--- apiVersion: v1 items: - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.129.0.52/23"],"mac_address":"0a:58:0a:81:00:34","gateway_ips":["10.129.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.129.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.129.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.129.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.129.0.1"}],"ip_address":"10.129.0.52/23","gateway_ip":"10.129.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.129.0.52" ], "mac": "0a:58:0a:81:00:34", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:34:15Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"a6ba535b-545f-41e8-afeb-07152ec5a53d"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:34:15Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-1 operation: Update subresource: status time: "2025-10-11T10:34:15Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:34:16Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.129.0.52"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:34:57Z" name: installer-2-master-1 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: a6ba535b-545f-41e8-afeb-07152ec5a53d resourceVersion: "13360" uid: c1c3b2b9-8880-496b-88ed-9706cd8ee23d spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=2 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: master-1 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:34:57Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:34:15Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:34:55Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:34:55Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:34:15Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://d5b95693856e76475228e56822cf59bc988be47b5715c02d7d3f81ff2fa1bb74 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://d5b95693856e76475228e56822cf59bc988be47b5715c02d7d3f81ff2fa1bb74 exitCode: 0 finishedAt: "2025-10-11T10:34:54Z" reason: Completed startedAt: "2025-10-11T10:34:16Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.34.11 hostIPs: - ip: 192.168.34.11 phase: Succeeded podIP: 10.129.0.52 podIPs: - ip: 10.129.0.52 qosClass: Guaranteed startTime: "2025-10-11T10:34:15Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.59/23"],"mac_address":"0a:58:0a:80:00:3b","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.59/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.59" ], "mac": "0a:58:0a:80:00:3b", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:32:42Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"a6ba535b-545f-41e8-afeb-07152ec5a53d"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:32:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-2 operation: Update subresource: status time: "2025-10-11T10:32:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:32:45Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.128.0.59"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:33:25Z" name: installer-2-master-2 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: a6ba535b-545f-41e8-afeb-07152ec5a53d resourceVersion: "12663" uid: d7d02073-00a3-41a2-8ca4-6932819886b8 spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=2 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: master-2 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:33:25Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:32:42Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:33:23Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:33:23Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:32:42Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://2486353b3b6462d5e98cb24747afeeaf5ae72f91e0a411ae6b701751ae441123 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://2486353b3b6462d5e98cb24747afeeaf5ae72f91e0a411ae6b701751ae441123 exitCode: 0 finishedAt: "2025-10-11T10:33:23Z" reason: Completed startedAt: "2025-10-11T10:32:45Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.34.12 hostIPs: - ip: 192.168.34.12 phase: Succeeded podIP: 10.128.0.59 podIPs: - ip: 10.128.0.59 qosClass: Guaranteed startTime: "2025-10-11T10:32:42Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.129.0.74/23"],"mac_address":"0a:58:0a:81:00:4a","gateway_ips":["10.129.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.129.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.129.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.129.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.129.0.1"}],"ip_address":"10.129.0.74/23","gateway_ip":"10.129.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.129.0.74" ], "mac": "0a:58:0a:81:00:4a", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:38:41Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"00810c8f-1712-4ac1-bcd4-d8710f2fda1b"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:38:41Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-1 operation: Update subresource: status time: "2025-10-11T10:38:41Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:38:43Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.129.0.74"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:39:44Z" name: installer-5-master-1 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-5 uid: 00810c8f-1712-4ac1-bcd4-d8710f2fda1b resourceVersion: "20014" uid: 04d0b40e-b6ae-4466-a0af-fcb5ce630a97 spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=5 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-t28rg nodeName: master-1 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:39:44Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:38:41Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:39:43Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:39:43Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:38:41Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://3d3a7650ee6f21f1edc22785fe9fc463251f973399b34912c74a0d533d0b5e22 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://3d3a7650ee6f21f1edc22785fe9fc463251f973399b34912c74a0d533d0b5e22 exitCode: 0 finishedAt: "2025-10-11T10:39:42Z" reason: Completed startedAt: "2025-10-11T10:38:43Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.34.11 hostIPs: - ip: 192.168.34.11 phase: Succeeded podIP: 10.129.0.74 podIPs: - ip: 10.129.0.74 qosClass: Guaranteed startTime: "2025-10-11T10:38:41Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.130.0.24/23"],"mac_address":"0a:58:0a:82:00:18","gateway_ips":["10.130.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.130.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.130.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.130.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.130.0.1"}],"ip_address":"10.130.0.24/23","gateway_ip":"10.130.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.130.0.24" ], "mac": "0a:58:0a:82:00:18", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:42:19Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"4528f968-576f-4fdf-a36a-b7787647512a"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:42:19Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-0 operation: Update subresource: status time: "2025-10-11T10:42:19Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:42:20Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.130.0.24"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:43:20Z" name: installer-6-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-6 uid: 4528f968-576f-4fdf-a36a-b7787647512a resourceVersion: "22751" uid: e7063ccc-c150-41d0-9285-8a8ca00aa417 spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=6 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-t28rg nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:20Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:42:19Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:19Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:19Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:42:19Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://194353fb7acfeb121812b2d62c7722c179dced595ba3e814ace7d8070862578b image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://194353fb7acfeb121812b2d62c7722c179dced595ba3e814ace7d8070862578b exitCode: 0 finishedAt: "2025-10-11T10:43:19Z" reason: Completed startedAt: "2025-10-11T10:42:20Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.34.10 hostIPs: - ip: 192.168.34.10 phase: Succeeded podIP: 10.130.0.24 podIPs: - ip: 10.130.0.24 qosClass: Guaranteed startTime: "2025-10-11T10:42:19Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.129.0.90/23"],"mac_address":"0a:58:0a:81:00:5a","gateway_ips":["10.129.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.129.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.129.