--- apiVersion: v1 items: - apiVersion: v1 kind: Pod metadata: annotations: istio.io/rev: openshift-gateway k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.133.0.24/23"],"mac_address":"0a:58:0a:85:00:18","gateway_ips":["10.133.0.1"],"routes":[{"dest":"10.132.0.0/14","nextHop":"10.133.0.1"},{"dest":"172.31.0.0/16","nextHop":"10.133.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.133.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.133.0.1"}],"ip_address":"10.133.0.24/23","gateway_ip":"10.133.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.133.0.24" ], "mac": "0a:58:0a:85:00:18", "default": true, "dns": {} }] openshift.io/scc: restricted-v2 prometheus.io/path: /stats/prometheus prometheus.io/port: "15020" prometheus.io/scrape: "true" seccomp.security.alpha.kubernetes.io/pod: runtime/default security.openshift.io/validated-scc-subject-type: user creationTimestamp: "2026-06-05T18:31:07Z" generateName: data-science-gateway-data-science-gateway-class-5b556588bc- generation: 1 labels: gateway.istio.io/managed: istio.io-gateway-controller gateway.networking.k8s.io/gateway-name: data-science-gateway pod-template-hash: 5b556588bc service.istio.io/canonical-name: data-science-gateway-data-science-gateway-class service.istio.io/canonical-revision: latest sidecar.istio.io/inject: "false" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.ovn.org/pod-networks: {} manager: ip-10-0-139-164 operation: Update subresource: status time: "2026-06-05T18:31:07Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:istio.io/rev: {} f:prometheus.io/path: {} f:prometheus.io/port: {} f:prometheus.io/scrape: {} f:generateName: {} f:labels: .: {} f:gateway.istio.io/managed: {} f:gateway.networking.k8s.io/gateway-name: {} f:pod-template-hash: {} f:service.istio.io/canonical-name: {} f:service.istio.io/canonical-revision: {} f:sidecar.istio.io/inject: {} f:ownerReferences: .: {} k:{"uid":"a1db4c89-4183-4eed-b293-71109ee72d73"}: {} f:spec: f:containers: k:{"name":"istio-proxy"}: .: {} f:args: {} f:env: .: {} k:{"name":"CA_ADDR"}: .: {} f:name: {} f:value: {} k:{"name":"GOMAXPROCS"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"GOMEMLIMIT"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"HOST_IP"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"INSTANCE_IP"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"ISTIO_CPU_LIMIT"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"ISTIO_META_APP_CONTAINERS"}: .: {} f:name: {} k:{"name":"ISTIO_META_CLUSTER_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_INTERCEPTION_MODE"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_MESH_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"ISTIO_META_OWNER"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_POD_PORTS"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_WORKLOAD_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_CERT_PROVIDER"}: .: {} f:name: {} f:value: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"PROXY_CONFIG"}: .: {} f:name: {} f:value: {} k:{"name":"SERVICE_ACCOUNT"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"TRUST_DOMAIN"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":15020,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15021,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15090,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:capabilities: .: {} f:drop: {} f:privileged: {} f:readOnlyRootFilesystem: {} f:runAsGroup: {} f:runAsNonRoot: {} f:runAsUser: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/istio/pod"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/istio/proxy"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lib/istio/data"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/credential-uds"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/istio"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/tokens"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/workload-spiffe-credentials"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/workload-spiffe-uds"}: .: {} f:mountPath: {} f:name: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:sysctls: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:volumes: .: {} k:{"name":"credential-socket"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"istio-data"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"istio-envoy"}: .: {} f:emptyDir: .: {} f:medium: {} f:name: {} k:{"name":"istio-podinfo"}: .: {} f:downwardAPI: .: {} f:defaultMode: {} f:items: {} f:name: {} k:{"name":"istio-token"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"istiod-ca-cert"}: .: {} f:configMap: .: {} f:defaultMode: {} f:name: {} f:name: {} k:{"name":"workload-certs"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"workload-socket"}: .: {} f:emptyDir: {} f:name: {} manager: kube-controller-manager operation: Update time: "2026-06-05T18:31:07Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-06-05T18:31:07Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: f:observedGeneration: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:observedGeneration: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.133.0.24"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-06-05T18:31:13Z" name: data-science-gateway-data-science-gateway-class-5b556588bcqhrhs namespace: openshift-ingress ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: data-science-gateway-data-science-gateway-class-5b556588bc uid: a1db4c89-4183-4eed-b293-71109ee72d73 resourceVersion: "17927" uid: 8b261781-4aa7-4881-a271-6b5d19cc4e0f spec: containers: - args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --proxyLogLevel - warning - --proxyComponentLogLevel - misc:error - --log_output_level - default:info env: - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR value: istiod-openshift-gateway.openshift-ingress.svc:15012 - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: divisor: "0" resource: limits.cpu - name: PROXY_CONFIG value: | {"discoveryAddress":"istiod-openshift-gateway.openshift-ingress.svc:15012","proxyHeaders":{"server":{"disabled":true},"envoyDebugHeaders":{"disabled":true},"metadataExchangeHeaders":{"mode":"IN_MESH"}}} - name: ISTIO_META_POD_PORTS value: '[]' - name: ISTIO_META_APP_CONTAINERS - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "0" resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: divisor: "0" resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: Kubernetes - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: data-science-gateway-data-science-gateway-class - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/openshift-ingress/deployments/data-science-gateway-data-science-gateway-class - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN value: cluster.local image: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371 imagePullPolicy: IfNotPresent name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: "2" memory: 1Gi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 1000329999 runAsNonRoot: true runAsUser: 1000329999 startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/credential-uds name: credential-socket - mountPath: /var/run/secrets/workload-spiffe-credentials name: workload-certs - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-lzdsn readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: data-science-gateway-data-science-gateway-class-dockercfg-fxb9v nodeName: ip-10-0-139-164.