io/managed: {} f:gateway.networking.k8s.io/gateway-name: {} f:ownerReferences: k:{"uid":"d4417948-adfc-4ef9-ba85-676ad86af103"}: {} f:spec: f:selector: {} f:template: f:metadata: f:annotations: f:istio.io/rev: {} f:prometheus.io/path: {} f:prometheus.io/port: {} f:prometheus.io/scrape: {} f:labels: f:gateway.istio.io/managed: {} f:gateway.networking.k8s.io/gateway-name: {} f:service.istio.io/canonical-name: {} f:service.istio.io/canonical-revision: {} f:sidecar.istio.io/inject: {} f:spec: f:containers: k:{"name":"istio-proxy"}: .: {} f:args: {} f:env: k:{"name":"CA_ADDR"}: .: {} f:name: {} f:value: {} k:{"name":"GOMAXPROCS"}: .: {} f:name: {} f:valueFrom: f:resourceFieldRef: {} k:{"name":"GOMEMLIMIT"}: .: {} f:name: {} f:valueFrom: f:resourceFieldRef: {} k:{"name":"HOST_IP"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"INSTANCE_IP"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"ISTIO_CPU_LIMIT"}: .: {} f:name: {} f:valueFrom: f:resourceFieldRef: {} k:{"name":"ISTIO_META_APP_CONTAINERS"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_CLUSTER_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_INTERCEPTION_MODE"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_MESH_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_NODE_NAME"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"ISTIO_META_OWNER"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_POD_PORTS"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_WORKLOAD_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_CERT_PROVIDER"}: .: {} f:name: {} f:value: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"PROXY_CONFIG"}: .: {} f:name: {} f:value: {} k:{"name":"SERVICE_ACCOUNT"}: .: {} f:name: {} f:valueFrom: f:fieldRef: {} k:{"name":"TRUST_DOMAIN"}: .: {} f:name: {} f:value: {} f:image: {} f:name: {} f:ports: k:{"containerPort":15020,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15021,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15090,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: f:failureThreshold: {} f:httpGet: f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: f:limits: f:cpu: {} f:memory: {} f:requests: f:cpu: {} f:memory: {} f:securityContext: f:allowPrivilegeEscalation: {} f:capabilities: f:drop: {} f:privileged: {} f:readOnlyRootFilesystem: {} f:runAsGroup: {} f:runAsNonRoot: {} f:runAsUser: {} f:startupProbe: f:failureThreshold: {} f:httpGet: f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:volumeMounts: k:{"mountPath":"/etc/istio/pod"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/istio/proxy"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lib/istio/data"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/credential-uds"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/istio"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/tokens"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/workload-spiffe-credentials"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/workload-spiffe-uds"}: .: {} f:mountPath: {} f:name: {} f:securityContext: f:sysctls: {} f:serviceAccountName: {} f:volumes: k:{"name":"credential-socket"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"istio-data"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"istio-envoy"}: .: {} f:emptyDir: f:medium: {} f:name: {} k:{"name":"istio-podinfo"}: .: {} f:downwardAPI: f:items: {} f:name: {} k:{"name":"istio-token"}: .: {} f:name: {} f:projected: f:sources: {} k:{"name":"istiod-ca-cert"}: .: {} f:configMap: f:name: {} f:name: {} k:{"name":"workload-certs"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"workload-socket"}: .: {} f:emptyDir: {} f:name: {} manager: openshift.io/gateway-controller/v1 operation: Apply time: "2026-04-19T15:32:52Z" - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:deployment.kubernetes.io/revision: {} f:status: f:availableReplicas: {} f:conditions: .: {} k:{"type":"Available"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Progressing"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} f:observedGeneration: {} f:readyReplicas: {} f:replicas: {} f:updatedReplicas: {} manager: kube-controller-manager operation: Update subresource: status time: "2026-04-19T15:32:55Z" name: maas-default-gateway-openshift-default namespace: openshift-ingress ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway name: maas-default-gateway uid: d4417948-adfc-4ef9-ba85-676ad86af103 resourceVersion: "21160" uid: e0ca29f0-407d-46d2-9943-8ac088dac1ce spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: gateway.networking.k8s.io/gateway-name: maas-default-gateway strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: annotations: istio.io/rev: openshift-gateway prometheus.io/path: /stats/prometheus prometheus.io/port: "15020" prometheus.io/scrape: "true" creationTimestamp: null labels: gateway.istio.io/managed: istio.io-gateway-controller gateway.networking.k8s.io/gateway-name: maas-default-gateway service.istio.io/canonical-name: maas-default-gateway-openshift-default service.istio.io/canonical-revision: latest sidecar.istio.io/inject: "false" spec: containers: - args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --proxyLogLevel - warning - --proxyComponentLogLevel - misc:error - --log_output_level - default:info env: - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR value: istiod-openshift-gateway.openshift-ingress.svc:15012 - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: divisor: "0" resource: limits.cpu - name: PROXY_CONFIG value: | {"discoveryAddress":"istiod-openshift-gateway.openshift-ingress.svc:15012","proxyHeaders":{"server":{"disabled":true},"envoyDebugHeaders":{"disabled":true},"metadataExchangeHeaders":{"mode":"IN_MESH"}}} - name: