--- apiVersion: v1 items: - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.46/23"],"mac_address":"0a:58:0a:80:00:2e","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/16","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.46/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.46" ], "mac": "0a:58:0a:80:00:2e", "default": true, "dns": {} }] creationTimestamp: "2026-02-23T13:02:04Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"a294e7f5-b17d-4c16-ab1a-8fbad65dd2bb"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2026-02-23T13:02:04Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-0 operation: Update subresource: status time: "2026-02-23T13:02:04Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-02-23T13:02:05Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-02-23T13:05:40Z" name: installer-1-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: a294e7f5-b17d-4c16-ab1a-8fbad65dd2bb resourceVersion: "10921" uid: 04a14e09-67c1-45e9-af34-bccb2fe3757e spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=1 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2026-02-23T13:02:51Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-02-23T13:02:04Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-02-23T13:02:50Z" reason: PodFailed status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2026-02-23T13:02:50Z" reason: PodFailed status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-02-23T13:02:04Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://88e0e24f4f045d3a42d1ee4cfb99a951aeace5cf2e7bece4bd5f41827f8965f5 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://88e0e24f4f045d3a42d1ee4cfb99a951aeace5cf2e7bece4bd5f41827f8965f5 exitCode: 1 finishedAt: "2026-02-23T13:02:50Z" message: | ving-cert", (string) (len=21) "user-serving-cert-000", (string) (len=21) "user-serving-cert-001", (string) (len=21) "user-serving-cert-002", (string) (len=21) "user-serving-cert-003", (string) (len=21) "user-serving-cert-004", (string) (len=21) "user-serving-cert-005", (string) (len=21) "user-serving-cert-006", (string) (len=21) "user-serving-cert-007", (string) (len=21) "user-serving-cert-008", (string) (len=21) "user-serving-cert-009" }, CertConfigMapNamePrefixes: ([]string) (len=4 cap=4) { (string) (len=20) "aggregator-client-ca", (string) (len=9) "client-ca", (string) (len=29) "control-plane-node-kubeconfig", (string) (len=26) "check-endpoints-kubeconfig" }, OptionalCertConfigMapNamePrefixes: ([]string) (len=1 cap=1) { (string) (len=17) "trusted-ca-bundle" }, CertDir: (string) (len=57) "/etc/kubernetes/static-pod-resources/kube-apiserver-certs", ResourceDir: (string) (len=36) "/etc/kubernetes/static-pod-resources", PodManifestDir: (string) (len=25) "/etc/kubernetes/manifests", Timeout: (time.Duration) 2m0s, StaticPodManifestsLockFile: (string) "", PodMutationFns: ([]installerpod.PodMutationFunc) , KubeletVersion: (string) "" }) I0223 13:02:06.232299 1 cmd.go:413] Getting controller reference for node master-0 I0223 13:02:06.253154 1 cmd.go:426] Waiting for installer revisions to settle for node master-0 I0223 13:02:06.253235 1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false I0223 13:02:06.315392 1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false I0223 13:02:06.321007 1 cmd.go:518] Waiting additional period after revisions have settled for node master-0 I0223 13:02:36.321683 1 cmd.go:524] Getting installer pods for node master-0 F0223 13:02:50.325769 1 cmd.go:109] Get "https://172.30.0.1:443/api/v1/namespaces/openshift-kube-apiserver/pods?labelSelector=app%3Dinstaller": net/http: request canceled (Client.Timeout exceeded while awaiting headers) reason: Error startedAt: "2026-02-23T13:02:05Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.32.10 hostIPs: - ip: 192.168.32.10 phase: Failed qosClass: Guaranteed startTime: "2026-02-23T13:02:04Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.69/23"],"mac_address":"0a:58:0a:80:00:45","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/16","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.69/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.69" ], "mac": "0a:58:0a:80:00:45", "default": true, "dns": {} }] creationTimestamp: "2026-02-23T13:06:01Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"a294e7f5-b17d-4c16-ab1a-8fbad65dd2bb"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2026-02-23T13:06:01Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-0 operation: Update subresource: status time: "2026-02-23T13:06:01Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-02-23T13:06:01Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-02-23T13:06:45Z" name: installer-1-retry-1-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: a294e7f5-b17d-4c16-ab1a-8fbad65dd2bb resourceVersion: "10928" uid: c2e50127-3c2e-4514-ace5-2cf6f9223abf spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=1 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-q2chk nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2026-02-23T13:06:42Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-02-23T13:06:01Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-02-23T13:06:41Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2026-02-23T13:06:41Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-02-23T13:06:01Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://87320ceaa2976029b0853261379f23dc5fc274ad76d399f47415010358a9fd41 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://87320ceaa2976029b0853261379f23dc5fc274ad76d399f47415010358a9fd41 exitCode: 0 finishedAt: "2026-02-23T13:06:40Z" reason: Completed startedAt: "2026-02-23T13:06:01Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.32.10 hostIPs: - ip: 192.168.32.10 phase: Succeeded qosClass: Guaranteed startTime: "2026-02-23T13:06:01Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.87/23"],"mac_address":"0a:58:0a:80:00:57","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/16","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.87/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.87" ], "mac": "0a:58:0a:80:00:57", "default": true, "dns": {} }] creationTimestamp: "2026-02-23T13:07:36Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"1821350c-42f0-40fb-a75f-6069135615dc"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2026-02-23T13:07:36Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-0 operation: Update subresource: status time: "2026-02-23T13:07:36Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-02-23T13:07:37Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.128.0.87"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-02-23T13:08:33Z" name: installer-2-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: 1821350c-42f0-40fb-a75f-6069135615dc resourceVersion: "13228" uid: 649c8f56-22ef-4e68-bc9b-9d608fba998c spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=2 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-q2chk nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2026-02-23T13:08:17Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-02-23T13:07:36Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-02-23T13:08:16Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2026-02-23T13:08:16Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-02-23T13:07:36Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://0ad530397d7e0906f92bdc82f78dbc6b9a8f87e05a0492ec16d7cc020ef72a12 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://0ad530397d7e0906f92bdc82f78dbc6b9a8f87e05a0492ec16d7cc020ef72a12 exitCode: 0 finishedAt: "2026-02-23T13:08:15Z" reason: Completed startedAt: "2026-02-23T13:07:37Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.32.10 hostIPs: - ip: 192.168.32.10 phase: Succeeded podIP: 10.128.0.87 podIPs: - ip: 10.128.0.87 qosClass: Guaranteed startTime: "2026-02-23T13:07:36Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.94/23"],"mac_address":"0a:58:0a:80:00:5e","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/16","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.94/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.94" ], "mac": "0a:58:0a:80:00:5e", "default": true, "dns": {} }] creationTimestamp: "2026-02-23T13:11:19Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"9c9bc9bc-52b8-4e2a-81e2-16587bedd9b7"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2026-02-23T13:11:19Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-0 operation: Update subresource: status time: "2026-02-23T13:11:20Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-02-23T13:11:20Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.128.0.94"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-02-23T13:14:34Z" name: installer-4-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-4 uid: 9c9bc9bc-52b8-4e2a-81e2-16587bedd9b7 resourceVersion: "14135" uid: 382f96d2-f66c-4adc-9b6d-4ed63124da89 spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=4 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-q2chk nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2026-02-23T13:12:42Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-02-23T13:11:20Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-02-23T13:12:40Z" reason: PodFailed status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2026-02-23T13:12:40Z" reason: PodFailed status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-02-23T13:11:20Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://75e186849ab472b06510b38037d45625e486194e5caf39cee1406a4fb4c97a4d image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://75e186849ab472b06510b38037d45625e486194e5caf39cee1406a4fb4c97a4d exitCode: 1 finishedAt: "2026-02-23T13:12:39Z" message: | , ResourceDir: (string) (len=36) "/etc/kubernetes/static-pod-resources", PodManifestDir: (string) (len=25) "/etc/kubernetes/manifests", Timeout: (time.Duration) 2m0s, StaticPodManifestsLockFile: (string) "", PodMutationFns: ([]installerpod.PodMutationFunc) , KubeletVersion: (string) "" }) I0223 13:11:21.725131 1 cmd.go:413] Getting controller reference for node master-0 I0223 13:11:21.819368 1 cmd.go:426] Waiting for installer revisions to settle for node master-0 I0223 13:11:21.819490 1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false I0223 13:11:21.819570 1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false