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000320000 seLinuxOptions: level: s0:c18,c7 seccompProfile: type: RuntimeDefault sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" serviceAccount: data-science-gateway-data-science-gateway-class serviceAccountName: data-science-gateway-data-science-gateway-class terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket - emptyDir: {} name: workload-certs - emptyDir: medium: Memory name: istio-envoy - emptyDir: {} name: istio-data - downwardAPI: defaultMode: 420 items: - fieldRef: apiVersion: v1 fieldPath: metadata.labels path: labels - fieldRef: apiVersion: v1 fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - configMap: defaultMode: 420 name: openshift-gw-ca-root-cert name: istiod-ca-cert - name: kube-api-access-lzdsn projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:12Z" observedGeneration: 1 status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:07Z" observedGeneration: 1 status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:13Z" observedGeneration: 1 status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:13Z" observedGeneration: 1 status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:07Z" observedGeneration: 1 status: "True" type: PodScheduled containerStatuses: - allocatedResources: cpu: 100m memory: 128Mi containerID: cri-o://e34b70567841342d4b4d311bec97c5dd1cbcf652391f81bcced252feb4ef635e image: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371 imageID: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371 lastState: {} name: istio-proxy ready: true resources: limits: cpu: "2" memory: 1Gi requests: cpu: 100m memory: 128Mi restartCount: 0 started: true state: running: startedAt: "2026-06-05T18:31:11Z" user: linux: gid: 1000329999 supplementalGroups: - 1000329999 - 1000320000 uid: 1000329999 volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/credential-uds name: credential-socket - mountPath: /var/run/secrets/workload-spiffe-credentials name: workload-certs - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-lzdsn readOnly: true recursiveReadOnly: Disabled hostIP: 10.0.139.164 hostIPs: - ip: 10.0.139.164 observedGeneration: 1 phase: Running podIP: 10.133.0.24 podIPs: - ip: 10.133.0.24 qosClass: Burstable startTime: "2026-06-05T18:31:07Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.134.0.37/23"],"mac_address":"0a:58:0a:86:00:25","gateway_ips":["10.134.0.1"],"routes":[{"dest":"10.132.0.0/14","nextHop":"10.134.0.1"},{"dest":"172.31.0.0/16","nextHop":"10.134.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.134.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.134.0.1"}],"ip_address":"10.134.0.37/23","gateway_ip":"10.134.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.134.0.37" ], "mac": "0a:58:0a:86:00:25", "default": true, "dns": {} }] openshift.io/scc: restricted-v2 prometheus.io/port: "15014" prometheus.io/scrape: "true" seccomp.security.alpha.kubernetes.io/pod: runtime/default security.openshift.io/validated-scc-subject-type: user sidecar.istio.io/inject: "false" creationTimestamp: "2026-06-05T18:31:03Z" generateName: istiod-openshift-gateway-75c67f8887- generation: 1 labels: app: istiod app.kubernetes.io/instance: openshift-gateway-istiod app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: istiod app.kubernetes.io/part-of: istio app.kubernetes.io/version: 1.27.3 helm.sh/chart: istiod-1.27.3 istio: istiod istio.io/dataplane-mode: none istio.io/rev: openshift-gateway operator.istio.io/component: Pilot pod-template-hash: 75c67f8887 sidecar.istio.io/inject: "false" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.ovn.org/pod-networks: {} manager: ip-10-0-135-182 operation: Update subresource: status time: "2026-06-05T18:31:03Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:prometheus.io/port: {} f:prometheus.io/scrape: {} f:sidecar.istio.io/inject: {} f:target.workload.openshift.io/management: {} f:generateName: {} f:labels: .: {} f:app: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:helm.sh/chart: {} f:istio: {} f:istio.io/dataplane-mode: {} f:istio.io/rev: {} f:operator.istio.io/component: {} f:pod-template-hash: {} f:sidecar.istio.io/inject: {} f:ownerReferences: .: {} k:{"uid":"7320ca30-f35e-4755-8fb8-aa5a4336adee"}: {} f:spec: f:containers: k:{"name":"discovery"}: .: {} f:args: {} f:env: .: {} k:{"name":"CA_TRUSTED_NODE_ACCOUNTS"}: .: {} f:name: {} f:value: {} k:{"name":"CLUSTER_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ENABLE_GATEWAY_API_INFERENCE_EXTENSION"}: .: {} f:name: {} f:value: {} k:{"name":"ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT"}: .: {} f:name: {} f:value: {} k:{"name":"GOMAXPROCS"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"GOMEMLIMIT"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"KUBECONFIG"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_CA_CERT_CONFIGMAP"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_CERT_PROVIDER"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_ALPHA_GATEWAY_API"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_ANALYSIS"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_ENABLE_GATEWAY_API_STATUS"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_GATEWAY_API_CONTROLLER_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_TRACE_SAMPLING"}: .: {} f:name: {} f:value: {} k:{"name":"PLATFORM"}: .: {} f:name: {} f:value: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"REVISION"}: .: {} f:name: {} f:value: {} k:{"name":"SERVICE_ACCOUNT"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":8080,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15010,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15012,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15014,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15017,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:capabilities: .: {} f:drop: {} f:readOnlyRootFilesystem: {} f:runAsNonRoot: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/cacerts"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/secrets/istio-dns"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/istiod/ca"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/secrets/istiod/tls"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/secrets/remote"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/secrets/tokens"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"cacerts"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:optional: {} f:secretName: {} k:{"name":"istio-csr-ca-configmap"}: .: {} f:configMap: .: {} f:defaultMode: {} f:name: {} f:optional: {} f:name: {} k:{"name":"istio-csr-dns-cert"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:optional: {} f:secretName: {} k:{"name":"istio-kubeconfig"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:optional: {} f:secretName: {} k:{"name":"istio-token"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"local-certs"}: .: {} f:emptyDir: .: {} f:medium: {} f:name: {} manager: kube-controller-manager operation: Update time: "2026-06-05T18:31:03Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-06-05T18:31:04Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: f:observedGeneration: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:observedGeneration: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.134.0.37"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-06-05T18:31:08Z" name: istiod-openshift-gateway-75c67f8887-jlddw namespace: openshift-ingress ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: istiod-openshift-gateway-75c67f8887 uid: 7320ca30-f35e-4755-8fb8-aa5a4336adee resourceVersion: "17770" uid: 1f6d75e6-3a67-44d9-839c-53bc8334064b spec: containers: - args: - discovery - --monitoringAddr=:15014 - --log_output_level=default:info - --domain - cluster.local - --keepaliveMaxServerConnectionAge - 30m env: - name: REVISION value: openshift-gateway - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName - name: KUBECONFIG value: /var/run/secrets/remote/config - name: CA_TRUSTED_NODE_ACCOUNTS value: kube-system/ztunnel - name: ENABLE_GATEWAY_API_INFERENCE_EXTENSION value: "true" - name: ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT value: "false" - name: PILOT_ENABLE_ALPHA_GATEWAY_API value: "false" - name: PILOT_ENABLE_GATEWAY_API value: "true" - name: PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY value: "true" - name: PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS value: "false" - name: PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER value: "true" - name: PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER value: "false" - name: PILOT_ENABLE_GATEWAY_API_STATUS value: "true" - name: PILOT_GATEWAY_API_CONTROLLER_NAME value: openshift.io/gateway-controller/v1 - name: PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME value: openshift-default - name: PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API value: "false" - name: PILOT_TRACE_SAMPLING value: "1" - name: PILOT_CA_CERT_CONFIGMAP value: openshift-gw-ca-root-cert - name: PILOT_ENABLE_ANALYSIS value: "false" - name: CLUSTER_ID value: Kubernetes - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "1" resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: divisor: "1" resource: limits.cpu - name: PLATFORM value: openshift image: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0 imagePullPolicy: IfNotPresent name: discovery ports: - containerPort: 8080 name: http-debug protocol: TCP - containerPort: 15010 name: grpc-xds protocol: TCP - containerPort: 15012 name: tls-xds protocol: TCP - containerPort: 15017 name: https-webhooks protocol: TCP - containerPort: 15014 name: http-monitoring protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /ready port: 8080 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 3 successThreshold: 1 timeoutSeconds: 5 resources: requests: cpu: 500m memory: 2Gi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000320000 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true - mountPath: /var/run/secrets/istio-dns name: local-certs - mountPath: /etc/cacerts name: cacerts readOnly: true - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true - mountPath: /var/run/secrets/istiod/tls name: istio-csr-dns-cert readOnly: true - mountPath: /var/run/secrets/istiod/ca name: istio-csr-ca-configmap readOnly: true - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-kdtcp readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: istiod-openshift-gateway-dockercfg-8c9cc nodeName: ip-10-0-135-182.