ISTIO_META_POD_PORTS value: '[]' - name: ISTIO_META_APP_CONTAINERS - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "0" resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: divisor: "0" resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: Kubernetes - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: maas-default-gateway-openshift-default - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/openshift-ingress/deployments/maas-default-gateway-openshift-default - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN value: cluster.local image: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe imagePullPolicy: IfNotPresent name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: "2" memory: 1Gi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 1000319999 runAsNonRoot: true runAsUser: 1000319999 startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/credential-uds name: credential-socket - mountPath: /var/run/secrets/workload-spiffe-credentials name: workload-certs - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" serviceAccount: maas-default-gateway-openshift-default serviceAccountName: maas-default-gateway-openshift-default terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket - emptyDir: {} name: workload-certs - emptyDir: medium: Memory name: istio-envoy - emptyDir: {} name: istio-data - downwardAPI: defaultMode: 420 items: - fieldRef: apiVersion: v1 fieldPath: metadata.labels path: labels - fieldRef: apiVersion: v1 fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - configMap: defaultMode: 420 name: istio-ca-root-cert name: istiod-ca-cert status: availableReplicas: 1 conditions: - lastTransitionTime: "2026-04-19T15:32:55Z" lastUpdateTime: "2026-04-19T15:32:55Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available - lastTransitionTime: "2026-04-19T15:32:52Z" lastUpdateTime: "2026-04-19T15:32:55Z" message: ReplicaSet "maas-default-gateway-openshift-default-58b6f876" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 1 readyReplicas: 1 replicas: 1 updatedReplicas: 1 - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "1" creationTimestamp: "2026-04-19T15:20:03Z" generation: 1 labels: ingresscontroller.operator.openshift.io/owning-ingresscontroller: default managedFields: - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:ingresscontroller.operator.openshift.io/owning-ingresscontroller: {} f:spec: f:minReadySeconds: {} f:progressDeadlineSeconds: {} f:replicas: {} f:revisionHistoryLimit: {} f:selector: {} f:strategy: f:rollingUpdate: .: {} f:maxSurge: {} f:maxUnavailable: {} f:type: {} f:template: f:metadata: f:annotations: .: {} f:openshift.io/required-scc: {} f:target.workload.openshift.io/management: {} f:labels: .: {} f:ingresscontroller.operator.openshift.io/deployment-ingresscontroller: {} f:ingresscontroller.operator.openshift.io/hash: {} f:spec: f:affinity: .: {} f:nodeAffinity: .: {} f:requiredDuringSchedulingIgnoredDuringExecution: {} f:containers: k:{"name":"router"}: .: {} f:env: .: {} k:{"name":"DEFAULT_CERTIFICATE_DIR"}: .: {} f:name: {} f:value: {} k:{"name":"DEFAULT_DESTINATION_CA_PATH"}: .: {} f:name: {} f:value: {} k:{"name":"RELOAD_INTERVAL"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_ALLOW_WILDCARD_ROUTES"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_CANONICAL_HOSTNAME"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_CIPHERS"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_CIPHERSUITES"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_DISABLE_HTTP2"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_DOMAIN"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_ENABLE_EXTERNAL_CERTIFICATE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_LOAD_BALANCE_ALGORITHM"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_METRICS_TLS_CERT_FILE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_METRICS_TLS_KEY_FILE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_METRICS_TYPE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_SERVICE_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_SERVICE_NAMESPACE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_SET_FORWARDED_HEADERS"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_TCP_BALANCE_SCHEME"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_THREADS"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_USE_PROXY_PROTOCOL"}: .: {} f:name: {} f:value: {} k:{"name":"SSL_MIN_VERSION"}: .: {} f:name: {} f:value: {} k:{"name":"STATS_PASSWORD_FILE"}: .: {} f:name: {} f:value: {} k:{"name":"STATS_PORT"}: .: {} f:name: {} f:value: {} k:{"name":"STATS_USERNAME_FILE"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:terminationGracePeriodSeconds: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":80,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":443,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":1936,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:readOnlyRootFilesystem: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/pki/tls/metrics-certs"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/etc/pki/tls/private"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/lib/haproxy/conf/metrics-auth"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/configmaps/service-ca"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:nodeSelector: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:topologySpreadConstraints: .: {} k:{"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"}: .: {} f:labelSelector: {} f:maxSkew: {} f:topologyKey: {} f:whenUnsatisfiable: {} f:volumes: .: {} k:{"name":"default-certificate"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} k:{"name":"metrics-certs"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} k:{"name":"service-ca-bundle"}: .: {} f:configMap: .: {} f:defaultMode: {} f:items: {} f:name: {} f:optional: {} f:name: {} k:{"name":"stats-auth"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} manager: ingress-operator operation: Update time: "2026-04-19T15:20:03Z" - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:deployment.kubernetes.io/revision: {} f:status: f:availableReplicas: {} f:conditions: .: {} k:{"type":"Available"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Progressing"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} f:observedGeneration: {} f:readyReplicas: {} f:replicas: {} f:updatedReplicas: {} manager: kube-controller-manager operation: Update subresource: status time: "2026-04-19T15:26:56Z" name: router-default namespace: openshift-ingress resourceVersion: "9763" uid: 04333fa5-b88b-426d-b586-b1f73c581207 spec: minReadySeconds: 30 progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: annotations: openshift.io/required-scc: restricted target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: null labels: ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default ingresscontroller.operator.openshift.io/hash: 86f5656c4c spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node.openshift.io/remote-worker operator: NotIn values: - "" containers: - env: - name: DEFAULT_CERTIFICATE_DIR value: /etc/pki/tls/private - name: DEFAULT_DESTINATION_CA_PATH value: /var/run/configmaps/service-ca/service-ca.crt - name: RELOAD_INTERVAL value: 5s - name: ROUTER_ALLOW_WILDCARD_ROUTES value: "false" - name: ROUTER_CANONICAL_HOSTNAME value: router-default.apps.c4065df6-b89e-484a-a39a-0a5154e176de.prod.konfluxeaas.com - name: ROUTER_CIPHERS value: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - name: ROUTER_CIPHERSUITES value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 - name: ROUTER_DISABLE_HTTP2 value: "true" - name: ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK value: "false" - name: ROUTER_DOMAIN value: apps.c4065df6-b89e-484a-a39a-0a5154e176de.prod.konfluxeaas.com - name: ROUTER_ENABLE_EXTERNAL_CERTIFICATE value: "true" - name: ROUTER_LOAD_BALANCE_ALGORITHM value: random - name: ROUTER_METRICS_TLS_CERT_FILE value: /etc/pki/tls/metrics-certs/tls.crt - name: ROUTER_METRICS_TLS_KEY_FILE value: /etc/pki/tls/metrics-certs/tls.key - name: ROUTER_METRICS_TYPE value: haproxy - name: ROUTER_SERVICE_NAME value: default - name: ROUTER_SERVICE_NAMESPACE value: openshift-ingress - name: ROUTER_SET_FORWARDED_HEADERS value: append - name: ROUTER_TCP_BALANCE_SCHEME value: source - name: ROUTER_THREADS value: "4" - name: ROUTER_USE_PROXY_PROTOCOL value: "true" - name: SSL_MIN_VERSION value: TLSv1.2 - name: STATS_PASSWORD_FILE value: /var/lib/haproxy/conf/metrics-auth/statsPassword - name: STATS_PORT value: "1936" - name: STATS_USERNAME_FILE value: /var/lib/haproxy/conf/metrics-auth/statsUsername image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:294af5c64228434d1ed6ee8ea3ac802e3c999aa847223e3b2efa18425a9fe421 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: 1936 scheme: HTTP periodSeconds: 10 successThreshold: 1 terminationGracePeriodSeconds: 10 timeoutSeconds: 1 name: router ports: - containerPort: 80 name: http protocol: TCP - containerPort: 443 name: https protocol: TCP - containerPort: 1936 name: metrics protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /healthz/ready port: 1936 scheme: HTTP periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 100m memory: 256Mi securityContext: allowPrivilegeEscalation: true readOnlyRootFilesystem: false startupProbe: failureThreshold: 120 httpGet: path: /healthz/ready port: 1936 scheme: HTTP periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/pki/tls/private name: default-certificate readOnly: true - mountPath: /var/run/configmaps/service-ca name: service-ca-bundle readOnly: true - mountPath: /var/lib/haproxy/conf/metrics-auth name: stats-auth readOnly: true - mountPath: /etc/pki/tls/metrics-certs name: metrics-certs readOnly: true dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/worker: "" priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: router serviceAccountName: router terminationGracePeriodSeconds: 3600 tolerations: - effect: NoExecute key: kubernetes.io/e2e-evict-taint-key operator: Equal value: evictTaintVal topologySpreadConstraints: - labelSelector: matchExpressions: - key: ingresscontroller.operator.openshift.io/hash operator: In values: - 86f5656c4c maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - name: default-certificate secret: defaultMode: 420 secretName: default-ingress-cert - configMap: defaultMode: 420 items: - key: service-ca.crt path: service-ca.crt name: service-ca-bundle optional: false name: service-ca-bundle - name: stats-auth secret: defaultMode: 420 secretName: router-stats-default - name: metrics-certs secret: defaultMode: 420 secretName: router-metrics-certs-default status: availableReplicas: 1 conditions: - lastTransitionTime: "2026-04-19T15:26:56Z" lastUpdateTime: "2026-04-19T15:26:56Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available - lastTransitionTime: "2026-04-19T15:20:03Z" lastUpdateTime: "2026-04-19T15:26:56Z" message: ReplicaSet "router-default-d7c7c5446" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 1 readyReplicas: 1 replicas: 1 updatedReplicas: 1 kind: DeploymentList metadata: resourceVersion: "46482"