I0223 13:11:21.822869 1 cmd.go:506] Pod container: installer state for node master-0 is not terminated, waiting W0223 13:11:45.825628 1 cmd.go:470] Error getting installer pods on current node master-0: Get "https://172.30.0.1:443/api/v1/namespaces/openshift-kube-apiserver/pods?labelSelector=app%3Dinstaller": net/http: request canceled (Client.Timeout exceeded while awaiting headers) W0223 13:12:05.826730 1 cmd.go:470] Error getting installer pods on current node master-0: Get "https://172.30.0.1:443/api/v1/namespaces/openshift-kube-apiserver/pods?labelSelector=app%3Dinstaller": net/http: request canceled (Client.Timeout exceeded while awaiting headers) W0223 13:12:25.823687 1 cmd.go:470] Error getting installer pods on current node master-0: Get "https://172.30.0.1:443/api/v1/namespaces/openshift-kube-apiserver/pods?labelSelector=app%3Dinstaller": net/http: request canceled (Client.Timeout exceeded while awaiting headers) W0223 13:12:39.824965 1 cmd.go:470] Error getting installer pods on current node master-0: Get "https://172.30.0.1:443/api/v1/namespaces/openshift-kube-apiserver/pods?labelSelector=app%3Dinstaller": net/http: request canceled (Client.Timeout exceeded while awaiting headers) F0223 13:12:39.825041 1 cmd.go:109] timed out waiting for the condition reason: Error startedAt: "2026-02-23T13:11:21Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.32.10 hostIPs: - ip: 192.168.32.10 phase: Failed podIP: 10.128.0.94 podIPs: - ip: 10.128.0.94 qosClass: Guaranteed startTime: "2026-02-23T13:11:20Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.96/23"],"mac_address":"0a:58:0a:80:00:60","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/16","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.96/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.96" ], "mac": "0a:58:0a:80:00:60", "default": true, "dns": {} }] creationTimestamp: "2026-02-23T13:14:50Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"9c9bc9bc-52b8-4e2a-81e2-16587bedd9b7"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2026-02-23T13:14:50Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-0 operation: Update subresource: status time: "2026-02-23T13:14:50Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2026-02-23T13:14:51Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.128.0.96"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-02-23T13:16:40Z" name: installer-4-retry-1-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-4 uid: 9c9bc9bc-52b8-4e2a-81e2-16587bedd9b7 resourceVersion: "14860" uid: 23f6e482-8da1-4df0-8de6-66a930e45a20 spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=4 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-q2chk nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2026-02-23T13:16:09Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-02-23T13:14:50Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-02-23T13:16:07Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2026-02-23T13:16:07Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-02-23T13:14:50Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://7e430dd00f0a0105863d8293fdc97c4fe96bc4ed6b8ff010a52f450aad23346b image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://7e430dd00f0a0105863d8293fdc97c4fe96bc4ed6b8ff010a52f450aad23346b exitCode: 0 finishedAt: "2026-02-23T13:16:07Z" reason: Completed startedAt: "2026-02-23T13:14:51Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.32.10 hostIPs: - ip: 192.168.32.10 phase: Succeeded podIP: 10.128.0.96 podIPs: - ip: 10.128.0.96 qosClass: Guaranteed startTime: "2026-02-23T13:14:50Z" - apiVersion: v1 kind: Pod metadata: annotations: kubectl.kubernetes.io/default-container: kube-apiserver kubernetes.io/config.hash: 959c75833224b4ba3fa488b77d8f5032 kubernetes.io/config.mirror: 959c75833224b4ba3fa488b77d8f5032 kubernetes.io/config.seen: "2026-02-23T13:16:06.826373289Z" kubernetes.io/config.source: file target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: "2026-02-23T13:16:40Z" labels: apiserver: "true" app: openshift-kube-apiserver revision: "4" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/default-container: {} f:kubernetes.io/config.hash: {} f:kubernetes.io/config.mirror: {} f:kubernetes.io/config.seen: {} f:kubernetes.io/config.source: {} f:target.workload.openshift.io/management: {} f:labels: .: {} f:apiserver: {} f:app: {} f:revision: {} f:ownerReferences: .: {} k:{"uid":"a649b105-b588-45b2-81ba-99a4648aee7c"}: {} f:spec: f:containers: k:{"name":"kube-apiserver"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"GOGC"}: .: {} f:name: {} f:value: {} k:{"name":"HOST_IP"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"STATIC_POD_VERSION"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":6443,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/log/kube-apiserver"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-cert-regeneration-controller"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-cert-syncer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-check-endpoints"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":17697,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-insecure-readyz"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":6080,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:protocol: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:hostNetwork: {} f:initContainers: .: {} k:{"name":"setup"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/var/log/kube-apiserver"}: .: {} f:mountPath: {} f:name: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"audit-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"cert-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"resource-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: kubelet operation: Update time: "2026-02-23T13:16:40Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:initContainerStatuses: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"192.168.32.10"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2026-02-23T13:16:53Z" name: kube-apiserver-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 controller: true kind: Node name: master-0 uid: a649b105-b588-45b2-81ba-99a4648aee7c resourceVersion: "15031" uid: e02fac60-9feb-469c-9f39-0a6507464db2 spec: containers: - args: - | LOCK=/var/log/kube-apiserver/.lock # We should be able to acquire the lock immediatelly. If not, it means the init container has not released it yet and kubelet or CRI-O started container prematurely. exec {LOCK_FD}>${LOCK} && flock --verbose -w 30 "${LOCK_FD}" || { echo "Failed to acquire lock for kube-apiserver. Please check setup container for details. This is likely kubelet or CRI-O bug." exit 1 } if [ -f /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt ]; then echo "Copying system trust bundle ..." cp -f /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem fi exec watch-termination --termination-touch-file=/var/log/kube-apiserver/.terminating --termination-log-file=/var/log/kube-apiserver/termination.log --graceful-termination-duration=15s --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig -- hyperkube kube-apiserver --openshift-config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml --advertise-address=${HOST_IP} -v=2 --permit-address-sharing command: - /bin/bash - -ec env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: STATIC_POD_VERSION value: "4" - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: GOGC value: "100" image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8177c465e14c63854e5c0fa95ca0635cffc9b5dd3d077ecf971feedbc42b1274 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: livez?exclude=etcd port: 6443 scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: kube-apiserver ports: - containerPort: 6443 hostPort: 6443 protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: readyz port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 265m memory: 1Gi securityContext: privileged: true startupProbe: failureThreshold: 30 httpGet: path: livez port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/log/kube-apiserver name: audit-dir - args: - --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig - --namespace=$(POD_NAMESPACE) - --destination-dir=/etc/kubernetes/static-pod-certs command: - cluster-kube-apiserver-operator - cert-syncer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent name: kube-apiserver-cert-syncer resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - args: - --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig - --namespace=$(POD_NAMESPACE) - -v=2 command: - cluster-kube-apiserver-operator - cert-regeneration-controller env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent name: kube-apiserver-cert-regeneration-controller resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - args: - --insecure-port=6080 - --delegate-url=https://localhost:6443/readyz command: - cluster-kube-apiserver-operator - insecure-readyz image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent name: kube-apiserver-insecure-readyz ports: - containerPort: 6080 hostPort: 6080 protocol: TCP resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError - args: - --kubeconfig - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig - --listen - 0.0.0.0:17697 - --namespace - $(POD_NAMESPACE) - --v - "2" command: - cluster-kube-apiserver-operator - check-endpoints env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: healthz port: 17697 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: kube-apiserver-check-endpoints ports: - containerPort: 17697 hostPort: 17697 name: check-endpoints protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: healthz port: 17697 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 10m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - args: - | echo "Fixing audit permissions ..." chmod 0700 /var/log/kube-apiserver && touch /var/log/kube-apiserver/audit.log && chmod 0600 /var/log/kube-apiserver/* LOCK=/var/log/kube-apiserver/.lock echo "Acquiring exclusive lock ${LOCK} ..." # Waiting for 15s max for old kube-apiserver's watch-termination process to exit and remove the lock. # Two cases: # 1. if kubelet does not start the old and new in parallel (i.e. works as expected), the flock will always succeed without any time. # 2. if kubelet does overlap