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 2000000000 priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000320000 seLinuxOptions: level: s0:c18,c7 seccompProfile: type: RuntimeDefault serviceAccount: istiod-openshift-gateway serviceAccountName: istiod-openshift-gateway terminationGracePeriodSeconds: 30 tolerations: - key: cni.istio.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists volumes: - emptyDir: medium: Memory name: local-certs - name: istio-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - name: cacerts secret: defaultMode: 420 optional: true secretName: cacerts - name: istio-kubeconfig secret: defaultMode: 420 optional: true secretName: istio-kubeconfig - name: istio-csr-dns-cert secret: defaultMode: 420 optional: true secretName: istiod-tls - configMap: defaultMode: 420 name: openshift-gw-ca-root-cert optional: true name: istio-csr-ca-configmap - name: kube-api-access-kdtcp projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:07Z" observedGeneration: 1 status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:03Z" observedGeneration: 1 status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:08Z" observedGeneration: 1 status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:08Z" observedGeneration: 1 status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-06-05T18:31:03Z" observedGeneration: 1 status: "True" type: PodScheduled containerStatuses: - allocatedResources: cpu: 500m memory: 2Gi containerID: cri-o://d7e7a870ff9ea31d9dffed99b8b739b963903b7ea4d6eb98c8d8d058c3e64b5f image: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:f118bf81f44443fbdab23b689c97e9801eba8799c7af85228f914d8cd8afe6c0 imageID: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:7a23f83201027f55574ec3c94ca64fa01dda52658d44dca313314b0c16d31c76 lastState: {} name: discovery ready: true resources: requests: cpu: 500m memory: 2Gi restartCount: 0 started: true state: running: startedAt: "2026-06-05T18:31:06Z" user: linux: gid: 0 supplementalGroups: - 0 - 1000320000 uid: 1000320000 volumeMounts: - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true recursiveReadOnly: Disabled - mountPath: /var/run/secrets/istio-dns name: local-certs - mountPath: /etc/cacerts name: cacerts readOnly: true recursiveReadOnly: Disabled - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true recursiveReadOnly: Disabled - mountPath: /var/run/secrets/istiod/tls name: istio-csr-dns-cert readOnly: true recursiveReadOnly: Disabled - mountPath: /var/run/secrets/istiod/ca name: istio-csr-ca-configmap readOnly: true recursiveReadOnly: Disabled - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-kdtcp readOnly: true recursiveReadOnly: Disabled hostIP: 10.0.135.182 hostIPs: - ip: 10.0.135.182 observedGeneration: 1 phase: Running podIP: 10.134.0.37 podIPs: - ip: 10.134.0.37 qosClass: Burstable startTime: "2026-06-05T18:31:03Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.132.0.25/23"],"mac_address":"0a:58:0a:84:00:19","gateway_ips":["10.132.0.1"],"routes":[{"dest":"10.132.0.0/14","nextHop":"10.132.0.1"},{"dest":"172.31.0.0/16","nextHop":"10.132.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.132.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.132.0.1"}],"ip_address":"10.132.0.25/23","gateway_ip":"10.132.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.132.0.25" ], "mac": "0a:58:0a:84:00:19", "default": true, "dns": {} }] opendatahub.io/secret-hash: c5ddeb388cf928325e250e7e8bc4023e6d52b503a19621c2c7492a9e8d00475e openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default security.openshift.io/validated-scc-subject-type: user creationTimestamp: "2026-06-05T18:30:10Z" generateName: kube-auth-proxy-6b5554b5b- generation: 1 labels: app: kube-auth-proxy app.kubernetes.io/component: authentication pod-template-hash: 6b5554b5b managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.ovn.org/pod-networks: {} manager: ip-10-0-132-252 operation: Update subresource: status time: "2026-06-05T18:30:10Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:opendatahub.io/secret-hash: {} f:generateName: {} f:labels: .: {} f:app: {} f:app.kubernetes.io/component: {} f:pod-template-hash: {} f:ownerReferences: .: {} k:{"uid":"4a8f567a-91fe-423a-b745-cdd1ab8a00d8"}: {} f:spec: f:containers: k:{"name":"kube-auth-proxy"}: .: {} f:args: {} f:env: .: {} k:{"name":"OAUTH2_PROXY_CLIENT_ID"}: .: {} f:name: {} f:valueFrom: .: {} f:secretKeyRef: {} k:{"name":"OAUTH2_PROXY_CLIENT_SECRET"}: .: {} f:name: {} f:valueFrom: .: {} f:secretKeyRef: {} k:{"name":"OAUTH2_PROXY_COOKIE_SECRET"}: .: {} f:name: {} f:valueFrom: .: {} f:secretKeyRef: {} k:{"name":"PROXY_MODE"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":4180,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":8443,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":9000,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:resources: .: {} f:limits: .: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:capabilities: .: {} f:drop: {} f:readOnlyRootFilesystem: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/tls/private"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/tmp"}: .: {} f:mountPath: {} f:name: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsNonRoot: {} f:seccompProfile: .: {} f:type: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:volumes: .: {} k:{"name":"tls-certs"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} k:{"name":"tmp"}: .: {} f:emptyDir: .: {} f:medium: {} f:sizeLimit: {} f:name: {} manager: kube-controller-manager operation: Update time: "2026-06-05T18:30:10Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-06-05T18:30:11Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: f:observedGeneration: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:observedGeneration: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.132.0.25"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-06-05T18:30:15Z" name: kube-auth-proxy-6b5554b5b-k9qsx namespace: openshift-ingress ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: kube-auth-proxy-6b5554b5b uid: 4a8f567a-91fe-423a-b745-cdd1ab8a00d8 resourceVersion: "15769" uid: 7b53917f-db15-427a-af26-8b9ce7f4ad51 spec: containers: - args: - --http-address=0.0.0.0:4180 - --https-address=0.0.0.0:8443 - --metrics-address=0.0.0.0:9000 - --email-domain=* - --upstream=static://200 - --skip-provider-button - --skip-jwt-bearer-tokens=true - --pass-access-token=true - --set-xauthrequest=true - --enable-k8s-token-validation=true - --redirect-url=https://rh-ai.apps.26508685-3b54-4497-9df2-1c0180a39a4e.prod.konfluxeaas.com/oauth2/callback - --tls-cert-file=/etc/tls/private/tls.crt - --tls-key-file=/etc/tls/private/tls.key - --use-system-trust-store=true - --cookie-expire=24h0m0s - --cookie-refresh=1h0m0s - --cookie-secure=true - --cookie-httponly=true - --cookie-samesite=lax - --cookie-name=_oauth2_proxy - --cookie-domain=rh-ai.apps.26508685-3b54-4497-9df2-1c0180a39a4e.prod.konfluxeaas.com - --provider=openshift - --ssl-insecure-skip-verify=false - --scope=user:full env: - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: key: OAUTH2_PROXY_CLIENT_ID name: kube-auth-proxy-creds - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: key: OAUTH2_PROXY_CLIENT_SECRET name: kube-auth-proxy-creds - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: key: OAUTH2_PROXY_COOKIE_SECRET name: kube-auth-proxy-creds - name: PROXY_MODE value: auth image: quay.io/opendatahub/odh-kube-auth-proxy:v3.5.0-ea.1 imagePullPolicy: IfNotPresent name: kube-auth-proxy ports: - containerPort: 4180 name: http protocol: TCP - containerPort: 8443 name: https protocol: TCP - containerPort: 9000 name: metrics protocol: TCP resources: limits: memory: 128Mi requests: cpu: 500m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsUser: 1000320000 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/tls/private name: tls-certs readOnly: true - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-l9vlh readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: kube-auth-proxy-dockercfg-fp7rg nodeName: ip-10-0-132-252.