--- apiVersion: apps/v1 items: - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "5" openshiftapiservers.operator.openshift.io/operator-pull-spec: "" operator.openshift.io/dep-openshift-oauth-apiserver.etcd-client.secret: H-0Ygw== operator.openshift.io/dep-openshift-oauth-apiserver.etcd-serving-ca.configmap: HOMAdQ== operator.openshift.io/spec-hash: 0eea89273a41960c7f2d91e0dce43f1f736099412d95b5e56713ae91f8f9e04f creationTimestamp: "2025-10-11T10:28:43Z" generation: 6 labels: apiserver: "true" app: openshift-oauth-apiserver revision: "1" managedFields: - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:openshiftapiservers.operator.openshift.io/operator-pull-spec: {} f:operator.openshift.io/dep-openshift-oauth-apiserver.etcd-client.secret: {} f:operator.openshift.io/dep-openshift-oauth-apiserver.etcd-serving-ca.configmap: {} f:operator.openshift.io/spec-hash: {} f:labels: .: {} f:apiserver: {} f:app: {} f:revision: {} f:spec: f:progressDeadlineSeconds: {} f:replicas: {} f:revisionHistoryLimit: {} f:selector: {} f:strategy: f:rollingUpdate: .: {} f:maxSurge: {} f:maxUnavailable: {} f:type: {} f:template: f:metadata: f:annotations: .: {} f:openshift.io/required-scc: {} f:operator.openshift.io/dep-openshift-oauth-apiserver.etcd-client.secret: {} f:operator.openshift.io/dep-openshift-oauth-apiserver.etcd-serving-ca.configmap: {} f:target.workload.openshift.io/management: {} f:labels: .: {} f:apiserver: {} f:app: {} f:oauth-apiserver-anti-affinity: {} f:revision: {} f:name: {} f:spec: f:affinity: .: {} f:podAntiAffinity: .: {} f:requiredDuringSchedulingIgnoredDuringExecution: {} f:containers: k:{"name":"oauth-apiserver"}: .: {} f:args: {} f:command: {} f:env: .: {} k:{"name":"POD_NAME"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} k:{"name":"POD_NAMESPACE"}: .: {} f:name: {} f:valueFrom: .: {} f:fieldRef: {} f:image: {} f:imagePullPolicy: {} f:livenessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:name: {} f:ports: .: {} k:{"containerPort":8443,"protocol":"TCP"}: .: {} f:containerPort: {} f:protocol: {} f:readinessProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:startupProbe: .: {} f:failureThreshold: {} f:httpGet: .: {} f:path: {} f:port: {} f:scheme: {} f:periodSeconds: {} f:successThreshold: {} f:timeoutSeconds: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/var/log/oauth-apiserver"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/configmaps/audit"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/configmaps/etcd-serving-ca"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/configmaps/trusted-ca-bundle"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/encryption-config"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/etcd-client"}: .: {} f:mountPath: {} f:name: {} k:{"mountPath":"/var/run/secrets/serving-cert"}: .: {} f:mountPath: {} f:name: {} f:dnsPolicy: {} f:initContainers: .: {} k:{"name":"fix-audit-permissions"}: .: {} f:command: {} f:image: {} f:imagePullPolicy: {} f:name: {} f:resources: .: {} f:requests: .: {} f:cpu: {} f:memory: {} f:securityContext: .: {} f:privileged: {} f:runAsUser: {} f:terminationMessagePath: {} f:terminationMessagePolicy: {} f:volumeMounts: .: {} k:{"mountPath":"/var/log/oauth-apiserver"}: .: {} f:mountPath: {} f:name: {} f:nodeSelector: {} f:priorityClassName: {} f:restartPolicy: {} f:schedulerName: {} f:securityContext: {} f:serviceAccount: {} f:serviceAccountName: {} f:terminationGracePeriodSeconds: {} f:tolerations: {} f:volumes: .: {} k:{"name":"audit-dir"}: .: {} f:hostPath: .: {} f:path: {} f:type: {} f:name: {} k:{"name":"audit-policies"}: .: {} f:configMap: .: {} f:defaultMode: {} f:name: {} f:name: {} k:{"name":"encryption-config"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:optional: {} f:secretName: {} k:{"name":"etcd-client"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} k:{"name":"etcd-serving-ca"}: .: {} f:configMap: .: {} f:defaultMode: {} f:name: {} f:name: {} k:{"name":"serving-cert"}: .: {} f:name: {} f:secret: .: {} f:defaultMode: {} f:secretName: {} k:{"name":"trusted-ca-bundle"}: .: {} f:configMap: .: {} f:defaultMode: {} f:items: {} f:name: {} f:optional: {} f:name: {} manager: authentication-operator operation: Update time: "2025-10-11T10:41:42Z" - apiVersion: apps/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: f:deployment.kubernetes.io/revision: {} f:status: f:availableReplicas: {} f:conditions: .: {} k:{"type":"Available"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"Progressing"}: .: {} f:lastTransitionTime: {} f:lastUpdateTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} f:observedGeneration: {} f:readyReplicas: {} f:replicas: {} f:updatedReplicas: {} manager: kube-controller-manager operation: Update subresource: status time: "2025-10-11T10:45:08Z" name: apiserver namespace: openshift-oauth-apiserver resourceVersion: "23716" uid: 498bbb31-bba3-4db0-97d9-29977906f3c6 spec: progressDeadlineSeconds: 600 replicas: 3 revisionHistoryLimit: 10 selector: matchLabels: apiserver: "true" app: openshift-oauth-apiserver strategy: rollingUpdate: maxSurge: 0 maxUnavailable: 1 type: RollingUpdate template: metadata: annotations: openshift.io/required-scc: privileged operator.openshift.io/dep-openshift-oauth-apiserver.etcd-client.secret: H-0Ygw== operator.openshift.io/dep-openshift-oauth-apiserver.etcd-serving-ca.configmap: HOMAdQ== target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: null labels: apiserver: "true" app: openshift-oauth-apiserver oauth-apiserver-anti-affinity: "true" revision: "1" name: openshift-oauth-apiserver spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: apiserver: "true" app: openshift-oauth-apiserver oauth-apiserver-anti-affinity: "true" topologyKey: kubernetes.io/hostname containers: - args: - | if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then echo "Copying system trust bundle" cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem fi exec oauth-apiserver start \ --secure-port=8443 \ --audit-log-path=/var/log/oauth-apiserver/audit.log \ --audit-log-format=json \ --audit-log-maxsize=100 \ --audit-log-maxbackup=10 \ --audit-policy-file=/var/run/configmaps/audit/policy.yaml \ --etcd-cafile=/var/run/configmaps/etcd-serving-ca/ca-bundle.crt \ --etcd-keyfile=/var/run/secrets/etcd-client/tls.key \ --etcd-certfile=/var/run/secrets/etcd-client/tls.crt \ --etcd-healthcheck-timeout=9s \ --etcd-readycheck-timeout=9s \ --shutdown-delay-duration=50s \ --shutdown-send-retry-after=true \ --tls-private-key-file=/var/run/secrets/serving-cert/tls.key \ --tls-cert-file=/var/run/secrets/serving-cert/tls.crt \ --enable-priority-and-fairness=false \ --api-audiences=https://kubernetes.default.svc \ --cors-allowed-origins='//127\.0\.0\.1(:|$)' \ --cors-allowed-origins='//localhost(:|$)' \ --etcd-servers=https://192.168.34.10:2379 \ --etcd-servers=https://192.168.34.11:2379 \ --etcd-servers=https://192.168.34.12:2379 \ --tls-cipher-suites=TLS_AES_128_GCM_SHA256 \ --tls-cipher-suites=TLS_AES_256_GCM_SHA384 \ --tls-cipher-suites=TLS_CHACHA20_POLY1305_SHA256 \ --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \ --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \ --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \ --tls-cipher-suites=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \ --tls-min-version=VersionTLS12 \ --v=2 command: - /bin/bash - -ec env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a10f1f5c782b4f4fb9c364625daf34791903749d4149eb87291c70598b16b404 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: livez?exclude=etcd port: 8443 scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 name: oauth-apiserver ports: - containerPort: 8443 protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: readyz?exclude=etcd&exclude=etcd-readiness port: 8443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 resources: requests: cpu: 150m memory: 200Mi securityContext: privileged: true runAsUser: 0 startupProbe: failureThreshold: 30 httpGet: path: livez port: 8443 scheme: HTTPS periodSeconds: 5 successThreshold: 1 timeoutSeconds: 10 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/configmaps/audit name: audit-policies - mountPath: /var/run/secrets/etcd-client name: etcd-client - mountPath: /var/run/configmaps/etcd-serving-ca name: etcd-serving-ca - mountPath: /var/run/configmaps/trusted-ca-bundle name: trusted-ca-bundle - mountPath: /var/run/secrets/serving-cert name: serving-cert - mountPath: /var/run/secrets/encryption-config name: encryption-config - mountPath: /var/log/oauth-apiserver name: audit-dir dnsPolicy: ClusterFirst initContainers: - command: - sh - -c - chmod 0700 /var/log/oauth-apiserver && touch /var/log/oauth-apiserver/audit.log && chmod 0600 /var/log/oauth-apiserver/* image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a10f1f5c782b4f4fb9c364625daf34791903749d4149eb87291c70598b16b404 imagePullPolicy: IfNotPresent name: fix-audit-permissions resources: requests: cpu: 15m memory: 50Mi securityContext: privileged: true runAsUser: 0 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/log/oauth-apiserver name: audit-dir nodeSelector: node-role.kubernetes.io/master: "" priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: oauth-apiserver-sa serviceAccountName: oauth-apiserver-sa terminationGracePeriodSeconds: 120 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 120 - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 120 volumes: - configMap: defaultMode: 420 name: audit-1 name: audit-policies - name: etcd-client secret: defaultMode: 420 secretName: etcd-client - configMap: defaultMode: 420 name: etcd-serving-ca name: etcd-serving-ca - name: serving-cert secret: defaultMode: 420 secretName: serving-cert - configMap: defaultMode: 420 items: - key: ca-bundle.crt path: tls-ca-bundle.pem name: trusted-ca-bundle optional: true name: trusted-ca-bundle - name: encryption-config secret: defaultMode: 420 optional: true secretName: encryption-config-1 - hostPath: path: /var/log/oauth-apiserver type: "" name: audit-dir status: availableReplicas: 3 conditions: - lastTransitionTime: "2025-10-11T10:39:06Z" lastUpdateTime: "2025-10-11T10:39:06Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available - lastTransitionTime: "2025-10-11T10:28:43Z" lastUpdateTime: "2025-10-11T10:45:08Z" message: ReplicaSet "apiserver-68f4c55ff4" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 6 readyReplicas: 3 replicas: 3 updatedReplicas: 3 kind: DeploymentList metadata: resourceVersion: "64289"