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.129.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.129.0.1"}],"ip_address":"10.129.0.90/23","gateway_ip":"10.129.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.129.0.90" ], "mac": "0a:58:0a:81:00:5a", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:47:07Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"4528f968-576f-4fdf-a36a-b7787647512a"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:47:07Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-1 operation: Update subresource: status time: "2025-10-11T10:47:07Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:47:08Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.129.0.90"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:47:48Z" name: installer-6-master-1 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-6 uid: 4528f968-576f-4fdf-a36a-b7787647512a resourceVersion: "26188" uid: 75f73eff-98a5-47a6-b15c-2338930444b9 spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=6 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-t28rg nodeName: master-1 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:47:48Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:47:07Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:47:47Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:47:47Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:47:07Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://2a911b9063702410de3ab33cdd411750a6c1735b8b89a04533d1fce1ca985ed4 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://2a911b9063702410de3ab33cdd411750a6c1735b8b89a04533d1fce1ca985ed4 exitCode: 0 finishedAt: "2025-10-11T10:47:46Z" reason: Completed startedAt: "2025-10-11T10:47:08Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.34.11 hostIPs: - ip: 192.168.34.11 phase: Succeeded podIP: 10.129.0.90 podIPs: - ip: 10.129.0.90 qosClass: Guaranteed startTime: "2025-10-11T10:47:07Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.88/23"],"mac_address":"0a:58:0a:80:00:58","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.88/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.88" ], "mac": "0a:58:0a:80:00:58", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:44:13Z" labels: app: installer managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"4528f968-576f-4fdf-a36a-b7787647512a"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"installer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"NODE_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/lock"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"var-lock"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:44:13Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-2 operation: Update subresource: status time: "2025-10-11T10:44:13Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:44:14Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.128.0.88"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:44:54Z" name: installer-6-master-2 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-6 uid: 4528f968-576f-4fdf-a36a-b7787647512a resourceVersion: "23506" uid: 2e6df740-3969-4dd7-8953-2c21514694b8 spec: automountServiceAccountToken: false containers: - args: - -v=2 - --revision=6 - --namespace=openshift-kube-apiserver - --pod=kube-apiserver-pod - --resource-dir=/etc/kubernetes/static-pod-resources - --pod-manifest-dir=/etc/kubernetes/manifests - --configmaps=kube-apiserver-pod - --configmaps=config - --configmaps=kube-apiserver-cert-syncer-kubeconfig - --optional-configmaps=oauth-metadata - --optional-configmaps=cloud-config - --configmaps=bound-sa-token-signing-certs - --configmaps=etcd-serving-ca - --optional-configmaps=kube-apiserver-server-ca - --configmaps=kubelet-serving-ca - --configmaps=sa-token-signing-certs - --configmaps=kube-apiserver-audit-policies - --secrets=etcd-client - --optional-secrets=encryption-config - --secrets=localhost-recovery-serving-certkey - --secrets=localhost-recovery-client-token - --optional-secrets=webhook-authenticator - --cert-dir=/etc/kubernetes/static-pod-resources/kube-apiserver-certs - --cert-configmaps=aggregator-client-ca - --cert-configmaps=client-ca - --optional-cert-configmaps=trusted-ca-bundle - --cert-configmaps=control-plane-node-kubeconfig - --cert-configmaps=check-endpoints-kubeconfig - --cert-secrets=aggregator-client - --cert-secrets=localhost-serving-cert-certkey - --cert-secrets=service-network-serving-certkey - --cert-secrets=external-loadbalancer-serving-certkey - --cert-secrets=internal-loadbalancer-serving-certkey - --cert-secrets=bound-service-account-signing-key - --cert-secrets=control-plane-node-admin-client-cert-key - --cert-secrets=check-endpoints-client-cert-key - --cert-secrets=kubelet-client - --cert-secrets=node-kubeconfigs - --optional-cert-secrets=user-serving-cert - --optional-cert-secrets=user-serving-cert-000 - --optional-cert-secrets=user-serving-cert-001 - --optional-cert-secrets=user-serving-cert-002 - --optional-cert-secrets=user-serving-cert-003 - --optional-cert-secrets=user-serving-cert-004 - --optional-cert-secrets=user-serving-cert-005 - --optional-cert-secrets=user-serving-cert-006 - --optional-cert-secrets=user-serving-cert-007 - --optional-cert-secrets=user-serving-cert-008 - --optional-cert-secrets=user-serving-cert-009 command: - cluster-kube-apiserver-operator - installer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: installer resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true - mountPath: /var/lock name: var-lock dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-t28rg nodeName: master-2 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - hostPath: path: /var/lock type: "" name: var-lock - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:44:54Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:44:13Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:44:53Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:44:53Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:44:13Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://dafe48c0553defd2bb14beff21925c74176e23a28e26ccc15fdf50c0af2425e7 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: installer ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://dafe48c0553defd2bb14beff21925c74176e23a28e26ccc15fdf50c0af2425e7 exitCode: 0 finishedAt: "2025-10-11T10:44:52Z" reason: Completed startedAt: "2025-10-11T10:44:14Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled - mountPath: /var/lock name: var-lock hostIP: 192.168.34.12 hostIPs: - ip: 192.168.34.12 phase: Succeeded podIP: 10.128.0.88 podIPs: - ip: 10.128.0.88 qosClass: Guaranteed startTime: "2025-10-11T10:44:13Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.130.0.26/23"],"mac_address":"0a:58:0a:82:00:1a","gateway_ips":["10.130.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.130.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.130.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.130.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.130.0.1"}],"ip_address":"10.130.0.26/23","gateway_ip":"10.130.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.130.0.26" ], "mac": "0a:58:0a:82:00:1a", "default": true, "dns": {} }] target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: "2025-10-11T10:43:29Z" labels: app: guard managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-0 operation: Update subresource: status time: "2025-10-11T10:43:29Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:43:30Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.130.0.26"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:43:31Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:target.workload.openshift.io/management: {} f:labels: .: {} f:app: {} f:spec: f:containers: k:{"name":"guard"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:host: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:hostname: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:43:38Z" name: kube-apiserver-guard-master-0 namespace: openshift-kube-apiserver resourceVersion: "22875" uid: acfb978c-45a9-4081-9d1e-3751eea1b483 spec: containers: - args: - -c - | # properly handle TERM and exit as soon as it is signaled set -euo pipefail trap 'jobs -p | xargs -r kill; exit 0' TERM sleep infinity & wait command: - /bin/bash image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: guard readinessProbe: failureThreshold: 3 httpGet: host: 192.168.34.10 path: readyz port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 resources: requests: cpu: 10m memory: 5Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-v2vct readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostname: guard-fe24dedbcfcb8957d64c99c81d04647bc194bc58-end imagePullSecrets: - name: default-dockercfg-hlr4b nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000000000 priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: default serviceAccountName: default terminationGracePeriodSeconds: 3 tolerations: - operator: Exists volumes: - name: kube-api-access-v2vct projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:31Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:29Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:31Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:31Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:29Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://44f0928c4192874c201c618b86ce60c31a0620f8ec403ce90ee4b0b25f138ba0 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: guard ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:43:31Z" volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-v2vct readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.34.10 hostIPs: - ip: 192.168.34.10 phase: Running podIP: 10.130.0.26 podIPs: - ip: 10.130.0.26 qosClass: Burstable startTime: "2025-10-11T10:43:29Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.129.0.47/23"],"mac_address":"0a:58:0a:81:00:2f","gateway_ips":["10.129.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.129.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.129.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.129.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.129.0.1"}],"ip_address":"10.129.0.47/23","gateway_ip":"10.129.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.129.0.47" ], "mac": "0a:58:0a:81:00:2f", "default": true, "dns": {} }] target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: "2025-10-11T10:31:42Z" labels: app: guard managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-1 operation: Update subresource: status time: "2025-10-11T10:31:42Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:31:43Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:target.workload.openshift.io/management: {} f:labels: .: {} f:app: {} f:spec: f:containers: k:{"name":"guard"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:host: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:hostname: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:31:47Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.129.0.47"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:49:18Z" name: kube-apiserver-guard-master-1 namespace: openshift-kube-apiserver resourceVersion: "30020" uid: 86b914fa-4ccd-42fb-965a-a1bc19442489 spec: containers: - args: - -c - | # properly handle TERM and exit as soon as it is signaled set -euo pipefail trap 'jobs -p | xargs -r kill; exit 0' TERM sleep infinity & wait command: - /bin/bash image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: guard readinessProbe: failureThreshold: 3 httpGet: host: 192.168.34.11 path: readyz port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 resources: requests: cpu: 10m memory: 5Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-pkxxx readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostname: guard-f1d8facf00531860b6cbd951c4b787ab1982edd3-end nodeName: master-1 preemptionPolicy: PreemptLowerPriority priority: 2000000000 priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: default serviceAccountName: default terminationGracePeriodSeconds: 3 tolerations: - operator: Exists volumes: - name: kube-api-access-pkxxx projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:31:44Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:31:42Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:49:18Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:49:18Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:31:42Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://16917522dd8d6c564900b32768804f2aa15698ba6c7c0d38122dff408276f3fa image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: guard ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:31:43Z" volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-pkxxx readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.34.11 hostIPs: - ip: 192.168.34.11 phase: Running podIP: 10.129.0.47 podIPs: - ip: 10.129.0.47 qosClass: Burstable startTime: "2025-10-11T10:31:42Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.63/23"],"mac_address":"0a:58:0a:80:00:3f","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.63/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.63" ], "mac": "0a:58:0a:80:00:3f", "default": true, "dns": {} }] target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: "2025-10-11T10:33:27Z" labels: app: guard managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-2 operation: Update subresource: status time: "2025-10-11T10:33:27Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:33:28Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:target.workload.openshift.io/management: {} f:labels: .: {} f:app: {} f:spec: f:containers: k:{"name":"guard"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:host: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:hostname: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:33:36Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.128.0.63"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:46:13Z" name: kube-apiserver-guard-master-2 namespace: openshift-kube-apiserver resourceVersion: "24276" uid: 1a003c5f-2a49-44fb-93a8-7a83319ce8e8 spec: containers: - args: - -c - | # properly handle TERM and exit as soon as it is signaled set -euo pipefail trap 'jobs -p | xargs -r kill; exit 0' TERM sleep infinity & wait command: - /bin/bash image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: guard readinessProbe: failureThreshold: 3 httpGet: host: 192.168.34.12 path: readyz port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 resources: requests: cpu: 10m memory: 5Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-bv7m6 readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostname: guard-9ebd003be3f351d92417beeadb163bd50e8622c1-end nodeName: master-2 preemptionPolicy: PreemptLowerPriority priority: 2000000000 priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: default serviceAccountName: default terminationGracePeriodSeconds: 3 tolerations: - operator: Exists volumes: - name: kube-api-access-bv7m6 projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace - configMap: items: - key: service-ca.crt path: service-ca.crt name: openshift-service-ca.crt status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:33:29Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:33:27Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:46:13Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:46:13Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:33:27Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://beaf5a3da8aca93aa44591bd942154456555dc1572d65396b432139667d779a5 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: guard ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:33:28Z" volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-bv7m6 readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.34.12 hostIPs: - ip: 192.168.34.12 phase: Running podIP: 10.128.0.63 podIPs: - ip: 10.128.0.63 qosClass: Burstable startTime: "2025-10-11T10:33:27Z" - apiVersion: v1 kind: Pod metadata: annotations: kubectl.kubernetes.io/default-container: kube-apiserver kubernetes.io/config.hash: 08bb0ac7b01a53ae0dcb90ce8b66efa1 kubernetes.io/config.mirror: 08bb0ac7b01a53ae0dcb90ce8b66efa1 kubernetes.io/config.seen: "2025-10-11T10:43:18.933221600Z" kubernetes.io/config.source: file target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: "2025-10-11T10:43:18Z" labels: apiserver: "true" app: openshift-kube-apiserver revision: "6" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/default-container: {} f:kubernetes.io/config.hash: {} f:kubernetes.io/config.mirror: {} f:kubernetes.io/config.seen: {} f:kubernetes.io/config.source: {} f:target.workload.openshift.io/management: {} f:labels: .: {} f:apiserver: {} f:app: {} f:revision: {} f:ownerReferences: .: {} k:{"uid":"97dd5b8a-350a-439c-8589-4fe0e8fb3b9e"}: {} f:spec: f:containers: k:{"name":"kube-apiserver"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"GOGC"}: .: {} f:name: {} f:value: {} k:{"name":"HOST_IP"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"STATIC_POD_VERSION"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":6443,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/log/kube-apiserver"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-cert-regeneration-controller"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-cert-syncer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-check-endpoints"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":17697,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-insecure-readyz"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":6080,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:protocol: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:hostNetwork: {} f:initContainers: .: {} k:{"name":"setup"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/var/log/kube-apiserver"}: .: {} f:mountPath: {} f:name: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"audit-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"cert-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"resource-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: kubelet operation: Update time: "2025-10-11T10:43:18Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:initContainerStatuses: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"192.168.34.10"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:43:39Z" name: kube-apiserver-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 controller: true kind: Node name: master-0 uid: 97dd5b8a-350a-439c-8589-4fe0e8fb3b9e resourceVersion: "22877" uid: 7d482d30-0ff3-430d-9a5b-d60cd10a7b44 spec: containers: - args: - | LOCK=/var/log/kube-apiserver/.lock # We should be able to acquire the lock immediatelly. If not, it means the init container has not released it yet and kubelet or CRI-O started container prematurely. exec {LOCK_FD}>${LOCK} && flock --verbose -w 30 "${LOCK_FD}" || { echo "Failed to acquire lock for kube-apiserver. Please check setup container for details. This is likely kubelet or CRI-O bug." exit 1 } if [ -f /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt ]; then echo "Copying system trust bundle ..." cp -f /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem fi exec watch-termination --termination-touch-file=/var/log/kube-apiserver/.terminating --termination-log-file=/var/log/kube-apiserver/termination.log --graceful-termination-duration=135s --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig -- hyperkube kube-apiserver --openshift-config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml --advertise-address=${HOST_IP} -v=2 --permit-address-sharing command: - /bin/bash - -ec env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: STATIC_POD_VERSION value: "6" - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: GOGC value: "100" image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: livez?exclude=etcd port: 6443 scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: kube-apiserver ports: - containerPort: 6443 hostPort: 6443 protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: readyz port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 265m memory: 1Gi securityContext: privileged: true startupProbe: failureThreshold: 30 httpGet: path: livez port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/log/kube-apiserver name: audit-dir - args: - --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig - --namespace=$(POD_NAMESPACE) - --destination-dir=/etc/kubernetes/static-pod-certs command: - cluster-kube-apiserver-operator - cert-syncer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-cert-syncer resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - args: - --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig - --namespace=$(POD_NAMESPACE) - -v=2 command: - cluster-kube-apiserver-operator - cert-regeneration-controller env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-cert-regeneration-controller resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - args: - --insecure-port=6080 - --delegate-url=https://localhost:6443/readyz command: - cluster-kube-apiserver-operator - insecure-readyz image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-insecure-readyz ports: - containerPort: 6080 hostPort: 6080 protocol: TCP resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError - args: - --kubeconfig - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig - --listen - 0.0.0.0:17697 - --namespace - $(POD_NAMESPACE) - --v - "2" command: - cluster-kube-apiserver-operator - check-endpoints env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: healthz port: 17697 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: kube-apiserver-check-endpoints ports: - containerPort: 17697 hostPort: 17697 name: check-endpoints protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: healthz port: 17697 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 10m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - args: - | echo "Fixing audit permissions ..." chmod 0700 /var/log/kube-apiserver && touch /var/log/kube-apiserver/audit.log && chmod 0600 /var/log/kube-apiserver/* LOCK=/var/log/kube-apiserver/.lock echo "Acquiring exclusive lock ${LOCK} ..." # Waiting for 135s max for old kube-apiserver's watch-termination process to exit and remove the lock. # Two cases: # 1. if kubelet does not start the old and new in parallel (i.e. works as expected), the flock will always succeed without any time. # 2. if kubelet does overlap old and new pods for up to 130s, the flock will wait and immediate return when the old finishes. # # NOTE: We can increase 135s for a bigger expected overlap. But a higher value means less noise about the broken kubelet behaviour, i.e. we hide a bug. # NOTE: Do not tweak these timings without considering the livenessProbe initialDelaySeconds exec {LOCK_FD}>${LOCK} && flock --verbose -w 135 "${LOCK_FD}" || { echo "$(date -Iseconds -u) kubelet did not terminate old kube-apiserver before new one" >> /var/log/kube-apiserver/lock.log echo -n ": WARNING: kubelet did not terminate old kube-apiserver before new one." # We failed to acquire exclusive lock, which means there is old kube-apiserver running in system. # Since we utilize SO_REUSEPORT, we need to make sure the old kube-apiserver stopped listening. # # NOTE: This is a fallback for broken kubelet, if you observe this please report a bug. echo -n "Waiting for port 6443 to be released due to likely bug in kubelet or CRI-O " while [ -n "$(ss -Htan state listening '( sport = 6443 or sport = 6080 )')" ]; do echo -n "." sleep 1 (( tries += 1 )) if [[ "${tries}" -gt 10 ]]; then echo "Timed out waiting for port :6443 and :6080 to be released, this is likely a bug in kubelet or CRI-O" exit 1 fi done # This is to make sure the server has terminated independently from the lock. # After the port has been freed (requests can be pending and need 60s max). sleep 65 } # We cannot hold the lock from the init container to the main container. We release it here. There is no risk, at this point we know we are safe. flock -u "${LOCK_FD}" command: - /usr/bin/timeout - "220" - /bin/bash - -ec image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imagePullPolicy: IfNotPresent name: setup resources: requests: cpu: 5m memory: 50Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/log/kube-apiserver name: audit-dir nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} terminationGracePeriodSeconds: 135 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/static-pod-resources/kube-apiserver-pod-6 type: "" name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/kube-apiserver-certs type: "" name: cert-dir - hostPath: path: /var/log/kube-apiserver type: "" name: audit-dir status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:20Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:20Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:39Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:39Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:43:18Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://b09ec9f78f9897a605241691754a162993368392c8020db0290ac43a9862d1f3 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d lastState: {} name: kube-apiserver ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:43:20Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/log/kube-apiserver name: audit-dir - containerID: cri-o://489c4661078f82b6a0b68d83fed1c53684d72b0df178edbd87252ff524a895b3 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-cert-regeneration-controller ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:43:20Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - containerID: cri-o://df2872816af4c38af6c470c634071a8b5944f8a31faf49fe4569a9da208e13f7 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-cert-syncer ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:43:20Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - containerID: cri-o://67efb8bfe5a6f1b758ca157bfcef80c59b85907f88572dd02d40afe6e9896027 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-check-endpoints ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:43:21Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - containerID: cri-o://ef053c2ec24777c6f73bf24c58ce6d81648a2919f61739a5cde9038627df1879 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-insecure-readyz ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:43:21Z" hostIP: 192.168.34.10 hostIPs: - ip: 192.168.34.10 initContainerStatuses: - containerID: cri-o://f212a76b747e114411a9d00eac6144e357bffebadcfd5266386a67eb7633032b image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d lastState: {} name: setup ready: true restartCount: 0 started: false state: terminated: containerID: cri-o://f212a76b747e114411a9d00eac6144e357bffebadcfd5266386a67eb7633032b exitCode: 0 finishedAt: "2025-10-11T10:43:19Z" reason: Completed startedAt: "2025-10-11T10:43:19Z" volumeMounts: - mountPath: /var/log/kube-apiserver name: audit-dir phase: Running podIP: 192.168.34.10 podIPs: - ip: 192.168.34.10 qosClass: Burstable startTime: "2025-10-11T10:43:18Z" - apiVersion: v1 kind: Pod metadata: annotations: kubectl.kubernetes.io/default-container: kube-apiserver kubernetes.io/config.hash: 23141951a25391899fad7b9f2d5b6739 kubernetes.io/config.mirror: 23141951a25391899fad7b9f2d5b6739 kubernetes.io/config.seen: "2025-10-11T10:47:46.754519142Z" kubernetes.io/config.source: file target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: "2025-10-11T10:49:12Z" labels: apiserver: "true" app: openshift-kube-apiserver revision: "6" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/default-container: {} f:kubernetes.io/config.hash: {} f:kubernetes.io/config.mirror: {} f:kubernetes.io/config.seen: {} f:kubernetes.io/config.source: {} f:target.workload.openshift.io/management: {} f:labels: .: {} f:apiserver: {} f:app: {} f:revision: {} f:ownerReferences: .: {} k:{"uid":"a42c3d58-398c-4d83-a471-700c0c6694c4"}: {} f:spec: f:containers: k:{"name":"kube-apiserver"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"GOGC"}: .: {} f:name: {} f:value: {} k:{"name":"HOST_IP"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"STATIC_POD_VERSION"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":6443,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/log/kube-apiserver"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-cert-regeneration-controller"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-cert-syncer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-check-endpoints"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":17697,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-insecure-readyz"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":6080,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:protocol: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:hostNetwork: {} f:initContainers: .: {} k:{"name":"setup"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/var/log/kube-apiserver"}: .: {} f:mountPath: {} f:name: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"audit-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"cert-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"resource-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: kubelet operation: Update time: "2025-10-11T10:49:12Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:initContainerStatuses: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"192.168.34.11"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:49:32Z" name: kube-apiserver-master-1 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 controller: true kind: Node name: master-1 uid: a42c3d58-398c-4d83-a471-700c0c6694c4 resourceVersion: "30208" uid: f3b273b7-0f72-4b9c-8f45-88891e9838c7 spec: containers: - args: - | LOCK=/var/log/kube-apiserver/.lock # We should be able to acquire the lock immediatelly. If not, it means the init container has not released it yet and kubelet or CRI-O started container prematurely. exec {LOCK_FD}>${LOCK} && flock --verbose -w 30 "${LOCK_FD}" || { echo "Failed to acquire lock for kube-apiserver. Please check setup container for details. This is likely kubelet or CRI-O bug." exit 1 } if [ -f /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt ]; then echo "Copying system trust bundle ..." cp -f /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem fi exec watch-termination --termination-touch-file=/var/log/kube-apiserver/.terminating --termination-log-file=/var/log/kube-apiserver/termination.log --graceful-termination-duration=135s --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig -- hyperkube kube-apiserver --openshift-config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml --advertise-address=${HOST_IP} -v=2 --permit-address-sharing command: - /bin/bash - -ec env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: STATIC_POD_VERSION value: "6" - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: GOGC value: "100" image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: livez?exclude=etcd port: 6443 scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: kube-apiserver ports: - containerPort: 6443 hostPort: 6443 protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: readyz port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 265m memory: 1Gi securityContext: privileged: true startupProbe: failureThreshold: 30 httpGet: path: livez port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/log/kube-apiserver name: audit-dir - args: - --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig - --namespace=$(POD_NAMESPACE) - --destination-dir=/etc/kubernetes/static-pod-certs command: - cluster-kube-apiserver-operator - cert-syncer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-cert-syncer resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - args: - --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig - --namespace=$(POD_NAMESPACE) - -v=2 command: - cluster-kube-apiserver-operator - cert-regeneration-controller env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-cert-regeneration-controller resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - args: - --insecure-port=6080 - --delegate-url=https://localhost:6443/readyz command: - cluster-kube-apiserver-operator - insecure-readyz image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-insecure-readyz ports: - containerPort: 6080 hostPort: 6080 protocol: TCP resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError - args: - --kubeconfig - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig - --listen - 0.0.0.0:17697 - --namespace - $(POD_NAMESPACE) - --v - "2" command: - cluster-kube-apiserver-operator - check-endpoints env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: healthz port: 17697 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: kube-apiserver-check-endpoints ports: - containerPort: 17697 hostPort: 17697 name: check-endpoints protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: healthz port: 17697 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 10m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - args: - | echo "Fixing audit permissions ..." chmod 0700 /var/log/kube-apiserver && touch /var/log/kube-apiserver/audit.log && chmod 0600 /var/log/kube-apiserver/* LOCK=/var/log/kube-apiserver/.lock echo "Acquiring exclusive lock ${LOCK} ..." # Waiting for 135s max for old kube-apiserver's watch-termination process to exit and remove the lock. # Two cases: # 1. if kubelet does not start the old and new in parallel (i.e. works as expected), the flock will always succeed without any time. # 2. if kubelet does overlap old and new pods for up to 130s, the flock will wait and immediate return when the old finishes. # # NOTE: We can increase 135s for a bigger expected overlap. But a higher value means less noise about the broken kubelet behaviour, i.e. we hide a bug. # NOTE: Do not tweak these timings without considering the livenessProbe initialDelaySeconds exec {LOCK_FD}>${LOCK} && flock --verbose -w 135 "${LOCK_FD}" || { echo "$(date -Iseconds -u) kubelet did not terminate old kube-apiserver before new one" >> /var/log/kube-apiserver/lock.log echo -n ": WARNING: kubelet did not terminate old kube-apiserver before new one." # We failed to acquire exclusive lock, which means there is old kube-apiserver running in system. # Since we utilize SO_REUSEPORT, we need to make sure the old kube-apiserver stopped listening. # # NOTE: This is a fallback for broken kubelet, if you observe this please report a bug. echo -n "Waiting for port 6443 to be released due to likely bug in kubelet or CRI-O " while [ -n "$(ss -Htan state listening '( sport = 6443 or sport = 6080 )')" ]; do echo -n "." sleep 1 (( tries += 1 )) if [[ "${tries}" -gt 10 ]]; then echo "Timed out waiting for port :6443 and :6080 to be released, this is likely a bug in kubelet or CRI-O" exit 1 fi done # This is to make sure the server has terminated independently from the lock. # After the port has been freed (requests can be pending and need 60s max). sleep 65 } # We cannot hold the lock from the init container to the main container. We release it here. There is no risk, at this point we know we are safe. flock -u "${LOCK_FD}" command: - /usr/bin/timeout - "220" - /bin/bash - -ec image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imagePullPolicy: IfNotPresent name: setup resources: requests: cpu: 5m memory: 50Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/log/kube-apiserver name: audit-dir nodeName: master-1 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} terminationGracePeriodSeconds: 135 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/static-pod-resources/kube-apiserver-pod-6 type: "" name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/kube-apiserver-certs type: "" name: cert-dir - hostPath: path: /var/log/kube-apiserver type: "" name: audit-dir status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:49:12Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:49:12Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:49:32Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:49:32Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:37:36Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://78130b5301fab8a631d47c753616bc63c2d7d8f2931253367a84eb0adf8538fb image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d lastState: {} name: kube-apiserver ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:49:13Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/log/kube-apiserver name: audit-dir - containerID: cri-o://6981b4508ac74e45d282fe5a59f106dabfea7c7c3293de729e9d6f0db68c7510 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-cert-regeneration-controller ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:49:13Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - containerID: cri-o://07c0fc0bccb7b7da4962275bebaa5f5ab1861795bc9d86159b3e163ce05cddac image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-cert-syncer ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:49:13Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - containerID: cri-o://761b6c7301a42f97ce8830816995738e797ac6ef0b6d2847f3ce0b1a956aa630 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-check-endpoints ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:49:14Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - containerID: cri-o://6b790055ab747dc39b0de5102915f7f68179102f3a383ae626b746d0c22b0f1f image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-insecure-readyz ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:49:14Z" hostIP: 192.168.34.11 hostIPs: - ip: 192.168.34.11 initContainerStatuses: - containerID: cri-o://5e79b10186bcde1683e0ff15f9bb04b0604789f489cf69d5e42d464f0d1d0aed image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d lastState: {} name: setup ready: true restartCount: 0 started: false state: terminated: containerID: cri-o://5e79b10186bcde1683e0ff15f9bb04b0604789f489cf69d5e42d464f0d1d0aed exitCode: 0 finishedAt: "2025-10-11T10:49:12Z" reason: Completed startedAt: "2025-10-11T10:49:12Z" volumeMounts: - mountPath: /var/log/kube-apiserver name: audit-dir phase: Running podIP: 192.168.34.11 podIPs: - ip: 192.168.34.11 qosClass: Burstable startTime: "2025-10-11T10:37:36Z" - apiVersion: v1 kind: Pod metadata: annotations: kubectl.kubernetes.io/default-container: kube-apiserver kubernetes.io/config.hash: 978811670a28b21932e323b181b31435 kubernetes.io/config.mirror: 978811670a28b21932e323b181b31435 kubernetes.io/config.seen: "2025-10-11T10:44:52.366736799Z" kubernetes.io/config.source: file target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: "2025-10-11T10:46:09Z" labels: apiserver: "true" app: openshift-kube-apiserver revision: "6" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:kubectl.kubernetes.io/default-container: {} f:kubernetes.io/config.hash: {} f:kubernetes.io/config.mirror: {} f:kubernetes.io/config.seen: {} f:kubernetes.io/config.source: {} f:target.workload.openshift.io/management: {} f:labels: .: {} f:apiserver: {} f:app: {} f:revision: {} f:ownerReferences: .: {} k:{"uid":"f1b83c3f-afaa-4166-90d8-83c06dc59b8f"}: {} f:spec: f:containers: k:{"name":"kube-apiserver"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"GOGC"}: .: {} f:name: {} f:value: {} k:{"name":"HOST_IP"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"STATIC_POD_VERSION"}: .: {} f:name: {} f:value: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":6443,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/log/kube-apiserver"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-cert-regeneration-controller"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-cert-syncer"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-check-endpoints"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":17697,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:name: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:initialDelaySeconds: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/static-pod-certs"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/etc/kubernetes/static-pod-resources"}: .: {} f:mountPath: {} f:name: {} k:{"name":"kube-apiserver-insecure-readyz"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:ports: .: {} k:{"containerPort":6080,"protocol":"TCP"}: .: {} f:containerPort: {} f:hostPort: {} f:protocol: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:hostNetwork: {} f:initContainers: .: {} k:{"name":"setup"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/var/log/kube-apiserver"}: .: {} f:mountPath: {} f:name: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"audit-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"cert-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"resource-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: kubelet operation: Update time: "2025-10-11T10:46:09Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:initContainerStatuses: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"192.168.34.12"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:46:29Z" name: kube-apiserver-master-2 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 controller: true kind: Node name: master-2 uid: f1b83c3f-afaa-4166-90d8-83c06dc59b8f resourceVersion: "24807" uid: 4687bd3d-ba6b-4078-956e-377c7a3ea444 spec: containers: - args: - | LOCK=/var/log/kube-apiserver/.lock # We should be able to acquire the lock immediatelly. If not, it means the init container has not released it yet and kubelet or CRI-O started container prematurely. exec {LOCK_FD}>${LOCK} && flock --verbose -w 30 "${LOCK_FD}" || { echo "Failed to acquire lock for kube-apiserver. Please check setup container for details. This is likely kubelet or CRI-O bug." exit 1 } if [ -f /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt ]; then echo "Copying system trust bundle ..." cp -f /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem fi exec watch-termination --termination-touch-file=/var/log/kube-apiserver/.terminating --termination-log-file=/var/log/kube-apiserver/termination.log --graceful-termination-duration=135s --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig -- hyperkube kube-apiserver --openshift-config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml --advertise-address=${HOST_IP} -v=2 --permit-address-sharing command: - /bin/bash - -ec env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: STATIC_POD_VERSION value: "6" - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.hostIP - name: GOGC value: "100" image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: livez?exclude=etcd port: 6443 scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: kube-apiserver ports: - containerPort: 6443 hostPort: 6443 protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: readyz port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 265m memory: 1Gi securityContext: privileged: true startupProbe: failureThreshold: 30 httpGet: path: livez port: 6443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/log/kube-apiserver name: audit-dir - args: - --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig - --namespace=$(POD_NAMESPACE) - --destination-dir=/etc/kubernetes/static-pod-certs command: - cluster-kube-apiserver-operator - cert-syncer env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-cert-syncer resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - args: - --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-cert-syncer-kubeconfig/kubeconfig - --namespace=$(POD_NAMESPACE) - -v=2 command: - cluster-kube-apiserver-operator - cert-regeneration-controller env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-cert-regeneration-controller resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - args: - --insecure-port=6080 - --delegate-url=https://localhost:6443/readyz command: - cluster-kube-apiserver-operator - insecure-readyz image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: kube-apiserver-insecure-readyz ports: - containerPort: 6080 hostPort: 6080 protocol: TCP resources: requests: cpu: 5m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError - args: - --kubeconfig - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig - --listen - 0.0.0.0:17697 - --namespace - $(POD_NAMESPACE) - --v - "2" command: - cluster-kube-apiserver-operator - check-endpoints env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: healthz port: 17697 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: kube-apiserver-check-endpoints ports: - containerPort: 17697 hostPort: 17697 name: check-endpoints protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: healthz port: 17697 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 10m memory: 50Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - args: - | echo "Fixing audit permissions ..." chmod 0700 /var/log/kube-apiserver && touch /var/log/kube-apiserver/audit.log && chmod 0600 /var/log/kube-apiserver/* LOCK=/var/log/kube-apiserver/.lock echo "Acquiring exclusive lock ${LOCK} ..." # Waiting for 135s max for old kube-apiserver's watch-termination process to exit and remove the lock. # Two cases: # 1. if kubelet does not start the old and new in parallel (i.e. works as expected), the flock will always succeed without any time. # 2. if kubelet does overlap old and new pods for up to 130s, the flock will wait and immediate return when the old finishes. # # NOTE: We can increase 135s for a bigger expected overlap. But a higher value means less noise about the broken kubelet behaviour, i.e. we hide a bug. # NOTE: Do not tweak these timings without considering the livenessProbe initialDelaySeconds exec {LOCK_FD}>${LOCK} && flock --verbose -w 135 "${LOCK_FD}" || { echo "$(date -Iseconds -u) kubelet did not terminate old kube-apiserver before new one" >> /var/log/kube-apiserver/lock.log echo -n ": WARNING: kubelet did not terminate old kube-apiserver before new one." # We failed to acquire exclusive lock, which means there is old kube-apiserver running in system. # Since we utilize SO_REUSEPORT, we need to make sure the old kube-apiserver stopped listening. # # NOTE: This is a fallback for broken kubelet, if you observe this please report a bug. echo -n "Waiting for port 6443 to be released due to likely bug in kubelet or CRI-O " while [ -n "$(ss -Htan state listening '( sport = 6443 or sport = 6080 )')" ]; do echo -n "." sleep 1 (( tries += 1 )) if [[ "${tries}" -gt 10 ]]; then echo "Timed out waiting for port :6443 and :6080 to be released, this is likely a bug in kubelet or CRI-O" exit 1 fi done # This is to make sure the server has terminated independently from the lock. # After the port has been freed (requests can be pending and need 60s max). sleep 65 } # We cannot hold the lock from the init container to the main container. We release it here. There is no risk, at this point we know we are safe. flock -u "${LOCK_FD}" command: - /usr/bin/timeout - "220" - /bin/bash - -ec image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imagePullPolicy: IfNotPresent name: setup resources: requests: cpu: 5m memory: 50Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/log/kube-apiserver name: audit-dir nodeName: master-2 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} terminationGracePeriodSeconds: 135 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/static-pod-resources/kube-apiserver-pod-6 type: "" name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/kube-apiserver-certs type: "" name: cert-dir - hostPath: path: /var/log/kube-apiserver type: "" name: audit-dir status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:46:09Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:46:09Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:46:29Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:46:29Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:33:23Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://53abb969cf9ec7a6a0b3309d898dd34b335fe0c42ff8b613f60abc04e216e34c image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d lastState: {} name: kube-apiserver ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:46:10Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/log/kube-apiserver name: audit-dir - containerID: cri-o://e6502be51ddefdca06d3a091a1356ff59f90e648646c60ca18073c7cc29dd884 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-cert-regeneration-controller ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:46:10Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - containerID: cri-o://fab18106c8341976767bd5af4dbc1f1bac3d07bab245177bb31d7f4058237efa image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-cert-syncer ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:46:10Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - containerID: cri-o://803d9f33ede284510ac06ea69345c389f6ba883c3072fbc05d47b05da5f8d05f image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-check-endpoints ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:46:11Z" volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - containerID: cri-o://81bd40984e0ececaa997a36721a48f361a68869ec7f5f8ab9db73abd3b783282 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: kube-apiserver-insecure-readyz ready: true restartCount: 0 started: true state: running: startedAt: "2025-10-11T10:46:10Z" hostIP: 192.168.34.12 hostIPs: - ip: 192.168.34.12 initContainerStatuses: - containerID: cri-o://c33f9dbc69178f562a6fbf097b9145cc3bcae184a07ac83d7567b22faaebbd11 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b283544da0bfbf6c8c5a11e0ca9fb4daaf4ac4ec910b30c07c7bef65a98f11d lastState: {} name: setup ready: true restartCount: 0 started: false state: terminated: containerID: cri-o://c33f9dbc69178f562a6fbf097b9145cc3bcae184a07ac83d7567b22faaebbd11 exitCode: 0 finishedAt: "2025-10-11T10:46:09Z" reason: Completed startedAt: "2025-10-11T10:46:09Z" volumeMounts: - mountPath: /var/log/kube-apiserver name: audit-dir phase: Running podIP: 192.168.34.12 podIPs: - ip: 192.168.34.12 qosClass: Burstable startTime: "2025-10-11T10:33:23Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.130.0.50/23"],"mac_address":"0a:58:0a:82:00:32","gateway_ips":["10.130.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.130.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.130.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.130.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.130.0.1"}],"ip_address":"10.130.0.50/23","gateway_ip":"10.130.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.130.0.50" ], "mac": "0a:58:0a:82:00:32", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:50:02Z" labels: app: pruner managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"4528f968-576f-4fdf-a36a-b7787647512a"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"pruner"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:50:02Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-0 operation: Update subresource: status time: "2025-10-11T10:50:03Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:50:03Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.130.0.50"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:50:07Z" name: revision-pruner-6-master-0 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-6 uid: 4528f968-576f-4fdf-a36a-b7787647512a resourceVersion: "30543" uid: 14a0545c-12d2-49a0-be5e-17f472bac134 spec: automountServiceAccountToken: false containers: - args: - -v=4 - --max-eligible-revision=6 - --protected-revisions=2,3,4,5,6 - --resource-dir=/etc/kubernetes/static-pod-resources - --cert-dir=kube-apiserver-certs - --static-pod-name=kube-apiserver-pod command: - cluster-kube-apiserver-operator - prune image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: pruner resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-t28rg nodeName: master-0 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:07Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:03Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:05Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:05Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:03Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://1b18bd815a4c78ab3d993af09213efb805e050af67596981f577c078fd8793c8 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: pruner ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://1b18bd815a4c78ab3d993af09213efb805e050af67596981f577c078fd8793c8 exitCode: 0 finishedAt: "2025-10-11T10:50:05Z" reason: Completed startedAt: "2025-10-11T10:50:04Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.34.10 hostIPs: - ip: 192.168.34.10 phase: Succeeded podIP: 10.130.0.50 podIPs: - ip: 10.130.0.50 qosClass: Guaranteed startTime: "2025-10-11T10:50:03Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.129.0.93/23"],"mac_address":"0a:58:0a:81:00:5d","gateway_ips":["10.129.