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000320000 runAsNonRoot: true seLinuxOptions: level: s0:c18,c7 seccompProfile: type: RuntimeDefault serviceAccount: kube-auth-proxy serviceAccountName: kube-auth-proxy terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists volumes: - name: tls-certs secret: defaultMode: 420 secretName: kube-auth-proxy-tls - emptyDir: medium: Memory sizeLimit: 10Mi name: tmp - name: kube-api-access-l9vlh projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:15Z" observedGeneration: 1 status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:10Z" observedGeneration: 1 status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:15Z" observedGeneration: 1 status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:15Z" observedGeneration: 1 status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:10Z" observedGeneration: 1 status: "True" type: PodScheduled containerStatuses: - allocatedResources: cpu: 500m memory: 128Mi containerID: cri-o://a08d25398e765eac4046ed48c553cf3d4fe62074114d574f26cb6493eed672d3 image: quay.io/opendatahub/odh-kube-auth-proxy:v3.5.0-ea.1 imageID: quay.io/opendatahub/odh-kube-auth-proxy@sha256:1631cec0a988d9d033508072303ef0fe7aec28270dc0942b9abedc7e0893b409 lastState: {} name: kube-auth-proxy ready: true resources: limits: memory: 128Mi requests: cpu: 500m memory: 128Mi restartCount: 0 started: true state: running: startedAt: "2026-06-05T18:30:15Z" user: linux: gid: 0 supplementalGroups: - 0 - 1000320000 uid: 1000320000 volumeMounts: - mountPath: /etc/tls/private name: tls-certs readOnly: true recursiveReadOnly: Disabled - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-l9vlh readOnly: true recursiveReadOnly: Disabled hostIP: 10.0.132.252 hostIPs: - ip: 10.0.132.252 observedGeneration: 1 phase: Running podIP: 10.132.0.25 podIPs: - ip: 10.132.0.25 qosClass: Burstable startTime: "2026-06-05T18:30:10Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.134.0.28/23"],"mac_address":"0a:58:0a:86:00:1c","gateway_ips":["10.134.0.1"],"routes":[{"dest":"10.132.0.0/14","nextHop":"10.134.0.1"},{"dest":"172.31.0.0/16","nextHop":"10.134.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.134.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.134.0.1"}],"ip_address":"10.134.0.28/23","gateway_ip":"10.134.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.134.0.28" ], "mac": "0a:58:0a:86:00:1c", "default": true, "dns": {} }] opendatahub.io/secret-hash: c5ddeb388cf928325e250e7e8bc4023e6d52b503a19621c2c7492a9e8d00475e openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default security.openshift.io/validated-scc-subject-type: user creationTimestamp: "2026-06-05T18:30:10Z" generateName: kube-auth-proxy-6b5554b5b- generation: 1 labels: app: kube-auth-proxy app.kubernetes.io/component: authentication pod-template-hash: 6b5554b5b managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.ovn.org/pod-networks: {} manager: ip-10-0-135-182 operation: Update subresource: status time: "2026-06-05T18:30:10Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:opendatahub.io/secret-hash: {} f:generateName: {} f:labels: .: {} f:app: {} f:app.kubernetes.io/component: {} f:pod-template-hash: {} f:ownerReferences: .: {} k:{"uid":"4a8f567a-91fe-423a-b745-cdd1ab8a00d8"}: {} f:spec: f:containers: k:{"name":"kube-auth-proxy"}: .: {} f:args: {} f:env: .: {} k:{"name":"OAUTH2_PROXY_CLIENT_ID"}: .: {} f:name: {} f:valueFrom: .: {} f:secretKeyRef: {} k:{"name":"OAUTH2_PROXY_CLIENT_SECRET"}: .: {} f:name: {} f:valueFrom: .: {} f:secretKeyRef: {} k:{"name":"OAUTH2_PROXY_COOKIE_SECRET"}: .: {} f:name: {} f:valueFrom: .: {} f:secretKeyRef: {} k:{"name":"PROXY_MODE"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":4180,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":8443,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":9000,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:resources: .: {} f:limits: .: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:capabilities: .: {} f:drop: {} f:readOnlyRootFilesystem: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/tls/private"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/tmp"}: .: {} f:mountPath: {} f:name: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsNonRoot: {} f:seccompProfile: .: {} f:type: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:volumes: .: {} k:{"name":"tls-certs"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} k:{"name":"tmp"}: .: {} f:emptyDir: .: {} f:medium: {} f:sizeLimit: {} f:name: {} manager: kube-controller-manager operation: Update time: "2026-06-05T18:30:10Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-06-05T18:30:11Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: f:observedGeneration: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:observedGeneration: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.134.0.28"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-06-05T18:30:17Z" name: kube-auth-proxy-6b5554b5b-mgmd7 namespace: openshift-ingress ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: kube-auth-proxy-6b5554b5b uid: 4a8f567a-91fe-423a-b745-cdd1ab8a00d8 resourceVersion: "15792" uid: 4d7b862b-ea3d-4794-b81f-b4945a446126 spec: containers: - args: - --http-address=0.0.0.0:4180 - --https-address=0.0.0.0:8443 - --metrics-address=0.0.0.0:9000 - --email-domain=* - --upstream=static://200 - --skip-provider-button - --skip-jwt-bearer-tokens=true - --pass-access-token=true - --set-xauthrequest=true - --enable-k8s-token-validation=true - --redirect-url=https://rh-ai.apps.26508685-3b54-4497-9df2-1c0180a39a4e.prod.konfluxeaas.com/oauth2/callback - --tls-cert-file=/etc/tls/private/tls.crt - --tls-key-file=/etc/tls/private/tls.key - --use-system-trust-store=true - --cookie-expire=24h0m0s - --cookie-refresh=1h0m0s - --cookie-secure=true - --cookie-httponly=true - --cookie-samesite=lax - --cookie-name=_oauth2_proxy - --cookie-domain=rh-ai.apps.26508685-3b54-4497-9df2-1c0180a39a4e.prod.konfluxeaas.com - --provider=openshift - --ssl-insecure-skip-verify=false - --scope=user:full env: - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: key: OAUTH2_PROXY_CLIENT_ID name: kube-auth-proxy-creds - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: key: OAUTH2_PROXY_CLIENT_SECRET name: kube-auth-proxy-creds - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: key: OAUTH2_PROXY_COOKIE_SECRET name: kube-auth-proxy-creds - name: PROXY_MODE value: auth image: quay.io/opendatahub/odh-kube-auth-proxy:v3.5.0-ea.1 imagePullPolicy: IfNotPresent name: kube-auth-proxy ports: - containerPort: 4180 name: http protocol: TCP - containerPort: 8443 name: https protocol: TCP - containerPort: 9000 name: metrics protocol: TCP resources: limits: memory: 128Mi requests: cpu: 500m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsUser: 1000320000 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/tls/private name: tls-certs readOnly: true - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-jrjxb readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: kube-auth-proxy-dockercfg-fp7rg nodeName: ip-10-0-135-182.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000320000 runAsNonRoot: true seLinuxOptions: level: s0:c18,c7 seccompProfile: type: RuntimeDefault serviceAccount: kube-auth-proxy serviceAccountName: kube-auth-proxy terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists volumes: - name: tls-certs secret: defaultMode: 420 secretName: kube-auth-proxy-tls - emptyDir: medium: Memory sizeLimit: 10Mi name: tmp - name: kube-api-access-jrjxb projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:17Z" observedGeneration: 1 status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:10Z" observedGeneration: 1 status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:17Z" observedGeneration: 1 status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:17Z" observedGeneration: 1 status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-06-05T18:30:10Z" observedGeneration: 1 status: "True" type: PodScheduled containerStatuses: - allocatedResources: cpu: 500m memory: 128Mi containerID: cri-o://07894e6f4c8c058e4093d12a81aa96bc0c2173be9be50352158d276853e78258 image: quay.io/opendatahub/odh-kube-auth-proxy:v3.5.0-ea.1 imageID: quay.io/opendatahub/odh-kube-auth-proxy@sha256:1631cec0a988d9d033508072303ef0fe7aec28270dc0942b9abedc7e0893b409 lastState: {} name: kube-auth-proxy ready: true resources: limits: memory: 128Mi requests: cpu: 500m memory: 128Mi restartCount: 0 started: true state: running: startedAt: "2026-06-05T18:30:16Z" user: linux: gid: 0 supplementalGroups: - 0 - 1000320000 uid: 1000320000 volumeMounts: - mountPath: /etc/tls/private name: tls-certs readOnly: true recursiveReadOnly: Disabled - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-jrjxb readOnly: true recursiveReadOnly: Disabled hostIP: 10.0.135.182 hostIPs: - ip: 10.0.135.182 observedGeneration: 1 phase: Running podIP: 10.134.0.28 podIPs: - ip: 10.134.0.28 qosClass: Burstable startTime: "2026-06-05T18:30:10Z" - apiVersion: v1 kind: Pod metadata: annotations: istio.io/rev: openshift-gateway k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.133.0.37/23"],"mac_address":"0a:58:0a:85:00:25","gateway_ips":["10.133.0.1"],"routes":[{"dest":"10.132.0.0/14","nextHop":"10.133.0.1"},{"dest":"172.31.0.0/16","nextHop":"10.133.