old and new pods for up to 130s, the flock will wait and immediate return when the old finishes. # # NOTE: We can increase 15s for a bigger expected overlap. But a higher value means less noise about the broken kubelet behaviour, i.e. we hide a bug. # NOTE: Do not tweak these timings without considering the livenessProbe initialDelaySeconds exec {LOCK_FD}>${LOCK} && flock --verbose -w 15 "${LOCK_FD}" || { echo "$(date -Iseconds -u) kubelet did not terminate old kube-apiserver before new one" >> /var/log/kube-apiserver/lock.log echo -n ": WARNING: kubelet did not terminate old kube-apiserver before new one." # We failed to acquire exclusive lock, which means there is old kube-apiserver running in system. # Since we utilize SO_REUSEPORT, we need to make sure the old kube-apiserver stopped listening. # # NOTE: This is a fallback for broken kubelet, if you observe this please report a bug. echo -n "Waiting for port 6443 to be released due to likely bug in kubelet or CRI-O " while [ -n "$(ss -Htan state listening '( sport = 6443 or sport = 6080 )')" ]; do echo -n "." sleep 1 (( tries += 1 )) if [[ "${tries}" -gt 10 ]]; then echo "Timed out waiting for port :6443 and :6080 to be released, this is likely a bug in kubelet or CRI-O" exit 1 fi done # This is to make sure the server has terminated independently from the lock. # After the port has been freed (requests can be pending and need 60s max). sleep 65 } # We cannot hold the lock from the init container to the main container. We release it here. There is no risk, at this point we know we are safe. flock -u "${LOCK_FD}" command: - /usr/bin/timeout - "100" - /bin/bash - -ec image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8177c465e14c63854e5c0fa95ca0635cffc9b5dd3d077ecf971feedbc42b1274 imagePullPolicy: IfNotPresent name: setup resources: requests: cpu: 5m memory: 50Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/log/kube-apiserver name: audit-dir nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} terminationGracePeriodSeconds: 15 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/static-pod-resources/kube-apiserver-pod-4 type: "" name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/kube-apiserver-certs type: "" name: cert-dir - hostPath: path: /var/log/kube-apiserver type: "" name: audit-dir status: conditions: - lastProbeTime: null lastTransitionTime: "2026-02-23T13:16:52Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2026-02-23T13:16:52Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2026-02-23T13:16:52Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2026-02-23T13:16:52Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2026-02-23T13:16:52Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://7b6cc5be5905ae7f4816b017841fa7b3fcf14727394d0d519f454d37363136d4 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8177c465e14c63854e5c0fa95ca0635cffc9b5dd3d077ecf971feedbc42b1274 imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8177c465e14c63854e5c0fa95ca0635cffc9b5dd3d077ecf971feedbc42b1274 lastState: {} name: kube-apiserver ready: true restartCount: 0 started: true state: running: startedAt: "2026-02-23T13:16:33Z" - containerID: cri-o://c87147a4890661b2f7c15d9641dc954d9d696c88a05d2b50a5bc7bbc4de4fd51 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: kube-apiserver-cert-regeneration-controller ready: true restartCount: 0 started: true state: running: startedAt: "2026-02-23T13:16:34Z" - containerID: cri-o://0bfe2991265cd588abcaf8d0b2af43bf522379cacbac29b26444a0a05d8a31b1 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: kube-apiserver-cert-syncer ready: true restartCount: 0 started: true state: running: startedAt: "2026-02-23T13:16:34Z" - containerID: cri-o://0362eff4d622e8da84bef8c367ec2f348346a9c774e282f1c62b337838da0ed4 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: kube-apiserver-check-endpoints ready: true restartCount: 0 started: true state: running: startedAt: "2026-02-23T13:16:34Z" - containerID: cri-o://aa9417a69b3d8534fa7fbe4b07141243e626f791a17923e9d8b54134a737639f image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8fd63e2c1185e529c6e9f6e1426222ff2ac195132b44a1775f407e4593b66d4c lastState: {} name: kube-apiserver-insecure-readyz ready: true restartCount: 0 started: true state: running: startedAt: "2026-02-23T13:16:34Z" hostIP: 192.168.32.10 hostIPs: - ip: 192.168.32.10 initContainerStatuses: - containerID: cri-o://1ccd0d66efb6fc1017d9ff7c176c9ee040c1b848e55b7965ec1f33d638df12be image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8177c465e14c63854e5c0fa95ca0635cffc9b5dd3d077ecf971feedbc42b1274 imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8177c465e14c63854e5c0fa95ca0635cffc9b5dd3d077ecf971feedbc42b1274 lastState: {} name: setup ready: true restartCount: 0 started: false state: terminated: containerID: cri-o://1ccd0d66efb6fc1017d9ff7c176c9ee040c1b848e55b7965ec1f33d638df12be exitCode: 0 finishedAt: "2026-02-23T13:16:33Z" reason: Completed startedAt: "2026-02-23T13:16:33Z" phase: Running podIP: 192.168.32.10 podIPs: - ip: 192.168.32.10 qosClass: Burstable startTime: "2026-02-23T13:16:52Z" kind: PodList metadata: resourceVersion: "23614"