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.129.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.129.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.129.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.129.0.1"}],"ip_address":"10.129.0.93/23","gateway_ip":"10.129.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.129.0.93" ], "mac": "0a:58:0a:81:00:5d", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:50:05Z" labels: app: pruner managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"4528f968-576f-4fdf-a36a-b7787647512a"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"pruner"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:50:05Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-1 operation: Update subresource: status time: "2025-10-11T10:50:05Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:50:06Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.129.0.93"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:50:09Z" name: revision-pruner-6-master-1 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-6 uid: 4528f968-576f-4fdf-a36a-b7787647512a resourceVersion: "30573" uid: c72a1cdf-d776-4854-b379-bde17097bab0 spec: automountServiceAccountToken: false containers: - args: - -v=4 - --max-eligible-revision=6 - --protected-revisions=2,3,4,5,6 - --resource-dir=/etc/kubernetes/static-pod-resources - --cert-dir=kube-apiserver-certs - --static-pod-name=kube-apiserver-pod command: - cluster-kube-apiserver-operator - prune image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: pruner resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-t28rg nodeName: master-1 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:09Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:05Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:08Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:08Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:05Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://f5834e38fc462bced57a8335af6c00a64ee6e2c61e99884fc618f9c7f277f266 image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: pruner ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://f5834e38fc462bced57a8335af6c00a64ee6e2c61e99884fc618f9c7f277f266 exitCode: 0 finishedAt: "2025-10-11T10:50:08Z" reason: Completed startedAt: "2025-10-11T10:50:07Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.34.11 hostIPs: - ip: 192.168.34.11 phase: Succeeded podIP: 10.129.0.93 podIPs: - ip: 10.129.0.93 qosClass: Guaranteed startTime: "2025-10-11T10:50:05Z" - apiVersion: v1 kind: Pod metadata: annotations: k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.128.0.104/23"],"mac_address":"0a:58:0a:80:00:68","gateway_ips":["10.128.0.1"],"routes":[{"dest":"10.128.0.0/14","nextHop":"10.128.0.1"},{"dest":"172.30.0.0/16","nextHop":"10.128.0.1"},{"dest":"169.254.0.5/32","nextHop":"10.128.0.1"},{"dest":"100.64.0.0/16","nextHop":"10.128.0.1"}],"ip_address":"10.128.0.104/23","gateway_ip":"10.128.0.1","role":"primary"}}' k8s.v1.cni.cncf.io/network-status: |- [{ "name": "ovn-kubernetes", "interface": "eth0", "ips": [ "10.128.0.104" ], "mac": "0a:58:0a:80:00:68", "default": true, "dns": {} }] creationTimestamp: "2025-10-11T10:50:08Z" labels: app: pruner managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:app: {} f:ownerReferences: .: {} k:{"uid":"4528f968-576f-4fdf-a36a-b7787647512a"}: {} f:spec: f:automountServiceAccountToken: {} f:containers: k:{"name":"pruner"}: .: {} f:args: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:limits: .: {} f:cpu: {} f:memory: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/etc/kubernetes/"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}: .: {} f:mountPath: {} f:name: {} f:readOnly: {} f:dnsPolicy: {} f:enableServiceLinks: {} f:nodeName: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: .: {} f:runAsUser: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"kube-api-access"}: .: {} f:name: {} f:projected: .: {} f:defaultMode: {} f:sources: {} k:{"name":"kubelet-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} manager: cluster-kube-apiserver-operator operation: Update time: "2025-10-11T10:50:08Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:k8s.ovn.org/pod-networks: {} manager: master-2 operation: Update subresource: status time: "2025-10-11T10:50:08Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:k8s.v1.cni.cncf.io/network-status: {} manager: multus-daemon operation: Update subresource: status time: "2025-10-11T10:50:09Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:status: f:conditions: .: {} k:{"type":"ContainersReady"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Initialized"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} k:{"type":"PodReadyToStartContainers"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"PodScheduled"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:status: {} f:type: {} k:{"type":"Ready"}: .: {} f:lastProbeTime: {} f:lastTransitionTime: {} f:reason: {} f:status: {} f:type: {} f:containerStatuses: {} f:hostIP: {} f:hostIPs: {} f:phase: {} f:podIP: {} f:podIPs: .: {} k:{"ip":"10.128.0.104"}: .: {} f:ip: {} f:startTime: {} manager: kubelet operation: Update subresource: status time: "2025-10-11T10:50:13Z" name: revision-pruner-6-master-2 namespace: openshift-kube-apiserver ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-6 uid: 4528f968-576f-4fdf-a36a-b7787647512a resourceVersion: "30617" uid: b0ae11ca-a8d5-4a55-9898-269dfe907446 spec: automountServiceAccountToken: false containers: - args: - -v=4 - --max-eligible-revision=6 - --protected-revisions=2,3,4,5,6 - --resource-dir=/etc/kubernetes/static-pod-resources - --cert-dir=kube-apiserver-certs - --static-pod-name=kube-apiserver-pod command: - cluster-kube-apiserver-operator - prune image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imagePullPolicy: IfNotPresent name: pruner resources: limits: cpu: 150m memory: 200M requests: cpu: 150m memory: 200M securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true imagePullSecrets: - name: installer-sa-dockercfg-t28rg nodeName: master-2 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Never schedulerName: default-scheduler securityContext: runAsUser: 0 serviceAccount: installer-sa serviceAccountName: installer-sa terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /etc/kubernetes/ type: "" name: kubelet-dir - name: kube-api-access projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3600 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:13Z" status: "False" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:08Z" reason: PodCompleted status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:11Z" reason: PodCompleted status: "False" type: Ready - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:11Z" reason: PodCompleted status: "False" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-10-11T10:50:08Z" status: "True" type: PodScheduled containerStatuses: - containerID: cri-o://97d2ffd60350f21f0391dcc9487188f6d1cbec2083573758ddac10b06f8b652f image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bd52817806c4f947413297672397b0f17784eec91347b8d6f3a21f4b9921eb2e lastState: {} name: pruner ready: false restartCount: 0 started: false state: terminated: containerID: cri-o://97d2ffd60350f21f0391dcc9487188f6d1cbec2083573758ddac10b06f8b652f exitCode: 0 finishedAt: "2025-10-11T10:50:10Z" reason: Completed startedAt: "2025-10-11T10:50:10Z" volumeMounts: - mountPath: /etc/kubernetes/ name: kubelet-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.34.12 hostIPs: - ip: 192.168.34.12 phase: Succeeded podIP: 10.128.0.104 podIPs: - ip: 10.128.0.104 qosClass: Guaranteed startTime: "2025-10-11T10:50:08Z" kind: PodList metadata: resourceVersion: "64581"