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.133.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.133.0.1"}],"ip_address":"10.133.0.37/23","gateway_ip":"10.133.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.133.0.37" ], "mac": "0a:58:0a:85:00:25", "default": true, "dns": {} }] openshift.io/scc: restricted-v2 prometheus.io/path: /stats/prometheus prometheus.io/port: "15020" prometheus.io/scrape: "true" seccomp.security.alpha.kubernetes.io/pod: runtime/default security.openshift.io/validated-scc-subject-type: user creationTimestamp: "2026-06-05T18:32:30Z" generateName: maas-default-gateway-openshift-default-8559cd5744- generation: 1 labels: gateway.istio.io/managed: istio.io-gateway-controller gateway.networking.k8s.io/gateway-name: maas-default-gateway pod-template-hash: 8559cd5744 service.istio.io/canonical-name: maas-default-gateway-openshift-default service.istio.io/canonical-revision: latest sidecar.istio.io/inject: "false" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.ovn.org/pod-networks: {} manager: ip-10-0-139-164 operation: Update subresource: status time: "2026-06-05T18:32:30Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:istio.io/rev: {} f:prometheus.io/path: {} f:prometheus.io/port: {} f:prometheus.io/scrape: {} f:generateName: {} f:labels: .: {} f:gateway.istio.io/managed: {} f:gateway.networking.k8s.io/gateway-name: {} f:pod-template-hash: {} f:service.istio.io/canonical-name: {} f:service.istio.io/canonical-revision: {} f:sidecar.istio.io/inject: {} f:ownerReferences: .: {} k:{"uid":"52e1a57d-b8a1-4d4f-9211-59c7adb43277"}: {} f:spec: f:containers: k:{"name":"istio-proxy"}: .: {} f:args: {} f:env: .: {} k:{"name":"CA_ADDR"}: .: {} f:name: {} f:value: {} k:{"name":"GOMAXPROCS"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"GOMEMLIMIT"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"HOST_IP"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"INSTANCE_IP"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"ISTIO_CPU_LIMIT"}: .: {} f:name: {} f:valueFrom: .: {} f:resourceFieldRef: {} k:{"name":"ISTIO_META_APP_CONTAINERS"}: .: {} f:name: {} k:{"name":"ISTIO_META_CLUSTER_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_INTERCEPTION_MODE"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_MESH_ID"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"ISTIO_META_OWNER"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_POD_PORTS"}: .: {} f:name: {} f:value: {} k:{"name":"ISTIO_META_WORKLOAD_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"PILOT_CERT_PROVIDER"}: .: {} f:name: {} f:value: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"PROXY_CONFIG"}: .: {} f:name: {} f:value: {} k:{"name":"SERVICE_ACCOUNT"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"TRUST_DOMAIN"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":15020,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15021,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":15090,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:capabilities: .: {} f:drop: {} f:privileged: {} f:readOnlyRootFilesystem: {} f:runAsGroup: {} f:runAsNonRoot: {} f:runAsUser: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/istio/pod"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/istio/proxy"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lib/istio/data"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/credential-uds"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/istio"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/tokens"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/workload-spiffe-credentials"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/workload-spiffe-uds"}: .: {} f:mountPath: {} f:name: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:sysctls: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:volumes: .: {} k:{"name":"credential-socket"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"istio-data"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"istio-envoy"}: .: {} f:emptyDir: .: {} f:medium: {} f:name: {} k:{"name":"istio-podinfo"}: .: {} f:downwardAPI: .: {} f:defaultMode: {} f:items: {} f:name: {} k:{"name":"istio-token"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"istiod-ca-cert"}: .: {} f:configMap: .: {} f:defaultMode: {} f:name: {} f:name: {} k:{"name":"workload-certs"}: .: {} f:emptyDir: {} f:name: {} k:{"name":"workload-socket"}: .: {} f:emptyDir: {} f:name: {} manager: kube-controller-manager operation: Update time: "2026-06-05T18:32:30Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-06-05T18:32:31Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: f:observedGeneration: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:observedGeneration: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.133.0.37"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-06-05T18:34:56Z" name: maas-default-gateway-openshift-default-8559cd5744-lb5qr namespace: openshift-ingress ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: maas-default-gateway-openshift-default-8559cd5744 uid: 52e1a57d-b8a1-4d4f-9211-59c7adb43277 resourceVersion: "25389" uid: 461eaf85-34e5-46d8-a77a-447ae7cfbecb spec: containers: - args: - proxy - router - --domain - $(POD_NAMESPACE).svc.cluster.local - --proxyLogLevel - warning - --proxyComponentLogLevel - misc:error - --log_output_level - default:info env: - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR value: istiod-openshift-gateway.openshift-ingress.svc:15012 - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: ISTIO_CPU_LIMIT valueFrom: resourceFieldRef: divisor: "0" resource: limits.cpu - name: PROXY_CONFIG value: | {"discoveryAddress":"istiod-openshift-gateway.openshift-ingress.svc:15012","proxyHeaders":{"server":{"disabled":true},"envoyDebugHeaders":{"disabled":true},"metadataExchangeHeaders":{"mode":"IN_MESH"}}} - name: ISTIO_META_POD_PORTS value: '[]' - name: ISTIO_META_APP_CONTAINERS - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "0" resource: limits.memory - name: GOMAXPROCS valueFrom: resourceFieldRef: divisor: "0" resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: Kubernetes - name: ISTIO_META_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME value: maas-default-gateway-openshift-default - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/openshift-ingress/deployments/maas-default-gateway-openshift-default - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN value: cluster.local image: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371 imagePullPolicy: IfNotPresent name: istio-proxy ports: - containerPort: 15020 name: metrics protocol: TCP - containerPort: 15021 name: status-port protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP readinessProbe: failureThreshold: 4 httpGet: path: /healthz/ready port: 15021 scheme: HTTP periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: "2" memory: 1Gi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsGroup: 1000329999 runAsNonRoot: true runAsUser: 1000329999 startupProbe: failureThreshold: 30 httpGet: path: /healthz/ready port: 15021 scheme: HTTP initialDelaySeconds: 1 periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/credential-uds name: credential-socket - mountPath: /var/run/secrets/workload-spiffe-credentials name: workload-certs - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-7jc8p readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: maas-default-gateway-openshift-default-dockercfg-sk24s nodeName: ip-10-0-139-164.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000320000 seLinuxOptions: level: s0:c18,c7 seccompProfile: type: RuntimeDefault sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" serviceAccount: maas-default-gateway-openshift-default serviceAccountName: maas-default-gateway-openshift-default terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists volumes: - emptyDir: {} name: workload-socket - emptyDir: {} name: credential-socket - emptyDir: {} name: workload-certs - emptyDir: medium: Memory name: istio-envoy - emptyDir: {} name: istio-data - downwardAPI: defaultMode: 420 items: - fieldRef: apiVersion: v1 fieldPath: metadata.labels path: labels - fieldRef: apiVersion: v1 fieldPath: metadata.annotations path: annotations name: istio-podinfo - name: istio-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token - configMap: defaultMode: 420 name: openshift-gw-ca-root-cert name: istiod-ca-cert - name: kube-api-access-7jc8p projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2026-06-05T18:32:31Z" observedGeneration: 1 status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-06-05T18:32:30Z" observedGeneration: 1 status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:56Z" observedGeneration: 1 status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:56Z" observedGeneration: 1 status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-06-05T18:32:30Z" observedGeneration: 1 status: "True" type: PodScheduled containerStatuses: - allocatedResources: cpu: 100m memory: 128Mi containerID: cri-o://1e267c1c1d92e730777c216aa6e6087f830b77eebd5e4824afbb60cca4b1711c image: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371 imageID: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:40be785b9abecd641f3121855a066c0ea01aba66e1350f33d175f2351c54e371 lastState: terminated: containerID: cri-o://004664e94ef73c16b10ef0809548bb14ff5e724ad056515c97730e59b0c2ba55 exitCode: 0 finishedAt: "2026-06-05T18:34:49Z" reason: Completed startedAt: "2026-06-05T18:32:31Z" name: istio-proxy ready: true resources: limits: cpu: "2" memory: 1Gi requests: cpu: 100m memory: 128Mi restartCount: 1 started: true state: running: startedAt: "2026-06-05T18:34:50Z" user: linux: gid: 1000329999 supplementalGroups: - 1000329999 - 1000320000 uid: 1000329999 volumeMounts: - mountPath: /var/run/secrets/workload-spiffe-uds name: workload-socket - mountPath: /var/run/secrets/credential-uds name: credential-socket - mountPath: /var/run/secrets/workload-spiffe-credentials name: workload-certs - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data name: istio-data - mountPath: /etc/istio/proxy name: istio-envoy - mountPath: /var/run/secrets/tokens name: istio-token - mountPath: /etc/istio/pod name: istio-podinfo - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-7jc8p readOnly: true recursiveReadOnly: Disabled hostIP: 10.0.139.164 hostIPs: - ip: 10.0.139.164 observedGeneration: 1 phase: Running podIP: 10.133.0.37 podIPs: - ip: 10.133.0.37 qosClass: Burstable startTime: "2026-06-05T18:32:30Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.133.0.49/23"],"mac_address":"0a:58:0a:85:00:31","gateway_ips":["10.133.0.1"],"routes":[{"dest":"10.132.0.0/14","nextHop":"10.133.0.1"},{"dest":"172.31.0.0/16","nextHop":"10.133.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.133.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.133.0.1"}],"ip_address":"10.133.0.49/23","gateway_ip":"10.133.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.133.0.49" ], "mac": "0a:58:0a:85:00:31", "default": true, "dns": {} }] openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default security.openshift.io/validated-scc-subject-type: user creationTimestamp: "2026-06-05T18:34:42Z" generateName: payload-pre-processing-67d7689b65- generation: 1 labels: app: payload-pre-processing app.kubernetes.io/component: api app.kubernetes.io/name: maas-api app.kubernetes.io/part-of: models-as-a-service pod-template-hash: 67d7689b65 managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.ovn.org/pod-networks: {} manager: ip-10-0-139-164 operation: Update subresource: status time: "2026-06-05T18:34:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:generateName: {} f:labels: .: {} f:app: {} f:app.kubernetes.io/component: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:pod-template-hash: {} f:ownerReferences: .: {} k:{"uid":"1bec0ba1-cc1b-4447-9a3b-ab3ce3efb02b"}: {} f:spec: f:containers: k:{"name":"payload-pre-processing"}: .: {} f:args: {} f:env: .: {} k:{"name":"MODEL_TO_HEADER"}: .: {} f:name: {} f:valueFrom: .: {} f:configMapKeyRef: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:tcpSocket: .: {} f:port: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":9004,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:tcpSocket: .: {} f:port: {} f:timeoutSeconds: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:capabilities: .: {} f:drop: {} f:readOnlyRootFilesystem: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsNonRoot: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} manager: kube-controller-manager operation: Update time: "2026-06-05T18:34:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-06-05T18:34:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: f:observedGeneration: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:observedGeneration: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.133.0.49"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-06-05T18:35:07Z" name: payload-pre-processing-67d7689b65-cnm9g namespace: openshift-ingress ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: payload-pre-processing-67d7689b65 uid: 1bec0ba1-cc1b-4447-9a3b-ab3ce3efb02b resourceVersion: "25535" uid: 35586ad5-0ff6-4c43-be31-7cdaad560afe spec: containers: - args: - --streaming - --v - "3" - --plugin - $(MODEL_TO_HEADER) - --tracing=false env: - name: MODEL_TO_HEADER valueFrom: configMapKeyRef: key: model-to-header-plugin name: payload-processing-plugins image: quay.io/opendatahub/odh-ai-gateway-payload-processing:odh-stable imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 initialDelaySeconds: 15 periodSeconds: 20 successThreshold: 1 tcpSocket: port: grpc timeoutSeconds: 1 name: payload-pre-processing ports: - containerPort: 9004 name: grpc protocol: TCP readinessProbe: failureThreshold: 3 initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 tcpSocket: port: grpc timeoutSeconds: 1 resources: limits: cpu: 200m memory: 128Mi requests: cpu: 25m memory: 32Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsUser: 1000320000 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-9txdg readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: payload-processing-dockercfg-2f29m nodeName: ip-10-0-139-164.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000320000 runAsNonRoot: true seLinuxOptions: level: s0:c18,c7 seccompProfile: type: RuntimeDefault serviceAccount: payload-processing serviceAccountName: payload-processing terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists volumes: - name: kube-api-access-9txdg projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:46Z" observedGeneration: 1 status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:42Z" observedGeneration: 1 status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-06-05T18:35:07Z" observedGeneration: 1 status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-06-05T18:35:07Z" observedGeneration: 1 status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:42Z" observedGeneration: 1 status: "True" type: PodScheduled containerStatuses: - allocatedResources: cpu: 25m memory: 32Mi containerID: cri-o://be345e01e853a1beec2d1fcf8bb021ceafe779410cd69e08462e47e5315dcbbc image: quay.io/opendatahub/odh-ai-gateway-payload-processing:odh-stable imageID: quay.io/opendatahub/odh-ai-gateway-payload-processing@sha256:be5d04e623de2d51c688e50d2664fa6ff0fe45496162d367855691abf5a937f8 lastState: {} name: payload-pre-processing ready: true resources: limits: cpu: 200m memory: 128Mi requests: cpu: 25m memory: 32Mi restartCount: 0 started: true state: running: startedAt: "2026-06-05T18:34:45Z" user: linux: gid: 0 supplementalGroups: - 0 - 1000320000 uid: 1000320000 volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-9txdg readOnly: true recursiveReadOnly: Disabled hostIP: 10.0.139.164 hostIPs: - ip: 10.0.139.164 observedGeneration: 1 phase: Running podIP: 10.133.0.49 podIPs: - ip: 10.133.0.49 qosClass: Burstable startTime: "2026-06-05T18:34:42Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.133.0.48/23"],"mac_address":"0a:58:0a:85:00:30","gateway_ips":["10.133.0.1"],"routes":[{"dest":"10.132.0.0/14","nextHop":"10.133.0.1"},{"dest":"172.31.0.0/16","nextHop":"10.133.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.133.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.133.0.1"}],"ip_address":"10.133.0.48/23","gateway_ip":"10.133.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.133.0.48" ], "mac": "0a:58:0a:85:00:30", "default": true, "dns": {} }] openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default security.openshift.io/validated-scc-subject-type: user creationTimestamp: "2026-06-05T18:34:42Z" generateName: payload-processing-7c6c859784- generation: 1 labels: app: payload-processing app.kubernetes.io/component: api app.kubernetes.io/name: maas-api app.kubernetes.io/part-of: models-as-a-service pod-template-hash: 7c6c859784 managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.ovn.org/pod-networks: {} manager: ip-10-0-139-164 operation: Update subresource: status time: "2026-06-05T18:34:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:generateName: {} f:labels: .: {} f:app: {} f:app.kubernetes.io/component: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:pod-template-hash: {} f:ownerReferences: .: {} k:{"uid":"4dc93915-04d4-4ef3-b591-c807c3fd26e2"}: {} f:spec: f:containers: k:{"name":"payload-processing"}: .: {} f:args: {} f:env: .: {} k:{"name":"API_TRANSLATION"}: .: {} f:name: {} f:valueFrom: .: {} f:configMapKeyRef: {} k:{"name":"APIKEY_INJECTION"}: .: {} f:name: {} f:valueFrom: .: {} f:configMapKeyRef: {} k:{"name":"MODEL_PROVIDER_RESOLVER"}: .: {} f:name: {} f:valueFrom: .: {} f:configMapKeyRef: {} k:{"name":"MODEL_TO_HEADER"}: .: {} f:name: {} f:valueFrom: .: {} f:configMapKeyRef: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:tcpSocket: .: {} f:port: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":9004,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":9005,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:tcpSocket: .: {} f:port: {} f:timeoutSeconds: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:capabilities: .: {} f:drop: {} f:readOnlyRootFilesystem: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsNonRoot: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} manager: kube-controller-manager operation: Update time: "2026-06-05T18:34:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-06-05T18:34:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: f:observedGeneration: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:observedGeneration: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.133.0.48"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-06-05T18:34:57Z" name: payload-processing-7c6c859784-npzmw namespace: openshift-ingress ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: payload-processing-7c6c859784 uid: 4dc93915-04d4-4ef3-b591-c807c3fd26e2 resourceVersion: "25417" uid: d8449d3d-22a4-46fc-9405-690727d5bdae spec: containers: - args: - --streaming - --v - "3" - --plugin - $(MODEL_TO_HEADER) - --plugin - $(MODEL_PROVIDER_RESOLVER) - --plugin - $(API_TRANSLATION) - --plugin - $(APIKEY_INJECTION) - --tracing=false env: - name: MODEL_TO_HEADER valueFrom: configMapKeyRef: key: model-to-header-plugin name: payload-processing-plugins - name: MODEL_PROVIDER_RESOLVER valueFrom: configMapKeyRef: key: model-provider-resolver-plugin name: payload-processing-plugins - name: API_TRANSLATION valueFrom: configMapKeyRef: key: api-translation-plugin name: payload-processing-plugins - name: APIKEY_INJECTION valueFrom: configMapKeyRef: key: apikey-injection-plugin name: payload-processing-plugins image: quay.io/opendatahub/odh-ai-gateway-payload-processing:odh-stable imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 initialDelaySeconds: 15 periodSeconds: 20 successThreshold: 1 tcpSocket: port: grpc timeoutSeconds: 1 name: payload-processing ports: - containerPort: 9004 name: grpc protocol: TCP - containerPort: 9005 name: metrics protocol: TCP readinessProbe: failureThreshold: 3 initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 tcpSocket: port: grpc timeoutSeconds: 1 resources: limits: cpu: 500m memory: 256Mi requests: cpu: 50m memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsUser: 1000320000 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-jkbqr readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: payload-processing-dockercfg-2f29m nodeName: ip-10-0-139-164.ec2.internal preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000320000 runAsNonRoot: true seLinuxOptions: level: s0:c18,c7 seccompProfile: type: RuntimeDefault serviceAccount: payload-processing serviceAccountName: payload-processing terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists volumes: - name: kube-api-access-jkbqr projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:46Z" observedGeneration: 1 status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:42Z" observedGeneration: 1 status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:57Z" observedGeneration: 1 status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:57Z" observedGeneration: 1 status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-06-05T18:34:42Z" observedGeneration: 1 status: "True" type: PodScheduled containerStatuses: - allocatedResources: cpu: 50m memory: 64Mi containerID: cri-o://f2b3f3aca5b3803cf94478bd649614450f674f39aa35260eb1abc959291f59b2 image: quay.io/opendatahub/odh-ai-gateway-payload-processing:odh-stable imageID: quay.io/opendatahub/odh-ai-gateway-payload-processing@sha256:be5d04e623de2d51c688e50d2664fa6ff0fe45496162d367855691abf5a937f8 lastState: {} name: payload-processing ready: true resources: limits: cpu: 500m memory: 256Mi requests: cpu: 50m memory: 64Mi restartCount: 0 started: true state: running: startedAt: "2026-06-05T18:34:45Z" user: linux: gid: 0 supplementalGroups: - 0 - 1000320000 uid: 1000320000 volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-jkbqr readOnly: true recursiveReadOnly: Disabled hostIP: 10.0.139.164 hostIPs: - ip: 10.0.139.164 observedGeneration: 1 phase: Running podIP: 10.133.0.48 podIPs: - ip: 10.133.0.48 qosClass: Burstable startTime: "2026-06-05T18:34:42Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.132.0.13/23"],"mac_address":"0a:58:0a:84:00:0d","gateway_ips":["10.132.0.1"],"routes":[{"dest":"10.132.0.0/14","nextHop":"10.132.0.1"},{"dest":"172.31.0.0/16","nextHop":"10.132.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.132.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.132.0.1"}],"ip_address":"10.132.0.13/23","gateway_ip":"10.132.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.132.0.13" ], "mac": "0a:58:0a:84:00:0d", "default": true, "dns": {} }] openshift.io/required-scc: restricted openshift.io/scc: restricted security.openshift.io/validated-scc-subject-type: serviceaccount creationTimestamp: "2026-06-05T18:25:15Z" generateName: router-default-df998fbdf- generation: 1 labels: ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default ingresscontroller.operator.openshift.io/hash: 5cb4fd75d6 pod-template-hash: df998fbdf managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.ovn.org/pod-networks: {} manager: ip-10-0-132-252 operation: Update subresource: status time: "2026-06-05T18:25:15Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:openshift.io/required-scc: {} f:target.workload.openshift.io/management: {} f:generateName: {} f:labels: .: {} f:ingresscontroller.operator.openshift.io/deployment-ingresscontroller: {} f:ingresscontroller.operator.openshift.io/hash: {} f:pod-template-hash: {} f:ownerReferences: .: {} k:{"uid":"ae3c4625-0c69-466a-8daf-a2fc2d1df11e"}: {} f:spec: f:affinity: .: {} f:nodeAffinity: .: {} f:requiredDuringSchedulingIgnoredDuringExecution: {} f:containers: k:{"name":"router"}: .: {} f:env: .: {} k:{"name":"DEFAULT_CERTIFICATE_DIR"}: .: {} f:name: {} f:value: {} k:{"name":"DEFAULT_DESTINATION_CA_PATH"}: .: {} f:name: {} f:value: {} k:{"name":"RELOAD_INTERVAL"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_ALLOW_WILDCARD_ROUTES"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_CANONICAL_HOSTNAME"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_CIPHERS"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_CIPHERSUITES"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_DISABLE_HTTP2"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_DOMAIN"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_ENABLE_EXTERNAL_CERTIFICATE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_LOAD_BALANCE_ALGORITHM"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_METRICS_TLS_CERT_FILE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_METRICS_TLS_KEY_FILE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_METRICS_TYPE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_SERVICE_NAME"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_SERVICE_NAMESPACE"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_SET_FORWARDED_HEADERS"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_TCP_BALANCE_SCHEME"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_THREADS"}: .: {} f:name: {} f:value: {} k:{"name":"ROUTER_USE_PROXY_PROTOCOL"}: .: {} f:name: {} f:value: {} k:{"name":"SSL_MIN_VERSION"}: .: {} f:name: {} f:value: {} k:{"name":"STATS_PASSWORD_FILE"}: .: {} f:name: {} f:value: {} k:{"name":"STATS_PORT"}: .: {} f:name: {} f:value: {} k:{"name":"STATS_USERNAME_FILE"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:terminationGracePeriodSeconds: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":80,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":443,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} k:{"containerPort":1936,"protocol":"TCP"}: .: {} f:containerPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:allowPrivilegeEscalation: {} f:readOnlyRootFilesystem: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/pki/tls/metrics-certs"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/etc/pki/tls/private"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/lib/haproxy/conf/metrics-auth"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} k:{"mountPath":"/var/run/configmaps/service-ca"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeSelector: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:topologySpreadConstraints: .: {} k:{"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"}: .: {} f:labelSelector: {} f:maxSkew: {} f:topologyKey: {} f:whenUnsatisfiable: {} f:volumes: .: {} k:{"name":"default-certificate"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} k:{"name":"metrics-certs"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} k:{"name":"service-ca-bundle"}: .: {} f:configMap: .: {} f:defaultMode: {} f:items: {} f:name: {} f:optional: {} f:name: {} k:{"name":"stats-auth"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} manager: kube-controller-manager operation: Update time: "2026-06-05T18:25:15Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-06-05T18:25:47Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: f:observedGeneration: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:observedGeneration: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:observedGeneration: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.132.0.13"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-06-05T18:25:48Z" name: router-default-df998fbdf-4gpjs namespace: openshift-ingress ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: router-default-df998fbdf uid: ae3c4625-0c69-466a-8daf-a2fc2d1df11e resourceVersion: "9306" uid: 8fb01b15-2226-4492-b804-102d45343072 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node.openshift.io/remote-worker operator: NotIn values: - "" containers: - env: - name: DEFAULT_CERTIFICATE_DIR value: /etc/pki/tls/private - name: DEFAULT_DESTINATION_CA_PATH value: /var/run/configmaps/service-ca/service-ca.crt - name: RELOAD_INTERVAL value: 5s - name: ROUTER_ALLOW_WILDCARD_ROUTES value: "false" - name: ROUTER_CANONICAL_HOSTNAME value: router-default.apps.26508685-3b54-4497-9df2-1c0180a39a4e.prod.konfluxeaas.com - name: ROUTER_CIPHERS value: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - name: ROUTER_CIPHERSUITES value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 - name: ROUTER_DISABLE_HTTP2 value: "true" - name: ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK value: "false" - name: ROUTER_DOMAIN value: apps.26508685-3b54-4497-9df2-1c0180a39a4e.prod.konfluxeaas.com - name: ROUTER_ENABLE_EXTERNAL_CERTIFICATE value: "true" - name: ROUTER_LOAD_BALANCE_ALGORITHM value: random - name: ROUTER_METRICS_TLS_CERT_FILE value: /etc/pki/tls/metrics-certs/tls.crt - name: ROUTER_METRICS_TLS_KEY_FILE value: /etc/pki/tls/metrics-certs/tls.key - name: ROUTER_METRICS_TYPE value: haproxy - name: ROUTER_SERVICE_NAME value: default - name: ROUTER_SERVICE_NAMESPACE value: openshift-ingress - name: ROUTER_SET_FORWARDED_HEADERS value: append - name: ROUTER_TCP_BALANCE_SCHEME value: source - name: ROUTER_THREADS value: "4" - name: ROUTER_USE_PROXY_PROTOCOL value: "true" - name: SSL_MIN_VERSION value: TLSv1.2 - name: STATS_PASSWORD_FILE value: /var/lib/haproxy/conf/metrics-auth/statsPassword - name: STATS_PORT value: "1936" - name: STATS_USERNAME_FILE value: /var/lib/haproxy/conf/metrics-auth/statsUsername image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ff2a1b99a07e285ee709042ae253d7022ca12b5906327bc8c069bcd0acd749ae imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: 1936 scheme: HTTP periodSeconds: 10 successThreshold: 1 terminationGracePeriodSeconds: 10 timeoutSeconds: 1 name: router ports: - containerPort: 80 name: http protocol: TCP - containerPort: 443 name: https protocol: TCP - containerPort: 1936 name: metrics protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /healthz/ready port: 1936 scheme: HTTP periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 100m memory: 256Mi securityContext: allowPrivilegeEscalation: true capabilities: drop: - KILL - MKNOD - SETGID - SETUID readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 1000320000 startupProbe: failureThreshold: 120 httpGet: path: /healthz/ready port: 1936 scheme: HTTP periodSeconds: 1 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/pki/tls/private name: default-certificate readOnly: true - mountPath: /var/run/configmaps/service-ca name: service-ca-bundle readOnly: true - mountPath: /var/lib/haproxy/conf/metrics-auth name: stats-auth readOnly: true - mountPath: /etc/pki/tls/metrics-certs name: metrics-certs readOnly: true - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-vmt88 readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: router-dockercfg-mrwml nodeName: ip-10-0-132-252.ec2.internal nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/worker: "" preemptionPolicy: PreemptLowerPriority priority: 2000000000 priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000320000 seLinuxOptions: level: s0:c18,c7 serviceAccount: router serviceAccountName: router terminationGracePeriodSeconds: 3600 tolerations: - effect: NoExecute key: kubernetes.io/e2e-evict-taint-key operator: Equal value: evictTaintVal - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists topologySpreadConstraints: - labelSelector: matchExpressions: - key: ingresscontroller.operator.openshift.io/hash operator: In values: - 5cb4fd75d6 maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - name: default-certificate secret: defaultMode: 420 secretName: default-ingress-cert - configMap: defaultMode: 420 items: - key: service-ca.crt path: service-ca.crt name: service-ca-bundle optional: false name: service-ca-bundle - name: stats-auth secret: defaultMode: 420 secretName: router-stats-default - name: metrics-certs secret: defaultMode: 420 secretName: router-metrics-certs-default - name: kube-api-access-vmt88 projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2026-06-05T18:25:47Z" observedGeneration: 1 status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-06-05T18:25:15Z" observedGeneration: 1 status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-06-05T18:25:48Z" observedGeneration: 1 status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-06-05T18:25:48Z" observedGeneration: 1 status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-06-05T18:25:15Z" observedGeneration: 1 status: "True" type: PodScheduled containerStatuses: - allocatedResources: cpu: 100m memory: 256Mi containerID: cri-o://48b22d28cc177bbbb3a3c33c15dd53199b852649b5b8e6af5051437fe2a73fd4 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ff2a1b99a07e285ee709042ae253d7022ca12b5906327bc8c069bcd0acd749ae imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3eaaaff90b233a8497fc09c79e8802dee2a108b53bd91984c83fa54f8f671027 lastState: {} name: router ready: true resources: requests: cpu: 100m memory: 256Mi restartCount: 0 started: true state: running: startedAt: "2026-06-05T18:25:47Z" user: linux: gid: 0 supplementalGroups: - 0 - 1000320000 uid: 1000320000 volumeMounts: - mountPath: /etc/pki/tls/private name: default-certificate readOnly: true recursiveReadOnly: Disabled - mountPath: /var/run/configmaps/service-ca name: service-ca-bundle readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lib/haproxy/conf/metrics-auth name: stats-auth readOnly: true recursiveReadOnly: Disabled - mountPath: /etc/pki/tls/metrics-certs name: metrics-certs readOnly: true recursiveReadOnly: Disabled - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-vmt88 readOnly: true recursiveReadOnly: Disabled hostIP: 10.0.132.252 hostIPs: - ip: 10.0.132.252 observedGeneration: 1 phase: Running podIP: 10.132.0.13 podIPs: - ip: 10.132.0.13 qosClass: Burstable startTime: "2026-06-05T18:25:15Z" kind: PodList metadata: resourceVersion: "31428"